Thursday, November 26, 2009

Google ChromeOS First Impressions

Along with echosix I got interested in GoogleChromeOS from a forensic perspective and thought I would take a very basic, quick look under the hood.

The default install boots to a tabbed GUI interface and, if you have network connectivity, you can log in with an existing gmail account. If not, the default username is chronos and the default password is chronos.

Once at the GUI you can use Ctrl/Alt/T to bring up a shell, and root access can be gained using the sudo command.

The terminal is actually really, really slow to type and run commands in, so I started the ssh service (/etc/init.d/ssh start did the trick) and connected with PuTTY.

Over PuTTY the terminal was surprisingly quick to use.

The new OS is based on Ubuntu 9.10.


The root partition of the drive was mounted read only, which I found interesting, and with the data=writeback option, which after some googling translates to:

“does no journaling of data; metadata only. fastest. data corruption possible in system crash”.

It appears the root partition is always mounted read only upon boot and the user data is encrypted under the /home directory.


As a test I logged in with my gmail account and located a directory under the default user account “chronos”, named after my gmail account, that contained further folder structure.


Navigating through the gmail account directory I found that most of the account information for my gmail account was located under /home/chronos/dougee652@gmail.com/.config/google-chrome/Default/


From the tabbed GUI interface I saved an attachment from an email message and this file was saved locally to the Downloads directory.

I am going to look at GoogleChromeOS in a lot more detail and examine what user information is saved locally and what is stored in the cloud, so stay tuned.

Imaging a GoogleChromeOS with F-Response

After downloading the VMware image of the newly released Beta version of GoogleChromeOS, I wondered what I could use to image the new operating system.


So I figured F-Response would be my tool of choice to connect to the GoogleChromeOS running system and then use the great MAC Forensic Imager tool by Ryan Kubasiak.

Upon boot ChromeOS gives you a tabbed interface and not much else, but after a bit of digging I found access to the shell using Ctrl/Alt/T, and up popped the shell. I guessed the root password “chronos” and logged in.

I had previously emailed the F-Response Field Kit Linux script to my gmail account and saved the attachment to the Downloads folder.

To get the F-Response Linux script to run I had to copy it to /tmp and run it using the command:

sudo ./f-response-fk-lin -u andyandy -p 12345678901234 -i 3260

Issue 1 IPtables

I then had some connection issues, as GoogleChromeOS comes with iptables configured, so I removed all the iptables rules and changed the INPUT policy from Deny to Accept.

Commands:

iptables -L INPUT -n --line-numbers

iptables -D INPUT [line number here]

iptables -P INPUT ACCEPT


Now with connectivity I was able to reach my MacBook Pro and start the connection process.


I then used the globalSAN iSCSI client on the MacBook Pro to establish the connection.


The F-Response status then showed me that the connection was established;


The GoogleChromeOS disk showed up on my Mac as rdisk4 and contained 3 partitions;

[Screenshots: fdisk output from the shell on the Mac; output from the GUI Disk Utility tool; the mounted partitions on my Desktop; file explorer views of the root partition and the second partition.]

I then used the great MAC Forensic Imager tool by Ryan Kubasiak to create an image of the GoogleChromeOS physical drive.


The imaging completed in no time at all and produced an E01-format image. The log recorded the acquisition as follows:

Physical Disk Info
scheme: fdisk
block size: 512

 ##  Type          Name                Start    Size
 +   MBR           Master Boot Record  0        1
 1   Linux_Ext2FS                      1        1945600
 2   Linux_Swap                        1945601  1945600
 3   Linux_Ext2FS                      3891201  1945600
 + synthesized

ewfacquirestream 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.7)

Using the following acquiry parameters:

Image path and filename: /Users/dougee/Desktop/GCOS-FRes.E01

Case number: 652

Description: GoogleChromeOsF-Response

Evidence number: 652

Examiner name: Dougee

Notes: GoogleChromeOs with F-Response Field Kit

Media type: fixed

Volume type: physical

Compression used: none

Compress empty blocks: no

EWF file format: EnCase 5

Acquiry start offet: 0

Amount of bytes to acquire: 0 (until end of input)

Evidence segment file size: 1.4 GiB (1572864000 bytes)

Block size: 64 sectors

Error granularity: 64 sectors

Retries on read error: 2

Wipe sectors on read error: no

Acquiry started at: Thu Nov 26 11:28:30 2009
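As an added example (not the author's code and not the imager's own output), the Python below parses the partition listing quoted above and derives the byte extents an examiner would compare against the finished E01 set and the volumes mounted on the Mac. It assumes the 512-byte block size and the 1572864000-byte segment size from the log; because the acquisition ran "until end of input", the end of the partition table is only a floor for the image size.

```python
"""Sanity-check an EWF acquisition against the partition table the imager logged.
Added example: the log text below is constructed from the post, not parsed from a file."""
import re
from math import ceil

# Constructed from the log in the post: label, type, optional name, start, size (sectors)
PARTITION_LOG = """\
block size: 512
+ MBR Master Boot Record 0 1
1 Linux_Ext2FS 1 1945600
2 Linux_Swap 1945601 1945600
3 Linux_Ext2FS 3891201 1945600
"""
SEGMENT_BYTES = 1572864000  # "Evidence segment file size" from the ewfacquirestream log
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(?:(.*?)\s+)?(\d+)\s+(\d+)$")

def parse_table(text):
    """Return (block size, [(label, type, start_sector, size_sectors), ...]) in table order."""
    block, rows = 512, []
    for line in text.splitlines():
        if line.startswith("block size:"):
            block = int(line.split(":")[1])
        elif (m := ROW.match(line.strip())):
            label, ptype, _name, start, size = m.groups()
            rows.append((label, ptype, int(start), int(size)))
    return block, rows

def check_layout(rows):
    """Report overlaps or unallocated gaps between consecutive entries (MBR included)."""
    issues = []
    for (la, _, sa, za), (lb, _, sb, _) in zip(rows, rows[1:]):
        if sb != sa + za:
            kind = "overlaps" if sb < sa + za else f"leaves {sb - sa - za} unallocated sectors before"
            issues.append(f"{la} {kind} {lb}")
    return issues

def table_end_bytes(block, rows):
    """Byte offset just past the last partition: a floor for the acquired image size."""
    return max(s + z for _, _, s, z in rows) * block

def min_segments(total_bytes, segment_bytes=SEGMENT_BYTES):
    """Fewest .E01/.E02/... files an image of total_bytes can occupy at this segment size."""
    return ceil(total_bytes / segment_bytes)

if __name__ == "__main__":
    block, rows = parse_table(PARTITION_LOG)
    for label, ptype, start, size in rows:
        print(f"{label:>2} {ptype:<14} offset={start * block:>11} length={size * block:>11}")
    print("layout issues:", check_layout(rows) or "none")
    end = table_end_bytes(block, rows)
    print(f"table ends at {end} bytes -> at least {min_segments(end)} EWF segment(s)")
```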

Monday, November 9, 2009

F-Response and using MAC for Analysis

A short document that I created to show how to connect your mac to F-Response.

Sunday, November 8, 2009

Installing Volatility Framework on the MAC

I recently had success with installing Volatility on my MacBookPro and have shared the process in a VDP Document. The document can be found on the VDP Project Page at;

Sunday, October 18, 2009

MAC OSX Leopard/Snow Leopard File System Counting

With the launch of Snow Leopard Apple has changed the way in which it counts file sizes in megabytes.

In the previous version, Leopard, Apple counted a gigabyte as 1024 MB or 1,073,741,824 bytes, but in Snow Leopard Apple now counts a gigabyte as 1000 MB.

For example, a file of 252,916,507 bytes appeared in Leopard as 241.2 MB, and in Snow Leopard it appears as 252.9 MB.

Tuesday, September 22, 2009

Windows Firewall control from the CMD line

One of the key things we do in Incident Response is avoid using the GUI if at all possible; we can also fall victim to the Windows Firewall blocking our remote connections. More as a memory jogger, I thought I would publish the list of Windows Firewall commands below, which allow us to control the Firewall from the command line.

Windows XP

Show Firewall Status

netsh firewall show opmode (can be redirected to record the current state using > fw_state.txt)

Turn off Firewall

netsh firewall set opmode disable

Open Port for Imaging Tool

netsh firewall add portopening TCP 8888 netcat enable subnet

Delete Opened Port

netsh firewall delete portopening protocol=TCP port=8888

Turn Firewall on

netsh firewall set opmode enable

Windows Vista/Windows Server 2008

Show Firewall Status

netsh firewall show opmode

Turn Firewall Off

netsh advfirewall set currentprofile state off

Open Port for Imaging Tool

netsh advfirewall firewall add rule name=netcat dir=in action=allow protocol=TCP localport=8888

Delete Opened Port

netsh advfirewall firewall delete rule name=netcat protocol=TCP localport=8888

Turn Firewall on

netsh advfirewall set currentprofile state on

Thursday, August 20, 2009

Happy 40th Birthday Unix

I would like to wish the UNIX Operating System a happy 40th birthday. It's been a good four decades with spin-offs like SCO, Solaris, AIX, HP-UX, Irix, OSX, BSD and GNU/Linux to name just a few. As the true God of the OS world may you reign eternally!
