Let’s imagine the following fictional scenario:
You are operating on a shoe string security budget. An old Windows XP SP0 machine was compromised and you are tasked with acquiring a raw hard drive image so that you can perform some forensics on that image later on. To keep things simple we are leaving memory forensics for another time :).
NOTE: You can of course use this method for non compromised machines too but in this post “the machine from which we will retrieve the hard drive image” will be called “the compromised machine” for brevity :).
NOTE 2: Try not to skim too much through this and look at least look at the security notes at the end!
How can you do this?
One simple way to do it is with Backtrack 5: This Linux distribution comes with a new Forensically sound boot mode and most of the best security tools (including forensic tools) already installed for you.
Virtual machines note
You can also use this method (which is more likely to be useful in real life and is also very simple to carry out) to convert vmdk hard drive images into raw hard drive images instead of the serious pain other people went through to achieve similar things -that is ok for fun! and many thanks to all the guys who took the time to document all that in the links that follow- (tools with cumbersome installation steps, multiple time consuming steps and significant limitations -like not being able to process more than 2GB hard drives-, no VMWare 7 hard drive support, etc).
Once you have the raw hard drive image you can pretty much convert to any virtualisation platform using some of the information in the previous links flawlessly.
The method described in this post will always work: Both for real systems as well as virtual machines. It is important to note that this will also work with Virtual Box, Qemu or any other virtualisation platform (not just VMWare) because it is platform agnostic (you only need the virtualisation platform to let you boot from the ISO file and you are set).
For all these reasons I believe this is one of the best methods to capture a raw hard drive image.
Step 1 – Download a Backtrack ISO image from the website or torrent
Burn that to a DVD if using a physical system or set the ISO file as a DVD if using VMWare or similar.
Step 2 – Reboot the compromised machine, configure the BIOS to boot from the DVD (set the ISO file as a DVD if using VMWare)
This is a bit obvious but here is a screenshot anyway (note how the CD-ROM is at the top of the boot sequence):
Step 3 – Boot the compromised machine from the Backtrack 5 DVD in Forensics mode
NOTE: Type enter on the black screen before this if you are impatient 😉
NOTE: You will of course have to setup the network and verify connectivity after you boot
In this example, the compromised machine will be setup as 192.168.7.10.
Step 4 – Prepare a netcat listener to capture the image over the network
A common problem when capturing a raw hard drive image is: Where can I store these many GB?? A USB dongle or a slave hard drive are somewhat cumbersome options. There is an easier way: Capture the raw hard drive image over the network (i.e. to a machine that has access to more hard drive space to store the image).
One way to do this is to setup a netcat listener on a given port so that input to that port is saved as a raw image on that machine. The netcat listener machine can also be a Backtrack 5 DVD or installation but you only really need netcat and dd for this.
In this example the netcat listener machine is 192.168.7.123. The netcat listener can be prepared as follows: First netcat listens on port 123 -you can obviously choose any port for this!-, all the input to this port is redirected to the dd command, which will save the output file -“of” for short- as WinXPSP0.img:
# nc -nlvp 123 | dd of=WinXPSP0.img
Step 5 – Send the raw image over the network from the compromised machine
Because Backtrack has been booted in Forensics mode the hard drive is not mounted, we need to determine what device the hard drive is on, to do this we can search for things like “sda” or “hda” in the dmesg command output:
# dmesg | grep sda
We can also verify that the hard drive has not been mounted by analysing the mount command output (this returns nothing because it was not mounted):
# mount | grep sda
We can also verify that the device in question is what we expect it to be with the fsstat tool which is included by default in Backtrack 5 (for brevity we truncate the output so that only the file system is displayed):
# fsstat /dev/sda1 | head -3
After all these checks, we are ready to send the image over the network. In our example, we will read the raw hard drive data using the dd command (“if” is short for “input file”) and then pipe the output of that to netcat, which will send the raw data to our netcat listener that we setup earlier:
# dd if=/dev/sda1 | nc 192.168.7.123 123
You will note that nothing is displayed initially, that is ok, after this finishes (it will take a while depending on the hard drive size) you will get some stats on this screen, be patient!
All of this in one image:
Step 6 – Monitor and verify the raw image is transmitted correctly from the listener machine
On the listener machine you will basically see no output at all so what you can do is to look at how many GB have to be transmitted (for example from the output of the dmesg command above we know this is going to be 4.3GB or so) and look at how the image size grows over time in another window.
Only after you are sure all the raw data has been copied you can “Control + C” here to see the output of the dd command. You can verify the image is an NTFS volume with other tools like for example the file command:
In the screenshot above you can see how the connection is coming from 192.168.7.10, the compromised machine in this example. You should see this straight away and this will let you know things are working correctly. You will only see the dd stats after Control + C is pressed.
Security Notes
The security conscious among you will be thinking something along the lines of “you are sending a full raw hard drive image over the network in clear-text .. are you crazy?” if you thought this … good on you! 🙂
Encryption
NOTE: If you are doing this from two guest virtual machines on the same host machine (i.e. not really using the network at all, as I did above) encryption is really pointless and unnecessary overhead but nice for fun and experimentation :).
You can trivially change the netcat examples above by substituting netcat (nc) with sbd (which also comes with Backtrack, has similar switches to netcat and allows for good encryption):
Listener example:
Change this:
# nc -nlvp 123 | dd of=WinXPSP0.img
To this:
# sbd -nlvp 123 -k this_is_my_super_long_and_complex_password_type_something_else_here_lalala_hey | dd of=WinXPSP0.img
Compromised machine example:
Change this:
# dd if=/dev/sda1 | nc 192.168.7.123 123
To this:
# dd if=/dev/sda1 | sbd -k this_is_my_super_long_and_complex_password_type_something_else_here_lalala_hey 192.168.7.123 123
Limiting TCP connections
ok, that sorts out encryption, what about limiting TCP connections to only accept them from the compromised machine? (i.e. instead of anybody in your network/planet) You can also do this trivially by following the steps in this blog post.