
The White Glove Bootable CDs are designed specifically to allow forensically sound and covert operations. This starts with the way they boot up and continues through all aspects of their operation.
At bootup, file systems are sought out and mounted read-only for forensic analysis without alteration. The network interface is brought up but it emits no packets and does not configure an IP address or respond to ARP requests. Even when an IP address is assigned, the system has no services available unless and until you configure them. By using a floppy disk you can create automated startup capabilities to configure the system as you like it, but by default it does things safely.
The Bootable CD forensic analysis versions include a wide variety of useful tools for forensic analysis. This includes disk, file system, and file imaging, verification, and analysis tools. Some of the relevant programs include:
| antiword | Get at detailed content and structure of Word documents |
| badblocks | Search a device for bad blocks |
| cfdisk | Curses based disk partition table manipulator |
| chklastlog | Check lastlog for anomalies |
| chkrootkit | Check for known rootkits |
| cksum | Checksum and count the bytes in a file |
| cmp | Compare two files |
| comm | Compare two sorted files line by line |
| convert | Convert between image formats |
| dd | Disk dump |
| debugfs | Ext2 file system debugger |
| debugreiserfs | Reiser file system debugger |
| diff | Find differences between two files |
| diff3 | Find differences between three files |
| dsniff | Sniff network packets from Ethernets |
| dump_cis | Display PCMCIA Card Information Structures |
| dumpe2fs | Dump filesystem information |
| egrep | Print lines matching a pattern |
| ethereal | Watch ethernet packets graphically from X11 |
| ettercap | Capture ethernet packets |
| extract_compressed_fs | Extract a compressed file system |
| fdisk | Partition table editor for hard disks |
| file | Determine file type |
| find | Search a directory hierarchy |
| find_ethernet | Find ethernets |
| find_hdd | Find hard disk drives |
| find_scsi | Find SCSI devices |
| find_usb | Find USB devices |
| findimages | Find graphical image files |
| ForensiX | Forensic analysis in X11 |
| forword | Forensics for Word |
| fsck | File system checker |
| fsck.ext2 | Check EXT2 file system |
| fsck.ext3 | Check ext3 file system |
| fsck.minix | Check minix file system |
| gettextize | Get the size of an EXT file system |
| grep | Print lines matching a pattern |
| hdparm | Hard disk parameter fetch and set |
| httrack | Retrieve web sites |
| hunt | Packet analysis and session interception |
| hwclock | Query and set the hardware clock |
| iconv | Convert between file codings |
| ide_info | Information on the IDE interface |
| identify | Describe format and characteristics of image file(s) |
| import | Capture X screen and save to a file |
| isodump | Dump an ISO9660 file system |
| isoinfo | Information on an ISO9660 file system |
| isosize | Size of an ISO9660 file system |
| isovfy | Verify an ISO9660 file system |
| kbd_mode | Report or set the keyboard mode |
| less | Show files page-by-page and allow search |
| losetup | Setup loopback file systems |
| libpst | Convert outlook PST files to Unix mbox files |
| libdbx | Convert outlook express files to mail directories |
| ls | List files |
| lsattr | List file attributes |
| lsdev | List devices |
| mac-robber | Modified, Access, and Change (MAC) times from allocated files |
| mawk | Pattern scanning and text processing language |
| md5sum | MD5 cryptographic checksum generator |
| more | Show a file a page at a time (like less) |
| mount | Mount a file system |
| mpg123 | Play audio MPEG 1.0/2.0 file (layers 1, 2 and 3) |
| mtools | Utilities to access DOS disks in Unix |
| mtr | Network diagnostic tool (ping and traceroute) |
| nasl | Network intrusion detection tool |
| nc | NetCat - Cat for networks |
| ndisasm | Netwide Disassembler - 80x86 binary file disassembler |
| netdump | Dump network packets |
| nm | List symbols from object files |
| nmap | Network mapping utility |
| noctrl | Remove control characters from files |
| nonull | Remove null (0) characters from files |
| noparity | Remove parity bits from files |
| noreps.pl | Remove repetitive lines from a file |
| ntpd | Network time protocol daemon |
| objdump | Display information from object files |
| od | Octal to decimal conversion |
| oo | Open Office |
| otod | Convert octal to decimal |
| pd | Partition table decoder |
| probe | Probes for PCI and other bridge hardware |
| ps2ascii | Convert postscript to ascii |
| raidstart | Start a RAID array |
| reiserfsck | Check a reiser file system |
| scp | SSH copy program |
| scsi_info | Information on SCSI devices |
| showkey | Examine the scan codes and keycodes sent by the keyboard |
| smbtar | Back up Windows file shares to tape files |
| sniffit | Network traffic sniffer |
| snort | Network sniffer and intrusion detection front end |
| ssh | Secure Shell encrypted communication client |
| strings | Extract strings from a file |
| sync | Write all not-yet-written content to disks |
| tail | Show the end of a file |
| tar | Tape Archiver |
| tcpdump | Show network packets to the user |
| tcpspy | Watch TCP connections |
| tct | The Coroner's Toolkit |
| tee | Split output to a file and to standard output |
| theword | Word file revision analysis |
| traceroute | Trace a route over the network |
| track | Interface to httrack |
| webget | Get a URL from the web |
| wget | Get a URL from the web |
Here is an example of one of the analysis tools, forword, which is designed to do forensic extraction of metadata and contents from Word and other OLE documents. It is run here on a file called "Typing_some_text_into_the_WS2_document.doc" on a hard disk mounted at /mnt/hda1.
cp /usr/local/forword/forword /; cd /forword   # This only needs to be done once per reboot
forword /mnt/hda1/Typing_some_text_into_the_WS2_document.doc
This produces the output below as well as a text extraction of the content of the document and a set of "trash" files containing content of the file that is no longer used and OLE files associated with each object within the original file. It also finds and extracts hidden files planted within Word documents (a steganographic technique) and can sometimes remove or ignore Word passwords. It performs an MD5 checksum before and after operating so the contents of the file can be validated relative to other forensic tools and to demonstrate that it has not altered the original file.
===================================================================
ForWord Processing "Typing_some_text_into_the_WS2_document.doc"
===================================================================
MD5 Checksum:59ed67750752ea25e232f07cc7000159 Typing_some_text_into_the_WS2_document.doc
===================================================================
Object Data "Typing_some_text_into_the_WS2_document.doc"
===================================================================
--- ppset "CompObj" --------------------------------------------------
n id id name vartype contents
1 0 "doc_long" 1e (string) "Microsoft Word Document"
2 1 "doc_class" 1e (string) "MSWordDoc"
3 2 "doc_spec" 1e (string) "Word.Document.8"
----------------------------------------------------------------------
--- ppset "DocumentSummaryInformation" -------------------------------
n id id name vartype contents
1 1002 "_PID_GUID" 41 (unknown)
2 b "scalecrop" b (bool) 0
3 5 "linecount" 3 (long) 1
4 c "headingpairs" 100c (variant[])
4.01 1e (string) "Title"
4.02 3 (long) 1
5 6 "parcount" 3 (long) 1
6 d "docparts" 101e (string[])
6.01 1e (string) "Typing some text into the WS2 document"
7 16 b (bool) 0
8 17 3 (long) 528490
9 f "company" 1e (string) "Forensic"
a 10 "linksuptodate" b (bool) 0
b 11 "sharecount2" 3 (long) 109
c 13 b (bool) 0
----------------------------------------------------------------------
--- ppset "SummaryInformation" ---------------------------------------
n id id name vartype contents
1 2 "title" 1e (string) "Typing some text into the WS2 document"
2 3 "subject" 1e (string) ""
3 a "edittime" 40 (filetime) 0000.00.00 00:01:00.000000
4 4 "author" 1e (string) "User1-Dallas"
5 5 "keywords" 1e (string) ""
6 c "createtime" 40 (filetime) 2004.05.14 15:10:00.442944
7 d "lastsavedtime" 40 (filetime) 2004.05.14 15:16:00.475648
8 7 "template" 1e (string) "Normal"
9 e "pagecount" 3 (long) 1
a 8 "lastsavedby" 1e (string) "User1-Dallas"
b f "wordcount" 3 (long) 15
c 9 "revnumber" 1e (string) "3"
d 10 "charcount" 3 (long) 89
e 12 "appname" 1e (string) "Microsoft Word 8.0"
f 13 "security" 3 (long) 0
----------------------------------------------------------------------
# Microsoft Word Document (MSWordDoc, 2004.05.14 15:16:34.505648, rev 3)
Title: Typing some text into the WS2 document
Author: User1-Dallas
Organization: Forensic
Application: Microsoft Word 8.0
Template: Normal
Created: 2004.05.14 15:10:00.442944
Last saved: 2004.05.14 15:16:00.475648
1 15 89
===================================================================
Trash and Hidden "Typing_some_text_into_the_WS2_document.doc"
===================================================================
Processing "Typing_some_text_into_the_WS2_document.doc":
Trash (and system) report:
Type 1 (Big blocks): 0 bytes
Type 2 (Small blocks): 0 bytes
Type 4 (File space): 406 bytes
Type 8 (System space): 1300 bytes
1+2: 0 of 19456 bytes (0.0 %)
1+2+4+8: 1706 of 19456 bytes (8.8 %)
Trash type=3 offset=0 size=20
Trash type=11 offset=0 size=20
Trash type=15 offset=0 size=20
Hidden file report:
No hidden file stored.
Done.
Processing "Typing_some_text_into_the_WS2_document.doc": Saving...
Trash type=1 offset=0 size=0
Trash type=2 offset=0 size=0
Trash type=4 offset=0 size=406
Trash type=8 offset=0 size=1300
Done.
===================================================================
List embedded files "Typing_some_text_into_the_WS2_document.doc"
===================================================================
0: 1 'Root Entry' (pps 0) ROOT 2004.05.14 15:16:34.505648 2004.05.14 15:11:00.255444
1: 1 '1Table' (pps 1) FILE 1000 bytes
2: 2 ' CompObj' (pps 5) FILE 6a bytes
3: 3 'ObjectPool' (pps 6) DIR 2004.05.14 15:16:34.505648 2004.05.14 15:16:34.505648
4: 4 'WordDocument' (pps 2) FILE 1000 bytes
5: 5 ' SummaryInformation' (pps 3) FILE 1000 bytes
6: 6 ' DocumentSummaryInformation' (pps 4) FILE 1000 bytes
===================================================================
Debug version of embedded files
===================================================================
laola: get_iolist(3, 0, 4294967295, 0)
laola: get_iolist(3, 0, 4294967295, 0)
laola: get_iolist(3, 0, 128, 0)
0: 1 'Root Entry' (pps 0) ROOT 2004.05.14 15:16:34.505648 2004.05.14 15:11:00.255444
laola: get_iolist(3, 384, 128, 0)
laola: get_iolist(3, 256, 128, 0)
laola: get_iolist(3, 640, 128, 0)
laola: get_iolist(3, 128, 128, 0)
laola: get_iolist(3, 768, 128, 0)
laola: get_iolist(3, 512, 128, 0)
1: 1 '1Table' (pps 1) FILE 1000 bytes
2: 2 ' CompObj' (pps 5) FILE 6a bytes
3: 3 'ObjectPool' (pps 6) DIR 2004.05.14 15:16:34.505648 2004.05.14 15:16:34.505648
4: 4 'WordDocument' (pps 2) FILE 1000 bytes
5: 5 ' SummaryInformation' (pps 3) FILE 1000 bytes
6: 6 ' DocumentSummaryInformation' (pps 4) FILE 1000 bytes
===================================================================
Other Details
===================================================================
Processing "Typing_some_text_into_the_WS2_document.doc":
lhalw: status=ok Header (chunk 1) - pps=2
lhalw: bytes of header: ...
lhalw: word_status=4608 word_fast=0 word_crypted=0 tmp=0 word_version_ok=0
lhalw: begins at 1024, ends at 1132, length=108
lhalw: NOT word_version_ok
lhalw: word_textl=108
done.
===================================================================
MD5 Checksum:59ed67750752ea25e232f07cc7000159 Typing_some_text_into_the_WS2_document.doc
===================================================================
Done
===================================================================
Many people ask about how to do a forensically sound image of a hard disk drive over a network. White Glove was, as far as I am aware, the first commercial tool to provide this capability in a bootable CD format. After getting the computer booted from the CD and bringing up the network (see other tutorial elements for details), use the following command to forensically image the hard disk /dev/hda to the remote file server my-files.com in the file /usr/fred/testimage under the user ID fred:
# dd reads standard input and writes standard output by default; "-" is not a special file name for dd.
# conv=sync pads any unreadable block with zeros so the data after it keeps its original offset.
dd if=/dev/hda bs=8192 conv=noerror,sync | ssh fred@my-files.com 'dd of=/usr/fred/testimage'
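The imaging step above only copies the bytes; to demonstrate the copy is faithful you also want the hash of what was read and the hash of what was stored. The script below is an added example, not White Glove's own code: it hashes the stream as it leaves the sending machine and asks the receiving side to hash the stored file. The REMOTE_SH variable is an assumption of this example (set it to "ssh fred@my-files.com" for the page's scenario; the default "sh -c" runs everything locally so it can be tried offline).

```shell
#!/bin/sh
# Added example, not part of White Glove: image a disk to a remote host and
# prove the stored copy matches the bytes that were read.
# REMOTE_SH runs a command on the receiving side; for the page's scenario it
# would be "ssh fred@my-files.com". The default "sh -c" runs locally so the
# example can be exercised offline.
REMOTE_SH=${REMOTE_SH:-sh -c}

# verify_stored_image DEST EXPECTED_MD5
# Asks the receiving side to hash the stored image; succeeds only on a match.
verify_stored_image() {
  stored=$($REMOTE_SH "md5sum < '$1'" | cut -d' ' -f1)
  [ -n "$stored" ] && [ "$stored" = "$2" ]
}

# image_and_verify SOURCE DEST
# Streams SOURCE through dd to DEST, hashing the stream as it leaves the
# sender, then compares with the hash of what was stored. Prints the hash.
image_and_verify() {
  src=$1 dest=$2
  tmp=$(mktemp -d) || return 2
  mkfifo "$tmp/stream"
  # Background hasher reads a copy of every byte that tee passes onward.
  md5sum < "$tmp/stream" | cut -d' ' -f1 > "$tmp/sent.md5" &
  # Sector-sized blocks: noerror continues past an unreadable sector instead
  # of aborting, and sync zero-fills it so every later byte keeps its offset.
  # Without sync, bad sectors would be dropped and the image would shift.
  dd if="$src" bs=512 conv=noerror,sync \
    | tee "$tmp/stream" \
    | $REMOTE_SH "cat > '$dest'"
  wait
  sent=$(cat "$tmp/sent.md5")
  rm -rf "$tmp"
  printf '%s\n' "$sent"
  [ -n "$sent" ] && verify_stored_image "$dest" "$sent"
}
```

Record the printed hash alongside the image; re-running verify_stored_image later shows whether the stored copy is still the one that was taken.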
Searching raw disk images is another common activity. In most cases, a raw file system search involves something simple like looking for "word or phrase". This would be done on drive /dev/hda like this:
grep -a 'word or phrase' /dev/hda
In this case the output may include a lot of binary data that will mess up your display, as well as much more than just the area around the string you are searching for. To reduce the output to printable strings only, you would do this:
grep -a 'word or phrase' /dev/hda | strings
Many people prefer to look at the data in a program that allows them to page back and forth. The program for this is less, and the command would look like this:
grep -a 'word or phrase' /dev/hda | less
For more information on this and other forensics activities with White Glove bootable CDs, it's a good idea to get the short courses on that subject.