
Forensic Cop Journal Volume 1(3), Oct 2009

http://forensiccop.blogspot.com

Forensically Sound Write Protect on Ubuntu


by Muhammad Nuh Al-Azhar, CHFI
MSc in Forensic Informatics from the University of Strathclyde, UK
Forensic Investigator at Forensic Laboratory Centre of Indonesian National Police HQ.

Introduction
The first principle of the ACPO (Association of Chief Police Officers) guidelines in the UK is: "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court" (ACPO, p4). This principle, applied by forensic investigators around the world, requires investigators to take particular care when handling data stored on computer storage media. Once the data has been changed, the subsequent phases of the examination are considered weak and open to doubt, and the results of the examination may even be rejected by the court. Changes are still permissible when the investigators know exactly what their actions are and what their implications will be, for instance when performing live imaging.
To comply with this principle, investigators apply write protection during the examination process, particularly when making the first forensic image. Write protection can take the form of either software or hardware. For MS Windows there are many forensically sound write-protect tools on offer, most of them commercial. Write protection is also available on Ubuntu, and there it is free: a small modification to the fstab file configures an Ubuntu machine to act as a forensically sound write blocker. This article discusses that modification, the experiments performed and the results obtained.

Experiments Preparation
A 4 GB flash disk is used as the object of these experiments. It is set up with GParted so that it has 4 partitions with different file systems. Below is the specification of each partition and the operating system installed on it using UNetbootin.

Partition 1: size=996.19 MB, file system ntfs.
Partition 2: size=996.22 MB, file system fat16, with BartPE as operating system.
Partition 3: size=996.19 MB, file system ext2, with Helix 3.0 as operating system.
Partition 4: size=847.15 MB, file system ext3, with Ubuntu 8.10 as operating system.

Partition 1 has no OS installed because it is intended for storing files. This configuration is meant to make the flash disk closely resemble a real hard disk with several partitions of different file systems.


fstab Configuration
Before configuring /etc/fstab, some subdirectories are first created in /media to serve as mount points for the flash disk when it is attached to the experimental machine. Seven new subdirectories are created in /media, namely:

/media/sdb1ro
/media/sdb2ro
/media/sdb3ro
/media/sdb4ro
/media/sdb5ro
/media/sdb6ro
/media/sdb7ro

Seven subdirectories are created so as to cover the number of partitions a single hard disk may have; it usually has 2 to 4 partitions. fstab contains descriptive static information about the file systems and is only read by programs, never written by them. Each line describes the file system on one partition and comprises 6 fields, namely file system, mount point, type, options, dump and pass. Below is the revised configuration in /etc/fstab, edited with Text Editor.

/dev/sdb1 /media/sdb1ro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0

/dev/sdb2 to /dev/sdb7 have the same configuration as /dev/sdb1 except for the mount point; /dev/sdb2, for instance, is mounted at /media/sdb2ro. Below is an explanation of the selected options, quoted from the manual pages of mount and umount.

auto : mount will try to guess the desired file system type.
noauto : the file system can only be mounted explicitly; it is not mounted by mount -a, and therefore not at boot.
user : an ordinary user may mount the file system, and only the user who mounted it can unmount it again. This option also implies noexec, nosuid and nodev unless they are overridden by later options.
ro : mount the file system read-only.
nosuid : do not allow set-user-identifier or set-group-identifier bits to take effect.
nodev : do not interpret character or block special devices on the file system.
uhelper=hal : the uhelper (unprivileged umount helper) can be used when a non-root user wants to unmount a mount point that is not defined in /etc/fstab (e.g. devices mounted by HAL).
After this configuration is finished, it is saved as /etc/fstab.
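The mount points and fstab entries above can be produced, and the result checked, with a short shell script. The following is an added example written for this edition of the article, not a script from the original author; it assumes the article's device name sdb and its seven partitions, and takes the mounts file as a parameter (an assumption made so that the read-only check can be tried on a constructed sample without root):

```sh
#!/bin/sh
# Added example (not from the original article): generate the read-only fstab
# entries described above and verify from the kernel's point of view that a
# mounted partition really is read-only. The mounts-file parameter of
# check_mount_ro is an assumption for testing; in use it defaults to /proc/mounts.

# Print one fstab line per partition, in the article's format.
# usage: gen_fstab_entries sdb 7
gen_fstab_entries() {
    base=$1
    count=$2
    i=1
    while [ "$i" -le "$count" ]; do
        printf '/dev/%s%d /media/%s%dro auto noauto,user,ro,nosuid,nodev,uhelper=hal 0 0\n' \
            "$base" "$i" "$base" "$i"
        i=$((i + 1))
    done
}

# Create the mount points and append the entries to /etc/fstab.
# Needs root; kept in its own function so the rest of the script runs unprivileged.
install_entries() {
    base=$1
    count=$2
    i=1
    while [ "$i" -le "$count" ]; do
        mkdir -p "/media/${base}${i}ro"
        i=$((i + 1))
    done
    gen_fstab_entries "$base" "$count" >> /etc/fstab
}

# Return 0 if MOUNTPOINT appears in MOUNTS_FILE (default /proc/mounts) with the
# "ro" option, 1 otherwise. An fstab entry only protects a partition that was
# actually mounted through it, so the live mount table is what must be checked.
# usage: check_mount_ro /media/sdb1ro [mounts_file]
check_mount_ro() {
    mp=$1
    mounts=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp { n = split($4, o, ","); for (k = 1; k <= n; k++) if (o[k] == "ro") found = 1 }
        END { exit (found ? 0 : 1) }' "$mounts"
}

# Demonstration on a constructed /proc/mounts sample: one partition of the
# article's flash disk mounted through the fstab entry, and one mounted
# read-write by an automounter that bypassed fstab.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sdb1 /media/sdb1ro fuseblk ro,nosuid,nodev,noexec,relatime,user_id=0,group_id=0,allow_other,blksize=4096 0 0
/dev/sdb5 /media/disk ext2 rw,nosuid,nodev,relatime 0 0
EOF

gen_fstab_entries sdb 7
check_mount_ro /media/sdb1ro "$SAMPLE_MOUNTS" && echo "/media/sdb1ro: read-only (ok)"
check_mount_ro /media/disk "$SAMPLE_MOUNTS" || echo "/media/disk: NOT read-only, do not image through this mount"
rm -f "$SAMPLE_MOUNTS"
```

Two caveats a practitioner should keep in mind. The entries only cover partitions that enumerate as /dev/sdb1 to /dev/sdb7; a disk that appears as /dev/sdc, or a desktop automounter that mounts a device not listed in fstab, is outside them and will be mounted read-write, which is exactly what check_mount_ro run against the live /proc/mounts before imaging is meant to catch. A read-only flag set on the whole block device with blockdev --setro /dev/sdb before any mount does not depend on the device name or on fstab being consulted, and is worth combining with the fstab change.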


Comparative Analysis
The 4 GB flash disk described above is plugged into the experimental machine with the reconfigured fstab, the partitions are mounted from the command line, and md5sum is run on each partition device to obtain its hash value. Below is the first result:

/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 b665c813c2db0aaca3c20cfa38a30023
/dev/sdb6 0578121443c16b0721857a19441d2da0

/dev/sdb5 and /dev/sdb6 correspond to partitions 3 and 4 because both are logical partitions, which are numbered from 5 upward. Each partition is then accessed with the file browser and some files are opened, after which the md5 value of each partition is calculated again. Below is the second result:

/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 b665c813c2db0aaca3c20cfa38a30023
/dev/sdb6 0578121443c16b0721857a19441d2da0

The md5 values of the first result are identical to those of the second, which means that the reconfigured fstab provides forensically sound write protection, and that it is applied automatically from the moment the removable medium is first attached to the machine.

Checking the Changes

In order to check the changes that might occur when a removable medium is attached to a computer, all the write-protect settings in fstab are disabled: fstab is restored to its original state, with automount and read-write access. The experimental flash disk is plugged into the machine again and the md5 value of each partition is calculated immediately. Below is the third result:

/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 9fffeaa755ebf36ef6285fb3272ed420
/dev/sdb6 db2b32be1a9d5de156787241f2413c5d

The md5 values of sdb1 and sdb2 remain the same, but sdb5 and sdb6 have changed without being accessed at all. Each partition is then opened twice in the file browser, without opening or accessing any files, and md5sum is run again. Below is the fourth result:


/dev/sdb1 94bb79d86726636c015df89e274df644
/dev/sdb2 9077f2c533bb50992bd0828b7f56d7c0
/dev/sdb5 eb891ff58ad46540758cada117cb4983
/dev/sdb6 2043eaa09cc47b1f0743584151b87316

sdb1 (ntfs) and sdb2 (fat16) are still unchanged, but sdb5 (ext2) and sdb6 (ext3) have changed again merely because they were opened in the file browser. This is consistent with how ext2 and ext3 behave under a read-write mount: the kernel writes to the superblock (mount count and last-mount time) when the file system is mounted, so the device changes even though no file is touched, ext3 also replays a dirty journal at mount, and reading directories may update their access times. None of these writes happen through an explicit user action, which is why the hashes moved although no file was opened.
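The before-and-after comparison carried out in the Comparative Analysis and Checking the Changes sections above can be scripted so that it is repeated in the same way every time. The following is an added example, not a script from the original article; it hashes the raw partition devices exactly as the experiments did (md5sum /dev/sdbN, never the mounted file system) and reports which ones changed. The demonstration at the end uses constructed image files standing in for the partitions, since the real devices need root and the experiment's hardware:

```sh
#!/bin/sh
# Added example (not from the original article): record md5 hashes of the
# partition devices before and after an action, then list the devices whose
# hash moved. The stand-in "partitions" below are constructed files.

# hash_devices OUTFILE DEV... : write "hash  device" for each device to OUTFILE.
# DEV is normally a partition device such as /dev/sdb1; any readable path works.
hash_devices() {
    out=$1
    shift
    : > "$out"
    for dev in "$@"; do
        md5sum "$dev" >> "$out"
    done
}

# changed_devices BASELINE CURRENT : print each device whose hash differs
# between the two files. Exit status 0 if nothing changed, 1 otherwise.
# The first awk rule reads the baseline into a map keyed by device path;
# the second compares the current hashes against it.
changed_devices() {
    awk 'NR == FNR { base[$2] = $1; next }
         ($2 in base) && base[$2] != $1 { print $2; changed = 1 }
         END { exit (changed ? 1 : 0) }' "$1" "$2"
}

# Demonstration on constructed stand-ins for the four partitions of the
# experiment (sdb1 ntfs, sdb2 fat16, sdb5 ext2, sdb6 ext3).
work=$(mktemp -d)
for p in sdb1 sdb2 sdb5 sdb6; do
    printf 'constructed contents of %s\n' "$p" > "$work/$p"
done
hash_devices "$work/before.md5" "$work/sdb1" "$work/sdb2" "$work/sdb5" "$work/sdb6"

# Simulate what the third result showed: the ext2/ext3 partitions were written
# to by a read-write mount while the NTFS and FAT16 partitions were left alone.
printf 'superblock updated at mount\n' >> "$work/sdb5"
printf 'superblock updated at mount\n' >> "$work/sdb6"
hash_devices "$work/after.md5" "$work/sdb1" "$work/sdb2" "$work/sdb5" "$work/sdb6"

if changed_devices "$work/before.md5" "$work/after.md5"; then
    echo "no changes: write protection held"
else
    echo "the devices listed above changed: an image taken now is not forensically sound"
fi
rm -rf "$work"
```

The baseline only has evidential value if it is taken before the medium has ever been mounted read-write, that is, with the medium behind the read-only fstab entries or a hardware write blocker; a hash taken after an unprotected mount, as in the third and fourth results, merely documents that the change has already happened.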

Conclusion
It is too risky to acquire a removable medium via the USB port of an analysis machine without reconfiguring fstab, because the original fstab allows changes to the removable medium from the moment it is first attached. If acquisition is nevertheless performed that way, the forensic image is questionable and open to doubt, which affects every later step of the forensic analysis. To avoid this, it is suggested that /etc/fstab be reconfigured as explained above: in these experiments it protected the medium from the moment it was attached via the USB port, and so it fits the requirements of forensically sound write protection.
From the description above, 'forensically sound write protect' on Ubuntu is essential for forensic investigators in order to avoid changes that might happen accidentally. Reconfiguring the fstab file for this purpose reliably preserves the contents of a storage medium, and with this technique investigators can analyse any computer with less worry about making accidental changes.

Bibliography
ACPO. (2008). Good Practice Guide for Computer-Based Electronic Evidence. Available: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf. Last accessed 30 September 2009.
Ferguson, I. (2008). Lab Session Guidance of CS936: Media Imaging. Glasgow: CIS Department, University of Strathclyde.
Ferguson, I. (2008). Stage 2: Preservation. Glasgow: CIS Department, University of Strathclyde.
Department of Justice, US. (2001). Electronic Crime Scene Investigation: A Guide for First Responders. Available: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf. Last accessed 30 September 2009.
