Thursday, 24 April 2008

Tactical Forensics Platform

Earlier I wrote about my proposed Tactical Network Security Monitoring Platform. Today I finally sat down and installed the operating systems I need on this system to create a portable tactical forensics and investigation platform. I did not want to use my main work laptop for this sort of work because I do not administer it. I needed my forensics platform to be separate from the corporate domain and totally under my control. I only feel comfortable attesting to the configuration of a system doing forensics if I built it from the ground up and I am the sole administrator.

For operating systems, I had three needs. I wanted Windows XP because the majority of commercial forensics software runs on Windows. I wanted Ubuntu Hardy Heron so I could have access to Linux forensics software and VMware Server. (Windows is also a possible VMware Server candidate, but I might install a copy of VMware Workstation on the Windows side.) I wanted FreeBSD 7.0 in case I needed to do packet capture and related network security monitoring tasks.

I decided to triple-boot these three operating systems. The box has three logical hard drives. Two are physical (147 GB each) and the third is a RAID 0 array resulting in a single HDD of 447 GB.

Before I got the following to work I had to experiment with various setups. The following is what I settled upon. I'm posting this information for future reference and for those who might want to try the same setup.

First I installed Windows XP on the only HDD it could see, one of the 147 GB HDDs. I thought this a little odd, but it suited my purposes. I rebooted and Windows started without incident.

Next I changed the default boot drive in the BIOS from the Windows HDD to the next HDD. I installed Ubuntu Hardy Heron Desktop on that second 147 GB HDD. I selected the "Advanced" option and told Ubuntu to install its bootloader into one of the drives (/dev/sdc, which turned out to be a problem) I was using for Linux.

When I tried rebooting, GRUB had created entries for Linux and Windows but neither worked. I realized for some reason the way the drives were ordered on the Ubuntu live CD/installer wasn't the same way they were seen by GRUB (or by Linux, once booted). I figured out this was the problem and manually changed the GRUB command line to boot properly into Linux. I needed to implement a similar fix for Windows. I'll show what the result was shortly. I made the changes to GRUB permanently before going to the next step.

Finally I installed FreeBSD 7.0, which saw the remaining 447 GB HDD as /dev/da0 and the other HDDs as /dev/ad4 and /dev/ad6. I didn't touch /dev/ad4 or /dev/ad6 but installed the FreeBSD bootloader into /dev/da0.

After a reboot I had to try various combinations to get GRUB to properly boot FreeBSD 7.0, but eventually I got that working too.

Here is how Linux's fdisk -l saw the computer:

root@nextcom01:~# fdisk -l

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1       19456   156280288+   7  HPFS/NTFS

Disk /dev/sdb: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x8f8004b1

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         249     2000061   83  Linux
/dev/sdb2   *         250         747     4000185   82  Linux swap / Solaris
/dev/sdb3   *         748        3237    20000925   83  Linux
/dev/sdb4            3238       19457   130287150    5  Extended
/dev/sdb5            3238        4482    10000431   83  Linux
/dev/sdb6            4483        6972    20000893+  83  Linux
/dev/sdb7            6973        7221     2000061   83  Linux
/dev/sdb8            7222       19457    98285638+  83  Linux

Disk /dev/sdc: 479.9 GB, 479965741056 bytes
255 heads, 63 sectors/track, 58352 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0f800000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *           1       58352   468712408+  a5  FreeBSD

Here is the GRUB menu I got working:
$ grep -v ^# /boot/grub/menu.lst 
default 0
timeout 10

title Ubuntu 8.04, kernel 2.6.24-16-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro quiet splash
initrd /boot/initrd.img-2.6.24-16-generic
quiet

title Ubuntu 8.04, kernel 2.6.24-16-generic (recovery mode)
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-16-generic root=UUID=a3bc8e2b-0678-440d-877f-cecedce8fa9b ro single
initrd /boot/initrd.img-2.6.24-16-generic

title Ubuntu 8.04, memtest86+
root (hd0,0)
kernel /boot/memtest86+.bin
quiet

title Other operating systems:
root

title Microsoft Windows XP Professional
root (hd2,0)
savedefault
map (hd0) (hd2)
map (hd2) (hd0)
chainloader +1

title FreeBSD 7.0
root (hd1,a)
savedefault
chainloader +1
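The problem described above, GRUB Legacy numbering drives in BIOS order (hdN) while the Linux installer numbers them by discovery order (sdX), is easy to check mechanically. The POSIX shell helpers below are an added example, not code from the original post: they translate a Linux partition path into GRUB Legacy (hdN,M) notation using a device.map, and list every disk whose GRUB index disagrees with its Linux letter order. The sample device.map is constructed here to match the ordering the menu.lst above implies (hd0 = the Ubuntu disk /dev/sdb, hd1 = the FreeBSD disk /dev/sdc, hd2 = the Windows disk /dev/sda); that ordering is an assumption drawn from the menu entries, not something the post states. On a real system, feed it the contents of /boot/grub/device.map instead.

```sh
#!/bin/sh
# Added example (not from the original post). Helpers for reasoning about
# GRUB Legacy drive numbering versus Linux /dev/sdX naming.

# Constructed sample device.map in GRUB Legacy's "(hdN) /dev/sdX" format.
# Assumption: this is the BIOS order implied by the post's menu.lst.
SAMPLE_DEVICE_MAP='(hd0) /dev/sdb
(hd1) /dev/sdc
(hd2) /dev/sda'

# grub_dev <linux-partition> [device-map-text]
# Prints (hdN,M): N is the BIOS drive index taken from device.map,
# M is the partition number minus one (GRUB Legacy counts partitions from 0).
# Only numeric (DOS-style) partitions are handled; BSD labels such as
# (hd1,a) are not covered. Returns 1 if the disk is not in the map or the
# argument carries no partition number.
grub_dev() {
    part=$1
    map=${2:-$SAMPLE_DEVICE_MAP}
    disk=$(printf '%s\n' "$part" | sed 's/[0-9]*$//')
    num=$(printf '%s\n' "$part" | sed 's/^.*[^0-9]//')
    [ -n "$num" ] || { echo "no partition number in $part" >&2; return 1; }
    hd=$(printf '%s\n' "$map" | awk -v d="$disk" '
        $2 == d { gsub(/[()]/, "", $1); print $1; exit }')
    [ -n "$hd" ] || { echo "$disk not listed in device.map" >&2; return 1; }
    printf '(%s,%d)\n' "$hd" $((num - 1))
}

# map_mismatches [device-map-text]
# Prints one line for each disk whose GRUB index differs from the index
# Linux letter order would give it (sda=0, sdb=1, ...). Any output means a
# menu.lst written with Linux ordering in mind will point at the wrong disk,
# which is exactly the symptom of "entries exist but neither boots".
map_mismatches() {
    map=${1:-$SAMPLE_DEVICE_MAP}
    printf '%s\n' "$map" | awk '
        $1 ~ /^\(hd[0-9]+\)$/ {
            n = substr($1, 4, length($1) - 4) + 0
            letter = substr($2, length($2), 1)
            lnum = index("abcdefghijklmnopqrstuvwxyz", letter) - 1
            if (n != lnum)
                printf "%s is %s for GRUB but index %d in Linux letter order\n", $2, $1, lnum
        }'
}

# Demo on the constructed map: the Windows and Ubuntu root partitions, and
# the list of disks where the two numbering schemes disagree.
grub_dev /dev/sda1
grub_dev /dev/sdb1
map_mismatches
```

Note that GRUB Legacy's `map` command only swaps drive numbers for the operating system being chainloaded; the `root` line in the same entry still uses the real BIOS index, which is why the Windows entry above keeps `root (hd2,0)` alongside the two `map` lines.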

I'll probably resize the Windows partition and add a D: drive. I just noticed I devoted the whole drive to C: during installation.

Update: I wasn't able to use the version of GParted available through Ubuntu (0.3.5 I think) to resize the C: partition but I did use the latest stable liveCD (0.3.6-7) to resize C: and create E: (D: was already the optical drive).

New Hakin9 Released

The latest issue of Hakin9 has been released. Several articles look interesting, including Javascript Obfuscation Techniques by David Sancho and an interview with Marcus Ranum. Hakin9 briefly interviewed Harlan Carvey and me. I've uploaded the one page of the interview if you'd like to read it.

First Issue of BSD Magazine Released

I received a copy of the new BSD Magazine yesterday by air mail from Poland, and I have to say it looks pretty cool. It contains an article I wrote explaining how to install Sguil 0.7.0 on FreeBSD 7.0. At the time I used a CVS version of Sguil and FreeBSD 7.0-BETA4, but the article is still relevant.

One caution: I discovered a bug in MySQL, which I logged as Optimizer does table scan for select count(*) w/5.1.22, .23, not 5.0.51, 5.1.11. You will encounter this bug if you follow the instructions in my magazine article. The work-around is to use MySQL 5.0.51a instead of 5.1.22, as shown in the magazine.

Dru Lavigne does a nice job detailing the magazine's table of contents.

Wednesday, 23 April 2008

NoVA Sec Meeting 1930 Thursday 24 April 2008

The next NoVA Sec meeting will take place 1930 (7:30 pm) Thursday 24 April 2008 at Fishnet Security:

13454 Sunrise Valley Dr. Suite 230
Herndon, VA 20171
703.793.1440

Aaron Walters from Volatile Systems will discuss memory forensics.

Thank you to Fishnet and Aaron for their last-minute cooperation! I'm cross-posting this notice to get as many people notified as possible in the day before the meeting.

Thursday, 17 April 2008

CloudSecurity.org

What a great idea for a blog -- CloudSecurity.org:

This blog is dedicated to “Cloud Computing” from an IT security perspective.

Cloud Computing is a nebulous term covering an array of technologies and services including: Grid Computing, Utility Computing, Software as a Service (SaaS), Storage in the Cloud and Virtualization. There is no shortage of buzzwords and definitions differ depending on who you talk to.

The common theme is that computing takes place ‘in the cloud’ - outside of your organisation's network.

Semantics aside, there is a much bigger question: what does it all mean from an IT security perspective?


One day (during my working career, I am positive) we will all either 1) be cloud customers or 2) work in the cloud. I am glad to see someone take a stand now to try to understand what that means from a security perspective.

You might also find Craig's other blog -- SecurityWannabe -- to be interesting. He did an interview with one of my Three Wise Men, Ross Anderson, to mark the publication of the likely candidate for Best Book Bejtlich Read in 2008: Security Engineering, 2nd Ed.

Tuesday, 15 April 2008

Looking for Security-Assessor Friendly, Debian Dedicated Server

I'm looking for a dedicated server company that could provide a Debian environment suitable for running VMware Server. As a bonus it would be helpful to contract with a company that permits authorized outbound network scanning.

As an alternative, I may try colocation. I am looking for a box for security testing, and VMware may not be suitable. I may need a box that can run Xen, for example.

If you have any recommendations for dedicated server or colocation providers, please leave a comment or email me directly -- taosecurity at gmail dot com. Companies situated close to northern Virginia would be excellent. Thank you.

Monday, 14 April 2008

Run Apps on Cisco ISR Routers

Earlier this month we joked that the Sguil project was acquired by Cisco, such that Sguil would be integrated into Cisco platforms. Cisco routers already run Tcl, but now thanks to Cisco's new Application eXtension Platform, other possibilities are developing. According to Optimize Branch Footprint with Application Integration, Cisco says:

  • Linux-based integration environment with downloadable Software Development Kit (SDK)

  • Multiple applications support with the ability to segment and guarantee CPU, memory, and disk resources

  • Certified libraries to implement C, Python, Perl, and Java applications

  • Supported by Cisco 1841, 2800, and 3800 Series Integrated Services Routers

Sun used to say The Network is the Computer. Cisco now states The Network as a Platform. In other words, why deploy another server or appliance if you can just run it on your Cisco router?

I am unsure how this will play out. I figure Cisco just wanted to add to the confusion caused by virtualization with their own take on consolidating platforms. At some point I see one giant box (labelled Skynet probably) with a massive antenna to which we all connect our dumb terminals via wireless.

I'd like to get a Cisco 2800 series ISR router to try this out... donations are welcome. :)