[ This is a reposting of my teaching blog post previously hosted on http://users.ox.ac.uk/~coml0454.
NOTE: I no longer teach at University of Oxford and this is a description of how I used to teach the course.]
In this post I outline how to install and use Sleuthkit to conduct computer forensic analysis on an Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. The EC2 instance is used in classroom exercises by students using the Linux command line to investigate and analyze forensic evidence.
This post is a follow on to my Using Amazon Web Services in Teaching post. This post covers the creation of the master EC2 instance for use in the teaching environment, labeled “1” in the figure below.
Cloud infrastructure offers the ability to rapidly obtain additional computing resources and storage without having to purchase the physical computers and storage yourself. The additional cloud computing resources and storage can be used for a specific task and then released. Computer forensic investigations are often characterized by the need to store large amounts of data and then analyse it rapidly. Therefore computer forensic analysis serves as a good demonstration of what cloud computing can offer.
I teach the forensics (FOR) module on the Software and Systems Security programme. The week long module includes a number of classroom exercises associated with the extraction and analysis of computer system artifacts. The assignments may also involve the extraction and analysis of computer system artifacts. To encourage understanding of the extraction and analysis process the exercises use Linux and Sleuthkit utilities run from the command line. Linux and Sleuthkit have been chosen as there are no licensing issues associated with their distribution.
Create An AWS EC2 instance
In this case I have created an Ubuntu 14.04 LTS instance. In this case I used the AMI “Ubuntu Server 14.04 LTS (HVM), SSD Volume Type - ami-864d84ee”. I set the instance parameters including the type, protection against accidental termination, 30GB general purpose SSD volume, tags, security group and a key pair. The Ubuntu instance creates an 30GB EBS volume. The security group allows access from any IP address to port 22.
Connect using SSH
Launch the instance and log in via ssh.
ssh -i <YOUR_KEYS.pem> ubuntu@<INSTANCE_PUBLIC_DNS_NAME>
Don’t forget to use your keys and remember that the username is ubuntu.
Enable The UFW Firewall
Once you have logged in to the instance use the ufw firewall to secure the instance. REMEMBER to allow ssh before enabling the firewall.
sudo ufw allow ssh sudo ufw enable sudo ufw status
Set A Color Prompt
I like to turn on the color command line prompt so I tell easily if I’m at my local command line or have accessed a remote host. Edit .bashrc and uncomment the appropriate line. In this case I have set the system name color to red (01;31) and added a carriage return (\n) so the $ prompt appears on a new line.
To force the immediate use of the new prompt, at the command line type:
Update & Upgrade The Ubuntu Packages
Update the package repositories and upgrade the instance packages to the latest versions. This is quite fast as the AWS region has its own Ubuntu package repositories.
sudo apt-get -y update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade sudo reboot
Set The Instance Local Time
Set your instance’s local time, as appropriate, using:
sudo dpkg-reconfigure tzdata
Install Build Essential Tools & Headers
sudo apt-get -y install build-essential linux-headers-$(uname -r) sudo apt-get autoremove
Install Sleuthkit Dependencies
cd ~ sudo apt-get install zlib1g-dev libssl-dev libncurses5-dev sudo apt-get install libcurl4-openssl-dev libexpat1-dev libreadline-gplv2-dev sudo apt-get install uuid-dev libfuse-dev bzip2 libbz2-dev git sudo apt-get -y install automake1.9 autoconf libtool
Download libewf from Google Drive.
wget -v https://googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/libewf-20140608.tar.gz
Once the libewf tarball is downloaded:
tar -xvf libewf-20140608.tar.gz cd libewf-20140608/ ./configure make sudo make install
cd ~ git clone git://github.com/simsong/AFFLIBv3.git cd AFFLIBv3/ ./bootstrap.sh ./configure make sudo make install
cd ~ git clone git://github.com/sleuthkit/sleuthkit.git cd sleuthkit ./bootstrap ./configure make sudo make install
Download the NSRL from NIST
As Autopsy can be configured to use the NIST National Software Reference Library (NSRL), download and install the NSRL before installing Autopsy. The NIST NSRL download page is here. The full NSRL is over 18GB which will use a significant portion of our 30GB EBS volume. So in this instance we just download the reduced set which only uses 4.7GB. (There is also a unique set that occupies an even smaller amount of space.)
In the commands detailed below the zip file is downloaded into ~/NSRL as a temporary location for the zip. The contents of the zip are unzipped into ~/NSRL. Then the zip is deleted.
cd ~ mkdir NSRL cd ~/NSRL wget http://www.nsrl.nist.gov/RDS/rds_2.45/rds_245m.zip md5sum rds_245m.zip gunzip -c rds_245m.zip > NSRLFile.txt chmod -R 444 NSRLfile.txt rm RDS_245m.zip
Install Autopsy v2
Autopsy can be downloaded from github or from http://www.sleuthkit.org/autopsy/v2/download.php. Here it is downloaded from github. For this instance I create a folder evidence_locker in the user ubuntu home directory for Autopsy to use.
cd ~ mkdir evidence_locker git clone -b autopsy-2 git://github.com/sleuthkit/autopsy.git cd autopsy ./configure
One way of organizing the evidence is to create a directory for evidence with subdirectories for different cases. Any output from the analysis can be stored in the associated evidence directory. In the instance the evidence directory is place at: ~/evidence.
A special mount point is needed to mount the images for analysis via the file system. The mount point separates evidence’s file system system for the host file system where the evidence processing is performed. A mount point is created in the instance at /mnt/analysis.
cd ~ mkdir evidence sudo mkdir /mnt/analysis
Now copy the evidence from its current location into ~/evidence on AWS instance. For example, using scp to copy a local directory holding previously captured forensic images on your local machine:
scp -vr -i <YOUR_KEYS.pem> <LOCAL_EVIDENCE_DIRECTORY> ubuntu@<INSTANCE_PUBLIC_DNS_NAME>:/home/ubuntu/evidence/
Once the evidence is copied into the instance it should be set to read-only access using the chmod command. For example:
chmod 444 able2.tar.gz
Use Sleuthkit To Analyze Evidence
Once the evidence files have been uploaded return to the AWS instance to start the analysis using Sleuthkit. For example to identify and extract all the files in a forensic image use sorter:
cd ~ mkdir workspace cd ~/evidence sorter -d ~/workspace/ -f <FILE_SYSTEM_TYPE> -md5 -m <MOUNT_POINT_OF_IMAGE> -s <FORENSIC_IMAGE_FILE>
As the analysis may take some time it is prudent to use screen to create a shell within which you can run the analysis commands, such as sorter. That way, you can detach from the screen shell and log out of the AWS instance. You can log in later and use screen to reattach the shell that is being used for the analysis.
Linux Directory Structure
As this instance has the evidence and the NIST NSRL preinstalled the evidence and NSRL directories are under the user ubuntu home directory. The analysis mount point has been placed in the /mnt/analysis/ directory. An explanation for the Ubuntu Linux directory tree structure is here.
I have written additional posts that give more detail on the different aspects associated with using the AWS environment for my particular course. In the Using Amazon Web Services in Teaching post I give an overview of the AWS environment I created for my course, shown in the figure below.
1. [This Post] In Setting Up Sleuthkit and Autopsy on an AWS EC2 Instance I describe how I create a master EC2 instance that holds the software and data for the exercises.
2. In Creating an AMI for Classroom Use I outline how I created an AMI for sharing with the students.
3. The instructions Creating and Accessing the FOR2014 EC2 Instance for the FOR Course detail how the students should create an EC2 instance from the AMI.
4. The instructions Accessing Autopsy v2 on the FOR2014 EC2 Instance detail how to configure Autopsy on the FOR2014 EC2 instance for access from the student’s local computer.