Tactical Forensics Platform
Earlier I wrote about my proposed Tactical Network Security Monitoring Platform. Today I finally sat down and installed the operating systems I need on this system to create a portable tactical forensics and investigation platform. I did not want to use my main work laptop for this sort of work because I do not administer it. I needed my forensics platform to be separate from the corporate domain and totally under my control. I only feel comfortable attesting to the configuration of a system doing forensics if I built it from the ground up and I am the sole administrator.
For operating systems, I had three needs. I wanted Windows XP because the majority of commercial forensics software runs on Windows. I wanted Ubuntu Hardy Heron so I could have access to Linux forensics software and VMware Server. (Windows is also a possible VMware Server candidate, but I might install a copy of VMware Workstation on the Windows side.) I wanted FreeBSD 7.0 in case I needed to do packet capture and related network security monitoring tasks.
I decided to triple-boot these three operating systems. The box has three logical hard drives. Two are physical (147 GB each) and the third is a RAID 0 array that the controller presents as a single 447 GB HDD. (Linux's fdisk, shown below, reports the same disks in decimal gigabytes, as 160.0 GB and 479.9 GB.)
Before I got the following to work I had to experiment with various setups. The following is what I settled upon. I'm posting this information for future reference and for those who might want to try the same setup.
First I installed Windows XP on the only HDD it could see, one of the 147 GB HDDs. I thought this a little odd, but it suited my purposes. The likely cause is that the XP installer carries no driver for the RAID controller, so the array stays invisible unless a driver is supplied at the F6 prompt or slipstreamed into the install media (a commenter below makes the same point). I rebooted and Windows started without incident.
Next I changed the default boot drive in the BIOS from the Windows HDD to the next HDD. I installed Ubuntu Hardy Heron Desktop on that second 147 GB HDD. I selected the "Advanced" option and told Ubuntu to install its bootloader into one of the drives I was using for Linux (/dev/sdc, which turned out to be a problem).
When I tried rebooting, GRUB had created entries for Linux and Windows but neither worked. The cause was drive ordering: GRUB legacy numbers disks (hd0), (hd1), (hd2) in BIOS boot order, and that order did not match the /dev/sdX order the Ubuntu live CD/installer had used (nor the order Linux used once booted). Once I understood this I edited the GRUB command line at boot to start Linux from the correct (hdN,M), then applied a similar fix for Windows, whose entry also needs GRUB's map command so that XP believes it is on the first BIOS disk. I'll show the result shortly. I made the changes to GRUB permanent before going to the next step.
Finally I installed FreeBSD 7.0, which saw the remaining 447 GB HDD as /dev/da0 and the other HDDs as /dev/ad4 and /dev/ad6. I didn't touch /dev/ad4 or /dev/ad6 but installed the FreeBSD bootloader into /dev/da0.
After a reboot I had to try various combinations to get GRUB to properly boot FreeBSD 7.0, but eventually I got that working too. The working entry uses root (hd1,a), naming the FreeBSD disklabel partition by letter rather than by DOS slice number.
Here is how Linux's fdisk -l saw the computer:
root@nextcom01:~# fdisk -l

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       19456   156280288+   7  HPFS/NTFS

Disk /dev/sdb: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x8f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         249     2000061   83  Linux
/dev/sdb2   *         250         747     4000185   82  Linux swap / Solaris
/dev/sdb3   *         748        3237    20000925   83  Linux
/dev/sdb4            3238       19457   130287150    5  Extended
/dev/sdb5            3238        4482    10000431   83  Linux
/dev/sdb6            4483        6972    20000893+  83  Linux
/dev/sdb7            6973        7221     2000061   83  Linux
/dev/sdb8            7222       19457    98285638+  83  Linux

Disk /dev/sdc: 479.9 GB, 479965741056 bytes
255 heads, 63 sectors/track, 58352 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f800000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *           1       58352   468712408+  a5  FreeBSD
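The fdisk listing above is a view of each disk's MBR partition table. On a forensics box whose configuration you intend to attest to, it is worth being able to read that table yourself and to keep a baseline hash of the boot sector so that a later change to the boot code (or an unexpected repartition) is detectable. The following is an added example, not code from the original post: it parses a DOS/MBR partition table into the same cylinder and block figures fdisk prints, derives the GRUB legacy partition index, and hashes the boot code and partition table separately. The MBR bytes are constructed here to mirror the /dev/sda and /dev/sdb entries shown above; the geometry (255 heads, 63 sectors per track) is the one fdisk reported. Logical partitions (sdb5 to sdb8) live in the EBR chain inside the extended partition and are not read by this parser.

```python
"""Parse a DOS/MBR partition table the way fdisk -l presents it, and record a
baseline hash of the boot sector so the boot chain can be re-verified later.

Added example, not code from the original post.  The MBR bytes are constructed
to mirror the /dev/sda and /dev/sdb layouts in the fdisk output on the page.
"""
import hashlib
import struct

SECTORS_PER_CYLINDER = 255 * 63        # 16065, as in fdisk's "Units =" line
PARTITION_TYPES = {                    # subset of fdisk's type table
    0x05: "Extended", 0x07: "HPFS/NTFS", 0x82: "Linux swap / Solaris",
    0x83: "Linux", 0xa5: "FreeBSD",
}
ENTRY_FMT = "<B3xB3xII"                # flag, CHS (ignored), type, CHS (ignored), LBA start, sectors


def build_mbr(entries, bootcode=b""):
    """Assemble a 512-byte MBR from (bootable, type_id, start_lba, sectors) tuples.
    CHS fields are zeroed; fdisk and every modern loader use the LBA fields."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    code = bootcode.ljust(446, b"\0")[:446]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if boot else 0x00, b"\0\0\0", ptype, b"\0\0\0", start, size)
        for boot, ptype, start, size in entries)
    return code + table.ljust(64, b"\0") + b"\x55\xaa"


def parse_mbr(mbr):
    """Return the non-empty primary entries with fdisk-style cylinder/block figures.
    Logical partitions sit in the EBR chain inside an extended partition and are
    not followed here (so sdb5..sdb8 from the page would not be listed)."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    parts = []
    for idx in range(4):
        boot, ptype, start, size = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * idx)
        if ptype == 0:
            continue
        parts.append({
            "index": idx,                         # GRUB legacy names this (hdN,idx)
            "boot": boot == 0x80,
            "type": ptype,
            "system": PARTITION_TYPES.get(ptype, "unknown"),
            "start_lba": start,
            "sectors": size,
            "start_cyl": start // SECTORS_PER_CYLINDER + 1,
            "end_cyl": (start + size - 1) // SECTORS_PER_CYLINDER + 1,
            "blocks": size // 2,                  # 1 KiB blocks; '+' when a sector is left over
            "half_block": size % 2 == 1,
        })
    return parts


def fdisk_rows(device, parts):
    """Format entries like fdisk's 'Device Boot Start End Blocks Id System' rows."""
    rows = []
    for p in parts:
        blocks = "%d%s" % (p["blocks"], "+" if p["half_block"] else "")
        rows.append("%-10s %s %10d %10d %12s %3x  %s" % (
            "%s%d" % (device, p["index"] + 1), "*" if p["boot"] else " ",
            p["start_cyl"], p["end_cyl"], blocks, p["type"], p["system"]))
    return rows


def baseline(mbr):
    """Hash boot code and partition table separately: repartitioning (GParted)
    legitimately changes the table, but nothing should rewrite the boot code."""
    return {"bootcode": hashlib.sha256(mbr[:446]).hexdigest(),
            "table": hashlib.sha256(mbr[446:510]).hexdigest()}


def changed_since(mbr, base):
    """Names of the MBR components whose hash no longer matches the baseline."""
    now = baseline(mbr)
    return sorted(name for name in base if base[name] != now[name])


# Constructed input modelled on the fdisk output on the page.  LBA values come
# from the cylinder figures: cylinder c starts at sector (c - 1) * 16065, and
# the first partition starts at sector 63 to leave room for the MBR track.
SDA_MBR = build_mbr([(True, 0x07, 63, 312560577)])
SDB_MBR = build_mbr([(True, 0x83, 63, 4000122),
                     (True, 0x82, 249 * 16065, 8000370),
                     (True, 0x83, 747 * 16065, 40001850),
                     (False, 0x05, 3237 * 16065, 260574300)])

if __name__ == "__main__":
    for dev, mbr in (("/dev/sda", SDA_MBR), ("/dev/sdb", SDB_MBR)):
        print("\n".join(fdisk_rows(dev, parse_mbr(mbr))))
        print(baseline(mbr))
```

On a real system you would feed parse_mbr the first 512 bytes of the block device (for example, `dd if=/dev/sda bs=512 count=1`) and store the baseline alongside your other build records; re-running changed_since after an incident or a GParted session tells you which half of the sector moved.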
Here is the GRUB menu I got working:
$ grep -v ^# /boot/grub/menu.lst
default 0
timeout 10
title Ubuntu 8.04, kernel 2.6.24-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro quiet splash
initrd /boot/initrd.img-2.6.24-16-generic
quiet
title Ubuntu 8.04, kernel 2.6.24-16-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro single
initrd /boot/initrd.img-2.6.24-16-generic
title Ubuntu 8.04, memtest86+
root (hd0,0)
kernel /boot/memtest86+.bin
quiet
title Other operating systems:
root
title Microsoft Windows XP Professional
root (hd2,0)
savedefault
map (hd0) (hd2)
map (hd2) (hd0)
chainloader +1
title FreeBSD 7.0
root (hd1,a)
savedefault
chainloader +1
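The menu above encodes the drive-ordering fix from the text: Ubuntu's root is (hd0,0) although Linux calls that partition /dev/sdb1, Windows is (hd2,0) although Linux calls it /dev/sda1, and the two map lines swap hd0 and hd2 so XP's own loader finds itself on the first BIOS disk. GRUB legacy records the BIOS-to-Linux correspondence in /boot/grub/device.map. The following is an added example, not code from the original post or from GRUB: it reads a device.map, translates Linux partition names into (hdN,M) form (GRUB legacy counts partitions from zero, primaries as 0 to 3 and logical partitions from 4), and emits a chainloader stanza that adds the map swap only when the target is not on (hd0). The device.map text is constructed to match the ordering the menu.lst above implies; the real file from that machine is not shown on the page. FreeBSD's root (hd1,a) names a disklabel partition by letter and is outside what this helper handles.

```python
"""Translate Linux partition names into GRUB legacy (hdN,M) names via
device.map, and emit a chainloader stanza that swaps BIOS drives when the
target OS is not on (hd0).

Added example, not code from the original post or from GRUB.  DEVICE_MAP is
constructed to match the ordering the page's menu.lst implies.
"""
import re

DEVICE_MAP = """\
(hd0)   /dev/sdb
(hd1)   /dev/sdc
(hd2)   /dev/sda
"""


def parse_device_map(text):
    """Return {linux_disk: bios_drive_number} from a GRUB legacy device.map."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"\s*\(hd(\d+)\)\s+(\S+)", line)
        if m:
            mapping[m.group(2)] = int(m.group(1))
    return mapping


def grub_name(linux_part, device_map):
    """/dev/sdb1 -> '(hd0,0)'.  GRUB legacy counts partitions from zero, with
    primaries 0-3 and logical partitions from 4, so Linux's number minus one
    is right for both kinds."""
    m = re.fullmatch(r"(/dev/[a-z]+)(\d+)", linux_part)
    if not m:
        raise ValueError("expected a partition such as /dev/sda1, got %r" % linux_part)
    disk, num = m.group(1), int(m.group(2))
    if disk not in device_map:
        raise KeyError("%s is not listed in device.map" % disk)
    return "(hd%d,%d)" % (device_map[disk], num - 1)


def bios_drive(grub_dev):
    """'(hd2,0)' -> 2"""
    return int(re.match(r"\(hd(\d+),", grub_dev).group(1))


def chainload_stanza(title, linux_part, device_map):
    """Stanza for an OS whose own loader assumes it sits on the first BIOS disk
    (Windows XP does).  When it actually lives on hdN with N != 0, GRUB's map
    command swaps the two drive numbers before control is handed over."""
    root = grub_name(linux_part, device_map)
    n = bios_drive(root)
    lines = ["title %s" % title, "root %s" % root, "savedefault"]
    if n != 0:
        lines += ["map (hd0) (hd%d)" % n, "map (hd%d) (hd0)" % n]
    lines.append("chainloader +1")
    return "\n".join(lines)


if __name__ == "__main__":
    dm = parse_device_map(DEVICE_MAP)
    print(chainload_stanza("Microsoft Windows XP Professional", "/dev/sda1", dm))
```

If the BIOS boot order is changed again, device.map goes stale and every (hdN,M) in menu.lst shifts with it; regenerating the stanza from a fresh device.map is safer than editing the numbers by hand.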
I'll probably resize the Windows partition and add a D: drive. I just noticed I devoted the whole drive to C: during installation.
Update: I wasn't able to use the version of GParted available through Ubuntu (0.3.5 I think) to resize the C: partition but I did use the latest stable liveCD (0.3.6-7) to resize C: and create E: (D: was already the optical drive).
Comments
Thanks for sharing your setup.
Just a couple of questions.
1. Did you install Win XP Pro 64-bit? It would probably make very little difference because almost all apps run in WOW64 today. Still, it would be nice to know your exact setup.
2. The box is sweet, but I noticed it had 7200 RPM disks. Does this constrain an otherwise high-end box?
3. Can you share with us what forensics software you are referring to that runs on Hardy?
Once again, thanks for these types of posts. I look forward to following your progress on this project.
Cheers,
Caner
Windows doesn't preload SATA or RAID drivers into its install disk, yet another way for mass distributors to take a nickel.
Best idea in the world: find the driver for reading the RAID/SATA drive and Google nLite, then burn the driver to a boot CD and have at it. No F6, no third-party drivers needed. When you have to do these setups enough, this is a lifesaver.