LinuxQuestions.org
Old 05-17-2009, 07:24 AM   #1
Completely Clueless
Member
 
Registered: Mar 2008
Location: Marbella, Spain
Distribution: Many and various...
Posts: 810

Rep: Reputation: 68
Forensic data recovery


Hi guys,

I've been browsing through the Knoppix Pocket Reference by Kyle Rankin (O'Reilly) and have come across this curious remark on page 36 concerning the use of the Grave-robber program: "conf_vault - a full copy of 'interesting' files such as ./etc configuration files."

So there's a feature in Grave-robber that enables one to grab config files from the /etc directory where they typically reside. The question is, why is the word "interesting" in inverted commas? The author himself doesn't go on to explain....

Any ideas?

cc.
 
Old 05-17-2009, 08:13 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Completely Clueless View Post
Hi guys,

I've been browsing through the Knoppix Pocket Reference by Kyle Rankin (O'Reilly) and have come across this curious remark on page 36 concerning the use of the Grave-robber program: "conf_vault - a full copy of 'interesting' files such as ./etc configuration files."

So there's a feature in Grave-robber that enables one to grab config files from the /etc directory where they typically reside. The question is, why is the word "interesting" in inverted commas? The author himself doesn't go on to explain....

Any ideas?

cc.
I haven't read the book but wouldn't the context indicate that interesting was placed in quotation marks to convey that they are files which could be valuable for intelligence and/or forensic purposes (instead of mainly for personal reasons)?

Last edited by win32sux; 05-17-2009 at 08:16 AM.
 
Old 05-17-2009, 08:38 AM   #3
Completely Clueless
Member
 
Registered: Mar 2008
Location: Marbella, Spain
Distribution: Many and various...
Posts: 810

Original Poster
Rep: Reputation: 68
Quote:
Originally Posted by win32sux View Post
I haven't read the book but wouldn't the context indicate that interesting was placed in quotation marks to convey that they are files which could be valuable for intelligence and/or forensic purposes (instead of mainly for personal reasons)?
Dunno. The only point I can see of examining config files for forensic purposes is if they have been altered from their defaults. This must self-evidently be true. But for what reason would anyone do so? Is it possible to hide evidence of wrongdoing by changing config files from their defaults? That's the only possibility that comes to my mind. :-/
 
Old 05-17-2009, 08:51 AM   #4
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
I don't think he was implying anything out of the ordinary, just that you may want your config files back, that's all. They may be interesting to you, or important to you.
 
Old 05-17-2009, 09:20 AM   #5
Completely Clueless
Member
 
Registered: Mar 2008
Location: Marbella, Spain
Distribution: Many and various...
Posts: 810

Original Poster
Rep: Reputation: 68
Quote:
Originally Posted by H_TeXMeX_H View Post
I don't think he was implying anything out of the ordinary, just that you may want your config files back, that's all. They may be interesting to you, or important to you.
Hi again TM,
Well I just don't know for sure. It's hard for you guys to correctly infer the context where none is given. Short of posting a scan of the page in question (not possible at present) there's not much I can do. But I don't believe that's the case. The author was discussing the recovery of forensic data from a seized computer, which clearly implies it's nothing to do with system rescue in the usual sense, but rather gleaning vital evidence of criminality. I just don't see how such evidence could be uncovered from the configuration files. :-/
 
Old 05-17-2009, 09:40 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,709
Blog Entries: 54

Rep: Reputation: 2965
Whatever grave-robber sucks up from the corpse is defined in grave-robber.cf. Vault specifics are defined in "save_these_files". If you'd check it you'd see shell regexes like "$CORPSE/etc/passwd", "$CORPSE/etc/group" and "$CORPSE/etc/*/*" meaning grave-robber should save at least some specific, named files but basically everything in /etc.

As far as Forensics goes "interesting" may be defined by the scope of your investigation. Data in standalone mode may perhaps not be interesting but for instance being able to correlate local MAC times and data with say networked auth, DHCPd, router, proxy or sniffer logs may help you pinpoint the machine, and therefore an account, at a certain time and location.
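As an added illustration of the conf_vault step described above (example code written for this thread, not grave-robber's own Perl or anything from TCT): it expands a constructed save_these_files-style list of globs under a $CORPSE mount, copies the matching files into a vault, and records a manifest of SHA-256 and MAC times so the copies can be verified later and the timestamps correlated with external logs. The pattern list, the sample /etc files and the function names are all assumptions made here.

```python
import glob
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for the "save_these_files" list in grave-robber.cf:
# shell globs relative to $CORPSE, the mount point of the examined system.
SAVE_THESE_FILES = ["$CORPSE/etc/passwd", "$CORPSE/etc/group", "$CORPSE/etc/*/*"]

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_vault(corpse, vault, patterns=SAVE_THESE_FILES):
    """Copy matching regular files into vault/<rel path>; return a manifest of path, SHA-256, MAC times."""
    matched = set()
    for pat in patterns:
        for path in glob.glob(pat.replace("$CORPSE", corpse)):
            if os.path.isfile(path) and not os.path.islink(path):
                matched.add(path)  # a set, so overlapping globs yield one copy per file
    manifest = []
    for src in sorted(matched):
        st = os.lstat(src)  # record MAC times before anything reads the file
        rel = os.path.relpath(src, corpse)
        dst = os.path.join(vault, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        digest = _sha256(src)
        shutil.copy2(src, dst)  # copy2 keeps mtime/atime on the vaulted copy
        manifest.append({"path": rel, "sha256": digest, "mtime": st.st_mtime,
                         "atime": st.st_atime, "ctime": st.st_ctime})
    return manifest

def verify_vault(manifest, vault):
    """True only if every vaulted copy still hashes to its manifest value."""
    return all(_sha256(os.path.join(vault, e["path"])) == e["sha256"] for e in manifest)

def demo():
    """Build a constructed corpse in a temp dir and vault it; return (manifest, vault)."""
    root = tempfile.mkdtemp(prefix="corpse_demo_")
    corpse = os.path.join(root, "corpse")
    sample = {"etc/passwd": "root:x:0:0:root:/root:/bin/bash\n", "etc/group": "root:x:0:\n",
              "etc/ssh/sshd_config": "PermitRootLogin no\n",
              "etc/hostname": "seized-box\n"}  # matched by none of the three globs
    for rel, body in sample.items():
        os.makedirs(os.path.dirname(os.path.join(corpse, rel)), exist_ok=True)
        with open(os.path.join(corpse, rel), "w") as f:
            f.write(body)
    vault = os.path.join(root, "conf_vault")
    return build_vault(corpse, vault), vault
```

Note that etc/hostname is left behind: only what the pattern list names ends up in the vault, which is why the real grave-robber.cf carries many more entries than the three quoted here.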
 
Old 05-17-2009, 09:41 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,709
Blog Entries: 54

Rep: Reputation: 2965
Quote:
Originally Posted by H_TeXMeX_H View Post
I don't think
No, you clearly didn't ;-p
 
Old 05-17-2009, 09:47 AM   #8
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269
Quote:
Originally Posted by Completely Clueless View Post
The author was discussing the recovery of forensic data from a seized computer, which clearly implies it's nothing to do with system rescue in the usual sense, but rather gleaning vital evidence of criminality. I just don't see how such evidence could be uncovered from the configuration files. :-/
I see, well then in that context, he probably means data that is potentially useful or interesting to you as an agent. And you're right, in this case it wouldn't mean much, because in most cases config files won't really help you in making a case. Odd, maybe you should send the author an e-mail and ask him.
 
Old 05-18-2009, 04:14 PM   #9
Lowell1947
Member
 
Registered: May 2007
Location: Florida
Distribution: Ubuntu, SuSE10.2, LFS, Ubuntu Server (AMD64), Windows 7, Mac OSX
Posts: 30

Rep: Reputation: 16
Grave-Robber is a part of The Coroner's Toolkit. It is often used in the law enforcement community to uncover/recover data. You can read more here: http://staff.washington.edu/dittrich...-robber.1.html
 