While many of the commercial tools have been developed for Windows or Mac environments, the Linux platform deserves its own section, as it contains extremely powerful tools that can assist in a forensic investigation. Throughout the book, various hands-on exercises are performed to demonstrate to the user how a certain program or process is run. For example, forensic acquisitions are performed as well as various forensic tools run through a command prompt. Some tools make sense to run on a Mac workstation, while others are better performed on a Linux machine. Depending on the exercise, we will be jumping back and forth between operating systems, so be sure to note which platform is being used prior to following along. If you do not have a Linux or Macintosh workstation available, consider using a virtual machine to simulate the environment (building a Linux virtual machine is covered later in this section).
Introduction to Linux
In order to understand the Linux tools that will be used in Chapter 6, it is important to have an understanding of the Linux operating system as well as some of the basic commands. Linux was originally created by Linus Torvalds, a young student from Finland. The first version of the Linux Kernel (v1.0) was released in 1994, with the latest running version being 2.6. One of the more interesting aspects of the Linux kernel is that it was developed under the GNU General Public License. This means that the source code is freely distributed and available to the general public for use.
In Linux, all files are part of the same file structure, as opposed to a Windows environment, which has separate drives (C:/ - hard disk, D:/ - CD-ROM, etc.). If a user connects a hard drive and a USB drive to a Linux workstation, they will all be part of the same folder structure as shown in the following text:
kstrzempka@linux-001:/$ tree -L 1 /
In the above code, the “/” signifies the root of the file system. The following describes some of the folders in the root directories and the types of files they might contain:
• /etc: Configuration files for software that was downloaded and installed on the system.
• /home/<users>: Within the home directory, there will be a folder for each of the users on the system. Each user's files will then be stored within his or her particular folder.
• /dev: External devices that have been connected to the machine are listed here. Any SATA/SCSI devices connected over USB or FireWire are listed as “/dev/sda,” “/dev/sdb,” etc. They are assigned letters in the order in which they are connected to the machine.
• /var: System log files are stored here.
For each folder or file on a Linux workstation, file permissions are shown for three different types of users: the owner, a group, and the world (others). They are listed as either “r” (read), “w” (write), or “x” (execute). In the following example, the user has read and write permissions, while the group and other have read-only. The “-” at the very beginning of each line signifies that the object is a file. If it were a directory, there would be a “d” in place of the hyphen, or an “l” if it were a link to another file or directory.
kstrzempka@linux-001:~/Desktop/book-screenshots$ ls -l
-rw-r--r-- 1 kstrzempka kstrzempka 24655 2010-12-15 17:38 iPhone-connected-DFU.png
-rw-r--r-- 1 kstrzempka kstrzempka 26203 2010-12-15 17:37 linux-iphone-normal.png
-rw-r--r-- 1 kstrzempka kstrzempka 27311 2010-12-17 15:15 nano-hosts-file.png
Various commands can be used to modify permissions on a file or folder. To change permissions, it is important to understand the numerical (or “octal”) value for read, write, and execute assignments. Permissions are calculated by adding the following values:
• r (read): 4
• w (write): 2
• x (execute): 1
So, if a user, group, or other is assigned a “7” (4 + 2 + 1), they would have read, write, and execute permissions. The command to modify permissions as well as a few examples are shown in the “Basic Linux commands” section.
Basic Linux commands
The following sections provide a breakdown of some of the common Linux commands including a description of the command, its general usage, and one or more examples of how the command can be applied. For a reference guide, see Appendix X: Linux Cheat Sheet.
• man
Description: Pulls up online manuals for the requested command in the terminal window. Within the manual will be a detailed description of the command as well as its usage (including all of the options or “flags” for that command).
$ man [-][-k keywords] commands
In the following examples, the first command lists information on the “mount” command, while the second searches all manuals containing the characters “zip”:
MOUNT(8)                Linux Programmer's Manual                MOUNT(8)

NAME
       mount - mount a filesystem

SYNOPSIS
       mount -a [-fFnrsvw] [-t vfstype] [-O optlist]
       mount [-fnrsvw] [-o option[,option]...] device|dir
       mount [-fnrsvw] [-t vfstype] [-o options] device dir

DESCRIPTION
       All files accessible in a Unix system are arranged in one big tree, the file hierarchy, rooted at /. These files can be spread out over several devices. The mount command serves to attach the filesystem found on some device to the big file tree. Conversely, the umount(8) command will detach it again.

       The standard form of the mount command is
Archive::Any::Plugin::Zip (3pm) - Archive::Any wrapper around Archive::Zip
Archive::Zip (3pm)   - Provide an interface to ZIP archive files.
Archive::Zip::FAQ (3pm) - Answers to a few frequently asked questions about Archive::Zip
Archive::Zip::MemberRead (3pm) - A wrapper that lets you read Zip archive members as if they were files.
Archive::Zip::Tree (3pm) - (DEPRECATED) methods for adding/extracting trees using Archive::Zip
bunzip2 (1)          - a block-sorting file compressor, v1.0.4
bzcmp (1)            - compare bzip2 compressed files
bzdiff (1)           - compare bzip2 compressed files
bzegrep (1)          - search possibly bzip2 compressed files for a regular expression
bzfgrep (1)          - search possibly bzip2 compressed files for a regular expression
bzgrep (1)           - search possibly bzip2 compressed files for a regular expression
bzip2 (1)            - a block-sorting file compressor, v1.0.4
bzip2recover (1)     - recovers data from damaged bzip2 files
bzless (1)           - file perusal filter for crt viewing of bzip2 compressed text
bzmore (1)           - file perusal filter for crt viewing of bzip2 compressed text
funzip (1)           - filter for extracting from a ZIP archive in a pipe
gpg-zip (1)          - encrypt or sign files into an archive
gunzip (1)           - compress or expand files
gzip (1)             - compress or expand files
Image::ExifTool::ZIP (3pm) - Read ZIP archive meta information
lz (1)               - gunzips and shows a listing of a gzip'd tar'd archive
mzip (1)             - change protection mode and eject disk on Zip/Jaz drive
prezip-bin (1)       - prefix zip delta word list compressor/decompressor
tgz (1)              - makes a gzip'd tar archive
unzip (1)            - list, test and extract compressed files in a ZIP archive
unzipsfx (1)         - self-extracting stub for prepending to ZIP archives
uz (1)               - gunzips and extracts a gzip'd tar'd archive
zforce (1)           - force a '.gz' extension on all gzip files
zip (1)              - package and compress (archive) files
zipcloak (1)         - encrypt entries in a zipfile
zipgrep (1)          - search files in a ZIP archive for lines matching a pattern
zipinfo (1)          - list detailed information about a ZIP archive
zipnote (1)          - write the comments in zipfile to stdout, edit comments and rename files in zipfile
zipsplit (1)         - split a zipfile into smaller zipfiles
• help
Description: Displays information on the requested command, including usage and examples, similar to “man.” Some commands use the --help notation, while others simply use -h or -help.
Usage: mount -V                 : print version
       mount -h                 : print this help
       mount                    : list mounted filesystems
       mount -l                 : idem, including volume labels
So far the informational part. Next the mounting.
The command is 'mount [-t fstype] something somewhere'.
Details found in /etc/fstab may be omitted.
       mount -a [-t|-O] ...     : mount all stuff from /etc/fstab
       mount device             : mount device at the known place
       mount directory          : mount known device here
       mount -t type dev dir    : ordinary mount command
Note that one does not really mount a device, one mounts
a filesystem (of the given type) found on the device.
One can also mount an already visible directory tree elsewhere:
       mount --bind olddir newdir
or move a subtree:
       mount --move olddir newdir
One can change the type of mount containing the directory dir:
       mount --make-private dir
       mount --make-unbindable dir
One can change the type of all the mounts in a mount subtree
containing the directory dir:
       mount --make-rshared dir
       mount --make-rprivate dir
       mount --make-runbindable dir
A device can be given by name, say /dev/hda1 or /dev/cdrom,
or by label, using -L label, or by uuid, using -U uuid.
Other options: [-nfFrsvw] [-o options] [-p passwdfd].
For many more details, say man 8 mount.
• cd
Description: This command is used to change into another directory. In Linux, the special character “~” is used to represent the current user's home directory. For example, the user kstrzempka has a home directory on a Linux system at /home/kstrzempka. From anywhere in the file system, you can use ~ to refer to /home/kstrzempka. This works well for documentation, so throughout this book we refer to ~ and, even if you have set up a different user name, the command will still function as expected.
$ cd ~
(changes into the user's home directory from anywhere)
$ cd
(changes into the user's home directory from anywhere)
$ cd ~/Desktop/Projects
(changes into the “Projects” folder located on the user's Desktop)
$ cd ..
(changes directories up 1 level, back into “Desktop”)
$ cd ../../
(changes directories up 2 levels)
$ cd /
(changes into the root file system folder from anywhere)
• mkdir
Description: Creates a directory in the current location, unless otherwise specified.
$ mkdir iPhone
(creates the “iPhone” folder in the current directory)
$ mkdir -p ~/iPhone/Forensics/Book
(creates the full path of directories even if the top levels do not exist)
• rmdir/rm
Description: Removes existing directories or files based on the flags specified. The “rmdir” command will only remove empty folders. If there are files within the directory, these will first need to be removed prior to running the “rmdir” command. The “rm” command can be used to remove both files and folders and will prompt the user prior to removing. You can override the prompt with the -f option, but use it with caution.
$ rmdir Linux
(removes only an empty folder)
$ rmdir -p /Linux/Forensics/Book
(removes each folder within the specified path)
$ rm -r Linux
(removes the specified folder and all of its contents)
$ rm -rf Linux
(removes the specified folder and all of its contents without prompting)
$ rm test.txt
(deletes the specified file)
$ rm *.txt
(deletes all .txt files within the current directory)
$ rm *
(deletes all files within the current directory)
• pico/nano
Description: Both pico and nano are CLI text editors that allow the creation and modification of text files. These commands must be run within the directory in which the user wishes to save the file. Pico will be used for this example, but nano is run the same way. To create a file, simply type the command.
Typing “pico” will open the text editor within the CLI, allowing the user to enter whatever text he or she wishes (see Figure 1.7).
When the text has been entered, pressing “Ctrl+X” will “exit” the text editor and allow the user to save. As shown in Figure 1.7, this particular file was saved as “Test” and, upon hitting enter, was saved in the user's current directory.
To modify an already existing file, simply follow the command with the file name, or with the full path and file name if the file is in a different directory:
• ls
Description: Lists files and folders. The “ls” command without any options specified will list only the file/folder names in the current directory. Adding the “-lh” options will provide a long listing with more details on each file, including permissions, ownership, size (in human-readable units), and date and timestamps.
kstrzempka@linux-001:~/Desktop/book-screenshots$ ls
iPhone-connected-DFU.png  linux-iphone-normal.png  nano-hosts-file.png
kstrzempka@linux-001:~/Desktop/book-screenshots$ ls -lh
-rw-r--r-- 1 kstrzempka kstrzempka 25K 2010-12-15 17:38 iPhone-connected-DFU.png
-rw-r--r-- 1 kstrzempka kstrzempka 26K 2010-12-15 17:37 linux-iphone-normal.png
-rw-r--r-- 1 kstrzempka kstrzempka 27K 2010-12-17 15:15 nano-hosts-file.png
• tree
Description: Shows the hierarchy of folders for the directory specified. If no parameters are specified, the current directory will be used. In Linux, the current directory is referred to as a single “.” while one directory up is a double period “..”. In the following output, the current directory is used, which happens to be the current user's home directory. The user can specify how many directory levels he or she wishes to view with the “-L” flag. In the first example, one level is shown, whereas in the second example, two levels of the source directory and files are shown. Remember that the full details of any command can be found in its man page (man tree) or by specifying the command's help parameter (tree --help).
kstrzempka@linux-001:~$ tree -L 1 .
kstrzempka@linux-001:~$ tree -L 2 Desktop/
Desktop/
├── book-screenshots
│   ├── iPhone-connected-DFU.png
│   ├── linux-iphone-normal.png
│   └── nano-hosts-file.png
├── Directions for viewing recovered iPhone data.pdf
└── README.Multiplatform
• less
Description: Displays specified text one page at a time. This command is commonly used in conjunction with other commands to show output one page at a time. The following command will display the contents of “large-document.pdf” one screen at a time within the terminal window:
$ less large-document.pdf
Once you are in the less utility, there are a few key commands to remember.
• spacebar: display one screen/page down
• b: display one screen/page up
• /: search for a pattern
• Enter: move one line down
There are many more commands and tricks to this powerful utility, so read the help screens, man page, or simply search the Internet for more helpful tips.
• cat
Description: Outputs the contents of a file to the screen, or to a new file if specified (without retaining the format of the file).
kstrzempka@linux-001:~/Desktop$ cat textfile.txt
iphone forensics is so much fun.
This file contains unnecessary information used to display the workings of the “cat” command.
The “cat” command can be used in conjunction with “less” in order to display the contents of a file one page at a time.
This command can also be used to combine files into one (i.e., for split forensic images). This is often referred to as concatenating files.
$ cat file1.txt file2.txt file3.txt > final.txt
• find
Description: Used to search for files in a directory hierarchy. The following command will list all of the files, including the full path, contained on the specified user's desktop:
$ find /home/kstrzempka/Desktop
The find command can also be used in combination with another command. For example, the following will run the “md5sum” command on the files from the “find” command:
$ find . -type f -exec md5sum {} \; > ~/md5.txt
In this example, the command instructs the computer to find regular files (-type f) in the current directory (“.”) and execute (-exec) the md5sum command on each file found ({}). The “\;” signifies the end of the -exec command; the semicolon is escaped so that the shell passes it to find instead of interpreting it itself. It then takes that output and redirects it (>) to “md5.txt” in the user's home directory (Grundy, 2008).
If one runs a command against a large number of files in this way, one can run into issues, since find starts a separate md5sum process for every file. In those cases, one should research piping the output of the find command to a utility called xargs.
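The find-to-xargs approach mentioned above, carried through as an added example (not the book's own code): it hashes a directory tree into a manifest and then verifies the tree against it, the way an examiner checks that an evidence folder has not changed. It assumes GNU/busybox coreutils (md5sum, sort, mktemp) and builds its own small sample tree, whose file names are taken from the listings in this chapter.

```shell
#!/bin/sh
# Added example, not from the book: hash every regular file under a directory
# into a manifest with find | xargs, then re-verify the tree against it.
# -print0 / -0 keep names containing spaces intact, and xargs batches many
# names per md5sum run instead of spawning md5sum once per file as
# "-exec md5sum {} \;" does.
set -eu

# hash_tree DIR MANIFEST: write "md5  ./path" lines for every regular file
# under DIR, sorted by path so two runs over identical trees compare equal.
hash_tree() {
    ( cd "$1" && find . -type f -print0 | xargs -0 md5sum ) | sort -k 2 > "$2"
}

# verify_tree DIR MANIFEST: re-hash DIR and check it against MANIFEST.
# Returns 0 when every file matches, non-zero if any file changed or is gone.
# Paths in the manifest are relative to DIR, so the check runs from inside it
# and the manifest path is made absolute first.
verify_tree() {
    case $2 in /*) m=$2 ;; *) m=$PWD/$2 ;; esac
    ( cd "$1" && md5sum -c "$m" > /dev/null )
}

# manifest_demo: constructed sample tree (placeholder contents), proves the
# manifest verifies, then appends to one file and proves verification fails.
# Prints the number of manifest entries and returns 0 on success.
manifest_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/Desktop/book-screenshots"
    printf 'iphone forensics is so much fun.\n' > "$work/Desktop/textfile.txt"
    printf 'placeholder\n' > "$work/Desktop/Directions for viewing recovered iPhone data.pdf"
    printf 'placeholder\n' > "$work/Desktop/book-screenshots/nano-hosts-file.png"
    hash_tree "$work/Desktop" "$work/md5.txt"
    verify_tree "$work/Desktop" "$work/md5.txt" || return 1     # untouched tree must pass
    printf 'tampered\n' >> "$work/Desktop/textfile.txt"
    if verify_tree "$work/Desktop" "$work/md5.txt" 2> /dev/null; then
        return 1                                                 # a modified file must not pass
    fi
    wc -l < "$work/md5.txt" | tr -d ' '
    rm -rf "$work"
}

manifest_demo
```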
• chmod
Description: Short for “change mode,” this command changes file or folder permissions, as described in the previous section. Many examples are provided in the following text. Note that these commands must either be run in the directory in which “textfile.txt” is stored, or the full path to the file must be provided.
*Provides details on the file permissions for “textfile.txt”
kstrzempka@linux-001:~/Desktop$ ls -l textfile.txt
-rw-r--r-- 1 kstrzempka kstrzempka 264 2011-03-01 12:17 textfile.txt
*Gives read, write, and execute permissions for the owner, and read and execute permissions for group and world.
kstrzempka@linux-001:~/Desktop$ chmod 755 textfile.txt
kstrzempka@linux-001:~/Desktop$ ls -l textfile.txt
-rwxr-xr-x 1 kstrzempka kstrzempka 264 2011-03-01 12:17 textfile.txt
*Gives read, write and execute permissions for the owner, and execute permissions for group and world.
kstrzempka@linux-001:~/Desktop$ chmod 711 textfile.txt
kstrzempka@linux-001:~/Desktop$ ls -l textfile.txt
-rwx--x--x 1 kstrzempka kstrzempka 264 2011-03-01 12:17 textfile.txt
*Gives read, write and execute permissions for the owner, and read-only permissions for group and world.
kstrzempka@linux-001:~/Desktop$ chmod 744 textfile.txt
kstrzempka@linux-001:~/Desktop$ ls -l textfile.txt
-rwxr--r-- 1 kstrzempka kstrzempka 264 2011-03-01 12:17 textfile.txt
The “chmod” command can also be run on a group of files or a folder.
$ chmod 755 *
(Changes permissions of all files in the current directory)
$ chmod -R 444 Files/
(Changes permissions of the “Files” directory and, with -R, all of the files within it)
• chown
Description: Changes the owner or group of a specified file. In the following example, the original owner and group of “textfile.txt” was kstrzempka. The chown command changed the owner to “root.” This command required “sudo” (see the description of the sudo command).
kstrzempka@linux-001:~/Desktop$ ls -l textfile.txt
-rwxr--r-- 1 kstrzempka kstrzempka 264 2011-03-01 12:17 textfile.txt
kstrzempka@linux-001:~/Desktop$ sudo chown root textfile.txt
[sudo] password for kstrzempka:
kstrzempka@linux-001:~/Desktop$ ls -l textfile.txt
-rwxr--r-- 1 root kstrzempka 264 2011-03-01 12:17 textfile.txt
• sudo
Description: Running a command with “sudo” in front of it gives the user elevated permissions, allowing him or her to run a command as the super user or another user. Sudo is required to run certain commands such as apt-get (to install software), chown (to change ownership), and many other commands depending on the files they must access. To use sudo, it is simply added at the beginning of a command and it requires the user to enter his/her password.
$ sudo apt-get install hexedit
[sudo] password for viaForensics:
• apt-get
Description: The “apt” part of the apt-get command stands for Advanced Packaging Tool (APT) and allows the user to install and uninstall software, upgrade existing software, or even perform system updates. To successfully run this command, sudo is required.
$ sudo apt-get install scalpel
(Installs scalpel software package)
[sudo] password for viaForensics:
$ sudo apt-get remove scalpel
(Uninstalls scalpel software package)
[sudo] password for viaForensics:
$ sudo apt-get update
(Updates the APT package index, which stores packages available for download)
[sudo] password for viaForensics:
$ sudo apt-get upgrade
(Upgrades APT package versions, including security updates; must be run AFTER update)
[sudo] password for viaForensics:
• grep
Description: Searches through a file or a list of files and folders for a specified phrase. It is equivalent to opening a document and doing a “find” for a certain phrase. The search is case sensitive, so if the user is unsure of whether a letter should be capitalized or lower cased, he or she must specify the “-i” (case insensitive) flag. This option will take longer, depending on the size of the file that is being searched. The general usage is:
The following contains several examples of the usage of “grep:”
$ grep Forensics iPhoneBook.txt
(will search for “Forensics”, case sensitive, in the specified file)
$ grep -i forensics iPhoneBook.txt
(will search for forensics, case insensitive, in the specified file)
$ grep "Katie Strzempka" iPhoneBook.txt
(will search the specified file for “Katie Strzempka”, case sensitive)
The next command searches the contents of all files on the user's desktop for the word “unnecessary.” The results shown indicate that this word was found in “textfile.txt,” and there are matches for this word in “WXP-PRO-OEM.iso” also. Because this is a binary file, further techniques will need to be used to make the content viewable.
kstrzempka@linux-wks-001:~/Desktop$ grep unnecessary *
textfile.txt:This file contains unnecessary information used to display the workings of the “cat” command.
Binary file WXP-PRO-OEM.iso matches
• Piping and redirecting files (| and >)
Description: The pipe character “|” (located above the “Enter” key on most keyboards) allows the output of one command to be sent to another for further processing. Output can also be redirected into another file using “>”.
The following command takes the results of “cat file.txt” and pipes it to the “less” command, allowing the user to view the contents one page at a time.
The next searches for “iPhone” in “book.txt” (using the grep command), then it takes the results and searches again for “iOS.” The final results are then piped through “less” to be displayed one page at a time.
$ grep iPhone book.txt | grep iOS | less
Redirecting output from a command can also be helpful. The following command takes the output of book.txt (using the cat command) and copies the output into a file called “newdocument.txt” on the user's desktop:
$ cat book.txt > ~/Desktop/newdocument.txt
Redirection can be very helpful when running the “strings” command on a particular file, or an entire disk image. This very example is shown in detail in Chapter 6 – Data and Application Analysis (“Strings” section).
• xxd
Description: This tool generates a hex dump of a provided file or disk image. It allows an examiner to view these files in hex format, jump to a specific offset, or even search the file for data. There are other hex editors that can also be used for this purpose; however, xxd is standard within a Linux build. The general usage is as follows:
The following command displays the Photos.sqlite file from an iPhone file system using xxd. When using xxd, it is better to either pipe it through “less” and view one page at a time, or redirect the output to another file for viewing, as there is a significant amount of data when using this command.
kstrzempka@linux-wks-001:~$ xxd ~/Desktop/Photos.sqlite | less
0000000: 5351 4c69 7465 2066 6f72 6d61 7420 3300  SQLite format 3.
0000010: 1000 0101 0040 2020 0000 003f 0000 0000  .....@  ...?....
0000020: 0000 0028 0000 0002 0000 000c 0000 0001  ...(............
0000030: 0000 0000 0000 0000 0000 0001 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0d00 0000 0d07 f400 0f12 0ec0  ................
0000070: 0dfa 0d5c 0cc7 0b7f 0b17 0a64 09cc 0945  ...\.......d...E
0000080: 08d6 085b 07f4 0000 0000 0000 0000 0000  ...[............
At the beginning of a disk image, database, or other type of file, there are oftentimes a lot of zeros (in other words, no data). The “-a,” or autoskip option, will jump straight to the section of the file that contains actual data:
kstrzempka@linux-wks-001:~$ xxd -a ~/Desktop/Photos.sqlite | less
0000000: 5351 4c69 7465 2066 6f72 6d61 7420 3300  SQLite format 3.
0000010: 1000 0101 0040 2020 0000 003f 0000 0000  .....@  ...?....
0000020: 0000 0028 0000 0002 0000 000c 0000 0001  ...(............
0000030: 0000 0000 0000 0000 0000 0001 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0d00 0000 0d07 f400 0f12 0ec0  ................
0000070: 0dfa 0d5c 0cc7 0b7f 0b17 0a64 09cc 0945  ...\.......d...E
0000080: 08d6 085b 07f4 0000 0000 0000 0000 0000  ...[............
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
00007f0: 0000 0000 650d 0717 391b 0181 0369 6e64  ....e...9....ind
0000800: 6578 476c 6f62 616c 7349 6465 6e74 6966  exGlobalsIdentif
0000810: 6965 7249 6e64 6578 476c 6f62 616c 730e  ierIndexGlobals.
0000820: 4352 4541 5445 2049 4e44 4558 2047 6c6f  CREATE INDEX Glo
0000830: 6261 6c73 4964 656e 7469 6669 6572 496e  balsIdentifierIn
If you really want to get crazy, you can also use the “-b” option to view the image in binary!
kstrzempka@linux-wks-001:~$ xxd -b iPhone.dmg | less
05843f4: 00000000 01100001 00000000 01110000 00000000 01110000  .a.p.p
05843fa: 00000000 01101100 00000000 01100101 00000000 00101110  .l.e..
0584400: 00000000 01101101 00000000 01101111 00000000 01100010  .m.o.b
0584406: 00000000 01101001 00000000 01101100 00000000 01100101  .i.l.e
058440c: 00000000 01101001 00000000 01110000 00000000 01101111  .i.p.o
Having the ability to view a file or, better yet, a disk image at the byte level gives the examiner a significant amount of power. This option is further explored in Chapter 6 within the “Advanced Forensic Analysis” section.
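Rather than paging through a whole dump, xxd's -s (seek) and -l (length) options read just the bytes of interest. As an added example (not the book's code), the functions below apply that to the SQLite header shown above: the first 16 bytes are the magic “SQLite format 3” followed by a NUL, and bytes 16–17 hold the page size as a big-endian value (the 1000 at offset 0x10 above is 4096). The sample file is constructed from the bytes printed above, not a real Photos.sqlite; od is used as a fallback where xxd is not installed.

```shell
#!/bin/sh
# Added example, not from the book: read specific offsets of a file with
# xxd -s/-l instead of dumping all of it, and parse the SQLite 3 header.
set -eu

# hex_at FILE OFFSET LENGTH: LENGTH bytes at OFFSET as one lowercase hex string.
# xxd -p prints plain hex; od gives the same bytes when xxd is absent.
hex_at() {
    if command -v xxd > /dev/null 2>&1; then
        xxd -s "$2" -l "$3" -p "$1" | tr -d '\n'
    else
        od -An -v -t x1 -j "$2" -N "$3" "$1" | tr -d ' \n'
    fi
}

# is_sqlite FILE: returns 0 if the first 16 bytes are "SQLite format 3\0".
is_sqlite() {
    [ "$(hex_at "$1" 0 16)" = "53514c69746520666f726d6174203300" ]
}

# sqlite_page_size FILE: big-endian 16-bit value at offset 16. SQLite stores
# 1 to mean a 65536-byte page, so that case is mapped explicitly.
sqlite_page_size() {
    n=$((0x$(hex_at "$1" 16 2)))
    if [ "$n" -eq 1 ]; then n=65536; fi
    echo "$n"
}

# header_demo: writes the 32 header bytes from the dump above (octal escapes,
# so POSIX printf emits the NUL bytes), checks that the magic is recognised
# and that a plain text file is not, then prints the parsed page size.
header_demo() {
    f=$(mktemp)
    printf 'SQLite format 3\000\020\000\001\001\000\100\040\040\000\000\000\077\000\000\000\000' > "$f"
    printf 'iphone forensics is so much fun.\n' > "$f.txt"
    if is_sqlite "$f" && ! is_sqlite "$f.txt"; then
        sqlite_page_size "$f"
        rm -f "$f" "$f.txt"
    else
        rm -f "$f" "$f.txt"
        return 1
    fi
}

header_demo
```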
Setting up a Linux virtual machine
In order to install and run the tools listed in the previous section, an examiner must have access to a Linux workstation. It is realized that access to this type of physical machine is not always available. For this reason, it is important to point out that Linux can be run in a virtual environment. In this section, the process of setting up a Linux virtual machine (VM) will be covered.
For this example, VirtualBox is going to be used. VirtualBox is now owned by Oracle and has a free license for academic and personal use. If you are using VirtualBox for commercial work, please ensure you follow all licensing guidelines.
VirtualBox can be downloaded for many operating systems including Microsoft Windows, Mac OS X, and Linux (2.4 and 2.6) at http://www.virtualbox.org/. After VirtualBox has been installed, one will see the Oracle VM VirtualBox Manager shown in Figure 1.8, where one can create and manage new virtual machines.
When creating the new VM, one must make sure that one has enough hard drive space (at least 20 GB is recommended) and as much RAM as can be spared.
Using the VirtualBox Manager GUI to create the new VM is straightforward. However, if one has access to an Ubuntu Linux 64-bit workstation or server but not the ability to run desktop applications, here are the steps one can follow to set up, configure, and run the new VM (VirtualBox 3.2.10).
From an SSH session, it is best to use the program screen so that if connection to the server is lost, one's VM remains active. Then, these steps are to be followed:
wget http://ubuntu.mirrors.pair.com/releases/maverick/ubuntu-10.10-desktop-amd64.iso
VBoxManage createvm -name iphone-book-vm -ostype Ubuntu -register
VBoxManage modifyvm iphone-book-vm --memory 1536 --acpi on --boot1 dvd \
    --nic1 bridged --usb on --usbehci on --vrdp on --vrdpport 3392 \
    --clipboard bidirectional --pae on --hwvirtex on --hwvirtexexcl on --vtxvpid on \
    --nestedpaging on --largepages on
VBoxManage modifyvm iphone-book-vm --bridgeadapter1 eth0
VBoxManage storagectl iphone-book-vm --name "IDE Controller" --add ide
VBoxManage createvdi --filename ~/vbox/iphone-book-vm.vdi --size 20000 --register
VBoxManage storageattach iphone-book-vm --storagectl "IDE Controller" \
    --port 0 --device 0 --type hdd --medium ~/vbox/iphone-book-vm.vdi
VBoxManage storageattach iphone-book-vm --storagectl "IDE Controller" \
    --port 1 --device 0 --type dvddrive --medium ~/vbox/ubuntu-10.10-desktop-i386.iso
VBoxHeadless -startvm iphone-book-vm -p 3392 &
# need to eject the DVD, then restart
VBoxManage storageattach iphone-book-vm --storagectl "IDE Controller" --port 1 \
    --device 0 --type dvddrive --medium none
# restart the virtual machine
VBoxHeadless -startvm iphone-book-vm -p 3392
At this point, the VM will start up and one can access the install using any remote desktop protocol (RDP) viewer such as Remote Desktop Connection on Windows, rdesktop on Linux, or Microsoft's Remote Desktop Connection Client for Mac. To access the above session, one would have to connect to <host server's IP:3392>. From there, the install is followed until it is time to reboot.
If a shutdown or the reboot ends the VBoxHeadless session, you can simply issue the command again to bring the server back up. Then, RDP back into the machine and install openssh-server, so that ssh can be used instead of the less efficient RDP:
sudo apt-get install openssh-server
Now, the VM's IP address can be found by running ifconfig and looking at the “inet addr” for eth0. One can use one's favorite ssh program (on Windows, PuTTY is a great, free client) and ssh into the virtual machine. At this point, one can download and install any of the forensic tools listed in the previous section. Details on how to install and compile some of these programs, such as scalpel or timeline, can be found in Chapter 6.