2011-06-30

5 reasons why you should use open source tools for computer forensics investigations

In some ways computer forensics is a scientific process: you need to prove facts with a reproducible process.
Scientists use open source software all the time, and their reasons also apply to you, the computer forensics examiner.


1. The tool itself is publicly available

If another expert is called in, he can always download the tools you used and reproduce your findings, without having to buy an often very expensive license for what may be a one-shot, third-party tool.


2. The code is open.

If there is any doubt about the tool itself, you can show the source code and say exactly what the software did. With closed source tools you have to rely on documentation and explanations from a third party.


3. You can (often) go back in time.

Old versions are often available in public source repositories.
Legal processes are really long. They can easily span several versions of any piece of software you used during your investigation. What if the publisher no longer ships the old version?


4. Steps to reproduce your findings are easily documented.

Open source tools are often command line tools. So in your report you can just copy-paste every command you ran together with its output.
Any other expert can then step in, redo the same thing and check that the output is exactly the same.


5. They are customizable and flexible

One of the mantras of Unix (and hence Linux), for example, is that a tool does one simple thing and does it right, so you can combine tools to fulfil your need.

The golden hammer does not exist, and sometimes you are missing just one little thing/feature to accomplish a specific task. Open source rocks in this case: you have the source code, so you can hack it to do what you need.

And ... why not share your hack back with the community? :)
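The command log that point 4 describes, as an added example that is not part of the original post: each step records the exact command line, the tool's version string and the SHA-256 of its output in sha256sum -c format, so the second expert replays the commands and compares hashes instead of eyeballing pasted output. The sample "evidence" image, its marker string and all file names are constructed for the example.

```sh
#!/bin/sh
# Added example, not the post's own code. A case log for the report: every
# step records the command, the tool version and the SHA-256 of its output,
# so another expert can rerun the same commands and compare hashes.

# Constructed 64 KiB sample image with a known marker string (not real evidence).
make_sample_evidence() {
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf 'CONSTRUCTED SAMPLE EVIDENCE' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# First line of "<tool> --version", or a placeholder when the tool has none.
# The version belongs in the report: another release may legitimately differ.
tool_version() {
    v=$("$1" --version 2>/dev/null | head -n 1)
    printf '%s\n' "${v:-$1 (version unknown)}"
}

# Print the arguments single-quoted so the logged line can be pasted back
# verbatim (arguments containing single quotes are not handled here).
shell_quote() {
    for a; do printf "'%s' " "$a"; done
    printf '\n'
}

# Run one step: stdout goes to $out; the log gets the tool version, the
# command line and its exit status; $log.sha256 gets "<sha256>  <out>".
run_logged() {
    log=$1; out=$2; shift 2
    printf '## %s\n$ %s> %s\n' "$(tool_version "$1")" "$(shell_quote "$@")" "$out" >> "$log"
    "$@" > "$out"
    status=$?
    printf 'exit status: %s\n\n' "$status" >> "$log"
    sha256sum "$out" >> "$log.sha256"
    return "$status"
}

# What the second expert runs after replaying the commands: do the recorded
# hashes still match the outputs? Returns 0 only if every one does.
replay_matches() {
    sha256sum -c "$1.sha256" > /dev/null 2>&1
}

# Demo case in directory $1: acquire the sample, hash it, carve the marker.
# Prints the path of the case log.
demo_case() {
    d=$1
    make_sample_evidence "$d/evidence.img"
    log="$d/case.log"; : > "$log"; : > "$log.sha256"
    run_logged "$log" "$d/evidence.sha256" sha256sum "$d/evidence.img"
    run_logged "$log" "$d/strings.txt" grep -a -o 'CONSTRUCTED SAMPLE EVIDENCE' "$d/evidence.img"
    printf '%s\n' "$log"
}
```

The log is plain text that goes straight into the report; the .sha256 sidecar is what makes "the output is exactly the same" a mechanical check rather than a visual one.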

2011-06-05

poor man's backup and defragmentation process under linux for my desktops

No need to defragment Linux, ever?! Try this and see for yourself.

As the title of this blog says, I'm using Gentoo. I just love this system. But compiling all the time has a drawback: it keeps spreading files around your filesystem.

But there is no general-purpose defragmenter for ext3/ext4 under Linux yet (XFS has xfs_fsr; ext4's e4defrag had not shipped in a released e2fsprogs at the time). So here is what I do to back up AND defrag my boxes: restoring the files onto a freshly made filesystem lays them out contiguously again.

First, burn (or, even better, install to a USB stick) the awesome SystemRescueCd.

Boot SystemRescueCd.

From there, mount your main partition (here sda1) and do some cleanup before the backup, so you don't image junk:
mount /dev/sda1 /mnt/gentoo
rm -Rf /mnt/gentoo/tmp/*
rm -Rf /mnt/gentoo/var/log/* # warning: only if you don't care about your logs!
rm -Rf /mnt/gentoo/usr/portage/distfiles/* # you can always redownload them
# etc ...

Important: unmount the partition after the cleanup. Dumping a partition that is still mounted read-write gives an inconsistent image:
cd /
umount /mnt/gentoo

Now mount an external HD or your backup volume (here sdb1).
Note: don't do this on FAT!! FAT32 caps a single file at 4 GiB, so the image would be silently truncated. It must be something we can call a "filesystem", like ext4, xfs etc., with at least as much free space as the partition you want to back up, of course.

mount /dev/sdb1 /mnt/backup

Dump an image of your main partition on it:
pv /dev/sda1 > /mnt/backup/sda1.img

The ETA on the right of pv's progress line tells you how many coffees you can drink during the dump.

Mount the image read-only over loop and check quickly that the backup was successful:
mount -o loop,ro /mnt/backup/sda1.img /mnt/custom
ls -l /mnt/custom

Now be extra careful: format your main partition (here sda1, the same one you dumped above). No typos allowed here, and only once the listing of /mnt/custom looked right:
mkfs.ext4 /dev/sda1

Optional step for those who use labels/UUIDs in fstab (or in the bootloader config): restore them! Otherwise the freshly formatted partition gets a new random UUID and won't be found at boot.
cat /mnt/custom/etc/fstab # to see whatever you use to identify your partition
tune2fs -U 4c7556bf-5c6c-4f85-bc45-d7fa55c8ca1d /dev/sda1 # for example for a UUID; tune2fs -L <label> for a label

Mount your all nice and clean main partition and restore the files from your backup:
mount /dev/sda1 /mnt/gentoo
rsync -aHAX --numeric-ids --progress /mnt/custom/ /mnt/gentoo/ # be careful, the trailing slashes ARE important; -H/-A/-X keep hard links, ACLs and xattrs (file capabilities etc.) that plain -a drops

You'll notice how easily your main hard drive copes with the incoming files, and how painful it is for your backup drive to feed them from the files splashed all over the image (even from RAID0 external disks over eSATA to a poorly performing laptop drive!).

If the --progress output slows the console down, switch to another virtual console and run df to watch the Use% of /dev/sda1 catch up with that of the loop-mounted image on /mnt/custom.

Pack up, and enjoy the speed boost.

umount /mnt/gentoo
umount /mnt/custom
umount /mnt/backup
reboot
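The whole dump / verify / format / restore sequence above, as an added example that is not part of the original post, with the checks one would want before the mkfs step: the image must not land on the partition being dumped, the backup volume must have room for it, the dumped stream and the written image must hash the same, and the UUID from the old fstab is carried over automatically. Device names, mount points and the fstab contents are assumptions; backup_format_restore needs root on the rescue system, while the helpers also work on plain files.

```sh
#!/bin/sh
# Added example, not the post's own code: the backup-and-restore procedure
# with safety checks. The helpers take paths, so they work on plain files too;
# backup_format_restore must be run as root from SystemRescueCd with the
# source partition unmounted.

# Refuse to write an image onto the very partition being dumped (a typo such as
# "pv /dev/sda1 > /mnt/gentoo/sda1.img" after forgetting the umount).
# Compares resolved paths, so /dev/disk/by-uuid/... symlinks are handled.
same_device() {
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Free bytes on the filesystem that holds the given directory.
free_bytes() {
    df -P -k "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

# Size in bytes of a block device (needs root) or of a regular file.
size_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# Dump $1 to $2 while hashing the stream, then hash the written image and
# compare: a truncated image (FAT's 4 GiB file limit, a backup disk that
# filled up) fails here instead of halfway through the restore. Replace "cat"
# with "pv" for the progress bar; it is a plain stdin-to-stdout copy either way.
image_verified() {
    src=$1; img=$2
    if same_device "$src" "$img"; then
        echo "refusing: $src and $img are the same device" >&2; return 1
    fi
    need=$(size_bytes "$src"); have=$(free_bytes "$(dirname "$img")")
    if [ "$have" -lt "$need" ]; then
        echo "refusing: need $need bytes, only $have free for $img" >&2; return 1
    fi
    stream_sum=$(cat "$src" | tee "$img" | sha256sum | cut -d' ' -f1)
    image_sum=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$stream_sum" != "$image_sum" ]; then
        echo "hash mismatch: $img is not usable" >&2; return 1
    fi
    # Sidecar in sha256sum -c format, kept next to the image for later checks.
    printf '%s  %s\n' "$image_sum" "$img" > "$img.sha256"
}

# UUID that the old fstab uses for a mount point (empty if it uses a device
# path or a label), so the new filesystem can be given the same one.
fstab_uuid() {
    # usage: fstab_uuid <fstab> <mountpoint>
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 }' "$1"
}

# The full procedure, e.g.: backup_format_restore /dev/sda1 /mnt/backup/sda1.img /mnt/gentoo /mnt/custom
backup_format_restore() {
    src=$1; img=$2; root=$3; scratch=$4
    image_verified "$src" "$img" || return 1
    mount -o loop,ro "$img" "$scratch" || return 1
    uuid=$(fstab_uuid "$scratch/etc/fstab" /)
    mkfs.ext4 "$src" || return 1
    if [ -n "$uuid" ]; then tune2fs -U "$uuid" "$src"; fi
    mount "$src" "$root" || return 1
    # -H keeps hard links, -A and -X keep ACLs and xattrs (file capabilities,
    # SELinux labels); plain -a would silently drop them on a full-system restore.
    rsync -aHAX --numeric-ids "$scratch/" "$root/"
    umount "$root"; umount "$scratch"
}
```

The hash comparison costs one extra read of the image, which is cheap next to the restore and is the only point in the procedure where a bad backup can still be caught before the mkfs destroys the original.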