
Restore compromised systems with diagnostics LiveCDs

Two tools let you detect system break-ins and recover critical data

Mayank Sharma (geeky_bodhi@yahoo.co.in), Freelance technical writer
Mayank Sharma has been writing about technology, especially free and open software, for the past five years. He helped launch South Asia's leading FLOSS monthly LINUX For You (as its Assistant Editor) and is currently busy putting together a Web-based publication devoted to localization, education, and FLOSS migration. Besides writing, Mayank loves to hack also; his most recent contribution is an installer for the Utkarsh localization project. Still struggling for a computer science degree, he loves Formula One car racing.

Summary:  Want to assess your Linux® system's integrity and recover lost data without lengthy installation and configuration efforts? Get to know two packages -- Helix and Plan-B -- that bring you that ability through the magic of LiveCD.

Date:  31 Jan 2006
Level:  Introductory
Also available in:   Russian


Mayank's previous article "Assess system security using a Linux LiveCD" looked at LiveCDs that come with tools to help you assess your computer's security. But what do you do if a system has been compromised and used for illegal or unauthorized activities? One option is to call in computer security experts. Another is to download the tools the experts use, learn them, and become your own expert in integrity assurance and data recovery. And there is no setup to worry about: they come as LiveCDs.

About LiveCD

A LiveCD is an operating system (plus other software) stored on a bootable CD-ROM from which the OS runs without a time-consuming installation. Most are based on the Linux kernel, but there are LiveCDs for other operating systems. A LiveCD runs from the read-only disc and keeps the parts of the filesystem that must be writable on a RAM disk, which leaves less RAM for applications and can slow performance. Once you eject the LiveCD and reboot, your original system comes back untouched. For forensic work that guarantee is the whole point, and it only holds if the LiveCD never mounts the host's disks read-write or activates their swap partitions: every write changes the evidence. Some LiveCDs come with an installation utility that lets you install the system on a hard drive or USB key drive; most can access data on internal or external hard drives, removable disks, and Flash memory.

Linux-based LiveCDs are usually booted by isolinux, the CD-ROM loader from the syslinux package that also boots Linux floppies. On the PC, the bootable CD conforms to the El Torito specification: a boot record among the disc's volume descriptors points to a boot catalog, whose entries tell the BIOS either to present a (possibly hidden) file on the disc as a floppy diskette image or, in the no-emulation mode isolinux uses, to load the boot image directly. Many LiveCDs store the root filesystem as a compressed image read through the cloop compressed loopback driver, which roughly doubles the capacity of the disc.
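To make the boot path concrete, here is an added example (not code from the article, from syslinux, or from either LiveCD) that walks an ISO 9660 image's volume descriptors, finds the El Torito boot record, validates the boot catalog checksum and reports how the default entry boots, i.e. whether the BIOS will emulate a floppy or jump straight into a loader such as isolinux. The `build_test_iso` helper constructs a minimal image purely for the demonstration; the offsets and constants come from the El Torito and ISO 9660 specifications.

```python
import struct

SECTOR = 2048                                   # ISO 9660 logical sector size
EL_TORITO_ID = b"EL TORITO SPECIFICATION"       # boot system identifier in the boot record
PLATFORMS = {0x00: "80x86", 0x01: "PowerPC", 0x02: "Mac", 0xEF: "EFI"}
MEDIA_TYPES = {0: "no emulation", 1: "1.2 MB floppy emulation",
               2: "1.44 MB floppy emulation", 3: "2.88 MB floppy emulation",
               4: "hard disk emulation"}


def _sector(image, lba):
    start = lba * SECTOR
    if start + SECTOR > len(image):
        raise ValueError("LBA %d lies beyond the end of the image" % lba)
    return image[start:start + SECTOR]


def find_boot_catalog(image):
    """Walk the volume descriptor set, which starts at sector 16 and ends with a
    type-255 terminator, and return the LBA of the El Torito boot catalog."""
    lba = 16
    while True:
        vd = _sector(image, lba)
        if vd[1:6] != b"CD001" or vd[6] != 1:
            raise ValueError("sector %d is not an ISO 9660 volume descriptor" % lba)
        if vd[0] == 255:
            raise ValueError("descriptor set ends without an El Torito boot record")
        if vd[0] == 0 and vd[7:39].rstrip(b"\0") == EL_TORITO_ID:
            return struct.unpack_from("<I", vd, 71)[0]   # bytes 71-74: catalog LBA
        lba += 1


def parse_boot_catalog(image, catalog_lba):
    """Check the validation entry and decode the initial/default entry."""
    cat = _sector(image, catalog_lba)
    validation, default = cat[:32], cat[32:64]
    if validation[0] != 0x01 or validation[30:32] != b"\x55\xAA":
        raise ValueError("boot catalog validation entry is malformed")
    # The 16 little-endian words of the validation entry must sum to zero mod 2^16.
    if sum(struct.unpack("<16H", validation)) & 0xFFFF:
        raise ValueError("boot catalog validation entry checksum is wrong")
    bootable, media, load_seg, sys_type, _unused, count, load_lba = \
        struct.unpack_from("<BBHBBHI", default, 0)
    if bootable != 0x88:
        raise ValueError("default boot entry is not marked bootable")
    return {
        "platform": PLATFORMS.get(validation[1], "unknown (0x%02x)" % validation[1]),
        "emulation": MEDIA_TYPES.get(media, "reserved (%d)" % media),
        "load_segment": load_seg or 0x7C0,   # 0 means the traditional 0000:7C00
        "partition_type": sys_type,          # only meaningful for hard-disk emulation
        "sector_count": count,               # 512-byte virtual sectors to load
        "load_lba": load_lba,                # where the boot image starts on the CD
    }


def describe_boot(image):
    return parse_boot_catalog(image, find_boot_catalog(image))


def boot_info_or_error(image):
    """Return (info, None) or (None, reason) so a scanner can log instead of crash."""
    try:
        return describe_boot(image), None
    except ValueError as exc:
        return None, str(exc)


def build_test_iso(boot_image, media=0):
    """Constructed, minimal image for this example only: PVD at sector 16, boot
    record at 17, terminator at 18, boot catalog at 19, boot image from 20."""
    nsectors = 20 + (len(boot_image) + SECTOR - 1) // SECTOR
    img = bytearray(nsectors * SECTOR)

    def put(lba, data):
        img[lba * SECTOR:lba * SECTOR + len(data)] = data

    put(16, b"\x01CD001\x01")                          # primary volume descriptor
    record = bytearray(SECTOR)                          # boot record volume descriptor
    record[1:6] = b"CD001"
    record[6] = 1
    record[7:7 + len(EL_TORITO_ID)] = EL_TORITO_ID
    struct.pack_into("<I", record, 71, 19)              # catalog lives at LBA 19
    put(17, record)
    put(18, b"\xffCD001\x01")                          # set terminator

    validation = bytearray(32)
    validation[0], validation[1] = 0x01, 0x00          # header ID, platform 80x86
    validation[4:11] = b"example"
    validation[30:32] = b"\x55\xAA"
    struct.pack_into("<H", validation, 28,
                     (-sum(struct.unpack("<16H", validation))) & 0xFFFF)
    count = (len(boot_image) + 511) // 512
    default = struct.pack("<BBHBBHI", 0x88, media, 0, 0, 0, count, 20) + bytes(20)
    put(19, bytes(validation) + default)
    put(20, boot_image)
    return bytes(img)


if __name__ == "__main__":
    print(describe_boot(build_test_iso(b"\xeb\xfe".ljust(2048, b"\0"))))
```

Run it against a real LiveCD by reading the `.iso` file into `describe_boot`: an isolinux-based disc reports "no emulation" with a small sector count, whereas a disc carrying a floppy image reports the emulation type and a load LBA where that image sits.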

A number of virtual machines and emulators let you try a LiveCD without burning it to a CD or rebooting the computer. The most widely used for i386 is VMware, which runs guest code on the real processor and so is close to native speed. Qemu, PearPC, and Bochs are true emulators (Qemu emulates x86 and PowerPC®, Bochs x86, PearPC PowerPC), and because they interpret or translate the guest's instructions they are slower than the commercial alternatives; Microsoft Virtual PC is another commercial option. A virtual machine is the place to learn the tools; acquiring evidence still means booting the CD on the suspect machine itself, or attaching its disk to a workstation behind a hardware write blocker.

Investigating computers

Breaking into computers or networks and using them as a cover for serious illegal activity is common, so common that many people have the skills to do it. The ability to detect the break-in and catch the perpetrator is less common. The greatest (though fictional) forensics expert, Sherlock Holmes, once said, "It is a capital mistake to theorize before you have all the evidence. It biases the judgment."

Collecting evidence from compromised systems is the job of computer forensics experts, the Sherlock Holmeses of the digital age. They use specialized tools to collect information about the system, then dissect and analyze it. Many of the best tools for the job are open source: The Coroner's Toolkit (TCT), The Sleuth Kit, the Autopsy Forensic Browser, and FLAG (Forensic and Log Analysis GUI) are used not only by security experts but also by instructors of computer-security courses.

Helix

Like many specialized LiveCDs, Helix was born out of necessity. Andrew Fahey, a security and forensics expert working with e-fense Inc., started with a Knoppix base and added the tools he used for his day-to-day work.

"The user base is fairly interactive. I have users from around the world that contribute feedback. Since people use Helix in various environments, making sure everything works perfectly in every situation is an ongoing, time-consuming task. That is why I rely on users for that feedback to improve Helix and to fix any bugs that have been found. I also rely on users for language translation," says Andrew.

Helix also has a Windows®-side interface that runs on a live Windows system so that the system can be forensically imaged without rebooting it. This interface has been translated into German and will soon be translated into Portuguese. In addition, many of the incident-response tools have been chosen with first response in mind. Helix is also in use by many organizations that teach forensics, including the National White Collar Crime Center (NW3C), the SANS (SysAdmin, Audit, Network, Security) Institute, and the National Consortium for Justice Information and Statistics.

Helix was not designed to be installed on the hard disk, but a future version might be. "I would like to see a hardware abstraction layer installed similar to what Fedora uses for hardware recognition. I have already added the union-fs module a while ago, which was a major hurdle to overcome," notes Andrew. While most of the tools that go into Helix are his personal choices, some are recommendations by the community. His biggest issue is with tools that require licensing.

The next release will have updated tools plus the new Retriever and Adepto programs, which Andrew uses all the time along with tools from The Sleuth Kit and PyFLAG.
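As an added example (not Adepto's, Retriever's or Helix's own code), here is the core of a forensic acquisition of the kind those tools perform: copy the device sector by sector, hash the stream as it is written, substitute zeros for unreadable sectors so the image stays offset-aligned, and verify the stored image against the digests taken during acquisition. MD5 and SHA-1 are what tools of this era record; both are collision-broken now, so the example keeps SHA-256 alongside them. The 64-sector sample device and its failing sector are constructed here for the demonstration.

```python
import hashlib
import io

SECTOR = 512          # logical sector size assumed for the source device


def acquire(read_sector, total_sectors, dst, algorithms=("md5", "sha1", "sha256")):
    """Copy total_sectors sectors obtained from read_sector(lba) into the file-like
    dst, hashing the bytes as they are written. A sector whose read fails is
    replaced by zeros and recorded (the behaviour of dd conv=noerror,sync), so
    every later sector keeps its original offset in the image."""
    digests = {name: hashlib.new(name) for name in algorithms}
    unreadable = []
    for lba in range(total_sectors):
        try:
            block = read_sector(lba)
        except OSError:
            block = bytes(SECTOR)
            unreadable.append(lba)
        if len(block) != SECTOR:
            raise ValueError("sector %d returned %d bytes" % (lba, len(block)))
        dst.write(block)
        for h in digests.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}, unreadable


def verify_image(image_bytes, expected):
    """Re-hash the stored image and compare with the digests taken at acquisition;
    the per-algorithm result is what goes into the chain-of-custody notes."""
    return {name: hashlib.new(name, image_bytes).hexdigest() == value
            for name, value in expected.items()}


def make_sample_device(bad_sectors=()):
    """Constructed 64-sector 'disk' for the example: a fixed byte pattern, and
    reads of the given sectors fail with an I/O error like a dying drive would."""
    data = bytes(range(256)) * (64 * SECTOR // 256)

    def read_sector(lba):
        if lba in bad_sectors:
            raise OSError("Input/output error at sector %d" % lba)
        return data[lba * SECTOR:(lba + 1) * SECTOR]

    return read_sector, 64


def image_sample_device(bad_sectors=(5,)):
    """Acquire the sample device into memory and return
    (image_bytes, digests, unreadable_sectors, verification)."""
    read_sector, n = make_sample_device(bad_sectors)
    out = io.BytesIO()
    digests, unreadable = acquire(read_sector, n, out)
    image = out.getvalue()
    return image, digests, unreadable, verify_image(image, digests)


if __name__ == "__main__":
    image, digests, unreadable, ok = image_sample_device()
    print("unreadable sectors:", unreadable)
    for name, value in digests.items():
        print("%-6s %s  verified=%s" % (name, value, ok[name]))
```

On a real system `read_sector` would wrap `os.pread` on the block device opened read-only (ideally behind a write blocker), and `dst` would be a file on separate evidence media. Note that when sectors were unreadable the image hash cannot match a hash of the source device; record the list of zeroed sectors with the digests so the discrepancy is explained rather than discovered later.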


Figure 1. Helix, PyFLAG, Adepto, and ClamAV virus scan in action

Plan-B

Plan-B, by Jeremy McDaniel, is a forensics LiveCD inspired by H. Peter Anvin's SuperRescue CD. It's based on Red Hat 9, runs the Blackbox window manager, and uses the zisofs filesystem to compress about 1.4GB of software onto a single CD. It has forensic analysis tools like Autopsy, The Sleuth Kit, BCWipe, and more, along with everyday tools like e-mail clients, browsers, chat clients, and word processors. According to the project's Web site:

The biggest changes (in the next version) will be updates to most if not all the current software, the addition of a 2.6 kernel, and rollover to Fedora. The primary database will be MySQL for the addition of a new application server. Plans are now in the works to create an eServer™-based Security/Auditing/Planning Module. It eventually will be released as a standalone application. Plan-B will simply serve as a mobile testing solution. This would be a tool for a team-based audit and penetration testing interface with report creation ability.
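An added example, not Plan-B's build scripts or the kernel's zisofs driver: a Python encoder and decoder for the zisofs file layout that Plan-B relies on to fit its software onto one disc (cloop, mentioned under About LiveCD, applies the same idea to a whole filesystem image with its own header and offset table). The decoder shows the checks a tool must make before trusting block pointers and compressed data from an image it did not build: bounded inflation, pointer range checks, and the zero-length entry that zisofs uses for an all-zero block. The sample file is constructed here; the header layout and block sizes are those of the zisofs format.

```python
import struct
import zlib

ZISOFS_MAGIC = bytes.fromhex("37e45396c9dbd607")
# magic, uncompressed length, header size in 4-byte units, log2 block size, 2 reserved
HEADER = struct.Struct("<8sIBBxx")
BLOCK_LOG2_ALLOWED = (15, 16, 17)    # 32 KiB, 64 KiB, 128 KiB


def zisofs_compress(data, block_log2=15):
    """Produce a zisofs file body: header, block pointer table, zlib blocks."""
    if block_log2 not in BLOCK_LOG2_ALLOWED:
        raise ValueError("block size must be 32K, 64K or 128K")
    block_size = 1 << block_log2
    nblocks = (len(data) + block_size - 1) // block_size
    header = HEADER.pack(ZISOFS_MAGIC, len(data), HEADER.size // 4, block_log2)
    pointers, blobs = [], []
    offset = HEADER.size + 4 * (nblocks + 1)
    for i in range(nblocks):
        pointers.append(offset)
        chunk = data[i * block_size:(i + 1) * block_size]
        blob = b"" if not any(chunk) else zlib.compress(chunk, 9)   # empty = all-zero block
        blobs.append(blob)
        offset += len(blob)
    pointers.append(offset)                     # end pointer closes the last block
    table = struct.pack("<%dI" % (nblocks + 1), *pointers)
    return header + table + b"".join(blobs)


def zisofs_decompress(body):
    """Inverse of zisofs_compress, with the bounds checks a kernel or forensic
    tool needs when the image it reads may be hostile."""
    if len(body) < HEADER.size:
        raise ValueError("truncated zisofs header")
    magic, ulen, hsize, block_log2 = HEADER.unpack_from(body, 0)
    if magic != ZISOFS_MAGIC:
        raise ValueError("not a zisofs file")
    if hsize * 4 != HEADER.size or block_log2 not in BLOCK_LOG2_ALLOWED:
        raise ValueError("unsupported zisofs header")
    block_size = 1 << block_log2
    nblocks = (ulen + block_size - 1) // block_size
    if HEADER.size + 4 * (nblocks + 1) > len(body):
        raise ValueError("block pointer table is truncated")
    pointers = struct.unpack_from("<%dI" % (nblocks + 1), body, HEADER.size)
    out = bytearray()
    for i in range(nblocks):
        start, end = pointers[i], pointers[i + 1]
        want = min(block_size, ulen - len(out))
        if not start <= end <= len(body):
            raise ValueError("block %d pointer out of range" % i)
        if start == end:
            out += bytes(want)                  # zero-length entry: block of zeros
            continue
        inflater = zlib.decompressobj()
        # Never inflate more than one byte past the block: a hostile stream cannot
        # balloon memory, and one extra byte is enough to detect an oversized block.
        chunk = inflater.decompress(body[start:end], want + 1)
        if len(chunk) != want or not inflater.eof or inflater.unconsumed_tail:
            raise ValueError("block %d does not inflate to %d bytes" % (i, want))
        out += chunk
    return bytes(out)


def block_table(body):
    """Return the block pointer table of a zisofs body (handy when auditing an image)."""
    if len(body) < HEADER.size:
        raise ValueError("truncated zisofs header")
    _, ulen, _, block_log2 = HEADER.unpack_from(body, 0)
    nblocks = (ulen + (1 << block_log2) - 1) >> block_log2
    return list(struct.unpack_from("<%dI" % (nblocks + 1), body, HEADER.size))


def safe_decompress(body):
    """Decode or return None, for callers scanning many files in an image."""
    try:
        return zisofs_decompress(body)
    except (ValueError, zlib.error):
        return None


def sample_file():
    """Constructed input for the demonstration: a compressible text block, a block
    of zeros (as in a sparse file) and a short final block."""
    block = 1 << 15
    text = (b"Plan-B forensic LiveCD, zisofs sample\n" * 1000)[:block]
    return text + bytes(block) + b"tail of the file" * 60


if __name__ == "__main__":
    data = sample_file()
    body = zisofs_compress(data)
    print(len(data), "->", len(body), "bytes; table", block_table(body))
    print("round trip ok:", zisofs_decompress(body) == data)
```

The ratio on real distribution files is far less dramatic than on this repetitive sample, but the zero-length-block trick alone is why sparse files and padding cost nothing on the disc.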

Figure 2. Plan-B provides a familiar command-line interface in this analysis report

Conclusion

Imagine having the toolkit of a seasoned computer forensics expert on a bootable Linux CD. It's not a dream: either of the LiveCDs reviewed in this article puts those tools in your hands, and the expertise comes from practising with them on systems you are allowed to examine. Happy sleuthing!


Resources

Get products and technologies

  • Helix is a customized distribution of the Knoppix Live Linux CD that focuses on incident response and forensics tools.

  • Plan-B is a bootable Linux environment that can serve many roles for a technician or network administrator.

  • PyFlag is a version of FLAG (Forensic and Log Analysis GUI) that can simplify the process of log-file analysis and forensic investigations and uses a back-end database to handle large datasets.

  • The Sleuth Kit (TSK) is a collection of command-line tools based on The Coroner's Toolkit (TCT); Autopsy is a graphical interface to the command-line tools in TSK.

  • The Coroner's Toolkit (TCT) is a collection of programs to perform a post-mortem analysis of a UNIX system after break-in.

  • BCWipe is a secure-deletion tool from Jetico; the Windows version is a shell extension, and a command-line version exists for Linux and other UNIX systems, which is the form a Linux LiveCD carries.

