Forensic Investigation of Live CDs
Written by Andrew Case and Daryl Pfeif   

Miss the photos and figures?
View, read, share, save, and print this article
as it appeared in the print edition now, online!

DIGITAL FORENSICS is the process of analyzing data stored on a wide range of electronic media for evidence relevant to an investigation. During the normal investigative process, this evidence is collected from computer hard drives, servers, USB thumb drives, CD ROMs, DVDs, and other media storage devices. When evidence is stored on these devices, there is a well-established set of procedures that allow for orderly acquisition and analysis of data and for the admissibility of investigation results in a legal setting. These procedures include creating an exact copy of relevant devices, verifying the copy with cryptographic hashing, automated data processing using forensic software, and finally evidence examination.

When a filesystem is intact on any device, a wealth of evidence is available for analysis, including system files and directories; their contents; their created, modified, and deleted times; and the files’ sizes. If the standard forensics process can be successfully completed, an investigator can rely on a multitude of forensic applications, previous training, and experience in order to solve a case. Investigators are also assured that they can comfortably provide expert testimony and reports about their work, as hundreds of people have previously testified in the same situation and scenario.

Unfortunately for investigators, as the tools and techniques commonly used to perform digital investigations have improved, so have the methods cybercriminals use to circumvent them. One method that has been steadily gaining traction within the anti-forensics community is the use of live CDs. This community is specifically advocating use of live CDs based on the belief that they disrupt the entire forensics process and make the implementation of standard forensic procedures impossible.

A live CD is an operating system that is packaged on CD or DVD and does not require the use of a traditional hard drive to operate. Unlike traditional operating systems that use hard drives to store data, live CDs place all information within the computer’s volatile memory store (RAM). Since live CDs do not interact with hard drives or even require a hard drive to be attached to a computer, there are no existing forensic procedures that can be used to acquire, analyze, and present evidence. This problem exists because forensic tools require access to a standard filesystem that they can process. However, in the case of a live CD, all data is stored in memory—including the filesystem—and standard forensic tools are not equipped to handle this situation.

The inability for an investigator to immediately access a filesystem makes a number of powerful forensic techniques—such as timelining, hashing, indexing, and deleted-file recovery—unusable since they all rely on an intact filesystem that can be parsed and processed. Even techniques that do not rely on the filesystem are difficult to use when faced with an investigation in which live CDs were used. For instance, file carving—the process of identifying and extracting files from unordered binary streams of data—is generally very effective for recovering previously deleted files. Unfortunately, file carving is not usable against a live-CD memory capture because it relies on files to be contiguously allocated and because the contents of live-CD files are scattered among pages of physical memory.

Even the mundane task of searching keywords against a set of evidence is not effective in this scenario because determining the context of a keyword match is a very difficult and time-consuming process, especially across a large number of matches. For example, if a keyword is an e-mail address and a match is found, an investigator would have trouble proving whether the e-mail address was stored in a contact book on disk, in a web browser, in an e-mail client’s memory, embedded within a document, or any of the other places that data can be stored.

Further complicating this lack of context is the absence of metadata related to any findings. Even if a keyword could be matched to a file, important information such as the creation, modified and accessed times, file-owner information, filename, and place within the filesystem-directory structure would be unrecoverable.

The difficulties faced by digital forensics investigators when handling cases involving live CDs has not gone unnoticed by the privacy and security communities. As an example, “The Amnesic Incognito Live System” (TAILs) is a live CD operating system centered on privacy that states on its homepage: “No trace is left on local storage devices unless explicitly asked.” The expressed purpose of the program is to preserve the user’s privacy and anonymity from a forensic investigation. TAILs also forces all network connections from the machine through the TOR anonymity system. The combination of these characteristics means that not only is disk forensics impossible against TAILs systems, but network analysis will only be able to uncover encrypted data.

Another potent live CD is the BackTrack system that allows for complete network and computer security assessments, including compromise testing of vulnerable computers. While developed for IT security professionals, the live CD is available to all, and the potent security abilities, combined with the inability of forensics investigators to determine past actions of users, make it a very desirable system.

Beside the discussed live-CD systems, anecdotal evidence of the anti-forensics power given by live CDs can be found by querying search engines with “anti forensics,” “live CD”, and similar terms. These searches will reveal many forum posts and articles discussing how the use of live CDs is a foolproof method to avoid digital forensic investigations.

In addition to the technical complications related to live CD analysis, there is the added difficulty of convincing lawyers and judges to admit the evidence. As previously discussed, providing context of findings is extremely difficult, and the lack of metadata prevents the creation of timelines that are often crucial for proving the validity of findings. Furthermore, providing a disk image along with a set of cryptographic hashes that prove that evidence has not been tampered with is impossible because the filesystem was stored within memory.

Training investigators to handle situations involving live CDs is also a difficult task. The standard way of obtaining evidence is to first power off the machine, label it, and then transport it to a forensic lab. If this procedure was enacted against a machine booted into a live CD, all evidence would be immediately lost. To preserve the evidence, investigators must be trained on how to properly acquire memory captures from a running computer. This is a specialized task and requires software and hardware that is not a part of traditional forensic training and experience.

To remedy these specific issues and to create a methodology and the accompanying tools required to make investigation of live CDs possible, Digital Forensics Solutions has developed a number of techniques that allow for complete recovery of a live CD’s filesystem. These techniques revolve around deep memory analysis of the in-memory filesystem.

Another Union Filesystem (AUFS) is the filesystem chosen by all popular live CDs, including TAILs, BackTrack, Ubuntu, and numerous others. Since live CDs are booted from non-writable media, any changes that occur in the filesystem, such as file creation, deletion, and editing, must be stored in another location. To accommodate this, AUFS creates two layers—also known as branches—within the filesystem: The first layer is the non-writeable media, normally the CD or DVD from which the operating system booted. The second layer is a tmpfs filesystem, which is a special filesystem that only operates in memory. This use of tmpfs allows for changes to be kept throughout the life of the operating system without being able to write back to the source media and without requiring hard disks. Figure 2 illustrates the process that AUFS must implement in order to provide a coherent filesystem between data in-memory and on the booted CD or DVD.

Understanding how a filesystem is stored in memory allows for development of an algorithm that can acquire it in a forensically sound manner. The first step in this process is realizing that it is possible to focus on particular branches of a filesystem for acquisition. The read-only branch of a filesystem is not interesting from a forensic perspective as it never changes and can be easily acquired by imaging the CD or DVD used to boot the system. However, the in-memory, writable branch of a filesystem is extremely interesting as it contains all of the files and directories that were edited and created since booting the system. This branch reveals the exact actions of the user and prevents the investigator from needing to wade through all of the operating-system files that are not relevant to the current investigation.

Leveraging this knowledge of the filesystem layers, Digital Forensics Solutions was able to develop a plug-in for the Volatility memory-analysis project that is capable of full recovery of the file contents, directory structure, and metadata of the writeable layer. Volatility is an open-source project that performs analysis of Windows and Linux memory captures, and provides developers with a number of tools to create their own analysis plugins. The recovery plugin starts by locating the AUFS filesystem within memory and then enumerating all files and directories. For each entry that it encounters, this plugin records all relevant metadata, such as modified, accessed, and created times, owner and group information, names, and permissions. As it encounters these files, the plugin also copies the complete contents of the file, as well as all of the acquired metadata, to an output directory specified by the investigator. The metadata associated with each file is set for recovered files using the appropriate system calls, such as chmod to set file permissions and chown to set owner information.

Although the metadata associated with a file can be recoverable, recovery of deleted information from the filesystem is only partially possible because the complex storage of a file’s contents quickly becomes unstable after a file is deleted. This means that deleted file analysis can be useful only in certain situations, such as when it is important to prove that evidence was purposely deleted or to document that certain programs were installed. Unfortunately, straightforward recovery of file contents is not possible.

Use of the developed plug-in is very straightforward and immediately recovers all filesystem data. The following command line invocation will recover the filesystem from the memory image backtrack4.img using the plug-in:

python –f backtrack4.img –profile=backtrack4 –o recoverd_fs linux_aufs

Once the plug-in has completed the data-recovery process, the filesystem will be written as it was in the memory to the directory “recovered_fs.” To perform a forensically-sound investigation of the recovered filesystem, the output directory should be placed on external media or a separate partition. Using this method, the storage media can be mounted as read-only after recovery. Standard forensic tools can then be used to analyze the filesystem as if it were originally on a hard drive.

By automating forensic memory analysis of RAM, Digital Forensics Solutions has provided investigators with a method to completely reconstruct a live CD-booted filesystem. Recovery of the filesystem not only allows for standard forensic process to be followed, including the recovery of all relevant evidence, but it also allows for the evidence obtained and the results gathered to be used in a legal setting. Through the development of the Volatility memory analysis plug-in, the anti-forensics power of live CDs has been greatly diminished, and analysis of these systems is now possible for investigators of all skill levels.

About the Authors

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it is a Senior Security Analyst and a GIAC-certified digital forensics investigator at Digital Forensics Solutions (DFS). His primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field.

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it is a co-founder of Digital Forensics Solutions (DFS).

Return to the December 2011 Featured Products & Services Main Page

< Prev   Next >

Forensic Podiatry (Part Two of Two)

THE DISCIPLINE of forensic podiatry—or, in other words, the examination of pedal evidence—has progressed significantly over the past ten years. It is no longer a question of “What can you do with a footprint?” but rather, “Who can we use to evaluate the footprint?” Cases involving pedal evidence, especially bloody footprints and issues of determining shoe sizing or fit issues compared to questioned footwear, have become more common over the past two or three years.