22 10 2012
DFIR with NBDServer
UPDATE: Jeff’s tool now supports memory acquisition. You can find out more here.
So I was getting my morning dose of DFIR reading on the train this morning and couldn’t help but notice Jeff Bryner’s email message to the SANS mailing list about a tool he modified to help us DFIR guys. You can find out more about his version of the Network Block Device Server tool here.
It’s “modified to allow you to specify a whitelist IP address that can connect to the NBD Server, defaults to read only access to the partition, provide optional debug messages, and compiles via mingw on windows.”
One individual on the mailing list commented that it looks like a cheaper version of F-Response. On the surface, with a few modifications, it does look similar, although I don’t see that it supports mounting memory, etc. (I could be wrong). I’ve never used F-Response so I won’t get into debating the differences, or which one is better, etc. In either case I like the idea and decided to take a look at Jeff’s new NBDS tool.
My setup is going to be a local Windows 7 x64 machine, and I will be running an Ubuntu 12.04 Server install for the nbd-client out on Amazon’s EC2 cloud. I’m using the EC2 cloud just to demonstrate the versatility: say you were in a pinch without your laptop and only had access to a buddy’s system.
First we need to download the NBDServer files from here: https://github.com/jeffbryner/NBDServer
Once it’s downloaded you will want to get the server portion running. The -c option is the client IP address that you want to allow inbound. In this case it’s the IP address of my Amazon EC2 Ubuntu server. -n is the partition number (starts at 0). So -n1 is my C: partition. -n0 would be my 100 MB System Recovery partition that’s created during the Windows 7 install.
Configure port forwarding. In this case I used an old Linksys switch that I had lying around. I didn’t feel like editing my pfsense firewall so I went the quick route.
At this stage I am logged into my Ubuntu server on Amazon’s EC2. You will need to install the nbd client package with apt-get, as it wasn’t installed by default on the image I selected. I assume it’s not installed by default on most of them.
I also didn’t take a snapshot here, but you should run sudo modprobe nbd before using the nbd-client, per the instructions on Jeff’s github page.
As you can see it was successful and now we are connected. It also reports the block size in bytes, which in this case is 1024.
Now I will go ahead and create a folder at /mnt/company_a where I will mount it. As you can see, we successfully listed the contents of /mnt/company_a, and we are looking at the root of C:\
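Before mounting an export that someone else’s box is serving, it is worth confirming that the server really handed out a read-only export, since that is the property that keeps the evidence partition unmodified. The script below is an added example, not part of the original post and not code from Jeff’s NBDServer project; it assumes the server uses the classic old-style NBD negotiation (8-byte "NBDMAGIC", 8-byte cliserv magic, 8-byte export size, 4-byte flags, 124 reserved bytes) and takes the port as a parameter because the post does not state one (10809 is the IANA-registered NBD port, used here only as a placeholder default). The sample greeting at the bottom is constructed so the parser can be exercised offline.

```python
import socket
import struct

NBD_INIT_MAGIC = b"NBDMAGIC"
NBD_CLISERV_MAGIC = 0x00420281861253   # old-style (fixed single export) negotiation
NBD_FLAG_HAS_FLAGS = 1 << 0
NBD_FLAG_READ_ONLY = 1 << 1
OLDSTYLE_GREETING_LEN = 8 + 8 + 8 + 4 + 124   # 152 bytes sent by the server on connect


def parse_oldstyle_greeting(data: bytes) -> dict:
    """Decode the server's initial greeting and report size and read-only state."""
    if len(data) < OLDSTYLE_GREETING_LEN:
        raise ValueError("short greeting: %d bytes" % len(data))
    magic, cliserv, size, flags = struct.unpack(">8sQQI", data[:28])
    if magic != NBD_INIT_MAGIC:
        raise ValueError("not an NBD server (bad init magic)")
    if cliserv != NBD_CLISERV_MAGIC:
        raise ValueError("not old-style negotiation (unexpected cliserv magic)")
    has_flags = bool(flags & NBD_FLAG_HAS_FLAGS)
    return {
        "size_bytes": size,
        "size_mb": size // (1024 * 1024),
        "has_flags": has_flags,
        # Without HAS_FLAGS the server has told us nothing, so do not assume read-only.
        "read_only": has_flags and bool(flags & NBD_FLAG_READ_ONLY),
    }


def check_export(host: str, port: int = 10809, timeout: float = 5.0) -> dict:
    """Connect, read the greeting, and disconnect without starting I/O."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while len(buf) < OLDSTYLE_GREETING_LEN:
            chunk = sock.recv(OLDSTYLE_GREETING_LEN - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection during negotiation")
            buf += chunk
    return parse_oldstyle_greeting(buf)


# Constructed sample greeting: a 120 GiB export advertised read-only.
SAMPLE_GREETING = (
    NBD_INIT_MAGIC
    + struct.pack(">QQI", NBD_CLISERV_MAGIC, 120 * 1024 ** 3,
                  NBD_FLAG_HAS_FLAGS | NBD_FLAG_READ_ONLY)
    + b"\x00" * 124
)

# Constructed sample greeting: same export, but the server did not set READ_ONLY.
SAMPLE_WRITABLE_GREETING = (
    NBD_INIT_MAGIC
    + struct.pack(">QQI", NBD_CLISERV_MAGIC, 120 * 1024 ** 3, NBD_FLAG_HAS_FLAGS)
    + b"\x00" * 124
)

if __name__ == "__main__":
    info = parse_oldstyle_greeting(SAMPLE_GREETING)
    print("export: %d MB, read_only=%s" % (info["size_mb"], info["read_only"]))
    # Against a live server: check_export("192.0.2.10", 10809)  # placeholder host
```

If read_only comes back False, stop and fix the server side before running nbd-client; mounting with -o ro on the Linux side protects against your own tools, but not against anything else that can reach the export.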
The next examples are pretty self-explanatory, but I will provide a couple anyway. Basically you would just analyze it like you would any other mounted image.
This one is running pasco (installed via apt-get) remotely against index.dat. I run DeepFreeze on this Windows box so you’re not seeing much traffic here.
Here is an example using TSK’s fls command (also installed via apt-get) to build a body file, which could then be processed using log2timeline, etc.
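To show what the body file from fls is actually for, here is an added example (not from the original post, and not TSK or log2timeline code) of a minimal mactime-style timeline builder in Python. It assumes the TSK 3.x body format of eleven pipe-separated fields (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds, 0 meaning unknown) and that file names contain no pipe character; the two body lines it works on are constructed samples, not output from the author’s system.

```python
import datetime

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
TIME_FIELDS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body_line(line: str) -> dict:
    """Split one fls body line into a record with integer sizes and timestamps."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError("expected %d fields, got %d: %r" % (len(BODY_FIELDS), len(parts), line))
    rec = dict(zip(BODY_FIELDS, parts))
    rec["size"] = int(rec["size"])
    for _, field in TIME_FIELDS:
        rec[field] = int(rec[field])
    return rec


def build_timeline(body_lines) -> list:
    """Expand each record into per-timestamp events carrying MACB flags, sorted by time."""
    events = {}   # (timestamp, name) -> set of letters that fired at that instant
    for line in body_lines:
        if not line.strip():
            continue
        rec = parse_body_line(line)
        for letter, field in TIME_FIELDS:
            ts = rec[field]
            if ts == 0:          # 0 means the filesystem had no value; skip it
                continue
            events.setdefault((ts, rec["name"]), {"letters": set(), "rec": rec})
            events[(ts, rec["name"])]["letters"].add(letter)

    timeline = []
    for (ts, name), ev in sorted(events.items()):
        macb = "".join(l if l in ev["letters"] else "." for l in "macb")
        when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
        timeline.append({
            "ts": ts,
            "when": when.strftime("%Y-%m-%d %H:%M:%S"),
            "macb": macb,
            "size": ev["rec"]["size"],
            "mode": ev["rec"]["mode"],
            "name": name,
        })
    return timeline


# Constructed sample body lines (not real fls output from the post's system).
SAMPLE_BODY = [
    "0|C:/Windows/System32/cmd.exe|12345|r/rrwxrwxrwx|0|0|302592|1350864000|1247540000|1247540000|1247540000",
    "0|C:/Users/bob/Documents/notes.txt|22222|r/rrwxrwxrwx|0|0|512|1350864000|1350860400|1350860400|1350000000",
]

if __name__ == "__main__":
    for ev in build_timeline(SAMPLE_BODY):
        print("%s  %s  %8d  %s" % (ev["when"], ev["macb"], ev["size"], ev["name"]))
```

The output mirrors mactime's columns: one row per distinct timestamp per file, with "m.cb" for a file whose modified, changed and created times coincide and ".a.." for a lone access time. On a mount taken from the NBD export you would feed the real fls -m output in place of SAMPLE_BODY.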
As you can see, right out of the box this provides some really nice features for DFIR folks out there. The best part is it’s free, and hopefully people build upon it and create additional features. Creating a simple batch file and tossing it onto a thumb drive might be useful for some DFIR folks.
As I’m sure you’re aware, this works just as easily within a LAN environment, but I wanted to show its WAN capabilities. I don’t see any functionality for encryption and didn’t have any tools to test it, but I am going to assume there is none. Please correct me if I am wrong.
Thanks go out to Jeff Bryner and Folkert van Heusden for their time and effort.