Tuesday, June 19, 2007

Installing CarvFS on Ubuntu 7.04

In-place carving can save you a fair amount of space. There was a paper written about it, and the Dutch National Police Agency also wrote a tool called CarvFS that does exactly this. What CarvFS allows you to do is mount an EWF image or raw 'dd' image and reference blocks of data in it by using a specific directory listing format: the path names the byte offset and length you want. At its simplest level, you could run 'strings' on a block of 1024 bytes beginning at the first byte by doing this:

root@azazel:/mnt/carvfs/524a4efcaa84cf7391705b2b292644a6# strings CarvFS/0:1024.crv
NO NAME FAT16
root@azazel:/mnt/carvfs/524a4efcaa84cf7391705b2b292644a6#

I'll leave you to work out why this is useful; alternatively, you can read my "Memory Card Forensics" post. Here is how I installed CarvFS:

I downloaded the source packages for CarvFS, libcarvpath, libewf and fuse. They can be found here:

CarvFS 0.2.1
libcarvpath 0.1.4
libewf-beta-20061223
fuse 2.6.5

There's no specific order, but make sure that libewf, fuse and libcarvpath are installed before CarvFS.

I believe fuse should already be running as a kernel module in 7.04, so the kernel module will not be built.

Then, once you install CarvFS, you're pretty much ready to go. I had one problem: when I ran carvfs I received a "library not found" error for libfuse.so.2. The library itself was in /usr/local/lib, but there was no entry for it in /etc/ld.so.conf. So I added the entry, ran ldconfig, and all was well.

How will you test CarvFS? First, you will need either a raw 'dd' image or an EWF image. libewf installs a tool called 'ewfacquire' which you can use to make EWF images. Here is an excerpt from one of my sessions:

sheran@azazel:~/Personal/research$ ewfacquire /dev/sdb1
ewfacquire 20061223 (libewf 20061223, zlib 1.2.3, libcrypto 0.9.8)
Information about acquiry required, please provide the necessary input
Image path and filename without extension: usbdisk
Case number: 1923
Description: USB Disk
Evidence number: 12
Examiner name: Sheran
Notes: 64Mb USB Disk used for Forensics tests
Media type (fixed, removable) [fixed]: removable
Use compression (none, fast, best) [none]: best
Use EWF file format (smart, ftk, encase1, encase2, encase3, encase4, encase5, linen5, ewfx) [encase5]:
Start to acquire at offset (0 >= value >= 65135616) [0]:
Amount of bytes to acquire (0 >= value >= 65135616) [65135616]:
Evidence segment file size in kbytes (2^10) (1440 >= value >= 2097152) [665600]:
The amount of sectors to read at once (64, 128, 256, 512, 1024, 2048, 4096) [64]: 512
The amount of sectors to be used as error granularity (1 >= value >= 512) [64]:
The amount of retries when a read error occurs (0 >= value >= 255) [2]:
Wipe sectors on read error (mimic EnCase like behavior) (yes, no) [yes]:
...
...
...
...

It goes on to acquire an EWF image of my 64Mb USB Disk.

The next step is to mount it. Create a mount point for it first; I use /mnt/carvfs.

sheran@azazel:~/Personal/research$ sudo carvfs /mnt/carvfs ewf usbdisk.E01 /mnt/carvfs/fad545a8c4c86973eb0ae33da06e9c80
sheran@azazel:~/Personal/research$

Now that the image is mounted, switch to a root prompt (I wasted some time on this one) and then change into the mounted image:

root@azazel:/mnt/carvfs/fad545a8c4c86973eb0ae33da06e9c80# ls -alrt
total 63617
-rw-rw-rw- 1 root root 2545 1970-01-01 04:00 README
-r--r--r-- 1 root root 1397 1970-01-01 04:00 ocfa.xml
-r--r--r-- 1 root root 65135616 1970-01-01 04:00 CarvFS.crv
d--x--x--x 3 root root 0 1970-01-01 04:00 CarvFS
drwxr-xr-x 3 root root 0 1970-01-01 04:00 .
drwxr-xr-x 5 root root 4096 2007-06-18 17:43 ..

I then ran strings on the first 512 bytes like so:

root@azazel:/mnt/carvfs/fad545a8c4c86973eb0ae33da06e9c80# strings CarvFS/0:512.crv
MSDOS5.0
NO NAME FAT32 3
f`f;F
fXfXfXfX
NTLDR
Remove disks or other media.
Disk error
Press any key to restart
root@azazel:/mnt/carvfs/fad545a8c4c86973eb0ae33da06e9c80#
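As an added example (not CarvFS's or libcarvpath's own code), here is a small Python re-implementation of what opening CarvFS/0:512.crv does: parse the offset:length name, read exactly that range from the image without copying it out, and run a strings-style scan over the result. The single-fragment carvpath grammar, the FAT16-style boot sector and the 4 KiB test image are constructed for this demonstration.

```python
import io
import re

# One fragment in exactly the form seen in the listings: "<offset>:<length>.crv"
CARVPATH_RE = re.compile(r"^(\d+):(\d+)\.crv$")

def parse_carvpath(name):
    """Return (offset, length) for a name like '0:512.crv'; reject anything else."""
    m = CARVPATH_RE.match(name)
    if m is None:
        raise ValueError(f"not a carvpath: {name!r}")
    offset, length = int(m.group(1)), int(m.group(2))
    if length == 0:
        raise ValueError("zero-length carvpath")
    return offset, length

def read_carvpath(image, name):
    """Read the byte range a carvpath names from a seekable binary image."""
    # In-place carving: the bytes stay in the image and are read on demand,
    # so no carved copy is ever written to disk.
    offset, length = parse_carvpath(name)
    image.seek(0, io.SEEK_END)
    size = image.tell()
    if offset + length > size:  # the mounted image has a fixed size; refuse to run past it
        raise ValueError(f"{name} runs past the end of the image ({size} bytes)")
    image.seek(offset)
    return image.read(length)

def strings(data, min_len=4):
    """Like the 'strings' tool: runs of at least min_len printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def constructed_fat16_image():
    """Constructed 4 KiB test image: a FAT16-style boot sector, then some data."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"                 # jump over the BPB
    sector[3:11] = b"MSWIN4.1"                     # OEM name
    sector[11:13] = (512).to_bytes(2, "little")    # bytes per sector
    sector[38] = 0x29                              # extended boot signature
    sector[39:43] = b"\x01\x02\x03\x04"            # volume serial, non-printable on purpose
    sector[43:54] = b"NO NAME    "                 # volume label
    sector[54:62] = b"FAT16   "                    # file system type
    sector[510:512] = b"\x55\xaa"                  # boot sector signature
    data = b"constructed test data in the data region".ljust(512, b"\x00")
    return io.BytesIO(bytes(sector) + bytes(1536) + data + bytes(1536))

if __name__ == "__main__":
    img = constructed_fat16_image()
    print(strings(read_carvpath(img, "0:512.crv")))     # the boot sector, as in the post
    print(strings(read_carvpath(img, "2048:512.crv")))  # same image, later offset
```

Pointing read_carvpath at an open dd image instead of the constructed one gives the same view a CarvFS mount exposes, one path per byte range.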

That's about it.

I know my instructions probably suck big time, but I didn't want to waste too much time actually telling you how to do some of the other things. Anyway, if you're sniffing around CarvFS you probably know how to do most of the stuff already. If, however, you still want stepwise details, drop me a comment or mail me.

Till then.

3 comments:

Anonymous said...

Hi, nice post! I've installed carvfs without any problems, but when I try to launch it I'm getting:

"carvfs: error while loading shared libraries: libcarvpath.so.0: cannot open shared object file: No such file or directory".

Have you any ideas on how I can overcome this? My email is mahoomeisterATgmail.com. Many thanks in advance :) Matthew.

Sheran said...

Herro!

It looks as though the library is not found. I had a similar problem with libfuse.so. I did a find / -name "libfuse*" and located the file in /usr/local/lib. I then manually added the location to the /etc/ld.so.config file and ran ldconfig. Hope this helps.

Chopstick.