Thursday, February 18, 2010
Twitter your Keynote Presentation
Adding Google Reader Feeds to Apple Mail
- Export an OPML file from your favorite feed reader (Google Reader for me)
- Run the following command in Terminal: perl -lne 'print $1 if /"(http.*?)"/' google-reader-subscriptions.xml | pbcopy
- Open Mail
- Go to File » Add RSS Feeds...
- Choose the Specify a custom feed URL radio button
- Click in the entry box and hit Command-V to paste the feed URLs
- Click the Add button
Thursday, November 26, 2009
Google ChromeOS First Impressions
Along with echosix, I became interested in GoogleChromeOS from a forensic perspective and thought I would take a very basic, quick look under the hood.
The default install boots to a tabbed GUI and, if you have network connectivity, you can log in with an existing gmail account. If not, the default username is chronos and the default password is chronos.
Once at the GUI you can use ctrl/alt/T to bring up a shell, and root access can be gained using the sudo command.
The terminal is actually really, really slow to type and run commands in, so I started ssh and connected with putty; /etc/init.d/ssh start did the trick.
Using putty, the terminal is surprisingly quick to use.
The new OS is based on Ubuntu 9.10;
The root partition of the drive was mounted read-only, which I found interesting, and it was mounted with the data=writeback option, which after some googling translated to mean:
“does no journaling of data; metadata only. fastest. data corruption possible in system crash”.
It appears the root partition is always mounted as read only upon boot and the user data is encrypted under the /home directory.
I logged in as test with my gmail account and located a directory under the default user account “chronos” named after my gmail account that contained further folder structure.
Navigating through the gmail account directory, I found that most of the account information for my gmail account was located at home/chronos/dougee652\@gmail.com/.config/google-chrome/Default/
From the tabbed GUI interface I saved an attachment from an email message and this file was saved locally to the Downloads directory.
I am going to look at GoogleChromeOS in a lot more detail and look at what user information is saved locally and what is stored in the cloud, stay tuned…
Imaging a GoogleChromeOS with F-Response
After downloading the VMware image of the newly released Beta version of GoogleChromeOS, I thought: what can I use to image the new operating system?
So I figured F-Response would be my tool of choice to connect to the GoogleChromeOS running system and then use the great MAC Forensic Imager tool by Ryan Kubasiak.
Upon boot ChromeOS gives you a tabbed interface and not much else, but after a bit of digging I found access to the shell using ctrl/alt/T and up popped the shell. I guessed the root password “chronos” and logged in.
I had previously emailed the F-Response Field Kit Linux script to my gmail account and saved the attachment to the Downloads folder.
To get the F-Response Linux script to run I had to copy it to /tmp and run it using the command;
sudo ./f-response-fk-lin -u andyandy -p 12345678901234 -i 3260
Issue 1 IPtables
I then had some connection issues as GoogleChromeOS comes with IPtables configured so I removed all the iptables rules and changed the policy from Deny to Accept;
Commands;
iptables -L INPUT -n --line-numbers
iptables -D INPUT [line number here]
iptables -P INPUT ACCEPT
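A narrower alternative to removing every rule on the live target, as an added example that is not part of the original post: save and hash the existing ruleset, insert a single ACCEPT rule for the examiner's address, and restore the saved rules afterwards. The examiner address 192.0.2.10, the backup path, and the reading of 3260 as the listening TCP port are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed values: the examiner
# address 192.0.2.10; 3260 is assumed to be the TCP port the target listens on.
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the plan, change nothing
BACKUP="${BACKUP:-/tmp/iptables.before}" # /tmp is writable; root is read-only

# True only for a dotted-quad IPv4 address (no CIDR suffix, no hostname).
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# True only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Log every command with a UTC timestamp; execute only when DRY_RUN is not 1.
run() {
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Save the current ruleset, hash it, then insert ONE rule for the examiner.
open_for_examiner() {
    valid_ipv4 "$1" && valid_port "$2" || {
        echo "refusing: bad address or port" >&2; return 1; }
    run sh -c "iptables-save > '$BACKUP'" || return 1
    run sha256sum "$BACKUP" || return 1
    run iptables -I INPUT 1 -p tcp -s "$1" --dport "$2" -j ACCEPT
}

# Put back exactly the ruleset that was saved before the session.
close_session() {
    run sh -c "iptables-restore < '$BACKUP'"
}

open_for_examiner 192.0.2.10 3260   # dry run: prints the three commands
close_session
```

It runs as a dry run by default; set DRY_RUN=0 as root to apply the commands, and keep the timestamped output with the case notes.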
Now with connectivity I was able to reach my Macbookpro and start the connection process.
I then used the Globalscan ISCSI client on the Macbookpro to establish the connection.
The F-Response status then showed me that the connection was established;
The GoogleChromeOS disk showed up on my Mac as rdisk4 and contained 3 partitions;
Fdisk output from the shell on the Mac.
Output from the GUI Disk Util Tool
Mounted Partitions on my Desktop;
File explorer view of each partition;
Root Partition;
Second Partition;
I then used the great MAC Forensic Imager tool by Ryan Kubasiak, to create an image of the GoogleChromeOS physical drive.
The imaging took no time at all to complete and successfully completed to E01 file format. The log recorded the imaging as follows;
Physical Disk Info
scheme: fdisk
block size: 512
_ ## Type_________________ Name_________________ Start___ Size____
+ MBR Master Boot Record 0 1
1 Linux_Ext2FS 1 1945600
2 Linux_Swap 1945601 1945600
3 Linux_Ext2FS 3891201 1945600
+ synthesized
ewfacquirestream 20080501 (libewf 20080501, zlib 1.2.3, libcrypto 0.9.7)
Using the following acquiry parameters:
Image path and filename: /Users/dougee/Desktop/GCOS-FRes.E01
Case number: 652
Description: GoogleChromeOsF-Response
Evidence number: 652
Examiner name: Dougee
Notes: GoogleChromeOs with F-Response Field Kit
Media type: fixed
Volume type: physical
Compression used: none
Compress empty blocks: no
EWF file format: EnCase 5
Acquiry start offet: 0
Amount of bytes to acquire: 0 (until end of input)
Evidence segment file size: 1.4 GiB (1572864000 bytes)
Block size: 64 sectors
Error granularity: 64 sectors
Retries on read error: 2
Wipe sectors on read error: no
Acquiry started at: Thu Nov 26 11:28:30 2009