Restore compromised systems with diagnostics LiveCDs

Two tools let you detect system break-ins and recover critical data

Mayank Sharma (geeky_bodhi@yahoo.co.in), Freelance technical writer
Mayank Sharma has been writing about technology, especially free and open software, for the past five years. He helped launch South Asia's leading FLOSS monthly LINUX For You (as its Assistant Editor) and is currently busy putting together a Web-based publication devoted to localization, education, and FLOSS migration. Besides writing, Mayank loves to hack also; his most recent contribution is an installer for the Utkarsh localization project. Still struggling for a computer science degree, he loves Formula One car racing.

Summary:  Want to assess your Linux® system's integrity and recover lost data without lengthy installation and configuration efforts? Get to know two packages -- Helix and Plan-B -- that bring you that ability through the magic of LiveCD.

Date:  31 Jan 2006
Level:  Introductory

Mayank's previous article "Assess system security using a Linux LiveCD" looked at LiveCDs that come with tools to help you assess your computer's security. But what do you do if a system has been compromised and used for illegal or unauthorized activities? One option is to call computer security experts. Another is to download the tools the experts use, learn them, and become your own expert in integrity assurance and data recovery. And there is no need to worry about setting them up -- they're LiveCDs!

About LiveCD

A LiveCD is an operating system (plus other software) stored on a bootable CD-ROM from which the OS can be executed without going through a time-consuming installation. Most are based on the Linux kernel (but there are LiveCDs for other operating systems). A LiveCD works by placing its files on a RAM disk (leaving less RAM for applications, which can slow performance). Once you eject the LiveCD and reboot, your original system comes back untouched. Some LiveCDs come with an installation utility that lets you install the system on a hard drive or USB keydrive; most can access information on internal/external hard drives, disks, and Flash memories.

syslinux is used to boot Linux-based LiveCDs, as well as Linux floppies. For the PC, the bootable CD generally conforms to the El Torito specification, which treats a special file on the disc (possibly hidden) as a floppy diskette image. Many LiveCDs use a compressed filesystem image, often served through the cloop compressed loopback driver, to effectively double the storage capacity of the disc.
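To make the El Torito mechanism concrete, here is an added example (not code from the article, from Helix, or from Plan-B) that builds a minimal, constructed disc image containing only the El Torito structures and then parses it the way a BIOS or an examiner's tool would: it finds the Boot Record Volume Descriptor in sector 17, follows its pointer to the boot catalog, checks the catalog's validation entry (checksum and 0x55AA key bytes), and reports which kind of "floppy" the default entry emulates and where on the disc that image starts. The sample image, the ID string and the sector numbers are assumptions chosen for the example; the field offsets are those of the El Torito specification.

```python
import struct

SECTOR = 2048       # ISO-9660 logical sector size
BRVD_SECTOR = 17    # the Boot Record Volume Descriptor always sits in sector 17
MEDIA_TYPES = {0: "no emulation", 1: "1.2 MB floppy", 2: "1.44 MB floppy",
               3: "2.88 MB floppy", 4: "hard disk"}


def build_sample_iso(catalog_sector=19, image_sector=20, media_type=2):
    """Construct a minimal disc image (made up for this example, not a real
    disc) holding only what an El Torito parser reads: the BRVD in sector 17
    and a boot catalog with a validation entry plus one default boot entry."""
    image = bytearray(SECTOR * (image_sector + 1))
    base = BRVD_SECTOR * SECTOR
    image[base] = 0                       # descriptor type 0 = boot record
    image[base + 1:base + 6] = b"CD001"   # ISO-9660 standard identifier
    image[base + 6] = 1                   # descriptor version
    image[base + 7:base + 39] = b"EL TORITO SPECIFICATION".ljust(32, b"\x00")
    image[base + 71:base + 75] = struct.pack("<I", catalog_sector)  # LE pointer

    # Validation entry: header 0x01, platform 0 (80x86), 24-byte ID string,
    # a 16-bit checksum chosen so all sixteen LE words sum to zero, key bytes 55 AA.
    ve = bytearray(32)
    ve[0], ve[1] = 0x01, 0x00
    ve[4:28] = b"example catalog".ljust(24, b"\x00")   # assumed ID string
    ve[30], ve[31] = 0x55, 0xAA
    ve[28:30] = struct.pack("<H", (-sum(struct.unpack("<16H", bytes(ve)))) & 0xFFFF)

    # Initial/default entry: 0x88 = bootable, media type byte, load segment
    # (0 means the default 0x7C0), sector count in 512-byte virtual sectors,
    # and the load RBA: the disc sector where the emulated floppy image begins.
    de = bytearray(32)
    de[0], de[1] = 0x88, media_type
    de[2:4] = struct.pack("<H", 0)
    de[6:8] = struct.pack("<H", 1)
    de[8:12] = struct.pack("<I", image_sector)

    cat = catalog_sector * SECTOR
    image[cat:cat + 64] = ve + de
    return bytes(image)


def parse_el_torito(image):
    """Locate the boot catalog through the BRVD, validate the catalog header
    (checksum and key bytes) and describe the default boot entry."""
    base = BRVD_SECTOR * SECTOR
    brvd = image[base:base + SECTOR]
    if len(brvd) < SECTOR or brvd[0] != 0 or brvd[1:6] != b"CD001":
        raise ValueError("sector 17 is not a boot record volume descriptor")
    if brvd[7:30] != b"EL TORITO SPECIFICATION":
        raise ValueError("boot record is not El Torito")
    catalog_sector = struct.unpack_from("<I", brvd, 71)[0]
    cat = catalog_sector * SECTOR
    ve, de = image[cat:cat + 32], image[cat + 32:cat + 64]
    if len(de) < 32:
        raise ValueError("boot catalog pointer lies outside the image")
    if ve[0] != 0x01 or ve[30:32] != b"\x55\xaa":
        raise ValueError("validation entry header or key bytes are wrong")
    if sum(struct.unpack("<16H", ve)) & 0xFFFF != 0:
        raise ValueError("validation entry checksum mismatch")
    return {
        "platform": {0: "80x86", 1: "PowerPC", 2: "Mac"}.get(ve[1], "unknown"),
        "bootable": de[0] == 0x88,
        "media_type": MEDIA_TYPES.get(de[1] & 0x0F, "unknown"),
        "load_segment": struct.unpack_from("<H", de, 2)[0] or 0x7C0,
        "sector_count": struct.unpack_from("<H", de, 6)[0],
        "load_rba": struct.unpack_from("<I", de, 8)[0],
    }


def catalog_is_valid(image):
    """True when the image carries a well-formed El Torito boot catalog."""
    try:
        parse_el_torito(image)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_el_torito(build_sample_iso()))
```

On a real disc you would pass the raw bytes of the ISO (or of the device, read-only) in place of the constructed image; a catalog whose checksum or key bytes do not verify is a sign that the boot structures were never finished or have been altered, which is worth noting before trusting the medium to boot.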

A number of emulators on the market let you try a LiveCD without burning it to a CD or booting it on the computer. The most widely supported i386 emulator is VMware. Others include Qemu, PearPC, and Bochs, which can also emulate the x86 and/or PowerPC® platforms; because of their emulation methods, however, they are slower than the commercial alternatives. Another commercial option is VirtualPC.

Investigating computers

Breaking into computers or computer networks and using them as a cover for serious illegal activities is a common activity, so common that many people have the skills necessary to do it. The ability to detect and catch a perpetrator, however, is less common. The greatest (though fictional) forensics expert Sherlock Holmes once said, "It is a capital mistake to theorize before you have all the evidence. It biases the judgment."

Collecting evidence from compromised systems is the job of computer forensics experts, the Sherlock Holmeses of the digital age. They use specialized tools to collect information about the system and then dissect and analyze it. It is no surprise that the best tools for the job are open source ones. The Coroner's Toolkit (TCT), the Sleuth Kit, the Autopsy Forensic Browser, and FLAG (Forensics Log Analysis GUI) are popular tools used not only by security experts but also by instructors of computer-security courses.
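The first step every one of those tools assumes has already happened is acquisition: a bit-for-bit image of the evidence drive, taken from a read-only source and hashed as it is written, so that later analysis can be shown to have run on an unaltered copy. This added example (not code from the article, from Helix or from Plan-B) shows that step in Python. It images a constructed stand-in for a block device, records SHA-1 and SHA-256 of the image, zero-fills any block the drive refuses to read (the same choice dd makes with conv=noerror,sync, so the image keeps the drive's geometry and the bad offsets go into the acquisition log) and then re-reads the finished image to verify the hash. The sample drive contents, the Device class and the bad-sector range are assumptions constructed for the example.

```python
import hashlib
import io

BLOCK = 4096  # acquisition block size; real tools use a multiple of the sector size

# Constructed stand-in for the evidence drive: 10 KiB of patterned bytes.
SAMPLE_DISK = bytes(range(256)) * 40


class Device:
    """Constructed stand-in for a raw block device opened read-only. Reads that
    overlap `bad_range` (byte offsets) fail with OSError, like a damaged sector."""

    def __init__(self, data, bad_range=None):
        self._buf = io.BytesIO(data)
        self._bad = bad_range

    def seek(self, offset):
        self._buf.seek(offset)

    def read(self, n):
        pos = self._buf.tell()
        if self._bad and pos < self._bad[1] and pos + n > self._bad[0]:
            raise OSError(5, "Input/output error")
        return self._buf.read(n)


def acquire(source, dest, size, block=BLOCK):
    """Copy `size` bytes of `source` into `dest` block by block, hashing every
    byte as it is written. An unreadable block is zero-filled and its offset
    recorded, so the image keeps the drive's geometry; the hashes therefore
    describe the image that was actually produced, bad blocks included."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    bad_blocks = []
    offset = 0
    while offset < size:
        n = min(block, size - offset)
        try:
            source.seek(offset)
            data = source.read(n)
        except OSError:
            data = b""
            bad_blocks.append(offset)
        if len(data) < n:                     # read error or short read: pad with zeros
            data += b"\x00" * (n - len(data))
        dest.write(data)
        sha1.update(data)
        sha256.update(data)
        offset += n
    return {"size": size, "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest(), "bad_blocks": bad_blocks}


def sha256_hex(data):
    """Hash of a complete buffer, used to confirm the streamed hash independently."""
    return hashlib.sha256(data).hexdigest()


def verify_image(dest, report):
    """Re-read the finished image from the start and confirm it still matches
    the SHA-256 recorded at acquisition time."""
    dest.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: dest.read(BLOCK), b""):
        h.update(chunk)
    return h.hexdigest() == report["sha256"]


def run_demo(bad_range=(BLOCK, BLOCK + 512)):
    """Image the sample drive (with one unreadable region by default) into an
    in-memory file; return the acquisition report, the image and the verify result."""
    out = io.BytesIO()
    report = acquire(Device(SAMPLE_DISK, bad_range), out, len(SAMPLE_DISK))
    return report, out.getvalue(), verify_image(out, report)


if __name__ == "__main__":
    report, image, ok = run_demo()
    print(report, "verified:", ok)
```

The acquisition report (size, hashes, list of unreadable offsets) is what goes into the case notes beside the image; a later examiner who re-runs verify_image and gets the same SHA-256 has evidence that the copy they are dissecting is the one that was taken, and the bad-block list explains any runs of zeros the analysis tools turn up.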

Helix

Like many specialized LiveCDs, Helix was born out of necessity. Andrew Fahey, a security and forensics expert working with e-fense Inc., started with a Knoppix base and added the tools he used for his day-to-day work.

"The user base is fairly interactive. I have users from around the world that contribute feedback. Since people use Helix in various environments, making sure everything works perfectly in every situation is an ongoing, time-consuming task. That is why I rely on users for that feedback to improve Helix and to fix any bugs that have been found. I also rely on users for language translation," says Andrew.

Helix has a live Windows®-side interface that allows a running Windows system to be forensically imaged. This interface has been translated into German and will soon be translated into Portuguese. In addition, many of its incident-response tools have been designed with first response in mind. Helix is also in use by many organizations teaching forensics, including the National White Collar Crime Center (NW3C), the System Administrator Network Security (SANS) Institute, and the National Consortium for Justice Information and Statistics.

Helix was not designed to be installed on the hard disk, but a future version might be. "I would like to see a hardware abstraction layer installed similar to what Fedora uses for hardware recognition. I have already added the union-fs module a while ago, which was a major hurdle to overcome," notes Andrew. While most of the tools that go into Helix are his personal choices, some are recommendations by the community. His biggest issue is with tools that require licensing.

The next release will have updated tools and the new Retriever and new Adepto programs, which Andrew uses all the time along with tools from The Sleuth Kit and PyFLAG.


Figure 1. Helix, PyFLAG, Adepto, and ClamAV virus scan in action

Plan-B

Plan-B by Jeremy McDaniel is a forensics LiveCD inspired by Peter Anvin's SuperRescue CD. It's based on Red Hat 9, runs the Blackbox window manager, and uses the zisofs filesystem to compress about 1.4GB of data onto a CD. It has forensic analysis tools such as Autopsy, The Sleuth Kit, BCWipe, and more, along with everyday tools like e-mail clients, browsers, chat clients, and word processors. According to the project's Web site:

The biggest changes (in the next version) will be updates to most if not all the current software, the addition of a 2.6 kernel, and rollover to Fedora. The primary database will be MySQL for the addition of a new application server. Plans are now in the works to create an eServer™-based Security/Auditing/Planning Module. It eventually will be released as a standalone application. Plan-B will simply serve as a mobile testing solution. This would be a tool for a team-based audit and penetration testing interface with report creation ability.

Figure 2. Plan-B provides a familiar command-line interface in this analysis report

Conclusion

Imagine being able to easily acquire the skills of a seasoned computer forensics expert from a bootable Linux CD. It's not a dream. It's reality when you use either of the LiveCDs reviewed in this article. Happy sleuthing!


Resources

Get products and technologies

  • Helix is a customized distribution of the Knoppix Live Linux CD that focuses on incident response and forensics tools.

  • Plan-B is a bootable Linux environment that can serve many roles for a technician or network administrator.

  • PyFlag is a version of FLAG (Forensic and Log Analysis GUI) that can simplify the process of log-file analysis and forensic investigations and uses a back-end database to handle large datasets.

  • The Sleuth Kit (TSK) is a collection of command-line tools based on The Coroner's Toolkit (TCT); Autopsy is a graphical interface to the command-line tools in TSK.

  • The Coroner's Toolkit (TCT) is a collection of programs to perform a post-mortem analysis of a UNIX system after break-in.

  • BCWipe is a shell extender for Windows intended to securely delete your files.

  • Order the SEK for Linux, a two-DVD set containing the latest IBM trial software for Linux from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.

  • With IBM trial software, available for download directly from developerWorks, build your next development project on Linux.
