bitscout

Preparing the server bitscout connects to

bitscout works by connecting to a VPN server that has been set up in advance; the analyst then operates it from that server.

So the first step is to prepare the server it will connect to.

The main OpenVPN settings are generated automatically when the bitscout image is built, so the simplest layout is to make the host that builds the bitscout boot image the OpenVPN endpoint as well.

Here, however, the bitscout image build environment and the OpenVPN server are kept on separate hosts (ubuntu1804 and ubuntu-sv respectively in the sessions below).

Installing OpenVPN

Certificates for OpenVPN are conventionally generated with Easy-RSA, so install it at the same time.

user01@ubuntu-sv:~$ sudo apt -y install openvpn easy-rsa
[sudo] password for user01:
~~~~~~~~~~~~~~~~~
Created symlink /etc/systemd/system/sockets.target.wants/pcscd.socket → /lib/systemd/system/pcscd.socket.
Processing triggers for ureadahead (0.100.0-20) ...
Processing triggers for systemd (237-3ubuntu10.3) ...
user01@ubuntu-sv:~$
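The page does not show what the separate VPN host actually runs once the packages are in. The script below is an added example, not code from the page or from the bitscout project: it builds a PKI with Easy-RSA 3 as packaged on Ubuntu 18.04 (make-cadir, ./easyrsa, openvpn --genkey --secret) and renders an OpenVPN server.conf that listens on the protocol and port automake.sh later asks for (udp://HOST:2222 in this walkthrough). The PKI directory, the certificate names vpnserver, scout and expert, and the 10.8.0.0/24 tunnel subnet are illustrative choices; which client certificates the OpenVPN material generated by the bitscout build expects is not covered by the page, so treat the client names as placeholders.

```shell
#!/bin/sh
# Added example (not code from the original page or from the bitscout
# project): server-side OpenVPN + Easy-RSA setup on the separate VPN host,
# for an endpoint in the form automake.sh asks for (udp://HOST:2222 here).
# Assumptions: Easy-RSA 3 and OpenVPN 2.4 as packaged on Ubuntu 18.04;
# the PKI directory, the certificate names "vpnserver", "scout", "expert"
# and the 10.8.0.0/24 tunnel subnet are illustrative choices.
set -eu

# Build a fresh PKI: CA, server cert, one client cert per VPN client,
# DH parameters and a tls-auth key. --batch makes easyrsa non-interactive.
build_pki() {
  cadir=$1
  make-cadir "$cadir"
  cd "$cadir"
  ./easyrsa init-pki
  ./easyrsa --batch build-ca nopass
  ./easyrsa --batch build-server-full vpnserver nopass
  ./easyrsa --batch build-client-full scout nopass
  ./easyrsa --batch build-client-full expert nopass
  ./easyrsa gen-dh
  openvpn --genkey --secret pki/ta.key
  cd - >/dev/null
}

# Print an OpenVPN server.conf for PROTO (udp|tcp), PORT and the PKI dir.
# client-to-client lets the expert and the scout reach each other through
# the server; tls-auth drops unauthenticated packets before the TLS handshake.
render_server_conf() {
  proto=$1; port=$2; pki=$3
  printf '%s\n' \
    "port $port" \
    "proto $proto" \
    "dev tun" \
    "topology subnet" \
    "server 10.8.0.0 255.255.255.0" \
    "client-to-client" \
    "ca $pki/ca.crt" \
    "cert $pki/issued/vpnserver.crt" \
    "key $pki/private/vpnserver.key" \
    "dh $pki/dh.pem" \
    "tls-auth $pki/ta.key 0" \
    "cipher AES-256-GCM" \
    "keepalive 10 120" \
    "persist-key" \
    "persist-tun" \
    "user nobody" \
    "group nogroup" \
    "verb 3"
  # explicit-exit-notify is only valid with UDP.
  if [ "$proto" = udp ]; then
    printf 'explicit-exit-notify 1\n'
  fi
}

# Write the config, open the port if ufw is in use, and start the service
# (Ubuntu's openvpn package runs /etc/openvpn/NAME.conf as openvpn@NAME).
install_server() {
  proto=$1; port=$2; cadir=$3
  render_server_conf "$proto" "$port" "$cadir/pki" > /etc/openvpn/server.conf
  if command -v ufw >/dev/null 2>&1; then
    ufw allow "$port/$proto"
  fi
  systemctl enable --now openvpn@server
}

# Usage: sudo sh vpn-server.sh setup udp 2222 /etc/openvpn/easy-rsa
if [ "${1:-}" = setup ]; then
  build_pki "$4"
  install_server "$2" "$3" "$4"
fi
```

render_server_conf is pure shell, so the generated config can be reviewed on any machine before anything is installed; sudo sh vpn-server.sh setup udp 2222 /etc/openvpn/easy-rsa does the full install. Because the server uses tls-auth with ta.key, every client needs a copy of the same key and tls-auth ta.key 1 in its own config.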

git setup

To obtain bitscout, which is published on GitHub, set up git.

Install git

user01@ubuntu1804:~$ sudo apt -y install git
user01@ubuntu1804:~$ dpkg -l git
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  git            1:2.17.1-1ub amd64        fast, scalable, distributed revis
user01@ubuntu1804:~$

Cloning bitscout

user01@ubuntu1804:~$ git clone https://github.com/vitaly-kamluk/bitscout.git
Cloning into 'bitscout'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (18/18), done.
remote: Total 355 (delta 11), reused 15 (delta 6), pack-reused 331
Receiving objects: 100% (355/355), 530.06 KiB | 976.00 KiB/s, done.
Resolving deltas: 100% (163/163), done.
user01@ubuntu1804:~$

Setting up bitscout

Running automake.sh

Run automake.sh to build the bitscout boot image. On a fresh checkout it asks a few questions and saves the answers to config/bitscout-build.conf. One of them is the VPN endpoint in the form proto://host:port; in the run below the example value udp://127.0.0.1:2222 was accepted as-is, so, because the OpenVPN server here is a separate host, that setting has to be replaced with the real server address afterwards (the script itself notes it can be changed later).

user01@ubuntu1804:~$ cd bitscout/
user01@ubuntu1804:~/bitscout$ ./automake.sh

Welcome to bitscout builder!
Host OS info:
Linux ubuntu1804 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:        18.04
Codename:       bionic
Using git commit aeb21db4a4c9c004c9b357f5e2d14f087749b6c9

It seems that you are at fresh build environment.
We need to populate the config with some essential data.
Please answer the following questions or put your existing build config to config/bitscout-build.conf.
Proceed to interactive settings? [Y/n]: y

bitscout may be built to be compact or normal.
Please choose option number:
1. compact - minimal size, less tools and drivers.
2. normal - includes most common forensic tools, drivers, etc.
3. maximal - includes maximum of forensic tools and frameworks.
Your choice (1|2|3): 2

If you are going to deal with badly unmounted filesystems, software RAID or LVM, it is recommended to apply kernel write-blocker patch for extra care of the evidence. However, please note that it may take 3-4 hours to rebuild the kernel on a single core CPU.
Would you like to build and use kernel with write-blocker? [Y/n]: n

To use bitscout remotely you will need a VPN server.
Please enter your designated VPN server protocol (udp/tcp), host and port. You can change it later.
Examples:
udp://127.0.0.1:2222
tcp://myvpnserver:8080
Your input: udp://127.0.0.1:2222

You have an option to build this image in the following architecture
1. 64-bit architecture (amd64)
2. 32-bit architecture (i386)
Please make your choice [1 or 2]: 2
Saving configuration..
Configuration saved. Continue? [Y/n]: y
Updating submodules..
Submodule 'resources/apt-fast' (https://github.com/vitaly-kamluk/apt-fast) registered for path 'resources/apt-fast'
Submodule 'resources/kernel/writeblocker' (https://github.com/vitaly-kamluk/Linux-write-blocker) registered for path 'resources/kernel/writeblocker'
Cloning into '/home/user01/bitscout/resources/apt-fast'...
Cloning into '/home/user01/bitscout/resources/kernel/writeblocker'...
Submodule path 'resources/apt-fast': checked out '3a6bd771bdbbacb21527d593f9fb54909dc1a56f'
Submodule path 'resources/kernel/writeblocker': checked out 'a5dba61a0a5f22acab1ca4796eb57a26af1bf6e9'
Checking base requirements..
dpkg-query: no packages found matching debootstrap
debootstrap was not found your system. It is required to continue.
Please authorize installing debootstrap..
[sudo] password for user01:

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
Suggested packages:
  ubuntu-archive-keyring
The following NEW packages will be installed:
  debootstrap
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 35.7 kB of archives.
After this operation, 270 kB of additional disk space will be used.
Get:1 http://jp.archive.ubuntu.com/ubuntu bionic-updates/main amd64 debootstrap all 1.0.95ubuntu0.3 [35.7 kB]
Fetched 35.7 kB in 1s (50.4 kB/s)
Selecting previously unselected package debootstrap.
(Reading database ... 164650 files and directories currently installed.)
Preparing to unpack .../debootstrap_1.0.95ubuntu0.3_all.deb ...
Unpacking debootstrap (1.0.95ubuntu0.3) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Setting up debootstrap (1.0.95ubuntu0.3) ...
Downloading bionic:i386..
Building base root filesystem..
Fetching the list of essential packages..

~~~~~~

'./config/ssh/scout' -> 'exports/expert/etc/ssh/scout'
'./config/ssh/scout.pub' -> 'exports/expert/etc/ssh/scout.pub'
user01@ubuntu1804:~/bitscout$

Usage

https://github.com/vitaly-kamluk/bitscout/wiki

The GitHub wiki demonstrates evidence acquisition with dc3dd, but dc3dd was not included in the bitscout built here. dcfldd is available instead, so use that. The two tools take different options, so the wiki's command line cannot be copied verbatim; the dcfldd equivalent is below.

Image acquisition example

$ dcfldd split=4096M bs=512 conv=noerror,sync hash=md5 hashlog=/mnt/hozen/image.md5 if=/dev/host/evidence0 of=/mnt/hozen/image.dd

bs= and of= are the dd spellings dcfldd uses for block size and output file. split=4096M writes the image as a series of 4 GiB files numbered according to dcfldd's splitformat ("nnn" by default), conv=noerror,sync continues past unreadable sectors and pads them with zeros so that offsets in the image stay aligned with the source, and hash=md5 with hashlog= records the MD5 of the acquired data. To record a stronger hash at the same time, dcfldd accepts a comma-separated list, e.g. hash=md5,sha256.
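An acquisition is only as good as the check that what landed on disk is what dcfldd hashed. The script below is an added example, not code from the page or from the bitscout or dcfldd projects: acquire() wraps the acquisition command above, and verify_image() re-hashes the split files in order and compares the result with the hash log. It assumes dcfldd's default splitformat ("nnn", i.e. chunks named image.dd.000, image.dd.001, ...) and a hash log line of the form Total (md5): <hex>; /dev/host/evidence0 and /mnt/hozen are the page's paths, and the data used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not code from the original page or from the bitscout/dcfldd
# projects. acquire() runs the page's dcfldd command; verify_image() re-hashes
# the output and checks it against dcfldd's hash log.
# Assumptions: dcfldd's default splitformat "nnn" (chunks BASE.000, BASE.001,
# ...) and a hash log line of the form "Total (md5): <hex>". The device and
# directory names below are the page's; test data is constructed separately.
set -eu

# Image SRC into 4 GiB chunks DST.000, DST.001, ... with the MD5 of the
# acquired stream in DST.md5 and read errors also logged to DST.err.
acquire() {
  src=$1; dst=$2
  dcfldd bs=512 conv=noerror,sync split=4096M \
         hash=md5 hashlog="$dst.md5" errlog="$dst.err" \
         if="$src" of="$dst"
}

# Recompute the MD5 over the image (an unsplit file, or the chunks in name
# order) and compare it with the "Total (md5)" line of the hash log.
# Returns 0 on match, 1 on mismatch, 2 if the log or the image is unusable.
verify_image() {
  base=$1; log=$2
  expected=$(sed -n 's/^Total (md5): *\([0-9a-fA-F]*\).*/\1/p' "$log" \
             | head -n 1 | tr 'A-F' 'a-f')
  if [ -z "$expected" ]; then
    echo "verify: no 'Total (md5)' line in $log" >&2
    return 2
  fi
  if [ -f "$base" ]; then
    actual=$(md5sum < "$base" | cut -d' ' -f1)
  elif [ -f "$base.000" ]; then
    # Zero-padded suffixes sort correctly as names, so glob order is
    # acquisition order.
    actual=$(cat "$base".[0-9][0-9][0-9] | md5sum | cut -d' ' -f1)
  else
    echo "verify: neither $base nor $base.000 found" >&2
    return 2
  fi
  if [ "$expected" = "$actual" ]; then
    echo "verify: OK md5=$actual"
    return 0
  fi
  echo "verify: MISMATCH log=$expected image=$actual" >&2
  return 1
}

# Usage: sh verify.sh acquire /dev/host/evidence0 /mnt/hozen/image.dd
#        sh verify.sh verify  /mnt/hozen/image.dd /mnt/hozen/image.md5
case "${1:-}" in
  acquire) acquire "$2" "$3" ;;
  verify)  verify_image "$2" "$3" ;;
esac
```

Run the acquire step from the bitscout session, then the verify step on the same files; exit status 1 means the chunks on disk no longer hash to what dcfldd logged, and 2 means the log has no MD5 total (for example because a different hash= was used) or the image files are missing. The comparison re-reads the written image, not the evidence device, so it never touches the source again.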