2011-12-17

LUKS + LVM + Backups

Using LVM for storing data is easy, cool and sexy - especially once you get to the point where you need to resize partitions as projects grow. And what about backups? I keep a dd bit copy of my drive in case something bad happens to the master drive. When I wanted to restore just some bits from the backup I ran into trouble mounting it because of the duplicate identifiers. This is how I solved it.


Just to check we are fighting in similar dojo:

  • /dev/sda9 - partition marked with type 8e (LVM)

  • partition is encrypted with LUKS

  • LVM contains volume group vgdata

  • vgdata contains several logical volumes

  • whole disk sda cloned to sdb (external USB drive) using dd if=/dev/sda of=/dev/sdb. Side effect is that all UUIDs are the same




Boot a rescue CD, disconnect the backup drive and change the UUIDs on the master drive to avoid the duplicates. Alternatively you can change the UUIDs on the backup drive on a different machine, for example:

#Open the LUKS device of the backup
cryptsetup luksOpen /dev/sdb9 luks-backup
#Change the PV and VG UUIDs (if you do this on the master drive instead, disconnect the backup drive first)
pvchange -u /dev/mapper/luks-backup
vgchange -u vgdata




Boot back into the primary system - the rest can be done online, as the UUIDs of the physical volumes and volume groups are different now.

pvs
WARNING: Duplicate VG name vgdata: zCyBsK-5oAX-fk1T-ZtKu-bJsq-V32U-jefWxT (created here) takes precedence over bM4h3v-C22d-yKLg-k21k-vhaq-VyN4-zxOVtN
WARNING: Duplicate VG name vgdata: Existing zCyBsK-5oAX-fk1T-ZtKu-bJsq-V32U-jefWxT (created here) takes precedence over bM4h3v-C22d-yKLg-k21k-vhaq-VyN4-zxOVtN
PV VG Fmt Attr PSize PFree
/dev/mapper/luks-1c37deed-13d9-4364-bbda-944a4ae42618 vgdata lvm2 a-- 316.70g 136.70g
/dev/mapper/luks-backup vgdata lvm2 a-- 316.70g 91.70g

#This will not work - need to use the UUID
vgrename vgdata vgdata-bak
WARNING: Duplicate VG name vgdata: zCyBsK-5oAX-fk1T-ZtKu-bJsq-V32U-jefWxT (created here) takes precedence over bM4h3v-C22d-yKLg-k21k-vhaq-VyN4-zxOVtN
Found more than one VG called vgdata. Please supply VG uuid.

#Rename the volume group for the backup
vgrename zCyBsK-5oAX-fk1T-ZtKu-bJsq-V32U-jefWxT vgdata-bak

#Make the volume active
lvchange -a y /dev/vgdata-bak/lvdat1

#Mount
mkdir /mnt/bak
mount /dev/vgdata-bak/lvdat1 /mnt/bak
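While the clone is attached, every LVM command that names the volume group runs into the duplicate-name warning, so the rename has to go by UUID, as above. The following is an added example (not from the original post): it picks the VG UUID that belongs to the backup PV out of the pvs report, so the rename cannot accidentally hit the live vgdata. The pvs and vgs output embedded in the block is a constructed sample built from the two UUIDs shown above (which UUID sits on which PV is assumed); the helper names are my own.

```shell
#!/bin/bash
# Added example: rename the cloned volume group by UUID, selecting the UUID
# through the PV it lives on rather than copying it by hand.
# Function names are assumptions, not LVM commands.

# Read `pvs --noheadings -o pv_name,vg_name,vg_uuid` output on stdin and print
# the VG UUID of the row whose PV is $1 (prints nothing if not found).
vg_uuid_for_pv() {
    awk -v pv="$1" '$1 == pv { print $3; exit }'
}

# Read `vgs --noheadings -o vg_name` output on stdin and print every VG name
# that occurs more than once; empty output means the duplicates are gone.
duplicate_vg_names() {
    awk '{ n[$1]++ } END { for (v in n) if (n[v] > 1) print v }' | sort
}

# Rename the VG that backs PV $1 to $2 and activate its logical volumes.
# Runs real LVM commands (needs root), so it is not called by default.
rename_backup_vg() {
    pv=$1; newname=$2
    uuid=$(sudo pvs --noheadings -o pv_name,vg_name,vg_uuid | vg_uuid_for_pv "$pv")
    if [ -z "$uuid" ]; then
        echo "no volume group found on $pv" >&2
        return 1
    fi
    sudo vgrename "$uuid" "$newname" && sudo vgchange -a y "$newname"
}

# Constructed sample of `pvs --noheadings -o pv_name,vg_name,vg_uuid` output.
# The UUIDs are the two from the post; which one belongs to which PV is assumed.
SAMPLE_PVS='  /dev/mapper/luks-1c37deed-13d9-4364-bbda-944a4ae42618 vgdata bM4h3v-C22d-yKLg-k21k-vhaq-VyN4-zxOVtN
  /dev/mapper/luks-backup vgdata zCyBsK-5oAX-fk1T-ZtKu-bJsq-V32U-jefWxT'

# Constructed sample of `vgs --noheadings -o vg_name` output with the clone attached.
SAMPLE_VGS='  vgdata
  vgdata'

# Dry run on the samples. The real thing would be:
#   rename_backup_vg /dev/mapper/luks-backup vgdata-bak
demo() {
    printf '%s\n' "$SAMPLE_PVS" | vg_uuid_for_pv /dev/mapper/luks-backup
}
```

Run `vgs --noheadings -o vg_name | duplicate_vg_names` afterwards; once it prints nothing, plain names such as vgdata and vgdata-bak are unambiguous again.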



2011-10-03

Fedora 16 Alpha - issues with encrypted drives

Here is the list of issues I was facing when upgrading from Fedora 15 to Fedora 16 Alpha.
First of all - have a backup of everything you have on the disk ready. Having a bit-level backup of the whole disk really saved my ass.

I do have multiple encrypted systems installed on my machine:

/dev/sda1 50GB Truecrypt - Windows
/dev/sda2 3GB Unencrypted - Grub boot partition
/dev/sda3 16GB LUKS - Backtrack5
/dev/sda4 Extended
/dev/sda5 16GB LUKS - Fedora root
/dev/sda6 16GB LUKS - home
/dev/sda7 4GB LUKS - swap
....


Issue #1 - LUKS device of the other system


I asked the installer to format and install to sda5. The Anaconda installer formatted sda5, but actually mounted the LUKS device on sda3 as /mnt/sysimage and tried to install there (this is the Backtrack partition on my computer) - and it failed. Changing the partition type to something insane didn't help. I had to delete partition sda3 from the partition table and return it after the installation.

Issue #2 - LUKS device with ext3


I have had my "home" partition encrypted for quite a long time. It had an ext3 filesystem when I started, but the installer failed with an error. The Anaconda installer assumes during the installation that the filesystem on a LUKS encrypted disk is ext4 and fails if it is ext3.

I had wanted to migrate to ext4 for a while anyway, so I didn't investigate much why Anaconda throws the error. I just flushed home to a secondary disk, recreated the LUKS device, formatted it with ext4 and restored the data from the backup using conventional weapons.

Issue #3 - Truecrypt vs Grub2



After installing Fedora 16 and realcrypt from rpmfusion I found I was unable to mount the Windows partition encrypted with TrueCrypt. After investigation it turns out that Fedora 16 Alpha uses grub2 as the boot loader, which is the source of the issues.

Both TrueCrypt and grub2 use not only the MBR to store the boot loader; in fact they use many more sectors to store the necessary information (64 sectors?). With grub it was enough to have a backup of the MBR (1 sector of 512 bytes) to boot the TrueCrypt bootloader by chainloading the TrueCrypt MBR. The rest of TrueCrypt remained untouched on the disk. With grub2 the TrueCrypt boot loader and volume header are overwritten completely.

I used to boot the TrueCrypt boot loader from the MBR saved directly after the TrueCrypt installation with:

dd if=/dev/sda of=/boot/win/truecrypt.mbr bs=512 count=1

#Old Grub configuration
title Windows XP
root (hd0,1)
chainloader (hd0,1)/win/truecrypt.mbr

#New Grub2 configuration from grub2-menulst2cfg
menuentry 'Windows XP' {
set root='(hd0,2)'; set legacy_hdbias='0'
chainloader '(hd0,2)/win/truecrypt.mbr'
}



Unfortunately this doesn't work anymore with grub2. The TrueCrypt boot loader reports this error:

TrueCrypt Boot Loader
Loader damaged! Use Rescue Disk: Repair Options > Restore Truecrypt Boot Loader


Trying to mount it from Linux using realcrypt fails as well:

# realcrypt --text --filesystem=none -m system -k "" --protect-hidden=no /dev/sda1
Enter password for /dev/sda1:
Incorrect keyfile(s) and/or password or not a RealCrypt volume.

Note that pre-boot authentication passwords need to be typed in the pre-boot environment where non-US keyboard layouts are not available. Therefore, pre-boot authentication passwords must always be typed using the standard US keyboard layout (otherwise, the password will be typed incorrectly in most cases). However, note that you do NOT need a real US keyboard; you just need to change the keyboard layout in your operating system.


You can boot the TrueCrypt Rescue CD ISO image instead. The trick is to use memdisk from the syslinux package:

yum install syslinux
cp /usr/share/syslinux/memdisk /boot/memdisk

cat /etc/grub.d/20_windows_truecryptiso
#!/bin/sh

echo "Adding entry for Windows/Truecrypt ISO" >&2

cat << EOF
menuentry 'WindowsXP/Truecrypt ISO' {
set root='(hd0,2)'; set legacy_hdbias='0'
linux16 /memdisk iso raw
initrd16 /win/tcrescue2011.iso
}
EOF


To regenerate the grub configuration:

grub2-mkconfig -o /boot/grub2/grub.cfg



I tried to restore the TrueCrypt Boot Loader and, as expected, it breaks grub2. So you have to reinstall grub2, which breaks the TrueCrypt loader - a chicken and egg problem, right?

# grub2-install /dev/sda
Installation finished. No error reported.





The only compromise between these two bootloaders which I have found on the internet is to set up grub2, boot the TrueCrypt rescue CD ISO via memdisk from grub2 and restore only the key+data structure to the disk. This apparently doesn't overwrite grub2. Press F8 when booted from the TrueCrypt rescue CD and choose option 3:




Not restoring the key+data will mean that the disk can't be booted even from the rescue CD and it won't be possible to mount it from Linux. The error is not obvious at first sight, as only "Incorrect Password" is reported despite the fact that you are sure the password is right:



Testing the configuration with qemu:

sync ; echo 3 > /proc/sys/vm/drop_caches ; qemu -hda /dev/sda

2011-08-24

Recovery of disk with badblocks


There are some specifics to recovering a disk with bad blocks.
Let's say there is a bad block at sector 2550302 of /dev/sda.

This should fail because this is the bad sector:
# dd if=/dev/sda of=/dev/null bs=512 count=1 skip=2550302

This should be OK because this is the sector before:
# dd if=/dev/sda of=/dev/null bs=512 count=1 skip=2550301

But actually even this fails:
# dd if=/dev/sda of=/dev/null bs=512 count=1 skip=2550298

The reason is that the block size of the block device /dev/sda is not 512 but actually (most probably) 4k:
# blockdev --getbsz /dev/sda
4096


This can cause you to lose more data from the forensic image than really necessary. Setting the block size on an active device will most probably fail. The solution is to use the O_DIRECT flag when opening the device - or rather to use tools which are capable of using direct mode.

This should really work:

# dd if=/dev/sda of=/dev/null bs=512 count=1 skip=2550301 iflag=direct
# dd if=/dev/sda of=/dev/null bs=512 count=1 skip=2550303 iflag=direct
# dc3dd if=/dev/sda of=/dev/null bs=512 count=1 skip=2550301 iflag=direct
# dc3dd if=/dev/sda of=/dev/null bs=512 count=1 skip=2550303 iflag=direct
# ddrescue -d ....
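As an added example (not from the original post), the two functions below show the arithmetic behind the failures above and turn the direct-read probing into a loop: the first computes which 512-byte sectors a buffered read throws away around one bad sector for a given device block size, the second reads a range sector by sector with iflag=direct and reports each one individually. Function names are my own; the sector number and block size are the ones from the example above.

```shell
#!/bin/bash
# Added example: isolate one bad 512-byte sector instead of losing the whole
# 4 KiB block the page cache reads around it. Function names are assumptions.

# Print "first last": the range of 512-byte sectors that a buffered read fails
# on when sector $1 is bad and the device block size is $2 bytes (default 4096,
# the value `blockdev --getbsz` reported above).
buffered_fail_range() {
    bad=$1; bsz=${2:-4096}
    per_block=$(( bsz / 512 ))
    first=$(( bad / per_block * per_block ))
    echo "$first $(( first + per_block - 1 ))"
}

# Report the range that plain dd loses for device $1 and bad sector $2,
# using the real block size of the device (needs the device to exist).
explain_bad_sector() {
    dev=$1; bad=$2
    bsz=$(blockdev --getbsz "$dev") || return 1
    echo "block size $bsz: a buffered read of sector $bad fails for sectors $(buffered_fail_range "$bad" "$bsz")"
}

# Read sectors $2..$3 of $1 one at a time with O_DIRECT and print each as
# "ok" or "BAD". Returns 1 if any sector could not be read. Meant for a block
# device (needs root); filesystems such as tmpfs do not support iflag=direct.
probe_sectors() {
    dev=$1; s=$2; last=$3; bad=0
    while [ "$s" -le "$last" ]; do
        if dd if="$dev" of=/dev/null bs=512 count=1 skip="$s" iflag=direct 2>/dev/null; then
            echo "sector $s: ok"
        else
            echo "sector $s: BAD"
            bad=$(( bad + 1 ))
        fi
        s=$(( s + 1 ))
    done
    [ "$bad" -eq 0 ]
}

# Usage on the example above (as root):
#   probe_sectors /dev/sda $(buffered_fail_range 2550302 4096)
# reads sectors 2550296..2550303 one by one, so only 2550302 is reported BAD.
```

With a 4096-byte block size, sector 2550302 lies in the block covering sectors 2550296 to 2550303, which is why the buffered read of 2550298 failed above while the direct reads of 2550301 and 2550303 succeed.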

2011-07-28

Xrandr script for Gnome 3 - Fn+F4

As I am running Gnome 3, quite commonly in dual-head mode, I was missing an easy way to cycle between the RandR video modes.

So here is the result: xrandr_cycle


xrandr_cycle ... cycle between the display modes using the xrandr
Syntax: xrandr_cycle [--install|--help|-r]
xrandr_cycle ... cycle modes in forward order
xrandr_cycle -r ... cycle modes in reverse order
xrandr_cycle --help ... print this help
xrandr_cycle --install ... install ctrl-alt-3 and ctrl-alt-4 shortcuts


xrandr_cycle --install
By default it will install as metacity shortcut
Mod4-P (* Fn-F3) ... cycle modes in primary direction
ctrl-alt-4 (* Win-4) ... cycle modes in primary direction
ctrl-alt-3 (* Win-3) ... cycle modes in reverse direction


2011-04-22

Fedora 15 Snippets

These steps are inspired by
http://www.mjmwired.net/resources/mjm-fedora-f15.html


#-------------Download from nearest mirror
yum -y install yum-plugin-fastestmirror


#-------------Other repositories
#Rpmfusion for FC15 was not stable at the time of the FC15 release - originally I needed to use rawhide
#rpm -Uhv http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-rawhide.noarch.rpm
#rpm -Uhv http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-rawhide.noarch.rpm

sudo rpm -ivh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
sudo rpm -ivh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm


#----------------- Citrix -----------------------
#http://webmail.scatterpated.net:10080/index.php?name=News&file=article&sid=5
yum -y install openmotif
#http://www.citrix.com/English/SS/downloads/details.asp?downloadID=3323&productID=-1#top
rpm -Uhv ICAClient-11.100-1.i386.rpm


#------------------Adobe ---------------------
rpm -Uhv http://linuxdownload.adobe.com/adobe-release/adobe-release-i386-1.0-1.noarch.rpm

#Reader + flash
yum -y install AdobeReader_enu flash-plugin


#----------------- Java -------------------------
#wget http://javadl.sun.com/webapps/download/AutoDL?BundleId=35674
#http://www.oracle.com/technetwork/java/javase/downloads/index.html
#http://download.oracle.com/otn-pub/java/jdk/6u25-b06/jdk-6u25-linux-i586-rpm.bin
#http://download.oracle.com/otn-pub/java/jdk/6u25-b06/jre-6u25-linux-i586-rpm.bin
#

sh jre-6u25-linux-i586-rpm.bin
sh jdk-6u25-linux-i586-rpm.bin
/usr/sbin/alternatives --install /usr/bin/java java /usr/java/default/bin/java 20000
/usr/sbin/alternatives --install /usr/bin/keytool keytool /usr/java/default/bin/keytool 20000

sudo /usr/sbin/alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so libjavaplugin.so /usr/java/default/lib/i386/libnpjp2.so 20000

sudo /usr/sbin/alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so libjavaplugin.so /usr/java/default/jre/lib/i386/libnpjp2.so 30000

#Pulse audio plugin for java
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/ext/pulse-java.jar /usr/java/default/jre/lib/ext/
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/i386/libpulse-java.so /usr/java/default/jre/lib/i386/
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/ext/pulse-java.jar /usr/java/jre*/lib/ext/
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/i386/libpulse-java.so /usr/java/jre*/lib/i386/

mv /usr/java/default/jre/lib/i386/libjsoundalsa.so /usr/java/default/jre/lib/i386/libjsoundalsa.so.bak
mv /usr/java/jre*/lib/i386/libjsoundalsa.so /usr/java/jre*/lib/i386/libjsoundalsa.so.bak

/usr/sbin/alternatives --config java
/usr/sbin/alternatives --config libjavaplugin.so



#----------------- Font MS Core Fonts -------------------------
wget http://www.mjmwired.net/resources/files/msttcore-fonts-2.0-3.spec
rpmbuild -ba msttcore-fonts-2.0-3.spec
rpm -Uhv msttcore-fonts-2.0-3.noarch.rpm



#----------------- Font Google Webfonts -------------------------
cd /tmp
wget http://joemaller.com.nyud.net/googlewebfonts.tgz
tar xzvf googlewebfonts.tgz
cd googlefontdirectory
mkdir /usr/share/fonts/googlefontdirectory/
find ./ -type f -name '*.ttf' | xargs -i cp '{}' /usr/share/fonts/googlefontdirectory/
/usr/bin/fc-cache -f /usr/share/fonts/googlefontdirectory/


#----------------- Skype -------------------------
wget http://www.skype.com/go/getskype-linux-beta-fc10
rpm -Uhv skype-2.1.0.81-fc10.i586.rpm


#----------------- Additional packages -------------------------
#Gnome
yum -y install gconf-editor dconf-editor gnome-tweak-tool

#Photo
yum -y install gqview gthumb

#Audio
yum -y install audacity-freeworld xmms xmms-mp3 xmms* xmms2*

#Video
yum -y install mplayer xine vlc xine-lib-extras-freeworld kino transcode ffmpeg ffmpeg-devel
yum -y install gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg

#CD/DVD Burning
yum -y install k3b k3b-extras-freeworld

#Wine
yum -y install wine
yum -y install stardict.i686 stardict-dic-cs_CZ.noarch stardict-dic-en.noarch
yum -y install alacarte #gnome menu editor
yum -y install dia-*

#GPS
yum -y install gpsbabel viking gpscorrelate

#internet
yum -y install galeon psi
yum -y install firefox thunderbird
yum -y install lftp ncftp ftp tftp tftp-server dhcping ethtool wol net-tools tor polipo iptraf \
    cntlm wireshark-gnome wireshark-devel tcpdump
yum -y install tftp-server xinetd dhcp httpd php php-mysql php-cli php-pgsql php-ldap ppp kismet \
    umit


#kernel
yum -y install dkms
yum -y install kernel-headers-`uname -r` kernel-devel-`uname -r`

#RPM dev
yum -y install rpm-build rpmlint rpmdevtools expect rpm-sign

#----------------- Crypto ------------------------
yum -y install keepassx realcrypt john

#------------------ File tools ---------------------
yum -y install cabextract p7zip p7zip-plugins unrar unace

#devel
yum -y install qmake rpm-build rpm-sign

#----------------- Forensics ------------------------
yum -y install sharutils #uuencode uudecode
yum -y install sleuthkit
yum -y install squashfs-tools ufdtools ocfs2-tools nfs4-acl-tools
yum -y install guestfish libguestfs-*

sudo rpm -Uhv http://www.cert.org/forensics/tools/fedora/cert/14/i386/cert-forensics-tools-release-14.noarch.rpm
yum install CERT-Forensics-Tools

#----------------- Networking ------------------------
#Servers
chkconfig --level 12345 xinetd off
chkconfig --level 12345 dhcpd off
chkconfig --level 12345 avahi-daemon off
chkconfig --level 12345 tor off
chkconfig --level 12345 polipo off

# Wake on lan
cat >> /etc/rc.local <<EOF
ethtool -s eth0 wol g > /dev/null 2>&1
ethtool -s eth1 wol g > /dev/null 2>&1
EOF

#-------------------- Gnome 3 Hints -------------------------------
yum -y install gnome-shell-extension* gnome-shell-theme*

#gsettings list-recursively org.gnome.shell
#opt-out extensions I do not like
gsettings set org.gnome.shell disabled-extensions "['alternate-tab@gnome-shell-extensions.gnome.org', 'righthotcorner@fpmurphy.com', 'noripple@fpmurphy.com']"

#I fail to keep track what the date is :)
gsettings set org.gnome.shell.clock show-date true

#still I like to see 3 buttons when there is a wasted 1280x20 space not good for anything else
gconftool-2 -s /desktop/gnome/shell/windows/button_layout --type str ":minimize,maximize,close"

#It was very annoying to me not to be able to move the spell checker window away to see what is below
gconftool-2 -s /desktop/gnome/shell/windows/attach_modal_dialogs --type bool "false"

#Nautilus
gsettings set org.gnome.nautilus.desktop home-icon-visible true
gsettings set org.gnome.desktop.background show-desktop-icons true
gsettings set org.gnome.shell.calendar show-weekdate true

#Icons
gsettings set org.gnome.desktop.interface menus-have-icons true
gsettings set org.gnome.desktop.interface menus-have-tearoff true

#Notebook lid
# I prefer not to shut down the notebook on lid close; rather I prefer to control it manually
#http://fedora.rasmil.dk/blog/?p=208
#setting ::= nothing|blank|suspend|hibernate|shutdown

#gsettings list-recursively org.gnome.settings-daemon.plugins.power
gsettings set org.gnome.settings-daemon.plugins.power lid-close-ac-action blank
gsettings set org.gnome.settings-daemon.plugins.power lid-close-battery-action blank

#Favourite keyboard shortcuts
#Run Terminal on Win+t
gconftool-2 -s /apps/metacity/global_keybindings/run_command_terminal --type string 't'

#Show Desktop on Win+d
gconftool-2 -s /apps/metacity/global_keybindings/show_desktop --type string 'd'

#Show window menu on Alt+space
gconftool-2 -s /apps/metacity/window_keybindings/activate_window_menu --type string 'space'

#Run Firefox on Win+f
gconftool-2 -s /apps/metacity/global_keybindings/run_command_1 --type string 'f'
gconftool-2 -s /apps/metacity/keybinding_commands/command_1 --type=string 'firefox'

#Lock the screen on Win+l
gconftool-2 -s /apps/metacity/global_keybindings/run_command_2 --type=string 'l'
gconftool-2 -s /apps/metacity/keybinding_commands/command_2 --type=string 'gnome-screensaver-command -l'

#I prefer a dark background in the terminal - set the dark background in vi
echo ":set background=dark" >> ~/.vimrc


2011-04-13

Run Elluminate Live Webcasts under Fedora 14

I was about to listen to some SANS webcasts when I found that my Java installation on Fedora 14 was totally mute. Everything looked fine, but no sound. The root cause was that the Sun Java I was using supported ALSA, but not PulseAudio. The solution was to use the library from OpenJDK and disable the ALSA library.

#Pulse audio plugin for java
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/ext/pulse-java.jar /usr/java/default/jre/lib/ext/
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/i386/libpulse-java.so /usr/java/default/jre/lib/i386/
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/i386/libpulse-java.so /usr/java/jre1.6.0_22/lib/i386/
cp /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0/jre/lib/ext/pulse-java.jar /usr/java/jre1.6.0_22/lib/ext/

mv /usr/java/default/jre/lib/i386/libjsoundalsa.so /usr/java/default/jre/lib/i386/libjsoundalsa.so.bak



Sources:
http://www.linuxquestions.org/questions/linux-newbie-8/elluminate-live-on-linux-641328/
http://ubuntuforums.org/showthread.php?p=10659231

2011-03-25

Data Sanitization

I found some interesting materials to the topic of data sanitization:

Magnetic Media - (Peter Gutmann - oldies but interesting):
- note the old drives, low density, MFM/LCC - able to recover complements by oscilloscope reading
- read the epilogue - the 35-pass voodoo overwriting scheme is not necessary for modern drives, random data would do the trick

Semiconductors (Peter Gutmann - SRAM, DRAM,EEPROM, FLASH ...)

And recommended tools :D by Peter:

Data remanence
- Feasibility of recovery

Microscopy of HDD data
- micro imaging would take at least weeks on today's high density, high volume drives

-------------

DoD 5220.22-M NISPOM
8-306. Maintenance - Clearing and Sanitization Matrix
d. Overwrite all addressable locations with a character, its complement, then a random character and verify. THIS METHOD IS NOT APPROVED FOR SANITIZING MEDIA THAT CONTAINS TOP SECRET INFORMATION.

AR380-19

Degausser for HDD - maybe we could use one for broken drives:
http://www.mediaduplicationsystems.com/Degausser_Hard_Drive_Degaussers_s/103.htm
http://www.datalinksales.com/detail/Model%201100.html/1100%20degauss%20wand

Additional topics:
HPA and DCO protected areas on ATA drives

-------------
My personal conclusions:
Working drives:
- even one verified zero overwrite of the drive should be good enough for "For Internal Use" data.
- actually this is what "ATA Secure Erase" does
- even one random data overwrite of the drive should be good enough for pretty much everything
- I find it highly non-economical to invest so much money and effort to read overwritten data
- DoD 5220.22-M with 3 overwrites - to be on the safe side from audit


Broken drives:
- if suffering from bad blocks "ATA Enhanced Secure Erase" still might help - although no fancy logs or reports of results
- hammer and drill are your friends :) for completely non-working disks
- I was surprised that HDD degaussers are quite affordable
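The "one verified zero overwrite" from the conclusions above, as an added example that is not part of the original post: it zero-fills a target and then compares every byte against /dev/zero, so the exit status is the audit evidence rather than a trust-me log line. It works on a block device or on an image file; the self-test uses a constructed random file, never a disk. Function names are my own.

```shell
#!/bin/bash
# Added example: single zero pass with byte-for-byte verification.
# Function names are assumptions. Pass a block device (e.g. /dev/sdX) or an
# image file; nothing here touches a disk unless you name one.

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Overwrite the whole target with zeros and flush to the medium. head -c
# bounds the write to the exact size, so an image file keeps its length.
zero_overwrite() {
    size=$(target_size "$1") || return 1
    head -c "$size" /dev/zero | dd of="$1" bs=1M conv=notrunc,fsync 2>/dev/null
}

# Verify: every byte of the target equals /dev/zero. Returns 0 when clean;
# otherwise cmp prints the first differing offset and the status is 1.
verify_zeroed() {
    size=$(target_size "$1") || return 1
    cmp -n "$size" /dev/zero "$1"
}

# Wipe and verify in one step; the exit status is the result to record.
sanitize_verified() {
    zero_overwrite "$1" && verify_zeroed "$1"
}

# Self-test on a constructed 1 MiB file of random data (not a real drive):
# prints the verification state before and after the wipe.
demo() {
    f=$(mktemp)
    head -c 1048576 /dev/urandom > "$f"
    if verify_zeroed "$f" >/dev/null 2>&1; then before=clean; else before=dirty; fi
    if sanitize_verified "$f" >/dev/null 2>&1; then after=clean; else after=dirty; fi
    rm -f "$f"
    echo "$before $after"
}
```

Verification reads the whole medium back, so on a drive with bad blocks it fails at the first unreadable sector; that is the case the "Broken drives" notes above hand over to ATA Enhanced Secure Erase or to the hammer.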

2011-03-02

Using java keytool to import private key into JKS java keystore

I got a question how to import a private key into a JKS keystore.
According to some resources it is not possible with the standard tools.

The answer is to use the -importkeystore option of the Java keytool. Keytool allows conversion between the different keystore types which are currently known to your Java virtual machine.
For example you can import a key+certificate from PKCS12 format (extensions .p12 or .pfx in the Windows world).

keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -destkeystore server.jks -deststoretype jks


If you have the key and certificate in PEM format you can easily convert them to PKCS12 with openssl:
#Join key, certificate and certs of certification authority to one file
cat server_key.pem server_cert.pem server_cacert.pem > server.pem
#Convert to PKCS12
openssl pkcs12 -export -out server.p12 -in server.pem
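As an added example (not from the original post), the script below wraps the two steps above and adds the check that usually bites in practice: verifying that the PEM private key actually belongs to the certificate before packaging (a mismatched pair still imports, and only fails later at TLS handshake time), and giving the entry an explicit alias instead of the default alias 1 that keytool shows for a PKCS12 built without -name. File names, the alias and the password are assumptions; the self-test generates throwaway self-signed pairs with openssl.

```shell
#!/bin/bash
# Added example: PEM key + certificate -> PKCS12 -> JKS, with a key/cert
# match check first. Function names, file names and passwords are assumptions.

# Return 0 if the public key inside certificate $2 equals the public key
# derived from private key $1 (2 if either file cannot be parsed).
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 2
    [ "$from_key" = "$from_cert" ]
}

# Arguments: key.pem cert.pem cachain.pem(or "") out.jks [alias] [password]
pem_to_jks() {
    key=$1; cert=$2; chain=$3; out=$4; alias=${5:-server}; pass=${6:-changeit}
    p12=${out%.jks}.p12
    if ! key_matches_cert "$key" "$cert"; then
        echo "private key does not match certificate, refusing to package" >&2
        return 1
    fi
    # Optional CA chain; -name sets the alias keytool will show.
    if [ -n "$chain" ]; then set -- -certfile "$chain"; else set --; fi
    openssl pkcs12 -export -inkey "$key" -in "$cert" "$@" \
        -name "$alias" -passout "pass:$pass" -out "$p12" || return 1
    keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 \
        -srcstorepass "$pass" -destkeystore "$out" -deststoretype jks \
        -deststorepass "$pass" -noprompt
}

# Self-test: two throwaway self-signed pairs (constructed, not real CA
# material). The key of "a" must match cert "a" and must not match cert "b".
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=a -days 1 \
        -keyout "$d/a.key" -out "$d/a.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=b -days 1 \
        -keyout "$d/b.key" -out "$d/b.crt" 2>/dev/null
    if key_matches_cert "$d/a.key" "$d/a.crt"; then r1=match; else r1=mismatch; fi
    if key_matches_cert "$d/b.key" "$d/a.crt"; then r2=match; else r2=mismatch; fi
    rm -rf "$d"
    echo "$r1 $r2"
}

# Usage with the file names from the post:
#   pem_to_jks server_key.pem server_cert.pem server_cacert.pem server.jks server changeit
```

Check the result with `keytool -list -v -keystore server.jks`; the entry type should read PrivateKeyEntry under the alias you chose, which is what a server needs (a trustedCertEntry means only the certificate made it in).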



Relevant links:
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
http://www.herongyang.com/crypto/Key_Formats_PKCS8_PKCS12_4.html
http://mindprod.com/jgloss/keytoolexe.html#EXPORTING
http://www.agentbob.info/agentbob/79-AB.html

2011-02-28

Dualboot - Windows (Truecrypt) + Linux (LUKS) *

Split disk

Assuming this split of disk:
  1. sda1 - >250MB Boot partition (unencrypted)
  2. sda2 - partition for Windows (will be encrypted by truecrypt)
  3. sda3 - Linux system partition (will be LUKS encrypted)
  4. extended partition
    1. sda5 - swap (will be LUKS encrypted)
    2. sda6 - home (will be LUKS encrypted)
    3. .... rest

Install Windows XP

Install Windows to the second partition.

Install Linux + LUKS

During installation of Linux (assuming Fedora), install grub to the boot partition (sda1).
Do not bother putting it to sda at this point, as the next step would rewrite it anyway.

The next step is to install realcrypt (the TrueCrypt package for Fedora):

sudo rpm -ivh http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-stable.noarch.rpm
sudo rpm -ivh http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-stable.noarch.rpm
yum install realcrypt

Take a backup of the boot sector - to use it in the Windows boot loader later on. Copy the file to a flash disk or another computer to have it handy when you are in Windows.

cd /boot
dd if=/dev/sda of=sda_grub.mbr bs=512 count=1

Install Truecrypt to Windows

This will install TrueCrypt into the master boot record.
Copy the Grub master boot record to some directory on the Windows partition and configure C:\boot.ini to be able to boot grub from Windows:
C:\BOOT\SDA_GRUB.MBR="Grub Master Boot"

Restore the Grub bootloader domination

Reboot the machine and use the Grub line in NTLDR to boot GRUB.
Back up the Windows/TrueCrypt boot sector:
dd if=/dev/sda of=/boot/grub/sda_truecrypt.mbr bs=512 count=1
Modify Grub - /boot/grub/grub.conf - add an option for Windows/TrueCrypt:
title Windows XP
rootnoverify (hd0,1)
chainloader (hd0,0)/grub/sda_truecrypt.mbr

Reinstall Grub to the master boot record (sda=hd0) and to the boot partition (sda1=hd0,0):
#grub
root (hd0,0)
setup (hd0,0)
setup (hd0)
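Both the Fedora 16 post above (grub2 rewriting far more than the MBR) and this procedure (a 1-sector backup of each boot loader) come down to knowing which sectors of the first track a boot loader installation touches. As an added example, not from the original posts, the script below saves the whole gap before the first partition and lists the sectors in which two such images differ: run it before and after grub2-install or a TrueCrypt install to see exactly what was overwritten, and compare sector 0 against a saved .mbr file to know whether the chainloaded copy is still current. Function names are my own; the self-test uses constructed zero-filled images, not a disk.

```shell
#!/bin/bash
# Added example: snapshot the boot track and list which 512-byte sectors
# changed between two snapshots. Function names are assumptions.

SECTOR=512

# Copy the first $2 sectors of device $1 (default 2048, i.e. up to where the
# first partition usually starts) into file $3. Needs read access to the device.
save_boot_track() {
    dev=$1; count=${2:-2048}; out=$3
    dd if="$dev" of="$out" bs=$SECTOR count="$count" 2>/dev/null
}

# Print, one per line, the sector numbers in which image $1 and image $2 differ.
# cmp -l gives the 1-based byte offset of every differing byte; dividing by the
# sector size and deduplicating turns that into a sector list.
changed_sectors() {
    cmp -l "$1" "$2" 2>/dev/null | awk -v s="$SECTOR" '{ print int(($1 - 1) / s) }' | sort -un
}

# Return 0 if sector 0 of device $1 is byte-identical to the saved MBR file $2,
# i.e. the chainloaded copy still matches what is on the disk.
mbr_is_current() {
    dd if="$1" bs=$SECTOR count=1 2>/dev/null | cmp -s - "$2"
}

# Self-test on constructed data: two 64-sector zero-filled images, the second
# with sector 0 (the MBR) and sector 5 overwritten. Prints "0 5".
demo() {
    dir=$(mktemp -d)
    dd if=/dev/zero of="$dir/before.img" bs=$SECTOR count=64 2>/dev/null
    cp "$dir/before.img" "$dir/after.img"
    printf 'FAKE-LOADER' | dd of="$dir/after.img" bs=$SECTOR seek=0 conv=notrunc 2>/dev/null
    printf 'FAKE-DATA' | dd of="$dir/after.img" bs=$SECTOR seek=5 conv=notrunc 2>/dev/null
    changed_sectors "$dir/before.img" "$dir/after.img" | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$dir"
}

# Usage against a real disk (as root):
#   save_boot_track /dev/sda 2048 /boot/track-before.img
#   ... install or restore a boot loader ...
#   save_boot_track /dev/sda 2048 /boot/track-after.img
#   changed_sectors /boot/track-before.img /boot/track-after.img
#   mbr_is_current /dev/sda /boot/grub/sda_truecrypt.mbr && echo "saved MBR still matches"
```

A loader that only touches sector 0 leaves a single line; a grub2 install that embeds its core image into the post-MBR gap shows up as a run of sectors, which is the footprint the Fedora 16 post ran into.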

WebFonts causing Firefox to crash

Due to some error in pango, Firefox / Galeon etc. keep crashing when too many webfonts are loaded on one page. Examples of such sites are http://www.google.com/webfonts or
Template Designer/Advanced/Page here on blogger.com.

Workaround would be to install the webfonts locally:

cd /tmp
wget http://joemaller.com.nyud.net/googlewebfonts.tgz
tar xzvf googlewebfonts.tgz
cd googlefontdirectory
mkdir /usr/share/fonts/googlefontdirectory/
find ./ -type f -name '*.ttf' | xargs -i cp '{}' /usr/share/fonts/googlefontdirectory/
/usr/bin/fc-cache -f /usr/share/fonts/googlefontdirectory/



Fedora bug 673830

2011-02-26

Installing Avast antivirus to Fedora 14

I wanted to try the Linux version of the Avast antivirus, but I ran into some trouble after running an update. It seems that the default chunk of shared memory which Fedora 14 has set is just enough to run Avast with the old signatures. With new signatures it is not able to start.
The solution is to increase the kernel.shmmax parameter.
$ sudo sysctl -w kernel.shmmax=100000000
Relevant Links
http://forum.avast.com/index.php?topic=57764.15

Using device mapper to mount the sliced partition

Let's say you have taken an image of a drive and sliced it into several pieces.
How do you mount it as a single partition for a forensic investigation?

A sliced image might have been prepared with a tool like dcfldd. Slicing the image into smaller chunks might be useful for example to be able to store the files on a filesystem with poor support for large files, or to burn them to DVD media later on.
Example of acquiring the image:
$ dcfldd if=/dev/sda1 split=4G of=img_sda1 bs=8M hash=md5,sha1 hashlog=img_sda1.sum hashwindow=1G
Outline 
  1. Acquire sliced disk image
  2. Setup files as loopback devices
  3. Set devices read only 
  4. Prepare description table for the device mapper (dmtable)
  5. Create the device based on the layout in dmtable
  6. Set the mapped device readonly
  7. mount read-only the filesystem

Caveats
  • when creating the image use chunks divisible by 512 (the default sector size used by the device mapper). If you use human readable units like k, M, G - everything is super green :).
  • by default the loop module is loaded (Fedora 14) with 8 loop devices enabled.
  • keep the right order of the image slices
  • keep the created device read only so as not to compromise the data
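The first, third and fourth caveats can be checked mechanically before anything is mapped. As an added example (not from the original post), the functions below take the slices in name order, refuse any slice whose size is not a whole number of 512-byte sectors, and emit the device-mapper linear table with the running offsets computed; the self-test uses two constructed sparse 8 MiB files, the same size as the test slices further down. Function names are my own.

```shell
#!/bin/bash
# Added example: build the dmsetup "linear" table for image slices and check
# the 512-byte alignment caveat first. Function names are assumptions.

SECTOR=512

# Read "<device> <size in bytes>" lines on stdin, in slice order, and print one
# table line per slice: "<start sector> <length in sectors> linear <device> 0".
# Fails with exit 1 (and no further output) if a size is not sector aligned.
build_dmtable() {
    offset=0
    while read -r dev bytes; do
        [ -n "$dev" ] || continue
        if [ $(( bytes % SECTOR )) -ne 0 ]; then
            echo "error: $dev is $bytes bytes, not a multiple of $SECTOR" >&2
            return 1
        fi
        sectors=$(( bytes / SECTOR ))
        printf '%d %d linear %s 0\n' "$offset" "$sectors" "$dev"
        offset=$(( offset + sectors ))
    done
}

# Arguments: <first loop index> <slice file>... ; maps slice N onto
# /dev/loop<first+N>. A glob such as img_sda1.[0-9]* expands in lexical order,
# which keeps zero-padded slices in the right order.
table_for_files() {
    i=$1; shift
    for f in "$@"; do
        printf '%s %s\n' "/dev/loop$i" "$(stat -c %s "$f")"
        i=$(( i + 1 ))
    done | build_dmtable
}

# Self-test on two constructed sparse 8 MiB slices (no real image needed).
demo() {
    d=$(mktemp -d)
    truncate -s 8M "$d/img.000" "$d/img.001"
    table_for_files 0 "$d"/img.[0-9]*
    rm -rf "$d"
}

# Usage once the slices are attached read-only to /dev/loop2, /dev/loop3, ...:
#   table_for_files 2 img_sda1.[0-9]* > dmtable.txt
#   sudo dmsetup create img_sda1 dmtable.txt
#   sudo blockdev --setro /dev/mapper/img_sda1
```

A slice that fails the alignment check cannot be fixed by padding (the offsets of everything after it would shift); re-split the original image with sizes in k, M or G units instead.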

Test scenario
Let's prepare 2 slices for testing. One full of zeroes and the second one full of ones.
$ #Create one image full of 0
$ dcfldd pattern=00 of=img_sda1.000 bs=8M count=1

$ #Create second image full of 1
$ dcfldd pattern=FF of=img_sda1.001 bs=8M count=1

$ ls -l img_sda1.00*
-rw-rw-r--. 1 rebus rebus 8388608 Feb 26 01:52 img_sda1.000
-rw-rw-r--. 1 rebus rebus 8388608 Feb 26 01:53 img_sda1.001

$ #Hex dump will show one file full 0 and second full of ones
$ od -x img_sda1.000
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
40000000
$ od -x img_sda1.001
0000000 ffff ffff ffff ffff ffff ffff ffff ffff
*
40000000

Increase number of loop devices 
RedHat EL4 way
In case you need to use more than the default number of loop devices (8), it is possible to establish more loop devices (up to 255) by unloading the loop kernel module and reloading it with the max_loop parameter set to the number you need (max_loop=128 below).
$ sudo rmmod loop
$ sudo modprobe loop max_loop=128

Alternatively it is possible to place the option to the /etc/modprobe.conf
echo "options loop max_loop=128" >> /etc/modprobe.conf
Fedora 14 way
In Fedora 14 the loop driver is built into the kernel and not a separate module. By default only 8 loopback devices appear in /dev.
It is possible to create the devices manually:
$ sudo mknod /dev/loop8 b 7 8
sudo mknod /dev/loop9 b 7 9
sudo mknod /dev/loop24 b 7 24


Or you can make it easy:
$ sudo yum install MAKEDEV
$ MAKEDEV loop

Setup Loopback devices
$ sudo losetup /dev/loop0 img_sda1.000
$ sudo losetup /dev/loop1 img_sda1.001

$ #Check the device sizes in sectors (needed for dmtable)
$ blockdev --getsize /dev/loop0
16384
$ sudo blockdev --getsize /dev/loop1
16384

$ #set devices read only
$ sudo blockdev --setro /dev/loop0
$ sudo blockdev --setro /dev/loop1

Generate suitable dmtable
$ cat > dmtable.txt << EOF
#offset  size    mode   device seek
0       16384 linear /dev/loop0 0
16384   16384 linear /dev/loop1 0
EOF

Map the device of using the dmsetup
$ sudo dmsetup create img_sda1 dmtable.txt
$ sudo blockdev --setro /dev/mapper/img_sda1

Check
Check that the device is really mapped and that everything works as expected. In our test case we can use od to print the content of the image and compare it to the original results.
$ ls -l /dev/mapper/img_sda1
lrwxrwxrwx. 1 rebus rebus 7 Feb 26 06:34 /dev/mapper/img_sda1 -> ../dm-6
$ sudo od -x /dev/mapper/img_sda1
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
40000000 ffff ffff ffff ffff ffff ffff ffff ffff
*
100000000

Alltogether
Now let's put everything into a nice script which will do all of it for dozens of image slices. Do not forget that you need enough loop devices.

#!/bin/bash
#############################################
# Name: mount_slices.sh
# Author: Michal Ambroz
# Copyright: GPLv2+
#############################################
export PATH=$PATH:/usr/sbin:/sbin

TARGET="img_sda1"
#Slices are picked up in lexical order, so the numbering keeps them in the right order
IMAGES=`ls ${TARGET}.[0-9]*`
ICOUNT=`echo $IMAGES | wc -w `

DMTABLE=/tmp/dmtable
STARTLOOP=2
TOTALSIZE=0

#Remove a previous mapping of the same name, if any
sudo dmsetup remove "$TARGET" 2> /dev/null

#Loop devices - one read-only loop device per slice, table line per slice
rm -f $DMTABLE.$$
I=$STARTLOOP
for IMAGE in $IMAGES ; do
sudo losetup -d /dev/loop${I} > /dev/null 2>&1
sudo losetup /dev/loop${I} "$IMAGE"
sudo blockdev --setro /dev/loop${I}
LSIZE=`sudo blockdev --getsize /dev/loop${I}`
echo "$TOTALSIZE $LSIZE linear /dev/loop${I} 0 " >> $DMTABLE.$$
TOTALSIZE=$(( $TOTALSIZE + $LSIZE))
I=$(( $I + 1 ))
done
echo "$ICOUNT slices, $TOTALSIZE sectors in total"

echo sudo dmsetup create "$TARGET" $DMTABLE.$$
sudo dmsetup create "$TARGET" $DMTABLE.$$
echo sudo blockdev --setro "/dev/mapper/$TARGET"
sudo blockdev --setro "/dev/mapper/$TARGET"


Relevant links
http://linuxgazette.net/114/kapil.html
http://www.generationip.com/documentation/mini-howto/78-howto-create-loop-device-on-redhat-centos-or-fedora
http://sourceware.org/dm/
http://sources.redhat.com/lvm/
http://adam.younglogic.com/2010/12/mounting-a-kvmqemu-vm-root-partition-in-fedora-14/
http://www.forensicswiki.org/wiki/Mounting_Disk_Images