
Secure boot, write blockers and forensic platforms

In document Computer & Intrusion Forensics pdf (Page 66-68)

2.2 Electronic evidence

2.2.1 Secure boot, write blockers and forensic platforms

Before discussing some of the topics foreshadowed immediately above, we turn to an important corollary that follows from the chain of evidence requirements of the courts. This relates to the booting of a system prior to its investigation and imaging. System boot in such situations must be undertaken in a secure and controlled manner which is noninvasive, that is, in a manner which precludes any modification to the content of disks and/or files being examined and imaged. It should also preclude any modification to the metainformation or descriptive information that describes either the system or the disks and/or files (e.g., time last written to). To ensure this, forensic investigators need to circumvent the default boot process (the normal boot process which boots from the system hard drive), and to boot the system using their own specialized boot diskette or CD that is configured to boot the system in a controlled manner from the diskette or CD, typically to DOS or Linux. This will require redirecting the boot source to a floppy or CD drive at system startup. The need for such a controlled boot process to guarantee that nothing will be written to the evidence disk(s) prior to their investigation becomes apparent when one considers the variety of implicit checks and operations carried out at boot and initialization time by some operating systems, in particular the more powerful Microsoft operating systems. These operations can for instance include registry updates in the case of Microsoft Windows 2000/NT or file decompression that will result in updated file timestamps. Such operations are invasive or intrusive and compromise the integrity of any related information being examined or imaged.

Once the system is booted, assurance of continued protection of original disks and files from being written to by the system relies on write blocker technology. A write blocker can be implemented in either hardware or software (see NIST’s ‘‘Hard Disk Write Block Tool Specification’’ [10] for an account of write blocking software). The function of a write blocker is, in any case, to make absolutely certain that any unknown or unexpected disk or file write—a write unknown to and unexpected by the investigator—is blocked. This ensures that no writes to the disk or file that is about to be imaged can take place before the imaging. As a general rule, safeguards implemented in hardware are more reliable than those implemented in software, and write blockers are no exception. Software write blockers based upon interception of interrupt calls are commonly used; they can conceivably, however, be circumvented and there is a recent trend towards hardware write blockers. Imaging of seized disks and files should only take place with the appropriate write blocking in place.

In any event, in addition to the use of secure boot and write blocking, an investigator needs to use trusted software comprising a secured command line interface or shell and a forensically sound copying program, both executed from removable media and thus trusted, in order to ensure the integrity of the file or disk imaging.

Digital Intelligence Inc. [11] provides a range of disk write blockers while Guidance Software has released FastBloc [12], which is a hard drive duplication device that allows investigators to duplicate disks noninvasively in Microsoft Windows environments. FastBloc may be used in conjunction with Guidance Software’s EnCase system, in which case the acquired data can then be managed as part of the EnCase methodology.

Many recently developed computer forensic tools, developed specifically with forensics in mind, have been targeted at Microsoft Windows systems. Published procedures for forensic examination too have tended to focus on Microsoft platforms, with some notable exceptions listed below. The reason for this apparent bias is simply that as a result of its long history, UNIX already has an established plethora of tools which achieve what is needed—there has been much less of a need to develop new tools specifically for forensic investigation when using UNIX systems. For instance, the September 2000 issue of SC Magazine reviewed a number of forensic imaging tools, including Linux dd 6.1 (Red Hat Inc.) and gave it their top rating [13]. Furthermore, there are several highly regarded UNIX/Linux forensics toolsets, which have been in wide usage for some time including: the Linux Forensic Toolkit (LFT) from NASA, the Coroner’s Toolkit by Farmer and Venema [14], and ForensiX from Fred Cohen & Associates [15]. While the last is available only to law enforcement (LE), the related White Glove/PLAC distribution [16] is available to the general public. Three accounts of forensic procedures relating specifically to the UNIX platform are as follows:

1. Basic Steps in Forensic Analysis of UNIX Systems by University of Washington’s Dave Dittrich [17];

2. The chapter UNIX Systems Analysis by Seglem, Luque and Murphy in Casey’s Handbook of Computer Crime Investigation [18];

3. The series of articles describing The Coroner’s Toolkit in Dr. Dobb’s Journal by Dan Farmer and Wietse Venema [14].

Linux has achieved a special position as a forensic platform in recent times on account of its rich utility set inherited from UNIX and due to the large number of different file systems that it understands, including nfs, ntfs, and vfat. Having obtained a disk partition image using the UNIX/Linux utility dd, an investigator using a Linux platform can then analyze that partition image by mounting it read-only in loopback mode, which provides the specific file system support needed to analyze it, be it a Microsoft file system, or a UNIX variant, or some other file system. This provides the investigator with the powerful facility to analyze not just files within the file system or partition but also the so-called ambient (supposedly unused) disk space on the disk or partition, while mounting the partition read-only provides the write blocking safeguard discussed earlier. Other powerful UNIX/Linux forensic capabilities include generalized string searching using grep and other utilities, and file integrity checking using md5sum and related utilities.
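The dd imaging, md5sum integrity check and read-only loopback mount described above, and the write-blocking safeguard from the earlier paragraphs, as an added worked example that is not part of the book. The "evidence disk" here is a constructed file standing in for a device such as /dev/sdb1, and the mount command is printed rather than executed because it needs root and a real file system image.

```shell
#!/bin/sh
# Added example (not from the book): image a partition with dd, record and
# verify its md5sum, then show the read-only loopback mount used for analysis.
# $EVIDENCE is a constructed stand-in for a seized partition (e.g. /dev/sdb1).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EVIDENCE="$WORK/evidence.dev"   # constructed evidence partition
IMAGE="$WORK/evidence.dd"       # bit-for-bit image written by dd

# Constructed evidence: 64 KiB of zeros with a recognisable payload at offset 4096.
dd if=/dev/zero of="$EVIDENCE" bs=1024 count=64 2>/dev/null
printf 'constructed evidence payload' | dd of="$EVIDENCE" bs=1 seek=4096 conv=notrunc 2>/dev/null

# Imaging step. conv=noerror keeps reading past unreadable sectors and sync pads
# each short block so offsets in the image still line up with the source.
image_partition() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hex digest only: the value the investigator records in the chain-of-custody notes.
digest() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Returns 0 when the image hashes identically to the source it was taken from;
# re-run it after any handling of the image to detect accidental modification.
verify_image() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# Analysis step from the text: loopback-mount the image read-only so the kernel's
# file system driver gives file-level access while "ro" acts as the write blocker.
mount_ro_command() {
    printf 'mount -o ro,loop,noexec,nodev %s %s\n' "$1" "$2"
}

image_partition "$EVIDENCE" "$IMAGE"
SOURCE_MD5=$(digest "$EVIDENCE")
IMAGE_MD5=$(digest "$IMAGE")
if verify_image "$EVIDENCE" "$IMAGE"; then
    echo "image verified, md5 $IMAGE_MD5"
fi
mount_ro_command "$IMAGE" /mnt/evidence
```

On a real device the same hashes would be computed with the hardware or software write blocker already in place, so the source digest can be rechecked after the examination to show the original was never written to.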
