Michael Hamm, Operator & Analyst at CIRCL gave a presentation at Pass the SALT 2021 on “Forensics Low Level - Having fun with Linux onboard tools” on 5th July 2021.
In his presentation, he covered some curiosities he stumbled over while working in forensics. One goal was to show that you cannot always rely on tools and should be able to read the data at byte level to understand what's going wrong.
The presentation consisted of three live demos. All of them were based on standard Linux tools such as 'dd', 'hexedit' and the like.
- In forensics a hardware write-blocker is necessary; just mounting the device read-only is not sufficient. He will connect a USB stick to his laptop and mount it read-only. After this he will modify some data on the USB stick anyway.
- He takes a standard USB stick and simply modifies some (3) bytes on it. The result: Linux will mount up to 250 partitions, and some tools either hang or simply display wrong information. You need to read the bytes of the partition table to understand what's going wrong.
- If you connect another USB stick to a Windows machine, files A, B and C have contents X, Y and Z. If you connect the same USB stick to Linux, files A, B and C have contents U, V and W. Analyzing and understanding the Master Boot Record will reveal the secret.
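As an added illustration of reading the partition table at byte level (example code, not from the talk): a small Python parser that decodes the four MBR entries and follows the extended-partition EBR chain with a loop guard. The talk does not say which three bytes were changed; the constructed image here assumes one particular kind of damage, an EBR whose "next" link points back at itself.

```python
import struct

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # MBR type codes for extended containers

def parse_entries(sector: bytes):
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries
def walk_partitions(image: bytes):
    """List primary and logical partitions; flag an EBR chain that revisits a sector."""
    sector = lambda lba: image[lba * SECTOR:(lba + 1) * SECTOR]
    parts, anomalies = [], []
    for e in parse_entries(sector(0)):
        if e["type"] == 0:
            continue
        parts.append(dict(e, kind="primary"))
        if e["type"] not in EXTENDED_TYPES:
            continue
        ext_base, ebr, seen = e["lba"], e["lba"], set()
        while ebr not in seen:  # without this guard a looped chain never terminates
            seen.add(ebr)
            logical, nxt = parse_entries(sector(ebr))[:2]
            if logical["type"]:  # entry 0: logical partition, LBA relative to this EBR
                parts.append({"kind": "logical", "type": logical["type"],
                              "lba": ebr + logical["lba"], "sectors": logical["sectors"]})
            if nxt["type"] == 0:  # entry 1: link to the next EBR, relative to ext_base
                break
            ebr = ext_base + nxt["lba"]
        else:
            anomalies.append(f"EBR chain loops back to LBA {ebr}")
    return parts, anomalies
def make_sector(entries):
    """Build a 512-byte MBR/EBR sector from (type, lba, sectors) tuples."""
    sec = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, 446 + 16 * i, 0, ptype, lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)
def constructed_image():
    # Constructed 64-sector image (assumption, not the talk's stick): one primary plus an extended partition whose EBR "next" link points back at itself.
    img = bytearray(SECTOR * 64)
    img[0:SECTOR] = make_sector([(0x83, 1, 15), (0x05, 16, 48)])
    img[16 * SECTOR:17 * SECTOR] = make_sector([(0x83, 1, 7), (0x05, 0, 48)])
    return bytes(img)
```

Run `walk_partitions` on a raw image taken through a write-blocker (for example with `dd`) and compare its output with what the partition tools report; a listed anomaly is the place to start reading bytes.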
Watch the replay here.