In the past few weeks, I've had the opportunity to make forensic disk images of what one might call "non-standard" devices. The devices were a Lenovo Thinkstation D20, an Acer Netbook, and an MacBook Air.
Lenovo Thinkstation
The Lenovo presented a few problems. First, it was seized and disassembled by non-computer-forensics professionals. Translated: the drives were removed and not marked as to their bays or cabling. Two drives were identical in size and the third was over three times larger. All were were SAS (Serial Attached SCSI) drives which have non-standard connectors. I had no connectors to remove the drives and image them individually (though cannibalization from the Lenovo was possible), and the computer specs suggested that there was a raid array on the two drives of matching size.
What did I do? I decided to use CAINE, a forensic boot disc, and an external hard drive. CAINE would allow me to use the Lenovo for the specialized connectors needed for the SAS drives, and allow the hardware controller on the motherboard to reassemble RAID array.
The first step was to ensure I could boot the system with CAINE. I was unable to boot from CD-ROM using the Lenovo's optical drive (which was unusual, to be sure) but I was able to get a USB version of CAINE booted. I ensured, by adjusting the BIOS, that the USB would be the first device to boot.
I reinstalled and connect the drives, uncertain as to proper order, and booted CAINE. Lucky for me, the on-board RAID controller detected the disks, reported there have been a change in the devices (the drive order), and then correctly reassembled the array. CAINE reported two drives (the large disk, with the OS as it turns out), and the array. I imaged both to the external drive with Guymager, a graphical front end for libewf, an open sourced disk imaging library and toolset that produces images in expert witness format.
Acer Netbook
The Acer Netbook was probably the least troublesome device, but did not lend itself well to disassembly. Drive removal and hardware write-blocking are the ideals in forensic disk imaging. However, this isn't always possible or convenient. In the case of the Acer Netbook D255, there was no simple hard disk cover to remove. Hard disk access appears to involve keyboard removal and an underlying cover, or seven case screws and an almost surgical separation of plastic catches. Simply put, I didn't want to break the netbook, and I know that some storage devices have ROM chips that prevent them from being read when disconnected from the particular motherboard anyway.
Again, CAINE to the rescue. In the case of the ACER, there was no boot menu. Changes to the BIOS were needed to ensure the USB device booted before the internal hard disk. I tried to boot CAINE with an attached USB optical drive and with a USB version of CAINE. The ACER did not register the USB optical drive in the BIOS, but the USB flash drive with CAINE was detected. I booted from the USB, mounted a external hard drive, and imaged the drive with libewf.
MacBook Air
This was my first encounter with the MacBook Air. Like the Acer, the construction of the device discouraged disassembly. I know that the Macs won't boot from a FAT formatted USB because of the EFI boot schema. However, booting from CD-ROM is possible by pressing and holding the "C" key immediately after powering the computer.
I attached a USB CD-ROM drive because the AIR does not have an optical drive like other MacBooks. I initially booted with CAINE, but the graphics drivers were incompatible with the Mac. I attempted a graphics safe-mode boot and a text-only boot, but the same result: a garbled display that made proceeding impossible.
I obtained a second forensic boot disk called DEFT. It is a newer release than CAINE and I hoped it had updated graphics drivers that might overcome the problem. The initial boot froze the system. DEFT boots into text mode, and there are no other menu choices. However, a series boot options at the bottom of the boot screen reminded me of some boot issues I have experienced in that past several versions of Ubuntu, on which both these forensics distributions are based. I passed the "nomodeset" option in the F6 menu (curiously named "Password"), and DEFT booted to a text screen. I was also able to boot to a GUI with the deft-gui command.
With this in mind, I revisited CAINE. I have a preference for CAINE because I understand how it works and it's implementation of write-blocking and have tested it. The CAINE developer, Nanni Bassetti, is ever-ready to help new users and explain his techniques. I do not know how DEFT works and the information is not readily available, at least not in English. This is not to disparage DEFT in anyway. I'm just trying to highlight the fact that we must use tools that we understand and have tested.
I again booted the MacBook Air with Caine. At the boot screen, there is no obvious way to pass boot options. However, pressing escape brings up a boot command line. Pressing tab displays the boot options on the original boot screen. I passed the arguments "textonly nomodeset" and CAINE successfully booted to a console. At the console, I was able to start the GUI with "startx". I accomplished imaging as before, with libewf and an external USB hard disk drive.
Subscribe to:
Post Comments (Atom)
Time Perspective
Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...
-
The Google Chrome cache represents a challenge to forensic investigators. If the extent of your examination has been to open t...
-
I was asked recently to help recover deleted messages from an iPhone SMS database. Conveniently, this is called "sms.db" on the i...
-
I commonly use adb and fastboot to access Android devices. Ubuntu has packages for those tools making installation easy: $ sudo apt-get i...
Very nice article :)
ReplyDeleteThanks