10-23 On-Scene Investigator
From MyLinuxNotes
Introduction
This toolkit was created for the non-technical first responder to a computer incident involving a Windows computer. It is remastered from Knoppix, a bootable Linux distribution. The toolkit runs entirely from the CD and out of RAM and does not write to the suspect hard drive(s); this was verified by taking SHA256 hashes of a Windows system's drive before and after the toolkit was used on it. As reported by Ernie Baca here, there is an issue with Linux (and therefore KNOPPIX) where journaling filesystems are modified when mounted, even read-only, because the kernel may replay the journal at mount time. Therefore caution should be exercised when using 10-23 on a Linux system, and a before/after hash of the whole device is the only way to be sure for a given filesystem and kernel.
***BEFORE USING 10-23 IN THE FIELD, CONDUCT YOUR OWN VALIDATIONS TO VERIFY MY FINDINGS!! 10-23 COMES WITH NO GUARANTEE!!***
All searches work on Windows 2000, XP and Vista. Image & movie searches work on any drive that 10-23 OSI can see.
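The before/after SHA256 check described above, written out as a script you can use for your own validation. This is an added example and not part of 10-23 OSI; it assumes a Linux host with coreutils (`sha256sum`, `cut`), and the device path and baseline file path are arguments you supply (the `/dev/sda` and `/media/usb/...` paths in the comments are placeholders).

```shell
#!/bin/sh
# Added example, not part of 10-23 OSI: confirm that a boot-CD session left a
# suspect drive bit-for-bit unchanged by hashing the whole block device before
# and after the examination. Run it from a system you control, and keep the
# baseline file on your own removable media, never on the suspect disk.
set -eu

# SHA-256 of an entire block device (or disk image). Only reads the device.
hash_device() {
    sha256sum "$1" | cut -d' ' -f1
}

# Record the pre-examination hash of device $1 into the baseline file $2.
record_baseline() {
    hash_device "$1" > "$2"
}

# Re-hash device $1 and compare it with the baseline stored in $2.
# Returns 0 (and prints UNCHANGED) if identical, 1 (MODIFIED) otherwise.
verify_unchanged() {
    baseline=$(cat "$2")
    current=$(hash_device "$1")
    if [ "$baseline" = "$current" ]; then
        printf 'UNCHANGED %s %s\n' "$1" "$current"
        return 0
    fi
    printf 'MODIFIED  %s before=%s after=%s\n' "$1" "$baseline" "$current"
    return 1
}

# If you must mount a journaling filesystem from the suspect disk yourself,
# 'ro' alone is not enough on ext3/ext4: add 'noload' so the kernel does not
# replay the journal (the write the Introduction warns about), for example
#   mount -t ext3 -o ro,noload,noexec /dev/sda1 /mnt/sda1
# and still run the before/after comparison above afterwards.

# Usage (paths are placeholders):
#   verify_untouched.sh baseline /dev/sda /media/usb/sda.sha256
#   verify_untouched.sh verify   /dev/sda /media/usb/sda.sha256
if [ $# -eq 3 ]; then
    case $1 in
        baseline) record_baseline "$2" "$3" ;;
        verify)   verify_unchanged "$2" "$3" ;;
        *)        echo "unknown command: $1" >&2; exit 2 ;;
    esac
fi
```

Hash the raw device (`/dev/sda`), not a partition or a mounted path, so that boot sectors, partition tables and unallocated space are covered by the comparison as well as the filesystem contents.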
10-23 OSI will:
- Find images and movies on the suspect drive and make them easily viewable by the investigator
- Find all users' "recent" files and display their last known location
- List the files on each user's Desktop
- Extract user information from the registry
- Display the Internet Explorer history
- Display the Firefox history
- Display Google Toolbar searches (an update is in progress, as this may not work in some cases)
- Display information about USB storage devices
- Gather P2P (LimeWire) evidence
This is all done through a point-and-click interface in a web browser. 10-23 OSI is not designed to make anyone a forensic examiner, but it allows the non-technical first responder to gather probable cause (PC) to seize the computer.
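The "Find images and movies" feature as a stand-alone script, so that an examiner can see what such a search involves and keep a record of what was found. This is an added example and not 10-23 OSI's own code (the toolkit's scripts are not reproduced on this page); it assumes the suspect partition has already been mounted read-only at the directory you pass in, the extension list `MEDIA_EXTS` is my own assumption beyond the `.mov` the change log mentions, and the manifest path is an argument you supply.

```shell
#!/bin/sh
# Added example, not 10-23 OSI's own code: locate image and movie files below a
# read-only mounted suspect drive and write a manifest with SHA-256 hashes, so
# the files an investigator viewed can later be tied to what was on the disk.
set -eu

# Extensions searched. Windows filenames are case-insensitive, so the search
# must be too (-iname). This list is an assumption; the page only documents
# that .mov was added to 10-23's own list.
MEDIA_EXTS="jpg jpeg gif png bmp tif tiff avi mpg mpeg wmv mov"

# Print the paths of all media files below directory $1, one per line, sorted.
find_media() {
    root=$1
    # Build find's "-iname a -o -iname b ..." expression from MEDIA_EXTS.
    set --
    for ext in $MEDIA_EXTS; do
        set -- "$@" -o -iname "*.$ext"
    done
    shift   # drop the leading -o
    find "$root" -type f \( "$@" \) | sort
}

# Write "sha256  size  path" for every media file below $1 to manifest $2
# (put the manifest on your own removable media, never on the suspect disk).
# Prints the number of files recorded.
write_manifest() {
    root=$1
    out=$2
    find_media "$root" | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s  %s  %s\n' "$sum" "$size" "$f"
    done > "$out"
    wc -l < "$out" | tr -d ' '
}

# Usage (paths are placeholders): find_media.sh /mnt/sda1 /media/usb/media.txt
if [ $# -eq 2 ]; then
    write_manifest "$1" "$2"
fi
```

Hashing each file at the time it is found means that any file later opened in a viewer or movie player can be shown to be the same bytes that were on the drive, which matters more than the listing itself once the case goes to an examiner.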
Download
You can get the 10-23 OSI from here. Make sure you grab the one with the latest date.
Installation
Once you have downloaded the ISO image from the link above, you need to burn it to a CD as a disc image, NOT copy the .iso file onto a data CD. In your CD writing software, look for an option called "burn a CD image", "burn an ISO image" or something similar.
Once the CD has been written you can use it to boot a suspect computer. Many computers have their BIOS set to boot from CD before the hard drive by default, but this should be checked anyway: if the CD is not tried first, the machine will boot Windows from the suspect drive.
Entering the BIOS
DO NOT TRY THIS FOR THE FIRST TIME ON THE SUSPECT COMPUTER!!!! MAKING ERRORS IN THE BIOS CAN SEVERELY MESS UP A COMPUTER. Practice these steps on your own computer until you are familiar with what needs to be done before attempting them in the field. If you are at all wary of this procedure, just try the CD. If you see the Windows boot screen instead of the blue 10-23 screen, pull the plug from the back of the computer and get help from a more technically minded co-worker.
Consult the table(s) below for the key that enters the computer's BIOS. Put the CD in the CD drive, turn on the computer, and as soon as anything shows up on the screen (i.e., it is no longer black) repeatedly press that key until you see the BIOS screen or a message that the system is entering the BIOS. In the BIOS, move the CD/DVD drive ahead of the hard drive in the boot order, save, and let the machine reboot from the CD. If you see the Windows boot screen, pull the plug from the back of the computer: you have the wrong key or you didn't press it at the right time.
| Computer Vendors | Keyboard Commands |
|---|---|
| Acer® | F1, F2, CTRL+ALT+ESC |
| ARI® | CTRL+ALT+ESC, CTRL+ALT+DEL |
| AST® | CTRL+ALT+ESC, CTRL+ALT+DEL |
| Compaq® 8700 | F10 |
| CompUSA® | DEL |
| Cybermax® | ESC |
| Dell® 400 | F3, F1 |
| Dell 4400 | F12 |
| Dell Dimension® | F2 or DEL |
| Dell Inspiron® | F2 |
| Dell Latitude | Fn+F1 (while booted) |
| Dell Latitude | F2 (on boot) |
| Dell Optiplex | DEL |
| Dell Optiplex | F2 |
| Dell Precision™ | F2 |
| eMachine® | DEL |
| Gateway® 2000 1440 | F1 |
| Gateway 2000 Solo™ | F2 |
| HP® (Hewlett-Packard) | F1, F2 (Laptop, ESC) |
| IBM® | F1 |
| IBM E-pro Laptop | F2 |
| IBM PS/2® | CTRL+ALT+INS after CTRL+ALT+DEL |
| Intel® Tangent | DEL |
| Micron® | F1, F2, or DEL |
| Packard Bell® | F1, F2, Del |
| Seanix | DEL |
| Sony® VAIO | F2 |
| Sony VAIO | F3 |
| Tiger | DEL |
| Toshiba® 335 CDS | ESC |
| Toshiba Protege | ESC |
| Toshiba Satellite 205 CDS | F1 |
| Toshiba Tecra | F1 or ESC |

| BIOS Suppliers | Keyboard Commands |
|---|---|
| ALR Advanced Logic Research, Inc. ® PC / PCI | F2 |
| ALR PC non / PCI | CTRL+ALT+ESC |
| AMD® (Advanced Micro Devices, Inc.) BIOS | F1 |
| AMI (American Megatrends, Inc.) BIOS | DEL |
| Award™ BIOS | CTRL+ALT+ESC |
| Award BIOS | DEL |
| DTK® (Datatech Enterprises Co.) BIOS | ESC |
| Phoenix™ BIOS | CTRL+ALT+ESC |
| Phoenix BIOS | CTRL+ALT+S |
| Phoenix BIOS | CTRL+ALT+INS |
Troubleshooting
Error "unable to find Knoppix, dumping you to a limited command shell."
This is caused by the machine having a SATA CD/DVD drive that the Knoppix kernel does not recognise in its current mode. You have to change a setting in the BIOS to get it to boot: look (probably in the "Advanced" tab) for a setting like "SATA Configuration" or "Drive Configuration" that is set to "AHCI" and set it to "RAID". Note the original value so you can restore it when you are done, and record the change in your notes: it alters the suspect machine's BIOS configuration even though it does not touch the hard drive.
Desktop size is too big for the monitor and I can't see the submit button.
When you are booting 10-23 and you see the blue splash screen, press the F3 key. That opens a window listing many boot options; towards the bottom you will see the framebuffer options. Try booting with the following command (type it at the boot prompt and press Enter):
fb1024x768
If that doesn't work, try:
fb1280x1024
Change Log
10-23_v1.1-06122008:
- Modified the P2P evidence gathering functionality to also gather all the files that FTK's PRTK needs for cracking passwords.
10-23_v1.1-06052008:
- Added P2P evidence gathering functionality. Extracts all the registry files and the limewire.props file to a thumb drive. Places symlinks to all the shared folders in a folder on the Desktop so the examiner can quickly view the files.
- Fixed the Google Toolbar feature so it reports Firefox and IE search terms.
- Set up proper linking of directories for Vista drives
- Other minor bug fixes
10-23_01252008:
- Added functionality to display information on attached USB devices and whether they had been used on the suspect machine. Also lists rough descriptions of previously attached USB devices.
10-23_12062007:
- Fixed informational message about Recent Files
- Added informational message to Registry page
- Changed /bin/sh to /bin/bash in all bash files
- Made Vista compatible
- Added .mov to extensions to look for in Find Images & Movies
- Added shortcut to 10-23 main screen on Desktop
- Added short HOWTO on saving data to a thumb drive
- Changed Firefox icon mouseover comment to "10-23 Home Page"
10-23_11202007:
- Put Recent Files output in a HTML table and included the files last known location
- Added bash/fileLoc.sh to retrieve the files last known location
- Added informational message about the files last known location
- Added table headers for the Recent Files output
- Put the directories on their own line and highlighted them in blue for Recent Files output
- Quoted special characters in the last known location
- Fixed grep expression to show network drives in Recent Files output
10-23_11152007:
- Added VLC as the default movie player
- Disabled removable storage media action prompts. If the user had chosen to mount from that prompt, the device would have been mounted read-write (RW)
10-23_11022007:
- Added titles for IE History and Firefox History pages
- Added informative messages to the IE History, Firefox History, Registry, and Google Toolbar pages
- Made partition reporting more user friendly on the Drive Info page
- Sent bash errors to /dev/null so as not to confuse the average user
- Added error checking for user lookup
- Removed debug message in findRecent()
- Added more information to index.cgi
- Added error checking to make sure a drive and search are selected
