When we upgrade our Forensic Workstations we cascade the older machines onto administrative and imaging tasks. One particular ex Forensic Workstation had supported a tape drive for a year or two but now was about to become totally redundant. Instead of suffering this fate I decided to dedicate it to running Helix. The box itself is a Supermicro chassis sporting a Supermicro X6-DAL-TG motherboard, twin Xeon Nocona 3.4 ghz processors, 2GB ram and a hot swap drive bay.
I had read Andre Ross's blog post Installing Helix 2008R1 and Jess Garcia's How to install Helix to Disk webpage and decided that installing to hard disk was the way to go.
The process I followed to do this successfully (guided by Andre Ross's post in the main) was:
- Equip box with an unformatted wiped hard disk - using a partitioned (with ext2 and linuxswap) disk caused the installation routine to hang.
- Boot box to Helix 2008R1 CD and commence installation by going to System->Administration->Install
- At the point the installer hangs (Who are you screen) click cancel and then quit
- Commence installation routine again and create a user - I called mine Helix
- Configure Network Adaptor to connect to the internet via System->Administration->Network
- Launch Update Manager via System->Administration->Update Manager and update all packages.
- Applications->Forensics & IR->Root Terminal
:~#apt-get install smbfs
:~#apt-get install winbind
Part 1 of the job is done. A little bit of configuration is needed to make the machine more usable in it's main role as an imaging machine. I am not a Linux guru so apologies for the Janet and John approach for those that are. Also my imaging machines are in a secure environment and not normally connected to the internet so I felt relaxing security a little may be OK.
Relaxing Security
- System->Administration->Login Window
On the Security tab you may wish to enable Automatic Login for the Helix user - Applications->Forensics & IR->Root Terminal
- :~# nano /etc/sudoers
- Use arrow keys to scroll to end of file then type
Helix ALL=(ALL) NOPASSWD: ALL
(presuming helix was the name of the user account you created, if not substitute helix with the name of your account) - Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor. The syntax is critical - if sudoers is messed up your OS may not boot. The reason this is done is that most of the applications we wish to use run at root. However user accounts do not have root privileges. This is overcome by using the sudo command which periodically requires you to enter a password which is a pain. Editing the sudoers file as shown above removes the requirement to enter a password when sudo is used.
- By default there are three icons in the panel (like Windows Quick Lauch) on the taskbar at the top of the desktop (Firefox, help and terminal). Right click on Terminal and Remove from Panel.
- Access Applications->Forensics & IR->Root Terminal in the menu and right click and select Add to Panel
Imaging Applications
I work in an Encase shop so I am going to concentrate on applications that image to EWF format (aka e.01 files). There are currently two applications installed that do this - Linen and EWFacquire.
Linen
Linen needs some configuration to run from the shortcut Applications->Forensics & IR->Linen. This shortcut (I think the proper linux terminology is launcher) runs a script called sl in /usr/bin. sl needs editing.
- Applications->Forensics & IR->Root Terminal (or click on Root Terminal in the Panel)
- :~# nano /usr/bin/sl
- Use nano to delete the line
cp /cdrom/IR/bin/linen /usr/local/bin - Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor.
At this stage Linen does not reside in /usr/local/bin - we need to put an up to date copy there.
- On a Windows box where Encase version 6 is installed copy the Linen file from the root Encase folder within Program Files to a thumb drive.
- On the Helix box copy Linen from the thumb drive to /usr/local/bin as follows:
- Launch root terminal from panel on task bar and mount your thumb drive by clicking on it's icon on the task bar and selecting Mount
- :~# cp /media/sdc1/linen /usr/local/bin (where sdc1 is your thumb drive)
Linen should now be launchable via the menu. But in true windows style I created a desktop shortcut by right clicking the Linen menu item and selecting add launcher to desktop.
EWFacquire
ewfacquire /dev/sdb
where /dev/sdb is the drive to be imaged. Again I created a desktop shortcut by:
- Right clicking on the desktop and selecting Create Launcher
- Change the type to Application in Terminal
- Set the name appropriately
- In the command box type sudo /usr/bin/ewfacquire /dev/sdb
- Click OK
It is probably worth noting that you would not want to launch EWFacquire from the desktop launcher unless you had established the path of each drive by typing fdisk -l into the root terminal.
Guymager
Guymager is another imaging tool that utilises Libewf. It is controlled from a GUI and is a desirable addition to our imaging tools. I intend to do a mini review of it along with steps I have carried out to validate it in a forthcoming blog post. It is not installed on the Helix CDRom but can be installed to our hard disk installation.
- Launch a Root Terminal
- :~# nano /etc/apt/sources.list
- Use arrow keys to scroll to end of file then type deb http://apt.pinguin.lu/i386 ./
- Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor.
- Whist still connected to internet type in root terminal
- :~# apt-get update
- :~# apt-get install guymager smartmontools hdparm libewf-tools
Once the process is completed guymager can be launched from a root terminal. Again I created a desktop shortcut by:
- Right clicking on the desktop and selecting Create Launcher
- Change the type to Application in Terminal
- Set the name appropriately
- In the command box type sudo /usr/bin/guymager
- Click OK
Guymager utilises a configuration file - guymager.cfg. For my setup I wanted to make some changes. The program advises that changes should be made to local.cfg, however I did not have much success with this. I edited guymager.cfg with nano:
- Launch a Root Terminal
- :~# nano /etc/guymager/guymager.cfg
and modify entries to the following - Language='en'
EwfFormat=Encase5
EwfCompression=Best
EwfSegmentSize=1500 - and in the Table LocalDevices area add a new line beneath the line of ------------
containing the serial number of the hard disk drive where Helix is installed
e.g. '1ATA_Maxtor_6B300S0_B605MV0H'
The best way to establish the serial no. is probably with Guymager itself. - Many other changes can be made as documented within guymager.cfg
- Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor.
Adepto
Although Adepto does not image to EWF files I know some people use it. Some changes need to be made to get it to work.
- Launch a File Browser with root permissions by launching a root terminal and typing nautilus
- Use the file browser to navigate to /home/helix (helix being the name of the user account I created during the installation routine - if you used another account name navigate to /home/theAccountNameYouUsed )
- Right click or use the edit menu to create a folder then name it Adepto
- Double click Adepto and create a subfolder within Adepto called Logs
- Right click on Logs and Make Link
- Right click on the resulting Link to Logs and Cut
- Navigate to /usr/local/adepto and paste your link file
- Right click on the existing Logs file and delete
- Rename Link to logs to logs
Adepto should work now.
Some Networking Stuff
In our lab we image to a file server running Microsoft Windows Server 2003. When I have used the Helix CDs in the past it was always a pain to image to an attached hard drive then transfer the image to the file server later. I wanted the Helix Imager to image direct to our file server and be part of our Windows Workgroup.
To do this:
- via System->Administration->Network configure to connect to your internal network
- on the windows file server create a share (I called mine Helix) and create a user named Helixuser (having done this you can apply appropriate security to this user at the Windows end)
- Create a mount point to the windows share by:
- Launch a Root Terminal
- :~#mkdir /media/helix
- :~# nano /etc/nsswitch.conf
modify (add wins prior to dns) the following line to read
hosts: files mdns4_minimal [NOTFOUND=return] wins dns mdns4
Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor - :~# nano /etc/fstab
- Append the line below to the end of the fstab file
//server/Helix /media/helix cifs username=user,password=*,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0
where server is your server name, Helix is the name of your Windows share, helix is the name of the linux mount point, user is the name of an account on your Windows server and * is substituted for whatever your password is. - Type CTRL+o to save then press enter then type CTRL+x to exit nano text editor
- :~# mount -a
- Configure the way the Helix Imager box is recognised within our Windows Workgroup
- at the root terminal :~# nano /etc/samba/smb.conf
- Within the global settings area modify entries to the following
workgroup = THENAMEOFYOURWORKGROUP
server string = %h
Now that a mount point has been created to your windows share specifying /media/helix as the path to image to in Linen, EWFacquire or Guymager will output the image to the Windows File Server.
1 comment:
Nice work, I'd thought about installing it previously but had faltered at the first hurdle when the installer crashes and went back to good old SMART Linux with their 'new' Ubuntu flavour.
I've also never bothered creating a new user and adding them to the sudoers file either, I've always figured that no-one is getting in to the box remotely anyway and I ALWAYS forget the sudo bit when I'm working from the terminal, but I know it is good practice not to be logged in as root.
I've never put enough work into mounting Samba shares either, so I will take your tips for that.
I think it's an excellent idea to have a Linux imaging machine in the office too, too many people are just so fully dependent on FTK Imager and EnCase that they have nothing left in their arsenal for the awkward drives that Windows just sometimes won't play with.
Post a Comment