vitaly-kamluk / bitscout

Remote forensics meta tool

Bitscout is not forensically sound

msuhanov opened this issue · comments

The following issue has been discovered: when an unclean (dirty) Ext4 file system is present on a fixed drive, it is recovered by Bitscout during the boot; see the attached screenshot and a sample file system image.
Attachments: screenshot `bitscout`, sample file system image `ext4-dirty.raw.gz`

The issue can be also reproduced when running Bitscout on real hardware, and when a sample file system is inside a partition.

Valuable finding! Can you suggest a fix?

Thanks for reporting this!
I fixed that by modifying the Ubuntu casper system used in Bitscout. Now casper finds the livefs media via a unique disk label rather than by mounting all available filesystems. The unique disk label is chosen randomly when the first build process starts.

Confirmed behavior before patch:
Screenshot: `bitscout_before_patch`

After patch was applied and ISO was rebuilt:
Screenshot: `bitscout_after_patch`

The risk of tampering unclean filesystems by the expert shall not be present, because the expert has access only to the read-only loop block devices.

> The risk of tampering unclean filesystems by the expert shall not be present, because the expert has access only to the read-only loop block devices.

It seems that the guest container doesn't have permission to mount a block device. But if you ever allow the guest container to mount a loop device (for example, to preview file systems on a suspect machine), the read-only loop device won't protect against modifications in some cases.

Yes, correct. Right now the guest container is allowed to use fuse filesystem drivers only (i.e. ntfs-3g), but we need a better mechanism to mount some rare filesystems which have no fuse drivers. Do you suggest applying a kernel patch for write blocking? If so, can certain devices be unlocked for modification if the system owner asks for malware removal?

> Do you suggest applying a kernel patch for write blocking? If so, can certain devices be unlocked for modification if the system owner asks for malware removal?

Yes (to both questions). I saw that you have noticed my kernel patch and userspace tools, they provide a way to control the write blocker through the blockdev tool.
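The write the original report describes is the kernel replaying the Ext4 journal of a dirty file system at mount time. The following added example (not Bitscout project code, and not the kernel write blocker discussed above) shows the two stock layers a forensic mount should combine before any custom write blocker: the ext4 `noload` option, which skips journal recovery, and a read-only loop device that is also marked read-only with `blockdev --setro`. It then compares a SHA-256 of the image before and after the mount so that any unintended write is caught rather than assumed absent. The `inspect_image` helper needs root for `losetup` and `mount`; the image path and file system type are arguments supplied by the user.

```shell
#!/bin/sh
# Added example, not part of the Bitscout repository.
# Mounts a disk image for inspection without letting the kernel replay a
# dirty Ext4 journal, and proves it by hashing the image before and after.
set -eu

# Mount options that avoid journal replay. 'noload' is the documented ext4
# option that skips journal recovery; for other file systems only 'ro' applies
# here (drivers such as ntfs-3g are outside this example).
forensic_mount_opts() {
  case "$1" in
    ext2|ext3|ext4) printf 'ro,noload' ;;
    *)              printf 'ro' ;;
  esac
}

# Compare two digests; prints "unchanged" or "MODIFIED".
verify_unchanged() {
  if [ "$1" = "$2" ]; then printf 'unchanged'; else printf 'MODIFIED'; fi
}

image_hash() { sha256sum "$1" | cut -d' ' -f1; }

# Attach the image to a read-only loop device, mark the device read-only at
# the block layer as a second barrier, mount with the safe options, list the
# root directory, tear everything down and confirm the image bytes are intact.
# Requires root. Arguments: image path, file system type (e.g. ext4).
inspect_image() {
  img=$1; fstype=$2; mnt=$(mktemp -d)
  before=$(image_hash "$img")
  dev=$(losetup --find --show --read-only "$img")
  blockdev --setro "$dev"
  mount -t "$fstype" -o "$(forensic_mount_opts "$fstype")" "$dev" "$mnt"
  ls -la "$mnt"
  umount "$mnt"; losetup -d "$dev"; rmdir "$mnt"
  after=$(image_hash "$img")
  verify_unchanged "$before" "$after"
}

# Usage: sudo ./forensic_mount.sh ext4-dirty.raw ext4
if [ -n "${1:-}" ]; then inspect_image "$1" "${2:-ext4}"; echo; fi
```

Without `noload`, mounting a dirty Ext4 image through a read-only loop device is not enough on its own: the driver still attempts recovery, and whether that turns into an I/O error or a silent write depends on the kernel version, which is exactly why the hash comparison at the end is the check worth keeping in any live-boot or container workflow.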

Awesome job with that kernel patch and tools, Maxim! I am integrating it into the build process and will let people use it in Bitscout. Thank you for your research in this field!