Forensics is the best part of digital devices which even a basic user does in his day to day life but doing it in some technical way and including some cyber laws makes it more powerful. While forensic examination of electronic data storage devices has been in use for quite some time now, digital forensics gained greater significance with the arrival and wide-spread use of mobile electronic devices capable of storing and manipulating digital data. Apart from analysing data to arrive at conclusion that support an investigation, digital forensics also gives guidelines for data collection, preservation and imaging. One of the uses of the Matriux distribution is that it is extremely useful for a digital forensic examiner. While a discussion of the digital forensic processes and techniques is beyond the scope of this paper, we will discuss some of the features of Matriux that assist the digital forensic investigator.
Digital forensics is a systematic procedure that needs to be followed to arrive at a conclusion in an investigation. The steps include the following aspects
- Preservation of evidence
- Data acquisition
- Data recovery
- Analysis of data
- Document / reporting the evidence
There are various techniques and tools to follow these steps. Some of these are elaborated in this section.
Preservation of Evidence
It is the technique of storing digital evidence in a safe manner. For example, using a Faraday Bag to protect Hard Disks from external interference.
Acquisition saves the state of a digital system so that it can be later analyzed. Some of the good tools to enable data acquisition which we have included in our distro are
- AIR and
AIR (Automated Image and Restore)
AIR(Automated Image and Restore) Imager is a GUI front end for dd. It is easy to create and restore digital images. It has the following features
- Image verification via MD5 or SHA1
- Image compression/decompression using gzip/bzip2
- Image over a TCP/IP network uses netcat/cryptcat
- Wiping (zeroing) drives or partitions
Installation of AIR
Prerequisites for AIR are is:-
- md5deep package
- dc3dd 6.12.3
Some of these packages you can get with Sharutils. It can be downloaded it from http://packages.debian.org/lenny/sharutils according to your architecture. Then go to terminal, go to the place where you saved the package and type:-
sudo apt-get install sharutils(This installs sharutils package) (Download your AIR package fromhttp://sourceforge.net/apps/mediawiki/air-imager/) sudo tar -zxvf air-version (this unzips your package) chmod +x install-air-version (This gives a executable permission to the file) ./install-air-version (Installs your air package)
It first checks for Perl updated version and downloads it and then starts AIR installation. After completion you will be given a message “All Done”. If you face any problem in installing AIR please check whether you installed libx11-dev and xutils-dev packages. If not please install them then again run AIR installation.
To access AIR, type sudo air in terminal.
To take a image of a drive you can select destination path and image compression technique. If you want to split the image into parts you can specify the space in size. By clicking on Show Status windows button you can observe different status of the selected devices configuration. We can even wipe out / rewrite a drive with zeros by selecting zero as a connected device. You can connect a remote computer and take its image or restore a image on it by selecting NET as a connected device.
Guymager is a forensics tool used for imaging a disk / memory card.
• User friendly
• Fast and multi-threaded data compression
• Extended information to the image file.
• Open Source
Installation/Update of the package
Guymager is contained in the standard repositories of several distributions. Installation can be done with a graphical tool or on the command line with the following commands:-
apt-get install Guymager To update:- apt-get update dpkg -i guymager-beta_ver_i386.deb apt-get -f install
you can manually download the packages from http://apt.pinguin.lu/ according to your processor architecture and you can use the same command to install the Guymager. However, to run, you need the dependency packages namely smartmontools and hdparm.
Guymager is a Qt-based forensic imager. It is capable of producing image files in EWF and dd format.
The internal structure is based on separate threads for reading, MD5 calculation, writing and includes a parallelised compression engine, thus making full usage of multi-processor and hyper-threading machines. Guymager should be run with root privileges, as other users do not have access to physical devices normally.
Guymager mainly works with two configuration files:
/etc/guymager/guymager.cfg – The main configuration file and/etc/guymager/local.cfg – The parameters adjusted here have precedence over guymager.cfg
The above figure represents the GUI of Guymager. It is divided in to two sections. Section one shows your disks connected to your machine. You can connect your storage devices even after you launch the program by clicking on rescan at the top. Each disk is represented with its serial number and model.
Second section indicates the information of the selected partition with MD5 hash value.
By right clicking on a selected partition provides you with operations like Acquire and Info. Selecting Info will provide you with detailed information of the selected partition. You can also observe the commands executed in the window to retrieve the details.
By selecting Acquire, you are asked for the image acquisition parameters. After giving the related parameters click on ok. This it will start Data acquisition which is shown in the state tab from the GUI and it is indicated with the progress of process.
The default settings can be reverted from the default configuration file by accessing it from Vim.tiny/etc/Guymager/Guymager.cfg