Open Source Security Tools : Practical Guide to Security Applications part 41 doc


Making Copies of Forensic Evidence

share = Printer3 - Acrobat Distiller
share = Printer2 - Acrobat PDFWriter
User = Administrator, , , Built-in account for administering the computer/domain
Admin is TONYVPRDESKTOP\Administrator
User = Howlett, , ,
User = Guest, , , Built-in account for guest access to the computer/domain
User = HelpAssistant, Remote Desktop Help Assistant Account, Account for Providing Remote Assistance
User = SUPPORT_388945a0, CN=Microsoft Corporation,L=Redmond,S=Washington,C=US, , This is a vendor's account for the Help and Support Service
User = Tony Howlett,

In this listing you can see two users you don’t normally see in the User Accounts section on your Windows system: the HelpAssistant and SUPPORT users. These are system-level users for internal programs (the Remote assistance features and the annoying Notify Support feature that pops up every time a program bombs out). Other hidden users concealed by a skilled intruder could be revealed using this tool.

This chapter is not meant to be a comprehensive listing of all possible forensic tools, but these tools should give you enough to get started with basic forensic activity on just about any system. If you are doing this as a career or have an involved investigation, there are many other tools available. For a good listing of open source forensic tools, visit www.opensourceforensics.org/.

Howlett_CH11.fm Page 379 Friday, June 25, 2004 12:33 AM

CHAPTER 12: More on Open Source Software

You know now how to keep your data safe inside and outside your network and how to detect and investigate attacks on your systems and networks. This book has reviewed dozens of open source security tools covering just about every aspect of information security. However, this just scratches the surface of what is available.
For each category, I tried to pick the best tool (in my opinion) to showcase, but there were often scores of others to choose from. In addition, there are open source software alternatives for just about every type of application you can think of, including word processors, network management, multimedia, and more. The list goes on and on.

This final chapter gives you some resources for further investigation of open source security tools and how to get involved in the open source community.

Open Source Resources

If you want to further explore the world of open source software, check out the many resources on the Internet.

USENET Newsgroups

USENET is a network of servers that hosts discussion lists on subjects as varied as politics, hobbies, and of course computers. These forums are called newsgroups and they act as a sort of community bulletin board for people interested in particular topics. USENET got its start as a technical discussion group, and there is still a wide variety of groups covering technical subjects. Although spammers and the use of Web-based forums have dulled the effectiveness of USENET, there are still a number of active USENET newsgroups related to open source.

You need a USENET newsreader to access USENET. Most modern browsers have one built in. In Internet Explorer, from the Tools menu choose Mail and News, and then select Read News. You also need a valid USENET News Server to subscribe to. ISPs used to provide this service as part of their standard offering and many still do. If yours doesn’t, there are public USENET servers you can connect to. Check out www.newzbots.com to find public USENET feeds. Once you’ve subscribed to a server, here are a few of the general groups that might be of interest. There are many others related to specific operating systems or programs.
• comp.sci.opensource
• comp.os.linux.advocacy
• comp.os.unix.bsd.freebsd.misc
• comp.os.unix.bsd.openbsd.misc

You can also go to the Google Groups site (click on Groups at www.google.com). In addition to having access to current postings and groups, it houses the former Dejanews site, which was an archive of USENET news discussions going back to 1992. However, the use of USENET is declining and many forums are moving to Web-based forums or moderated mailing lists to cut down on the noise-to-signal ratio in the postings.

Mailing Lists

There are many mailing lists related to open source. Most are specific to a particular program. They are used to provide support and collaboration on the project. Check the Web site or documentation for your program to find out if it has a mailing list and how to subscribe. The tools discussed in this book have pertinent mailing lists shown at the beginning of each tool section. There are also some general discussion lists.

• Linux general discussion: http://computers.rootsweb.com/ To subscribe, send an e-mail to LINUX-L-request@COMPUTERS.rootsweb.com and put SUBSCRIBE on the Subject line.
• BSD mailing list archive: http://www.hu.freebsd.org/hu/arch/

Web Sites

There are tons of Web sites about open source software. Any project of a decent size will have a Web site dedicated to it. There are also some good general information sites. The following are great sites to start if you are just getting into open source.

SourceForge

SourceForge (sourceforge.net) is a great Web site for support and information on open source projects (see Figure 12.1). It is run by the Open Source Development Network, which funds the site with ads and by selling its open source development software. SourceForge provides a forum for discussing open source software and has many resources for open source projects.
If you have a budding open source program, SourceForge will provide you with a home page, forums, project management tools, a place to store your program for download, and many other resources. This is all provided for free, although there are some strings attached to your use of them. It is also a great place to look through the over 80,000 open source software projects cataloged there, and they are searchable by category and platform. Granted, some of them are probably half-baked ideas with minimal support, but there are also thousands of full-featured, time-tested programs. You can get involved with any of the projects or get feedback or support there. SourceForge attracts hundreds of thousands of users and creators of the latest open source software. If you are starting up a project, it’s a great place to look for recruits.

Figure 12.15 SourceForge Web Site

Slashdot

Slashdot (www.slashdot.org) is a site for news on all things open source. It is written and maintained by and for hardcore coders, mostly open source based. Go there to get the latest scuttlebutt, rumors, and breaking news as well as all kinds of interesting articles and opinions. It is part geek shoptalk, part hard news and articles, and part satire and commentary. In fact, it has become part of the techie lexicon to say a site has been “slashdotted” when it receives an overwhelming amount of traffic from being mentioned on the site.

Freshmeat

Freshmeat (www.freshmeat.net) is a no-nonsense site for discussing and developing open source software. It is kind of a combination of Slashdot and SourceForge but on a smaller scale. This might be a plus for some who are intimidated by SourceForge’s size and the number of options and resources. It also has articles and discussion groups as well as directly offering many projects for download.

Open Source Initiative

The Open Source Initiative (www.opensource.org) is an organization dedicated to promoting and refining the concept of open source software development. It offers a formal definition of what open source software should consist of and offers certification of such status, even though many people may claim this is a moving target and open source by definition is constantly changing and indefinable. Only a handful of programs so far bear their approval seal, but they are some of the bigger ones such as the Apache Web server and the Sendmail program. I feel that it’s a move in the right direction for the future of open source: Only once the open source world organizes itself and agrees to certain standards will it gain a significant foothold in corporate America. Standardization promotes adoption.

Free Software Foundation

This site (www.fsf.org) is the home base for one of the two major camps in the open source world. The FSF houses the GNU project as well as their official software products. It is also the place to find the GPL license and learn all about how it works. Some might see their view of advocating that all software should be free as radical, but they have certainly provided the base for much of the open source software available today.

There are many, many other sites on open source software, and new ones are being established all the time. Use your favorite search engine and enter the terms “open source security” or “open source software” and see where it takes you.

Joining the Open Source Movement

Once you’ve used the open source security tools in this book and benefited from them, you may feel like you want to get more involved. In most cases, the software is free and you are not obligated to do anything in return for the benefit you receive. However, a lot of time and effort went into building and maintaining the software you are using, all of it by volunteers.
The only way that open source continues to work and grow is by the collective effort. This may sound vaguely socialist to some, especially to employees of commercial software concerns, but it is not that different from your local PTA or little league baseball organization. It is the people involved who make open source software great. By getting involved, you will not only help keep open source alive and growing, but also meet friends who have the same interests, make valuable business contacts in your field, and learn a lot in the process about project management, working with others, and of course technical knowledge and experience.

You don’t have to be a coding guru to contribute. The key to helping the open source movement prosper is just to participate. There are a number of ways you can get involved, ranging from taking a few hours of your time to this work becoming a second job.

Bug Finder/Beta Tester

Even if you are just a user and have no interest in coding, you can help your favorite open source security tool. Most major projects have bug tracking mailing lists, and some have more complicated systems for reporting issues. If you are working with the program and find something that doesn’t work right, report it and see if it can be fixed. In the process of getting your problem fixed, you’ll help the developers track down bugs and improve the program. Of course, you will want to make sure that the problem you are having is a software bug and not an installation error on your part, but the people on the lists are usually more than happy to set you straight.

To report bugs properly, make sure that you gather all the environmental variables and try to duplicate the problem to figure out under exactly what conditions the error happens. Things like operating system, version of the program, settings, hardware, and so on are all important.
Also make sure you have any error messages, log files, or core dumps for the developers to analyze.

You can also be a beta tester of the latest code. Some projects offer you the ability to run either “stable” or “experimental” code. While most users will use the stable code, you can be a trailblazer and try the experimental or beta versions. Keep in mind that there may be hiccups while using this software; for example, sometimes the new code will break things that worked before. If you are going to run beta code, you will probably want to run it on a test machine before putting it into production.

Other projects may distribute beta code to a limited list of testers. They will want the first users of the code to be experienced users who know they are using beta software. That way, they can rule out the usual newbie mistakes and have users who understand how the software works and can accurately describe their problems. So, you probably shouldn’t volunteer to be a beta user until you have some experience with the software. When you are ready, ask the key developers to be put on this list. This way you can help improve the software for future users. The side benefit of this is that you will be the first to get cutting-edge features and you can be instrumental in deciding what new features get added.

Participate in Discussion Groups and Support Other Users

Most open source projects have a mailing list for discussion and technical questions. You should subscribe to this list even if you don’t plan on participating right away. You don’t have to be an active poster to the list to gain some benefits. It’s okay to just “lurk” and read the questions and answers that are posted. I have learned a lot of things about the software that I never would have found out, just by casually following the mailing list discussions. A word of warning, though: Some of these lists are very active and have dozens of messages posted a day.
This can be overwhelming for some, especially if you are already overworked like most system administrators. But even reading only an occasional message that interests you can be of value. If you feel you are getting too much e-mail, consider subscribing to a “digest” version of the list, which is a single message you get daily or weekly that contains a compilation of all the messages posted. This way you only get one message and can sort through it when you have the time. Still, make sure you understand how to unsubscribe from a list before subscribing so you can get off the list easily if the volume is too much for you to handle.

Most open source mailing lists use a software package called Majordomo to manage their lists (this is also an open source project!). The standard commands for subscribing and unsubscribing on this kind of system are as follows.

• Subscribe: Send a message to the list manager address (usually found on the Web site) with the word “Subscribe” in the subject and body of your message. You may get a message to confirm that you do want to be on the list. Once you reply, you’ll start getting messages.
• Unsubscribe: Send a message to the list manager address, and put the word “Unsubscribe” in the subject and body of the message.

Mailing lists can be operated as moderated or unmoderated forums. In the unmoderated format, anyone can post anything and the messages go up immediately. This is the best kind of list for getting information quickly. However, many unmoderated lists quickly fill up with off-topic conversations, arguments, and flame-wars. That’s why most lists are now moderated, which means that a person, the list moderator, must review each post, decide if it’s relevant to the list charter, and approve it to be posted.
This makes for a much lower message volume that is always relevant, but it may mean your posts for help on a subject are delayed for several days until the moderator gets around to it. And moderators will usually shut down list activity for holidays (moderators deserve holidays too), so getting answers during a holiday may be spotty.

Once you are confident that you can hang with the big dogs, begin making some posts, answer some easy questions, and provide an opinion here or there. This will take the load off of more technical developers by having others answer basic questions, and it will also provide a wider base of knowledge for the whole project. After all, you may have experience with a specific configuration or platform that no one else has—you may be operating in an unusual environment or you might have a different take on a particular question or issue. Chances are that someone out there can use your help. You will feel good about helping others and you’ll be amazed at how thankful and gracious the people you help will be. If only your internal users could be so nice and grateful!

Provide Resources to the Project

Here is something you can do even if you don’t have programming abilities or much experience with the software. Open source projects generally don’t have any revenue to support any expenses incurred in the development and maintenance of the software. While most of the labor is provided by the volunteers, there are still the issues of where to host the Web site for the project, what hardware to put it on, and many others. Again, the participants usually donate most of this. If you have an old machine that could be used as a Web server, let the key people know. You’d be surprised what an old machine can do running Linux and Apache. If your company is amenable to it, see if you could offer to host the project Web site on company bandwidth.
Your company might not want to do it if it’s a big project, but for small projects just getting off the ground bandwidth utilization will probably be minimal and most of it will be during non-office hours.

If you have Web design skills, offer to put up a Web site. If your personal ISP provides free Web site space, offer to use that for the project. A nonprofit endeavor usually falls under your terms of service for personal Web space. Finally, some open source packages even accept good old greenbacks as a “donation” for using the software. You might be able to convince your company to put up a few bucks as an alternative to paying retail for off-the-shelf software.

Anything you can think of will usually come in handy for an open source project. Graphic design skill to design a logo, e-mail accounts to support the mailing lists, legal help in crafting the licenses—all these things represent creative ways to help your favorite open source project.

Patronize Companies That Use or Support Open Source Products

While you don’t have to spend your budget dollars on the software, you do spend money on other things. When buying hardware, software, or services, make it a point to give vendors who use or support open source software special consideration. After all, if companies can be commercially viable by using open source software as a key part of their offerings, it only strengthens the cause. Companies such as Sun, IBM, and Dell are heavily promoting open source.

More Open Source Security Tools

You should now understand the basic concepts of information security and how to apply them to your company using open source security tools. Using the programs and information in this book, you can make your systems and network much more secure from the dangers of computer crime. We have covered programs that will bring greater confidentiality, integrity, and availability to your networks, systems, and data, all for a price that should fit into everyone’s budget.

Hopefully, you understand that good information security is more than just programs and technology. It is also about processes and people. It takes a combination of good people, processes, and technology to truly secure your network. Open source security tools can give you best-of-breed software to build a solid foundation for information security.

The open source movement is growing every day, increasing its visibility and legitimacy. I hope that this book encourages you to become more involved and contribute to the effort of creating quality security tools using the open source framework. It is a lot of fun, you will learn a lot, and you will feel good about making the Internet and networks more secure. Perhaps a future edition of this book will feature an open source security tool written by you.

Date posted: 04/07/2014, 13:20
