Kamis, 24 April 2008

Tactical Forensics Platform

12.49    No comments

Earlier I wrote about my proposed Tactical Network Security Monitoring Platform. Today I finally sat down and installed the operating systems I need on this system to create a portable tactical forensics and investigation platform. I did not want to use my main work laptop for this sort of work because I do not administer it. I needed my forensics platform to be separate from the corporate domain and totally under my control. I only feel comfortable attesting to the configuration of a system doing forensics if I built it from the ground up and I am the sole administrator.

For operating systems, I had three needs. I wanted Windows XP because the majority of commercial forensics software runs on Windows. I wanted Ubuntu Hardy Heron so I could have access to Linux forensics software and VMware Server. (Windows is also a possible VMware Server candidate, but I might install a copy of VMware Workstation on the Windows side.) I wanted FreeBSD 7.0 in case I needed to do packet capture and related network security monitoring tasks.

I decided to triple-boot these three operating systems. The box has three logical hard drives. Two are physical (147 GB each) and the third is a RAID 0 array resulting in a single HDD of 447 GB.

Before I got the following to work I had to experiment with various setups. The following is what I settled upon. I'm posting this information for future reference and for those who might want to try the same setup.

First I installed Windows XP on the only HDD it could see, one of the 147 GB HDDs. I thought this a little odd, but it suited my purposes. I rebooted and Windows started without incident.

Next I changed the default boot drive in the BIOS from the Windows HDD to the next HDD. I installed Ubuntu Hardy Heron Desktop on that second 147 GB HDD. I selected the "Advanced" option and told Ubuntu to install its bootloader into one of the drives (/dev/sdc, which turned out to be a problem) I was using for Linux.

When I tried rebooting, GRUB had created entries for Linux and Windows but neither worked. I realized for some reason the way the drives were ordered on the Ubuntu live CD/installer wasn't the same way they were seen by GRUB (or by Linux, once booted). I figured out this was the problem and manually changed the GRUB command line to boot properly into Linux. I needed to implement a similar fix for Windows. I'll show what the result was shortly. I made the changes to GRUB permanently before going to the next step.

Finally I installed FreeBSD 7.0, which saw the remaining 447 GB HDD as /dev/da0 and the other HDDs as /dev/ad4 and /dev/ad6. I didn't touch /dev/ad4 or /dev/ad6 but installed the FreeBSD bootloader into /dev/da0.

After a reboot I had to try various combinations to get GRUB to properly boot FreeBSD 7.0, but eventually I got that working too.

Here is how Linux's fdisk -l saw the computer:


root@nextcom01:~# fdisk -l

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       19456   156280288+   7  HPFS/NTFS

Disk /dev/sdb: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x8f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         249     2000061   83  Linux
/dev/sdb2   *         250         747     4000185   82  Linux swap / Solaris
/dev/sdb3   *         748        3237    20000925   83  Linux
/dev/sdb4            3238       19457   130287150    5  Extended
/dev/sdb5            3238        4482    10000431   83  Linux
/dev/sdb6            4483        6972    20000893+  83  Linux
/dev/sdb7            6973        7221     2000061   83  Linux
/dev/sdb8            7222       19457    98285638+  83  Linux

Disk /dev/sdc: 479.9 GB, 479965741056 bytes
255 heads, 63 sectors/track, 58352 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f800000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *           1       58352   468712408+  a5  FreeBSD

Here is the GRUB menu I got working:
$ grep -v ^# /boot/grub/menu.lst 
default         0
timeout         10

title           Ubuntu 8.04, kernel 2.6.24-16-generic
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro quiet splash
initrd          /boot/initrd.img-2.6.24-16-generic
quiet

title           Ubuntu 8.04, kernel 2.6.24-16-generic (recovery mode)
root            (hd0,0)
kernel          /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro single
initrd          /boot/initrd.img-2.6.24-16-generic

title           Ubuntu 8.04, memtest86+
root            (hd0,0)
kernel          /boot/memtest86+.bin
quiet

title           Other operating systems:
root

title           Microsoft Windows XP Professional
root            (hd2,0)
savedefault
map             (hd0) (hd2)
map             (hd2) (hd0)
chainloader     +1

title           FreeBSD 7.0
root            (hd1,a)
savedefault
chainloader     +1

I'll probably resize the Windows partition and add a D: drive. I just noticed I devoted the whole drive to C: during installation.

Update: I wasn't able to use the version of GParted available through Ubuntu (0.3.5 I think) to resize the C: partition but I did use the latest stable liveCD (0.3.6-7) to resize C: and create E: (D: was already the optical drive).

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)