Digital Forensics
Due Thursday, February 17th

Assignment: Looking Around in Linux, Copying Volatile Data

If you haven't installed to the hard disk, please go ahead and do so. It is necessary for this assignment.

I want you to extract volatile information from your own desktop. You can modify your home directory and that of root, but please avoid making system-wide changes (e.g., changes to files located in /etc or /usr). However, if you tackle the bonus points section, you may make some system-wide changes as outlined in the bonus section.

I am looking here for text data retrieved from (1) the use of standard Linux tools installed on the machine, (2) the use of any scripting that you can devise on this particular machine, and (3) the use of binaries that you have put in your own space on the machine, but not in system space (however, finding useful statically linked binaries is not a trivial task in the Linux/Unix world). The use of scripting will be strongly weighted, since scripting is quite easy in the Unix/Linux environment.

You should not need to change any system settings, and will not need to enable any new services.

I expect two work products: a flat text file called "results.txt", and a printed write-up. Use the file "results.txt" to save all of your collected results. Make sure that the "results.txt" collection text file starts with your name, and the times when your collection began and ended.

BONUS Section: In addition to a results.txt file, create a SQLITE3 database of the data that you collect. While I will leave the design of the tables to hold your data to your imagination, my criteria for grading the bonus section will be:

  1. Is original raw output/data available from your database?
  2. Are the fields in your record structure(s) amenable to easy searches? (For instance, keeping a source file's pathname in a field in your record structure(s) would be a very useful item to be able to search for.)
  3. Is it self-documenting? Are the times of collection and the person(s) doing the collection documented? The name of your SQLITE3 database should be "results.sqlite3".

In order to accomplish the bonus section, you may install SQLITE3 components onto your machine. While it's possible to accomplish this section without installing the SQLITE3 components on a system-wide basis, I don't want you spending time on solving the non-trivial problems involved with keeping all of this local to your home directory.
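As an added illustration of the collection described above (not part of the assignment, and not a model answer), the script below runs standard Linux tools in rough order of volatility, writes results.txt with the required collector name and start/end times, and keeps per-command fields (command, program path, run time, exit status, raw output) of the kind the bonus database criteria call for. The collector name is an assumed placeholder; tools that are not installed are noted and skipped.

```shell
#!/bin/sh
# Added example (not part of the assignment): collect volatile data with
# standard tools into results.txt, with the required header and footer.
# COLLECTOR is an assumed placeholder; set it to your own name.
COLLECTOR="${COLLECTOR:-Student Name (placeholder)}"
OUT="${OUT:-results.txt}"
now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# One command per line, roughly most-volatile first (clock, users,
# processes, sockets) and least-volatile last (mounts, disk usage).
# Tools that are not installed are skipped and noted, not fatal.
COMMANDS='date
uname -a
uptime
who
ps aux
ss -tulpn
netstat -an
mount
df -h'

start_collection() {
    # results.txt must begin with the collector's name and start time.
    printf 'Collector: %s\nCollection started: %s\n\n' "$COLLECTOR" "$(now)" > "$OUT"
}

run_and_record() {
    # $1 is one command line. Each record keeps the fields the bonus
    # database would want: command, program path, run time, exit status,
    # and the raw output. Returns 1 if the tool is missing.
    cmd="$1"; prog="${cmd%% *}"
    path=$(command -v "$prog" 2>/dev/null) || {
        printf '### %s: not installed, skipped\n\n' "$cmd" >> "$OUT"; return 1; }
    printf '### %s (path %s, run at %s)\n' "$cmd" "$path" "$(now)" >> "$OUT"
    status=0
    $cmd >> "$OUT" 2>&1 || status=$?   # word-splitting of $cmd is intended
    printf '### exit status: %s\n\n' "$status" >> "$OUT"
}

count_records() {
    # Number of commands whose output was actually captured.
    grep -c '^### .* (path ' "$OUT" || :
}

end_collection() { printf 'Collection ended: %s\n' "$(now)" >> "$OUT"; }

start_collection
printf '%s\n' "$COMMANDS" | while read -r cmd; do run_and_record "$cmd" || :; done
end_collection
```

Each "###" record is one row's worth of data for the bonus database; the raw output stays intact between the record header and the exit-status line.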

Deliverables: For the write-up, create a short narrative of your experiences, and make sure to describe each program that you called.

(1) Email the "results.txt" file to me at "langley AT". Please also attach any scripts that you write for this assignment and, if you submit an answer on the bonus section, a copy of your results.sqlite3 file.

(2) Print out a write-up of your experiences, and give that to me at the beginning of class on February 17th.