Tuesday, July 25, 2006

Updated FreeBSD Forensics

This morning I was reading cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 third edition of Anti-Hacker Toolkit. I realized no one had updated cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 section "Vnode: Transforming a Regular File into a Device on FreeBSD." Keith Jones wrote that section four years ago when he co-authored cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 first edition of AHT. That part of AHT shows how to mount a hard drive image as a file, such that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hard drive image can be examined in a forensically safe manner.

If you follow cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 advice in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book and try to vnconfig, you get this error:

orr:/home/richard$ vnconfig
ERROR: vnconfig(8) has been discontinued
Please use mdconfig(8).

Fair enough. Let's see what we need to do to use mdconfig.

I used cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 jbr_bank/forensic_duplication/JBRWWW.dd.gz hard drive image from Real Digital Forensics by Keith Jones, Curt Rose, and myself. If you want that image or any ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r files from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 book, you'll need cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 DVD that ships with it.

After gunzipping cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 archive, I used mdconfig to create a vnode.

orr:/nsm/rdf$ sudo mdconfig -a -t vnode -f JBRWWW.dd
md0
orr:/nsm/rdf$ sudo mdconfig -l -u md0
md0 vnode 4.0G /nsm/rdf/JBRWWW.dd

I now have JBRWWW.dd attached to device md0. Let's see what it is.

orr:/nsm/rdf$ sudo fdisk /dev/md0
******* Working on device /dev/md0 *******
parameters extracted from in-core disklabel are:
cylinders=524 heads=255 sectors/track=63 (16065 blks/cyl)

parameters to be used for BIOS calculations are:
cylinders=524 heads=255 sectors/track=63 (16065 blks/cyl)

Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
sysid 7 (0x07),(OS/2 HPFS, NTFS, QNX-2 (16 bit) or Advanced UNIX)
start 63, size 8401932 (4102 Meg), flag 80 (active)
beg: cyl 0/ head 1/ sector 1;
end: cyl 522/ head 254/ sector 63
The data for partition 2 is:

The data for partition 3 is:

The data for partition 4 is:


That looks like a NTFS partition. Time to mount it.

orr:/nsm/rdf$ sudo mount_ntfs -o ro /dev/md0s1 /mnt
orr:/nsm/rdf$ mount
/dev/ad0s2a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s2f on /home (ufs, local, soft-updates)
/dev/ad0s2g on /nsm (ufs, local, soft-updates)
/dev/ad0s2h on /tmp (ufs, local, soft-updates)
/dev/ad0s2d on /usr (ufs, local, soft-updates)
/dev/ad0s2e on /var (ufs, local, soft-updates)
/dev/ad0s3 on /data (msdosfs, local)
/dev/acd0 on /cdrom (udf, local, read-only)
/dev/md0s1 on /mnt (ntfs, local, read-only)

So far so good. What do we see on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 drive?

orr:/nsm/rdf$ ls /mnt
$AttrDef IO.SYS
$BadClus Inetpub
$Bitmap MSDOS.SYS
$Boot NTDETECT.COM
$Extend Program Files
$LogFile System Volume Information
$MFTMirr WINNT
$Secure arcldr.exe
$UpCase arcsetup.exe
$Volume boot.ini
AUTOEXEC.BAT ntldr
CONFIG.SYS pagefile.sys
Documents and Settings update.exe

That looks like a Microsoft Windows NTFS drive to me.

When done, I clean up.

orr:/nsm/rdf$ sudo umount /mnt
orr:/nsm/rdf$ sudo mdconfig -d -u md0

You can use this same technique with .iso's too.

orr:/data/iso$ sudo mdconfig -a -t vnode -f boot.iso
md0
orr:/data/iso$ sudo mdconfig -l -u md0
md0 vnode 38M /data/iso/boot.iso
orr:/data/iso$ sudo mount -t cd9660 /dev/md0 /mnt
orr:/data/iso$ mount
/dev/ad0s2a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s2f on /home (ufs, local, soft-updates)
/dev/ad0s2g on /nsm (ufs, local, soft-updates)
/dev/ad0s2h on /tmp (ufs, local, soft-updates)
/dev/ad0s2d on /usr (ufs, local, soft-updates)
/dev/ad0s2e on /var (ufs, local, soft-updates)
/dev/ad0s3 on /data (msdosfs, local)
/dev/acd0 on /cdrom (udf, local, read-only)
/dev/md0 on /mnt (cd9660, local, read-only)
orr:/data/iso$ ls /mnt
TRANS.TBL etc images ppc
orr:/data/iso$ sudo umount /mnt
orr:/data/iso$ sudo mdconfig -d -u md0

I think that's neat.

No comments: