Post Mortem Analysis

There isn't a single way to perform an analysis. It depends on the target operating system, what you're looking for, the type of crime, what you know about the attacker, and so on. Here are some base cases. You will rarely use just one of them; more often you will mix several of them on a given case or computer.

Post Mortem Analysis (case 1)

This is a classic method. You mount your forensic image through loop devices to access internal filesystems. Using common UNIX commands (find, grep, awk, strings, hexdump), you can search the filesystem to retrieve all the data you need.

You can't really call this a "forensic examination," but hey—it's a starter-kit, right? You'll learn the 80/20 rule (or 70/30 depending on who you quote) using this approach. This forensic rule says that 80 percent of the evidence is floating on the dataset and will be recovered using a simple approach like this one. The next 10 percent will cost you twice as much to fish out, the next 5 percent twice as much again, and on and on and on...

The key is recognizing the sweet spot to stop on each case!


Checklist: Inspect image partition table.
Description: Attach the image to a loop device, read-only, so nothing in this step can write to the evidence:

losetup -r /dev/[firstloopdevice] [image_file]

Use fdisk, sfdisk, or parted to see the partition table structure. Run fdisk with -u (fdisk -lu) so that partition starts are reported in sectors rather than cylinders.

Checklist: Mount image in read-only mode.
Description: The mount offset is the first partition's start sector multiplied by the sector size (512 bytes on most images), which is why you need the table in sectors:

mount -o ro,loop,nodev,noexec,noatime,offset=[first_partition_start_sector*512] [image.file] [mount_point]

For ext3/ext4 add noload as well, so the kernel does not try to replay a dirty journal into your evidence copy.

Checklist: Perform filesystem analysis.
Description: Search and retrieve all the data you need for analysis (find, grep, awk, strings, hexdump), check for rootkits, and so on.

Checklist: Search for logs. Correlate logs.
Description: Use logsearch to find every interesting log file in the filesystem. Correlate log files with tools like lire, octopussy, ADMLogger, sawmill, splunk, or your own choice. Log and MAC time correlation are the very first moves you should make in order to learn what has been going on in a given system during a given timeframe.
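As an added example (not part of the original text, and not the output of any tool named above), the following Python computes the read-only mount command from a partition table dump instead of by hand, including the sizelimit bound and the swap check. It assumes the table was dumped with `sfdisk -d evidence.dd` (sfdisk accepts an image file); the dump, the image name and the mount point are constructed placeholders.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed `sfdisk -d` dump of a two-partition DOS-labelled image (not from a real case).
# util-linux 2.35+ prints the sector-size header; older dumps omit it, so 512 is the default.
SAMPLE_DUMP = """label: dos
label-id: 0x5f7c1a2e
device: evidence.dd
unit: sectors
sector-size: 512

evidence.dd1 : start=        2048, size=     1046528, type=83
evidence.dd2 : start=     1048576, size=      262144, type=82
"""

LINUX_SWAP_TYPES = ("82", "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f")  # MBR type byte, GPT type GUID


@dataclass
class Partition:
    number: int
    start: int      # first sector
    size: int       # length in sectors
    type_: str      # as sfdisk prints it: MBR type byte or GPT type GUID


def parse_sfdisk_dump(dump: str) -> tuple[int, list[Partition]]:
    """Return (sector_size, partitions) from the output of `sfdisk -d <image>`."""
    sector_size = 512
    parts: list[Partition] = []
    for line in dump.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "sector-size":
            sector_size = int(value)
        elif "start=" in value:
            # key=value pairs separated by commas; GPT dumps may carry a quoted name=...
            fields = {k: v.strip().strip('"')
                      for k, v in re.findall(r'(\w+)=\s*("[^"]*"|[^,]*)', value)}
            number = int(re.search(r"(\d+)$", key).group(1))
            parts.append(Partition(number, int(fields["start"]), int(fields["size"]), fields["type"]))
    return sector_size, parts


def mount_command(image: str, part: Partition, sector_size: int, mount_point: str) -> str:
    """Build the read-only loop mount for one partition.

    offset and sizelimit are start and length in bytes (sector count times the image's
    sector size, not a cylinder number times 512); sizelimit keeps the loop mapping inside
    the partition so a damaged filesystem cannot read past its end. noload is ext3/ext4
    specific (no journal replay); drop it, or use the filesystem's own equivalent such as
    norecovery for XFS, when mounting something else.
    """
    if part.type_.lower() in LINUX_SWAP_TYPES:
        raise ValueError(f"partition {part.number} is Linux swap: carve it, don't mount it")
    opts = ",".join([
        "ro", "loop", "nodev", "nosuid", "noexec", "noatime", "noload",
        f"offset={part.start * sector_size}",
        f"sizelimit={part.size * sector_size}",
    ])
    return f"mount -o {opts} {shlex.quote(image)} {shlex.quote(mount_point)}"


def plan(dump: str, image: str, mount_root: str = "/mnt/evidence") -> dict[int, str]:
    """One mount command per mountable partition; swap partitions are reported, not mounted."""
    sector_size, parts = parse_sfdisk_dump(dump)
    commands: dict[int, str] = {}
    for p in parts:
        try:
            commands[p.number] = mount_command(image, p, sector_size, f"{mount_root}/p{p.number}")
        except ValueError as exc:
            commands[p.number] = f"# skipped: {exc}"
    return commands


if __name__ == "__main__":
    for number, cmd in plan(SAMPLE_DUMP, "evidence.dd").items():
        print(number, cmd)
```

On a current util-linux you can avoid the arithmetic with `losetup -r -P -f --show evidence.dd`, which attaches the image read-only and exposes each partition as /dev/loopNpM; the offset form is still what you need on an older kernel, or when you want the sizelimit bound.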

Post Mortem Analysis (case 2)

Sometimes you can find an unknown filesystem, a swap area, or a hibernation file, or you'll simply want to extend your reach into unallocated clusters. In these scenarios, you could use a file carver to retrieve data. File carvers are powerful beasts that must be used with care as they will easily overload you with information if you don't use them wisely.

File carving is the term for scanning a given set of data (usually a large one) for the known headers and footers of known file formats, so that the bytes sitting in between can be grabbed and effectively "carved" out. That's where the name comes from!

There are other techniques to enhance carving and you'll be seeing a lot of progress in this area in the very immediate future; soon file carving will eat as many resources as password cracking—just wait and see... but let's keep to simple header/footer carving for now.

At some point, you'll start developing your own headers and footers, but for the time being, tools are available that will automate this for you and allow you to retrieve deleted documents, which could be useful for your ongoing investigation.


Please remember one thing though! It's not always necessary to carve everything out! If you know what you're looking for and you know how that piece of data is stored in the file format that you're interested in, then don't carve! Just adapt to target format and search! It'll be so much quicker.



Checklist: Identify file type.
Description: Map every kind of file type you need.

Checklist: Use a file carver to extract files from filesystem and swap partitions.
Description: A file carver (foremost or scalpel) will retrieve every file it can recognize from the types you choose. Header/footer carving only recovers a file that is stored contiguously: a fragmented file comes out truncated or mixed with foreign data. It works on any filesystem and on swap files or partitions, because it ignores filesystem structures and reads the raw bytes.
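Header/footer carving as an added example (this is not the page's code, nor foremost's or scalpel's): a small Python carver run over a constructed byte region standing in for a swap area. The signature table and the embedded sample files are constructed for the demo; the max_size column is the check a real carver needs so that a header whose footer never appears (fragmented or partly overwritten file) does not swallow the rest of the input.

```python
import os
from dataclasses import dataclass

# Constructed signature table for this example (not foremost's or scalpel's configuration):
# header, footer, and the maximum distance at which the footer is searched.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 64 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset of the header in the input region
    data: bytes
    complete: bool   # False when no footer was found within max_size


def carve(blob: bytes, signatures=SIGNATURES) -> list[Carved]:
    """Header/footer carving over a raw byte region (swap, hibernation file, unallocated space)."""
    found: list[Carved] = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = blob.find(header)
        while pos != -1:
            limit = min(len(blob), pos + max_size)
            end = blob.find(footer, pos + len(header), limit)
            if end != -1:
                found.append(Carved(kind, pos, blob[pos:end + len(footer)], True))
            else:
                # Header with no footer in range: keep the window, flag it as partial.
                found.append(Carved(kind, pos, blob[pos:limit], False))
            pos = blob.find(header, pos + 1)
    found.sort(key=lambda c: c.offset)
    return found


def write_carved(found: list[Carved], outdir: str) -> list[str]:
    """Write each carved object as <offset>.<type>, marking partial ones with .partial."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for c in found:
        name = f"{c.offset:012d}.{c.kind}" + ("" if c.complete else ".partial")
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(c.data)
        names.append(name)
    return names


# Constructed stand-in for a swap area: deterministic filler (which contains none of the
# signatures above) with three intact files and one JPEG whose tail was overwritten.
FILLER = bytes(range(256)) * 16
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x02" * 32 + b"IEND\xaeB`\x82"
PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
JPEG_TRUNCATED = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"\x03" * 64


def build_sample_region() -> bytes:
    return FILLER + JPEG + b"\x00" * 512 + PNG + FILLER + PDF + b"\x00" * 512 + JPEG_TRUNCATED + FILLER


if __name__ == "__main__":
    for c in carve(build_sample_region()):
        state = "complete" if c.complete else "PARTIAL"
        print(f"{c.kind} at offset {c.offset}: {len(c.data)} bytes ({state})")
```

Two caveats this simple form shares with every header/footer carver: a footer that legitimately occurs inside the file ends the carve early (a JPEG thumbnail's own FFD9, or the first %%EOF of a PDF with incremental updates), and a header that occurs inside another file (an embedded thumbnail) is carved a second time as its own object. Review the partial results rather than discarding them; they are often exactly the overwritten file you are after.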

Post Mortem Analysis (case 3)

You might want to inspect an image while the system is running. Virtual machines are perfect for this purpose. You only need to write a small vmdk descriptor that points at a copy of your forensic image (the raw dd image itself serves as the flat extent), ready to be imported into a VMware virtual machine.

This script will help you to automate and avoid some of the potential pitfalls you could run into if not done correctly:

#!/bin/sh
# Simple script to generate the vmware's vmdk file for an image file
# Usage: create_vmdk <image file>
# Copyright @PSS Trento Italy
# mail: <[email protected]>

if [ $# -ne 1 ]
then
    echo "USAGE $0 <image file>"
    exit 1
fi
FILENAME="$1"

# scan for the first loop device available ###
# (losetup <device> with no file prints the device status and fails when the device is unused)
LOOPDEVICE=""
for i in 0 1 2 3 4 5 6 7
do
    if [ "$LOOPDEVICE" = "" ]
    then
        /sbin/losetup /dev/loop$i > /dev/null 2>&1
        if [ $? -ne 0 ]
        then
            LOOPDEVICE=/dev/loop$i
        fi
    fi
done
if [ "$LOOPDEVICE" = "" ]
then
    echo "FATAL: no loop devices available!"
    exit 1
fi

echo "Using $LOOPDEVICE for image geometry scanning..."
# -r attaches the image read-only: nothing in this script should ever write to the evidence
/sbin/losetup -r $LOOPDEVICE "$FILENAME"
if [ $? -ne 0 ]
then
    echo "FATAL: cannot set \"$FILENAME\" on \"$LOOPDEVICE\""
    exit 1
fi

# read geometry from loop device via fdisk ###
# field positions assume the classic fdisk -lu geometry line:
#   "255 heads, 63 sectors/track, 1044 cylinders, total 16777216 sectors"
echo "Scanning geometry..."
FDISKOUTPUT=$(/sbin/fdisk -lu $LOOPDEVICE 2>/dev/null | grep cylinders)
echo "Releasing $LOOPDEVICE..."
/sbin/losetup -d $LOOPDEVICE
echo "Parsing geometry... "
TOTALSECTORS=$(echo "$FDISKOUTPUT" | awk '{print $8}')
TRACKSECTORS=$(echo "$FDISKOUTPUT" | awk '{print $3}')
CYLINDERS=$(echo "$FDISKOUTPUT" | awk '{print $5}')
HEADS=$(echo "$FDISKOUTPUT" | awk '{print $1}')

# check geometry values ###
# each value must be a positive integer; anything else means the fdisk line was not parsed
check_value()
{
    case "$2" in
        ''|*[!0-9]*|0)
            echo "FATAL: invalid $1 value"
            exit 1
            ;;
    esac
}
check_value sectors "$TOTALSECTORS"
check_value track/sectors "$TRACKSECTORS"
check_value cylinders "$CYLINDERS"
check_value heads "$HEADS"

# building the vmdk file
# the extent line (RW <sectors> FLAT "<file>" 0) is the standard flat-extent syntax and the
# only consumer of TOTALSECTORS
echo "Writing $FILENAME.vmdk..."
cat << VWMDK_EOF > "$FILENAME.vmdk"
# Disk DescriptorFile
version=1
CID=76805586
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW $TOTALSECTORS FLAT "$FILENAME" 0

# The Disk Data Base
#DDB

ddb.adapterType = "ide"
ddb.geometry.sectors = "$TRACKSECTORS"
ddb.geometry.heads = "$HEADS"
ddb.geometry.cylinders = "$CYLINDERS"
ddb.virtualHWVersion = "4"
ddb.toolsVersion = "0"
VWMDK_EOF
echo "Done!"

Check the fdisk output by hand the first time you run this on a new machine: current util-linux fdisk no longer prints the "heads, sectors/track, cylinders" line the awk fields rely on, and the script will then stop at the geometry check rather than write a bogus descriptor.

A virtual machine is the right environment to check a compromised system, to test new tools, or to inspect network data with the risk contained, provided the guest's network access is controlled from the host.

Checklist: Copy image and build a vmdk disk.
Description: Transform a copy of the dd image into a vmdk one. (You need only to build a small descriptor file; the raw image is the flat extent.)

Checklist: Build a virtual machine.
Description: Create a virtual machine with the new vmdk.

Checklist: Boot virtual machine to do some checking in a controlled environment.
Description: Use the virtual machine like a sandbox. Take a snapshot before booting, use the host machine to firewall net access, attach an IDS machine to the virtual net, and so on. Virtual machines are a good way to test compromised hosts and discover hidden network traffic. Booting the guest writes to the flat extent, so work on a copy, never on the original image.

Post Mortem Analysis (case 4)

When you inspect a compromised network, it might be useful to inspect all possible log data, simply to find a strange record, correlate logs from different sources, inspect suspect activities, and so on.

Checklist: Inspect image partition table.
Description: Attach the image to a loop device, read-only:

losetup -r /dev/[firstloopdevice] [image_file]

Use fdisk, sfdisk, or parted to see the partition table structure.

Checklist: Mount image in read-only mode.
Description: Inspect the image with fdisk -lu so that partition starts are reported in sectors; the offset is the first partition's start sector multiplied by the sector size:

mount -o ro,loop,nodev,noexec,noatime,offset=[first_partition_start_sector*512] [image.file] [mount_point]
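Correlation across sources, as an added example (not the page's code and not the output of lire, octopussy or any other tool named above): the Python below folds Apache access-log lines, syslog lines and a `find -printf "%T+ %p\n"` MAC-time listing into one UTC timeline, then pulls the events around a pivot such as a suspicious login. The log lines are constructed. The year for the syslog entries (syslog omits it) and the UTC+1 offset of the syslog host are assumed case facts that you would confirm from the image itself (/etc/localtime, dated files); the find listing is assumed to have been produced on the examiner's workstation with TZ=UTC.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed log lines for the demo (not from a real case).
APACHE_LINES = [
    '10.0.0.5 - - [14/Mar/2010:02:09:12 +0000] "GET /robots.txt HTTP/1.1" 404 209',
    '10.0.0.5 - - [14/Mar/2010:02:10:58 +0000] "GET /cgi-bin/test.cgi?cmd=id HTTP/1.1" 200 512',
]
SYSLOG_LINES = [
    "Mar 14 03:11:05 www sshd[2201]: Accepted password for root from 10.0.0.5 port 51022 ssh2",
    "Mar 14 03:12:40 www sshd[2201]: pam_unix(sshd:session): session closed for user root",
]
FIND_LINES = [  # output of: find /mnt/evidence -newermt "2010-03-14" -printf "%T+ %p\n"  (TZ=UTC)
    "2010-03-14+02:11:30.0000000000 /mnt/evidence/usr/bin/ps",
]
CASE_YEAR = 2010                            # assumed: syslog lines carry no year
SYSLOG_TZ = timezone(timedelta(hours=1))    # assumed: the syslog host ran at UTC+1


@dataclass(order=True)
class Event:
    when: datetime      # always UTC after parsing
    source: str
    detail: str


APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
FIND_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\+(\d{2}:\d{2}:\d{2})(?:\.\d+)? (.*)$")


def parse_apache(line: str) -> Event:
    """Combined/common log format; the bracketed timestamp carries its own UTC offset."""
    m = APACHE_RE.match(line)
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return Event(when.astimezone(timezone.utc), "apache", f"{m.group(1)} {m.group(3)} {m.group(4)}")


def parse_syslog(line: str, year: int = CASE_YEAR, tz: timezone = SYSLOG_TZ) -> Event:
    """Traditional syslog: no year, local time of the logging host, so both are supplied."""
    m = SYSLOG_RE.match(line)
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return Event(when.astimezone(timezone.utc), "syslog", f"{m.group(2)} {m.group(3)}")


def parse_find(line: str, tz: timezone = timezone.utc) -> Event:
    """find -printf %T+: modification time in the timezone of the machine that ran find."""
    m = FIND_RE.match(line)
    when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return Event(when.astimezone(timezone.utc), "mactime", f"mtime {m.group(3)}")


def build_timeline(apache=APACHE_LINES, syslog=SYSLOG_LINES, find=FIND_LINES) -> list[Event]:
    events = ([parse_apache(l) for l in apache]
              + [parse_syslog(l) for l in syslog]
              + [parse_find(l) for l in find])
    return sorted(events)


def around(timeline: list[Event], pivot: datetime, minutes: int = 1) -> list[Event]:
    """Events within +/- minutes of a pivot event, e.g. the first accepted login."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    return [e for e in timeline if lo <= e.when <= hi]


if __name__ == "__main__":
    timeline = build_timeline()
    for e in timeline:
        print(e.when.isoformat(), e.source.ljust(8), e.detail)
```

Once everything is in one clock, the web request, the root login from the same address six seconds later and the modified /usr/bin/ps twenty-five seconds after that line up on their own; read in their native timestamps, the syslog entries would appear an hour later than the web hits and the sequence would be lost.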
