#!/usr/bin/perl
#
# This makes a directory ($CD) with the needed files to burn to
# a CD for live analysis
#
# Current limitations are that Perl needs to be on the suspect system and
# that it uses the untrusted Perl files.

require 'conf.pl';
use vars '$USE_STIMEOUT', '$STIMEOUT', '$CTIMEOUT', '$SAVE_COOKIE';
use vars '$GREP_EXE', '$TSKDIR';

my $CD = "./live-cd/";

# Make the directories
if (-d "$CD") {
    print "Live CD directory already exists ($CD)\n";
    print "Please delete and run this again\n";
    exit(1);
}

print "Making base directory ($CD)\n";
die "Error making Live CD directory ($CD)"
    unless (mkdir "$CD", 0775);
die "Error making Live CD binaries directory ($CD)"
    unless (mkdir "$CD/bin/", 0775);

print "Copying executables\n";

# Copy the executables (each copy is checked by testing that the
# destination exists and is executable)
die "Missing grep executable ($GREP_EXE)"
    unless (-x "$GREP_EXE");
`cp '$GREP_EXE' '$CD/bin/grep'`;
die "Error copying grep executable"
    unless (-x "$CD/bin/grep");

# Sleuth Kit Binaries
die "Missing Sleuth Kit Directory ($TSKDIR)"
    unless (-d "$TSKDIR");

foreach my $exec ("blkcalc", "blkcat", "blkls", "blkstat", "ffind", "fls", "fsstat",
                  "icat", "ifind", "ils", "istat", "md5", "sha1", "srch_strings",
                  "img_stat", "mmls") {
    die "Missing Sleuth Kit executable ($exec)"
        unless (-x "$TSKDIR/$exec");
    `cp '$TSKDIR/$exec' '$CD/bin/$exec'`;
    die "Error copying Sleuth Kit executable ($exec)"
        unless (-x "$CD/bin/$exec");
}

# Make a fake 'file' command: file(1) is not shipped on the CD, so the
# stub only reports that file typing is unavailable
open FILE, ">$CD/bin/file" or die ("Error creating Live CD file exec");
print FILE "#!./bin/perl\n";
print FILE "print STDOUT \"File Type Not Supported During Live Analysis\\n\";\n";
close FILE;
`chmod +x "$CD/bin/file"`;

# Copy the autopsy directories
print "Copying autopsy files\n";
`cp -r help "$CD"`;
`cp -r lib "$CD"`;
`cp -r pict "$CD"`;

# Get the path for Perl from the #! line of the current autopsy
open AUT, "<./autopsy" or die ("Error opening normal autopsy exec");
my $perl = <AUT>;
close AUT;

if (defined $perl && $perl =~ /^#!(\S+)/) {
    $perl = $1;
} else {
    die "Error parsing Perl location from autopsy";
}

# Copy the perl exec
# @@@ I'm not sure if just copying the bin is enough ...
die "Missing Perl executable ($perl)"
    unless (-x "$perl");
`cp '$perl' '$CD/bin/perl'`;
die "Error copying perl executable"
    unless (-x "$CD/bin/perl");

# Make a new autopsy that runs with the perl on the CD (with warnings and
# taint checks enabled) and loads its libraries from the CD
open AUT, ">$CD/autopsy" or die ("Error opening Live CD autopsy exec");
print AUT "#!./bin/perl -wT\n";
print AUT "use lib '.';\n";
print AUT "use lib './lib/';\n";

open BASE, "<./base/autopsy.base" or die ("Error opening base autopsy");
print AUT $_
    while (<BASE>);
close(AUT);
close(BASE);
`chmod +x "$CD/autopsy"`;

print "Creating configuration file using existing settings\n";

# Make the configuration file
open CONF, ">$CD/conf.pl" or die ("Error opening Live CD Config file");
print CONF "# Configuration file for Live CD version of Autopsy\n";
print CONF "# http://www.sleuthkit.org/autopsy\n";
print CONF "# Created on ".localtime()."\n\n";

# Variables carried over from the current conf.pl
print CONF "\$USE_STIMEOUT = $USE_STIMEOUT;\n";
print CONF "\$STIMEOUT = $STIMEOUT;\n";
print CONF "\$CTIMEOUT = $CTIMEOUT;\n";
print CONF "\$SAVE_COOKIE = $SAVE_COOKIE;\n";
print CONF "\n";
print CONF "\$INSTALLDIR = './';\n";
print CONF "\$NSRLDB = '';\n";
print CONF "\$LOCKDIR = './read-only-live-version/';\n";
print CONF "\n";

# System Utilities: every path is relative to the CD root
print CONF "# System Utilities\n";
print CONF "\$GREP_EXE = './bin/grep';\n";
print CONF "\$FILE_EXE = './bin/file';\n";
print CONF "\$TSKDIR = './bin/';\n";
close CONF;

print "\n";
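A post-build check for the tree the script above produces, added here as an example and not part of Autopsy: it confirms that every expected binary is present and executable, that the generated autopsy wrapper and conf.pl refer only to the CD's own relative paths, and writes a SHA-256 manifest of the copied files so the burned media can be compared against it before an examination. It assumes the ./live-cd layout above and core Perl's Digest::SHA module.

```perl
#!/usr/bin/perl
# Added example (not part of Autopsy): check the live-cd tree and write a manifest.
use strict;
use warnings;
use Digest::SHA;   # core module since Perl 5.10
my $CD = shift @ARGV || "./live-cd";   # same layout as the build script

# Executables the build script copies into bin/ (plus the perl it adds)
my @bins = qw(perl grep file blkcalc blkcat blkls blkstat ffind fls fsstat
              icat ifind ils istat md5 sha1 srch_strings img_stat mmls);
my $errors = 0;
sub fail { print STDERR "FAIL: @_\n"; $errors++; }

# 1. Every expected binary exists and is executable
foreach my $b (@bins) {
    fail("missing or not executable: $CD/bin/$b") unless -x "$CD/bin/$b";
}

# 2. The generated wrapper must run the CD's own perl, not the host's
if (open my $aut, '<', "$CD/autopsy") {
    my $shebang = <$aut>;
    close $aut;
    fail("autopsy does not run ./bin/perl")
        unless defined $shebang && $shebang =~ m{^#!\./bin/perl\b};
} else {
    fail("cannot open $CD/autopsy: $!");
}

# 3. conf.pl must not point back at absolute paths on the build host
if (open my $conf, '<', "$CD/conf.pl") {
    while (my $line = <$conf>) {
        fail("absolute path in conf.pl: $line")
            if $line =~ /^\$(?:GREP_EXE|FILE_EXE|TSKDIR|INSTALLDIR)\s*=\s*'\//;
    }
    close $conf;
} else {
    fail("cannot open $CD/conf.pl: $!");
}

# 4. Hash manifest; keep a copy off the media and compare before each use
open my $man, '>', "$CD/MANIFEST.sha256" or die "cannot write manifest: $!";
foreach my $f ("autopsy", "conf.pl", map("bin/$_", @bins)) {
    next unless -f "$CD/$f";
    my $sha = Digest::SHA->new(256);
    $sha->addfile("$CD/$f", 'b');   # 'b' = read the file in binary mode
    printf {$man} "%s  %s\n", $sha->hexdigest, $f;
}
close $man;
exit($errors ? 1 : 0);
```

Run it from the Autopsy source directory after the build script finishes; a non-zero exit status means at least one check failed.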