Bitscout is not forensically sound
msuhanov opened this issue
The following issue has been discovered: when an unclean (dirty) Ext4 file system is present on a fixed drive, it is recovered by Bitscout during the boot; see the attached screenshot and a sample file system image.
ext4-dirty.raw.gz
The issue can be also reproduced when running Bitscout on real hardware, and when a sample file system is inside a partition.
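A pre-mount check an examiner can run against an image or device to see whether an ext4 file system is in the dirty state described above (journal needs replay, so any mount that replays it alters the evidence). This is an added example, not Bitscout's or the reporter's code; the 2 KiB sample images are constructed in-line and hold only a superblock, and field offsets follow the ext4 on-disk layout from the Linux kernel headers.

```python
import struct

# The primary ext4 superblock starts at byte 1024 of the volume; offsets
# below are relative to the superblock (Linux fs/ext4/ext4.h, struct ext4_super_block).
SB_OFFSET = 1024
EXT4_MAGIC = 0xEF53
STATE_CLEAN = 0x1          # s_state bit EXT2_VALID_FS: unmounted cleanly
COMPAT_HAS_JOURNAL = 0x4   # s_feature_compat: file system has a journal
INCOMPAT_RECOVER = 0x4     # s_feature_incompat: journal needs replay


def inspect_ext4(image: bytes) -> dict:
    """Parse the superblock and report whether a mount would replay the journal."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to hold an ext4 superblock")
    magic, state = struct.unpack_from("<HH", sb, 0x38)      # s_magic, s_state
    if magic != EXT4_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (bad magic)")
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)  # s_feature_compat/incompat
    last_mounted = sb[0x88:0x88 + 64].split(b"\0", 1)[0].decode("ascii", "replace")
    needs_recovery = bool(incompat & INCOMPAT_RECOVER)
    return {
        "clean": bool(state & STATE_CLEAN) and not needs_recovery,
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": needs_recovery,
        "last_mounted": last_mounted,
    }


def inspect_ext4_path(path: str) -> dict:
    """Same check on a raw image file or a (read-only) block device."""
    with open(path, "rb") as fh:
        return inspect_ext4(fh.read(SB_OFFSET + 1024))


def make_sample(dirty: bool) -> bytes:
    """Constructed 2 KiB image with only a superblock (not a mountable fs).
    A dirty fs has VALID_FS cleared and the RECOVER flag set, as the kernel
    leaves it while mounted or after an unclean shutdown."""
    sb = bytearray(1024)
    struct.pack_into("<HH", sb, 0x38, EXT4_MAGIC, 0 if dirty else STATE_CLEAN)
    struct.pack_into("<II", sb, 0x5C, COMPAT_HAS_JOURNAL,
                     INCOMPAT_RECOVER if dirty else 0)
    sb[0x88:0x88 + 5] = b"/home"
    return bytes(SB_OFFSET) + bytes(sb)


if __name__ == "__main__":
    for label, img in (("dirty", make_sample(True)), ("clean", make_sample(False))):
        print(label, inspect_ext4(img))
```

If `needs_recovery` is true on an evidence drive, the drive must be reached only through a write-blocked path, since even a read-only mount may replay the journal unless `noload`/`norecovery` is given.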
Valuable finding! Can you suggest a fix?
Thanks for reporting this!
I fixed that by modifying the Ubuntu casper system used in Bitscout. Now casper finds the livefs media via a unique disk label rather than by mounting all available filesystems. The unique disk label is chosen randomly when the first build process starts.
Confirmed behavior before patch:
After patch was applied and ISO was rebuilt:
The risk of tampering unclean filesystems by the expert shall not be present, because the expert has access only to the read-only loop block devices.
It seems that the guest container doesn't have permission to mount a block device. But if you ever allow the guest container to mount a loop device (for example, to preview file systems on a suspect machine), the read-only loop device won't protect against modifications in some cases.
Yes, correct. Right now the guest container is allowed to use fuse filesystem drivers only (i.e. ntfs-3g), but we need a better mechanism to mount some rare filesystems which have no fuse drivers. Do you suggest applying a kernel patch for write blocking? If so, can certain devices be unlocked for modification if the system owner asks for malware removal?
Do you suggest applying a kernel patch for write blocking? If so, can certain devices be unlocked for modification if the system owner asks for malware removal?
Yes (to both questions). I saw that you have noticed my kernel patch and userspace tools; they provide a way to control the write blocker through the blockdev tool.
Awesome job with that kernel patch and tools, Maxim! I am integrating it into the build process and will let people use it in Bitscout. Thank you for your research in this field!