[sf-lug] forensics with Linux

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Nov 21 17:17:44 PST 2009

Some bits that might help, in not necessarily any particular order.

o Follow one's documented incident response plan (the handling of such
   incidents was properly planned for, right?).
o Having, or not having the above, DON'T PANIC!  Quick rash decisions
   can cause problems, and may not be reversible.
o There's often the typical trade-off to be considered between:
   o Continue to watch, track, and investigate; try not to tip one's hand
     (at least not prematurely, anyway).
   o Shut stuff down, try to thwart further damage, clean up, and move on
   o One may not have a choice (e.g. governmental, law enforcement,
     contractual obligations, practical matters and/or policy may dictate
     what methods are used, and when).
o Never trust that a compromised system is reporting anything
   accurately, or is, or was doing what it should be doing.  E.g. "root
   kits", kernel modules, etc. can make it infeasible to impossible to
   determine from compromised system itself if the system itself is
   compromised or not.
o Shutting down as or about as abruptly as possible may enhance
   preservation of disk data.  "Normal" shutdown procedures/sequences may
   be compromised, and may alter or destroy evidence.  E.g. for fast
   shutdown, remove power - for a laptop that may entail removing
   external power and pulling the laptop battery.  Note also that many
   modern systems, when "power switch"/button is pressed may not
   immediately shut down, but instead will (with short press), attempt to
   start a normal shutdown procedure (press and hold may drop power - but
   it might not be fast enough, as that may attempt to start normal
   shutdown procedures first).  Removing power connections (power cords)
   and pulling any (e.g. laptop) battery power source may be best and
   fastest.  Absolutely no guarantees that such an approach would be
   harmless to all hardware (e.g. pulling laptop battery from a running
   laptop may damage the laptop hardware and/or battery - but is
   improbable to damage the hard drive hardware).
o shutting down may lose evidence of what's resident in RAM - and
   possibly only in RAM - some malware will run only in RAM and not exist
   on disk (e.g. some network worms / bot nets may operate that way to
   make it harder to catch and examine the malware).
o shutting down allows one to then boot from good known operating system
   (e.g. validated CD-ROM or USB, etc.), and examine disk(/flash/ROM/...)
   of compromised or suspected compromised system - and to accurately see
   what is there.
o Don't know that it's ever been used or successfully used in any public
   forensics cases or the like yet, but copying a full image of the hard
   drive data isn't quite the same.  There are advanced techniques,
   which, at least in theory, may allow for recovery of data that was
   physically overwritten on the hard drive.  This evidence may not be
   accessible from the external interfaces of the hard drive (may require
   access to raw data from drive heads and/or advanced scanning of the
   magnetic media).  See, e.g.:
o Stuff (e.g. malware) can be tucked away in CMOS/BIOS/flash, etc.
   BIOS/CMOS may allow areas of disk to be "hidden"/reserved - stuff
   could be hidden there.  Filesystems and storage can be abused - e.g.
   data stored where it shouldn't legitimately belong, or filesystems
   tampered with in ways to further hide data.
o It's often/generally infeasible to "clean up" the data/programs, etc.
   of a compromised system - most commonly much more efficient to do a
   fresh clean install, apply security updates/patches, make sufficiently
   sure vulnerabilities that allowed exploit have been closed, and if any
   data/programs are going to be merged or brought in from what was
   compromised system/image, they must be fully validated as
   clean/correct before reintroducing them.
o clean-up; don't trust information reported by or actions taken by
   compromised or possibly compromised system, see also:
o Have a peek at:
o Many other good/excellent points/tips already earlier on this
o I am not a lawyer, nor do I play one on TV.
o I am not a forensics expert.


> Date: Wed, 18 Nov 2009 07:05:33 -0800
> From: Pseudo Anonymous <pseudo.anonymous70 at gmail.com>
> Subject: [sf-lug] forensics with Linux
> To: sf-lug at linuxmafia.com
> forensics with Linux
> Let's say someone hands us a laptop that is or likely has been
> compromised.  Let's say we actually want to preserve an exact image
> copy of the laptop hard drive.  Let's say we also want to compute some
> secure cryptographic hashes of entire laptop hard drive and
> digitally sign - such as with gpg - those hashes and statement about
> those hashes.  Let's say we've got quite sufficiently large external
> USB drive that we can attach and that wasn't at all involved in
> compromise and hasn't been attached to that laptop before.
> So, how would we best proceed to: boot Linux off of CD or DVD (or
> possibly even USB stick) and make absolutely no write access to the
> laptop hard drive - e.g. nothing that would automatically or by default
> mount or attempt to mount anything on the laptop filesystem(s) rw?
> We'd also want to be sure nothing attempts to run/boot/execute anything
> off the laptop hard drive.  Let's say we've got someone that well knows
> how to wield fdisk/cfdisk/sfdisk/mke2fs/dd/gpg/openssl, and at least
> most common Linux systems administration tasks, but may or may not be a
> forensics expert, and we're mostly interested in preserving evidence of
> state and data of laptop hard drive.
> Any particular recommendations of handy readily available Linux
> distribution that would be best/easiest to accomplish these tasks -
> such as run from live CD image, and if needed, including actions or
> boot options to ensure it doesn't make or attempt to make any write
> access to laptop hard drive by default including having it not making
> nor attempting to make any rw mounts of laptop filesystem(s).
> And for the legal or legally inclined folks, particular recommendations
> for evidence preservation/handling for possible use in criminal and/or
> civil case(s) in such described situation?

More information about the sf-lug mailing list