Forensics: Mounting partitions from full-disk 'dd' images

Published: 2009-08-18
Last Updated: 2009-08-19 00:26:36 UTC
by Daniel Wesemann (Version: 1)
3 comment(s)

If you are, as I am, a GCFA who attended Rob Lee's famous training in the not-so-recent past, you probably still are "carving out" partitions from within an acquired full disk "dd" image by running it through another "dd". Given how quickly the disk sizes are increasing, this is highly inefficient both in terms of disk space and analyst time used.

But there's a better way. You already know how to use "loopback mount" on Linux to mount an image? Well, loopback mount supports an "offset" parameter that lets you mount a partition directly from within a larger full-disk image. Thusly:

root@ubuntu:/media/disk-1# ls -al
total 39082701
drwxrwxrwx 1 root root 4096 2009-07-12 13:33 .
drwxr-xr-x 4 root root 4096 2009-08-18 19:04 ..
-rwxrwxrwx 1 root root 878 2009-07-07 11:46 fdisk
-rwxrwxrwx 1 root root 701 2009-07-07 11:47 hdparm
-rwxrwxrwx 2 root root 40020664320 2009-07-07 14:34 image-sda
-rwxrwxrwx 1 root root 43 2009-07-07 12:02 md5sum
-rwxrwxrwx 1 root root 43 2009-06-29 13:13 md5sum-sda
drwxrwxrwx 1 root root 0 2009-07-11 19:03 $RECYCLE.BIN
root@ubuntu:/media/disk-1# fdisk -ul image-sda
You must set cylinders.
You can do this from the extra functions menu.

Disk image-sda: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9c879c87

Device     Boot Start End      Blocks    Id System
image-sda1 *    63    78140159 39070048+ 7  HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(4863, 254, 63)

root@ubuntu:/media/disk-1# mount -o ro,loop,offset=32256 -t auto image-sda /media/image
root@ubuntu:/media/disk-1# cd ..
root@ubuntu:/media# cd image
root@ubuntu:/media/image# ls
AUTOEXEC.BAT favorites ntldr Start Menu blp INFCACHE.1 pagefile.sys System Volume Information boot.ini IO.SYS Program Files temp

CONFIG.SYS MSDOS.SYS RECYCLER WINDOWS Documents and Settings NTDETECT.COM spoolerlogs
root@ubuntu:/media/image#


The magic "32256" offset passed to "mount" is easily explained as the start of the partition you are interested in (63 in this case) multiplied by the unit size (512 in this case).  If you have more than one partition, just repeat the above steps for the other slices.

There you go. This easily saves several hours and untold gigabytes of disk space compared to the GCFA "carving out" method.

 

Keywords: dd forensics
3 comment(s)

Domain tcpdump.org unavailable

Published: 2009-08-18
Last Updated: 2009-08-18 15:59:56 UTC
by Deborah Hale (Version: 2)
4 comment(s)

 

We received an inquiry today regarding a popular utility domain being unavailable.  It appears that there is some problem with tcpdump.org availability.  Does anyone have any information as to the cause for this outage?  Please let us know.

 Deb Hale Long Lines, LLC

Update: www.tcpdump.org is back online.

Update: Looks like the problem was a hitch in the XEN Kernel and the server had to be rebooted.  Thanks to our reader Robin for sending along the information from the folks at tcpdump.org letting us know what happened.

Keywords: outage website
4 comment(s)

Sysinternals Procdump Updated

Published: 2009-08-18
Last Updated: 2009-08-18 15:33:03 UTC
by Deborah Hale (Version: 1)
0 comment(s)

Sysinternals has released v1.4 that fixes a bug that was introduced in v1.3. This update fixes the compatibility problem with Windows XP and Windows Server 2003.

technet.microsoft.com/en-us/sysinternals/dd996900.aspx

 

Deb Hale Long Lines, LLC

Keywords: sysinternals
0 comment(s)

Security Bulletin for ColdFusion and JRun

Published: 2009-08-18
Last Updated: 2009-08-18 15:29:45 UTC
by Deborah Hale (Version: 1)
0 comment(s)

A security bulletin has been issued and a hotfix has been made available for ColdFusion version 8.0.1 and earlier versions and for JRun 4.0.  A critical vulnerability has been identified that could lead to the potential compromise of user accounts or compromise of the affected system.

For more information see:

www.adobe.com/support/security/bulletins/apsb09-12.html

 

Deb Hale Long Lines, LLC

Keywords: Adobe Hotfix
0 comment(s)

Website compromises - what's happening?

Published: 2009-08-18
Last Updated: 2009-08-18 15:20:57 UTC
by Deborah Hale (Version: 1)
6 comment(s)

Recently there seems to have been a lot of activity with websites getting hacked.  Folks are getting really frustrated and are looking for answers to what is causing the problems and what they can do to protect their sites from compromise.

Unfortunately I am not a web development expert.  We do have Handlers that are...  I just don't happen to be one of them.  My expertise with websites is hosting them and protecting the servers that we host our customers sites on.  I monitor activity on our servers and check log files daily for any unusual activity or attempts to hack our customers sites or attempts to hack into our servers.  The last few weeks we have had an increase in the attempts to access our servers (brute force).  As soon as these attempts are flagged they are added to the blocklist for our network.  It is incredible to me how many IP's I have had blocklisted (blocked) in a short amount of time.  

We had two customers domains get wacked.  In both cases the index.html file was replaced with a modified file that contained a hidden link to .ru websites.  In both cases these "alterations" were found to be the result of a Gumblar type infection on the customers PC that is used to do the upload of the website to our server.  It appears in both cases that it was a Gumblar type infection, however instead of the typical Gumblar that we saw back in the May 2009 timeframe - the domains involved were a couple of .ru domains.  Perhaps just shifting resources a little or perhaps a new strain of an old bad guy. In investigating the infection in the two domains involved, I came across a really good article explaining what Gumblar was all about. 

www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

The initial infections were both discovered over the weekend so I was unable to contact the customers immediately to let them know what was going on.  In both cases I disabled the index.html files and changed the passwords on the ftp accounts on the domains.  In both cases for several days afterwords I saw many attempts to login to the ftp accounts with incorrect passwords from multiple China IP addresses.  

This was an interesting exercise in web security for me.  My assumption was that the server itself was lacking in security.  I therefore worked very hard after taking this position to make sure that our webhosting servers were secured to the best of my ability and I aggressively monitor these servers to make sure that they continue to be secure.  Now I know, no matter how secure your hosting company tries to make your domains it may be your own internal lack of security practices that are putting your domains in jeopardy.

So my question to our readers is:

What are you doing to protect your webpages? 

We have had novice webpage developers in the past ask us what they can do to protect the security of their webpage.  Unfortunately we see that anyone now can create a webpage.  It doesn't take any special education or skills to create a webpage as we have witnessed by looking at the social networking sites. In these sites anyone (maybe even a monkey)  can create their own webpages. ( We have seen how secure that is). So what are your recommendations?

I would like to hear from you.  Please let me know if I can include your information in the diary. I will publish a list of the good tips that I get from you our readers.

 

Deb Hale Long Lines, LLC

6 comment(s)

MS09-039 exploit in the wild?

Published: 2009-08-18
Last Updated: 2009-08-18 10:24:24 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

We received a note from a reader who wanted to remain anonymous that the MS09-039 vulnerability is actively exploited in the wild. To remind you, this vulnerability affects servers with the WINS service installed. The patch fixes two vulnerabilities.

We do not have any technical information yet. However, the DShield graph shows a relatively high increase in targets for port 42 (see http://isc.sans.org/port.html?port=42):

 DShield port 42

TCP port 42 is used for WINS replication. It's also interesting that the number of sources isn't that high as well.

If you have some technical information or manage to acquire network traffic for this port (especially if coming from outside) please let us know.

--
Bojan

Keywords: exploit ms09039
0 comment(s)

Comments


Diary Archives