rsnapshot: Auto Version Controlled Backup for Unix/Linux/Mac/BSD…

Red Had Enterprise Linux (RHEL) 6. I missed the ease of configuration and all the free tools that people smarter than me have created.

Systems that can take advantage of Rsnapshot

Systems that can take advantage of Rsnapshot

I would like to do a fast post on rsnapshot. I have seen ssh and rsnapshot scheduled in cron to automate backups of OSX to a Linux server. Since we didn’t want the wireless to slow down we only used the physical MAC address of the MAC. What makes rsnapshot so great is that it will wok on so many systems that are out there (Ubuntu, Debian GNU/Linux, Red Hat Linux, Fedora Linux, SuSE Linux, Gentoo Linux, Slackware Linux, FreeBSD, OpenBSD, NetBSD, Solaris, Mac OS X, and even IRIX) .

For now I’m using it for personal automated backups to my external hard drive. There are plenty of other advanced options and examples on the Internet. I just wanted to get out a fast an easy example.

  1. First – find and install rsnapshot. for Red Hat this was
    $ sudo yum install rsnapshot
    (rsynch is a dependancy that should already be installed).
  2. After install if you do not have this file /etc/rsnapshot.conf. Use the command:
    $ sudo cp /etc/rsnapshot.conf.default /etc/rsnapshot.conf
  3. Edit rsnapshot.conf – The defaults I changed from the default configuration file are below. These options allow me to back up everything in /etc/ and /home/. Backups kept will be twice a day, 7 days a week, 4 weeks, 12 months and 5 years (change this as you see fit).  Most important is that switch to make sure that the mount point will not be created and wrote to locally if the disk is not attached.
    1. WHERE TO PLACE BACKUPS
      # All snapshots will be stored under this root directory.
      #
      snapshot_root   /media/myexternal/rsnapshot/
    2. DO NOT CREATE IF DISK IS NOT CREATED
      # If no_create_root is enabled, rsnapshot will not automatically create the
      # snapshot_root directory. This is particularly useful if you are backing
      # up to removable media, such as a FireWire or USB drive.
      #
      no_create_root 1
    3. INTERVALS (make sure this is tabbed – do NOT use spaces)
      #########################################
      #           BACKUP INTERVALS            #
      # Must be unique and in ascending order #
      # i.e. hourly, daily, weekly, etc.      #
      #########################################
      interval        hourly  12
      interval        daily   7
      interval        weekly  4
      interval        monthly 12
      interval        yearly  5
  4. Time to configure cron. Most people will tell you to create your jobs using $ crontab e
    I prefer to use the root crontab using $ sudo vim /etc/crontab shown below:

    0 */12 * * * root /usr/bin/rsnapshot hourly # Every 12 hours
    30 23 * * * toot /usr/bin/rsnapshot daily   # Daily at 11:30PM
    20 2 * * 0 root /usr/bin/rsnapshot weekly   # Sunday at 2:20AM
    10 5 1 * * root /usr/bin/rsnapshot monthly  # First day of the month at 5:10AM
    01 8 1 1 * root /usr/bin/rsnapshot yearly   # January 1st at 8:01AM
  5. Test It – Following these steps you should have the basic setup needed to run rsnapshot on your personal computer to an external hard drive or usb. Just one last thing to do. Make sure that your hard drive is plugged in and  run:
    $ sudo rsnapshot -V hourly
    rsnapshot should give you plenty of verbose information as it creates your first hourly backup inside the location you specified. If there is a issue with the lock file, remove the lock file and try again.

Still stuck?

There are many other helpful documents out there  start with the rsnapshot how to:
http://www.rsnapshot.org/howto/1.2/rsnapshot-HOWTO.en.html#installation

If you want to learn how to do remote backup and use OSX? try this article:
http://blog.philippmetzler.com/?p=138

As I said in the beginning of this article, this was a fastpost and not meant to cove everything about rsnapshot. It took longer to write this article than it did to set up rsnapshot.
Good Luck – Adam M. Erickson

 

[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]

Force Jenkins to connect to remote sites.

Problem:

  1. You created an awesome script on Linux that builds your application that will automatically upload to another server via sftp or ssh.
  2. You want to go a step further and have Jenkins run the same script.
  3. Every time Jenkins runs the script it fails.
  4. You Curse Jenkins/Hudson and start pricing Atlassian tools instead.

One possible reasons could be because you have already accepted the RSA fingerprint.

The authenticity of host ‘216.64.211.4 (216.64.211.4)’ can’t be established.CLI Root
RSA key fingerprint is 2c:78:0d:08:b7:06:ac:1a:be:5f:9a:4e:37:06:8f:53.
Are you sure you want to continue connecting (yes/no)?

You cannot get through to a remote sight for upload using Jenkins because even with Jenkins using your credentials, Jenkins still needs to accept the RSA Fingerprint to proceed.

Answer:

You need to have sudo rights
There is a user switch in sudo that will allow you to ssh as jenkins.

$ sudo  -u jenkins username@server

Manually accept the RSA fingerprint key.
Now test the script in Jenkins again. It should work unless there are other rights and directory paths that you need to work out.

JenkinsRemember:

Jenkins is a user with his own user directory. My Jenkin’s user directory was /var/lib/jenkins/
If you want to have Jenkins run a script, make sure it is in Jenkins directory.

Don’t name any of your Jenkin Items with spaces.
The Items you create are made into a directory inside Jenkin’s ~/workspaces/item-name

I am not a Linux expert, I am not certified in Linux. I have been using Linux systems for over 10 years now and love coming up with solutions using Open Source Software.

Digital Forensics

 forensics              Reviewing the concept of anti-forensics, which can be described as being:  “…more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you” (Berinato, 2007).  The ultimate fear is that the rise of anti-forensics tools and techniques could make any data collected suspect, and that it jeopardizes the validity of any forensic investigation (or at least makes them so cost-prohibitive that they will seldom be feasible).  Throughout this paper we will look at what these tools and techniques are – from new developments in the field intended to conceal illegal activity to traditional anti-forensic methods to wipe data when old equipment is sold or no longer needed.  We will likewise examine the potential impact to the future of forensic investigations, as this could make the probability of a conviction extremely low.

Case studies

     After painstakingly searching several sites in the attempts to find documentation of successful anti-forensics stories and tools that were used, attempt came up pretty empty. While there are a few stories that share how people have tried to fool digital forensic experts, the fact is that no one is going to report that they were successful in fooling digital forensic investigators because they want to be able to fool them again in the future. Even the digital forensic investigators are not willing to relinquish case stories on what they found and the conclusions that they were able to come to so that they can stay an expert in their field. Some of the following stories were what I was able to find. If you ever find any interesting stories like explosives rigged into computers, or magnetic doorways, I would be interested to hear about it. Lastly I included information on how anti-forensics could be useful for personal use, in order to keep your personal information safe.

     With the amount of digital forensic cases that have been posted after the initial commencement date of this research paper, suggests that the amount of information that will be available within the next year will be an exponential growth from the amount that is available at present.

     Additionally I have come to the conclusion from reading several discussions and online expert opinions that while EnCase is the chosen digital forensic tool of use to get a broad overview of the file system, it is only one of the primary tools in an arsenal of tools that usually has a few other tools dropped into the mix and only through suggestions of peers and trial and error will you be able to decide what are the best tools for you to use.

     Just like some people to use torrents to collect illegal free music, movies, and books, pedophiles are using the same technology to spread child pornography to other pedophiles. The city of Trenton, N.J. tracked the digital fingerprints of pornographic pictures as they left one person’s computer and followed it to the next IP address and was willing to follow pictures for a total of 27 adults. One of the adults was arrested promptly before the others when officers found out he lived above a daycare facility.

     Out of the 100 state troopers and 3 months of hard work, the time came to collect the computers from the felons and extract the digital forensics necessary to convict the 27 individuals for the federal offense of either creating or having possession of child pornography. The traceable factor was the electronic watermark that was imprinted on each image. Making each image traceable on individual’s computers and also the routes the images would take on the internet. Artifacts were left on computers that were proof that the images were downloaded and viewed even if the images were deleted, just like a fingerprint on a murder weapon, it should be easy to convict each person.

The most anti-forensic material that was used by one of the culprits was heavy duty magnets that were installed in the shoes to erase the hard-drive of incriminating evidence. Yet with all the networking detective work, the magnets in the shoes probably just helped proof his guilt.

     Because the images were shared on a peer-to-peer network, every person involved in the arrest will not only be charged with possession of child pornography but also of distribution of child pornography because most torrent downloads automatically start uploading to other users who request the same data(Fletcher, 2012).

     30 year old Higinio O. Ochoa, a member of the hacker group Cabincr3w an offshoot of anonymous, was arrested after he posted an image of his girlfriend from an iPhone to Twitter. What he neglected to take into account was the GPS tagging EXIF metadata that was imprinted on the image. When the FBI viewed the metadata on the image, it effortlessly pointed to his girlfriend’s house in the outer-Melbourne area. Because of the image, I cannot post the actual image to this research paper but I can tell you that there was a message on it that his girlfriend was displaying, it read, “PwNd by W0rmer & cabinCr3w <3 u B(commented out)’s!”. All EXIF data had been wiped from the photos posted online.

     I was not able to find any current digital forensics tools that would look for coded messages, just encrypted messages. One helpful post I found from a digital forensics expert suggests that by using Unicode escape sequence messages, that you could possibly circumvent most digital forensic tools, unless it is a professional smart enough to check for the. For an example, \u0048 \u0045 \u004c \u004c \u004f , spells out HELLO.

     Fortunately there are people that are trying to close the gap for digital forensic tools lie Pavel Gladyshev of the UCD School of Computer Science and Informatics located in Texas, is working on a project to develop tools that will not only search for raw binary data for keywords but also search for possible character encoding to include ASCII, UTF-8, UTF-16, and UTF-32 that might have escape sequences embedded in it.

Anti-forensics for Your Protection

     Some people might jump to conclusions that by using anti-forensics to protect your information imply that you’re trying to hide illegal information. That is not always the case, sometimes it is useful to use anti-forensic tools in ordinary daily activities to protect against malware that targets devices like smartphones (Storm, 2011). Take for example the mobile forensic solutions offered by the company Cellebrite that are able to extract deleted data from all smartphones and tablets. While most information gleaned is produced from a hardwired connection, it is possible for devices to attach wireless through infrared or Bluetooth signal. The ability to access data remotely from a smart device makes forensic devices dangerous for the general populace because they may be used for criminal activity or spying (Bloomberg 2012).

      Companies like WhisperSystems (www.whispersys.com), make it a little bit harder for government and criminals alike to easily take data from your smart device by providing full disk encryption, network security tools, encrypted backup to the cloud, and selective permissions. Not only will anti-forensics software encrypt you data but it can also encrypt your text messages and voice calls if the other person is using the same software, if they are not it will still encrypt the data on your phone. This protection is not just necessary from a direct attack but also by malware that might disguise itself as an application you really want on you device.

    In the near future, I will be testing mobile digital forensic tools at Ferris State University and will test to see how well at least one of the free anti-forensic tools work during class and plan to come back and add more on forensics and security.

Reference

Berinato, S. (2007, June 8). The rise of anti-forensics. Retrieved from http://www.csoonline.com/article/221208/the-rise-of-anti-forensics

Bloomberg Government, (March, 2012) IPhones to BlackBerrys Cracked by Cops Using Digital Forensics. Cellebrite mobile data secured. Retrieved 4/18/2012. From http://www.cellebrite.com/news-and-events/mobile-data-news/335-iphones-to-blackberrys-cracked-by-cops-using-digital-forensics.html

Fletcher, J. (April, 2012). N.J. investigators track digital ‘fingerprints’ on shared images to nab child pornographers. The republic of Columbus Indiana. Retrieved 4/18/201, from http://www.therepublic.com/view/story/CPT-CHILDPORN_7786030/CPT-CHILDPORN_7786030/

 

Open Source Software in Digital Forensics

The purpose of this research paper is to research information on open source digital forensic tools that are assess-able for free, usually online. To review types of digital forensic tools available and what they do. The basic definition of what open source and digital forensics is will be defined, and how Open Source Software (OSS) digital forensic tools can help accomplished data retrieval. The pros and cons of why OSS should be considering as a viable digital forensic tool-set is also covered.

Digital Forensics and Incident Response and Tools

Digital forensics and Incident Response (DFIR) is the method of investigating and analyzing data information for the purpose of presenting, an ordered report that shows a chain of evidence to find out what happened on a computer and who was responsible, to a court of law. SearchSecurity. (September 2004). DFIR is being more commonly used as more and more people use computers in their daily life, from smart phones, game stations, and laptops. DFIR can help convict anyone of any crime that involved a computer, wither it is prostitution, child pornography or a white collar crime like embezzlement.

DFIR Tools are the free and proprietary applications used by DFIR experts to retrieve the results to hand over to the legal system. They allow investigators the ability to examine the contents of the hard drive without making changes to the data held within. Information that is retrieved can come from deleted files, encrypted, or damaged files SearchSecurity. (September 2004).

Open Source Software

Open Source

Some things are priceless.

Open Source Software (OSS) is a set of practices used to collaborate with software source code that has been made freely available through copywriting laws. It is also commonly known as FOSS (Free Open Source Software), although most OSS is free, not all is but for this research paper I will be covering mostly the free version of OSS. Individuals separated can come from diverse cultural, corporate boundaries, language and other characteristics in order to work together to create complex, non-proprietary software. Software is open sourced when it is free to redistribute, the source code is redistributed with it as well as in compiled mode. The open source licensing was created to make the source code of a program readily available to anyone that requests it. By making the source code available for anyone, it helps in developing stable software because the whole community is able to create changes and redistribute their own version of the software. Open source software protects the original author of the software, does not discriminate in anyway on how it can be used, cannot be specific to a product or software, cannot restrict other software and has to be technology neutral (open source, n.d.). There are several variants of the open source licensing contract that can be reviewed at opensource.org (http://www.opensource.org/licenses/category).

Some of the more widely known open source licenses cover the GNU(Graphic environment of sever Linux desktops), Mozilla (Firefox, Thunderbird), MIT, BSD (like Unix), and Eclipse (Eclipse IDE). Because of the lack of dependency on software vendors, open source software allows the software to transform and morph into potentially anything the users and developers need the software to do. It gives users the freedom to use it when they want, how they want and on their own terms.

Why OSS DFIR Tools

Open Source digital forensic tools addresses specific gap in forensic capabilities of proprietary DFIR tools.  The tools range for analyzing memory dumps, disks, network traces, cell phones, and memory images from game consoles. Besides the fact that some of the tools focus on one specific area of digital forensics of the incident response building, make them invaluable to some investigators who find the complete packaging of some DFIR proprietary tools cumbersome and lacking in some areas.

Financially, companies and governments are always looking for ways to cut budget costs that is the same for DFIR investigators trying to find work. An investigator using DFIR tools can offer a lower price to customers than a person that has to forward the expensive cost of proprietary tools to the customer. Even law enforcement that has an easier time justifying expenses to budget reports in other departments like traffic enforcement, and drug trafficking. Because of the high cost involved in proprietary applications, the follow up cost for updates may be neglected, leaving the software antiquated and not viable in future investigations.

Legally procedures for finding digital evidence need to be defended in court as being testable, published under peer review, show the possible error rate, and are marginally accepted in the relevant scientific community. Because proprietary tools are closed source and the companies offering the tools do not what to acknowledge mistakes in their software, it makes a case all by itself for choosing OSS digital forensic tools during investigation. OSS allows the source code to be evaluated, tested and error rates to be traced. OSS tools are also greatly accepted by the DFIR community (Carrier, 2002). As Brian Carrier, (Carrier, 2002) reported, “The digital forensic market should not be approached in the same way that other software markets are. The goal of a digital forensic tool should not be market domination by keeping procedural techniques secret.” While Carrier may be a little bias since he developed most of the code in Sleuth Kit, Autopsy, and mac-robber, his experience in digital forensic just proves the fact that it is important to keep OSS DGIR tools in mind.

Counterproductive to this paper, it is important to note that there usually is a larger learning curve when dealing with OSS DFIR tools since some run from command prompts and from Nix (Linux, Unix, BSD) operating systems. Also since they usually focus on one component of DFIR, it requires several different applications that need to be tied together to build a report. Because some of the tools take a lot of time to college and arrange data for a report it is sometimes better to use in a lab then in the field.

Conclusion

While open source digital forensic  tools are abound, and you can take advantage of all of them while  avoiding paying fees for commercial products, there are several good commercial tools that are available also. Because digital forensics is such a vast field of study, it is important to not rely on just one set of tools and to research and test other methods to discover and fight anti-forensics.

Good luck with any future digital forensic test cases you attempt, please make sure that it is done ethically and legally.

More information on OSS DFIR tools can be found at sites like IEEE, open source references at the National Institute of Technology (NIST), the National Software Reference Library (NSRL) form NIST, and government studies and college studies on OSS alternatives in DFIR. Additionally there is a growing amount of information from personal websites and OSS developers on DFIR that may be useful. I totally agree with Schneier (2010), that we, “would encorage everybody to download and learn the tools not just because they can do forensics but because most of them can also be used for other things such as finding things in memory and hard drives that should not be there which many AV tools cannot do and to help put systems back together again.”


Future Note: I plan to compare and contrast some of the more common tools that I will continue to study.References

References

Carrier B, (2012). Slueth Kit. Retrieved 4/15/2012. From http://www.sleuthkit.org/sleuthkit/index.php

Cmihai. (October 2007). UNIX System Administration: Solaris, AIX, HP-UX, Tru64, BSD. Retrieved 4/27/2012, from http://blog.boreas.ro/2007/10/digital-forensic-tools-imaging.html

DFF (n.d.) Open Source Digital Investigation Framework. Retrieved 4/17/2012, from http://www.digital-forensic.org/

Forristal, J., Shipley G.. January 8, 2001. Vulnerability Assessment Scanners. Network Computing. http://www.nwc.com

LinuxLinks (n.d.) 6 of the Best Free Linux Digital Forensics Tools, retrieved 4/5/201. From http://www.linuxlinks.com/article/20110115103656314/DigitalForensics.html

Nikkel, B. (June 2012) Practical Computer Forensics using Open Source tools, retrieved 4/23/2012, from www.digitalforensics.ch/nikkel08.pdf

Open Source. (n.d.) The Open Source Definition. Open Source Initiative. Retrieved from http://www.opensource.org/docs/osd

Open Source Digital Forensics (n.d.) Tools, retrieved 4/5/2012 

Schneier B.. (December 2010), Open Source Digital Forensics. Retrieved 4/6/2012. From

SearchSecurity. (September 2004). computer forensics (cyberforensics). Retrieved 5/4/2012. From http://searchsecurity.techtarget.com/definition/computer-forensics

[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]