Accessing F-Response using Linux

Aug 18, 2009

While we haven't done any official testing of F-Response access using the Linux Open-iSCSI initiator, AAron Walters of Volatile Systems (makers of very impressive memory analysis software) sent us a very nice summary outlining the use of the Linux initiator with F-Response.

I've included it below; while we don't officially support Linux, we hope you find it useful!

Using Open-iSCSI Initiator with F-Response

This tutorial describes how you can use the F-Response target with a Linux initiator. This will allow you to remotely mount the read-only disks of a suspect Windows machine (192.168.1.100) on your Linux workstation for further analysis. In particular, this tutorial will focus on the open-iscsi implementation of the iSCSI initiator defined in RFC 3720, which can be found at the following URL:

http://www.open-iscsi.com/

The Open-iSCSI initiator requires the system to be running at least a 2.6.16 kernel. It is also important that the initiator system's kernel is configured to support the "Cryptographic API" and the "CRC32c CRC algorithm". These are the CONFIG_CRYPTO and CONFIG_CRYPTO_CRC32C kernel options:

Device Drivers --->
  SCSI device support --->
    [*] SCSI device support
    <*> SCSI disk support

Cryptographic options --->
  [*] Cryptographic API
    <*> CRC32c CRC algorithm

It is also important that your kernel is compiled to support mounting Windows partitions.

File systems --->
  DOS/FAT/NT Filesystems --->
    <*> MSDOS fs support
    <*> VFAT (Windows-95) fs support
    <*> NTFS file system support

Once the Open-iSCSI software has been downloaded and installed, we can start the Open-iSCSI daemon:

/etc/init.d/iscsid start

Once the Open-iSCSI daemon is started, we use the configuration utility, iscsiadm. This tool is used to manage the persistent database that stores configuration information. The Open-iSCSI configuration relies heavily on the notion of interface structures: for each network device that you plan to bind sessions to, you must create an iface config. These configs are typically stored within the following directory:

/etc/iscsi/ifaces

These config files can be created by hand or with iscsiadm's iface mode. For each F-Response target that you wish to bind a session to, you must create a separate iface config. A new iface config template file can be created using the following command:

iscsiadm -m iface -I iface0 --op=new

Using the ifconfig command, we are able to determine the MAC address of the Ethernet card that will be used on the Linux workstation. Next we set the hardware MAC address in the config file using the following command:

iscsiadm -m iface -I iface0 --op=update -n iface.hwaddress -v AA:BB:CC:DD:EE:FF

F-Response requires a username and password for authentication. In order to update this configuration, we edit the Open-iSCSI default configuration found in /etc/iscsi/iscsid.conf. In this file we update the following configuration parameters:

node.session.auth.authmethod = CHAP

node.session.auth.username = someuser1

node.session.auth.password = passwordpassword

We also need to enable CHAP authentication for the discovery session to the target. In the same file, we update the following configuration parameters:

discovery.sendtargets.auth.authmethod = CHAP

discovery.sendtargets.auth.username = someuser1

discovery.sendtargets.auth.password = passwordpassword

We are now able to use the iscsiadm command to perform discovery. This will enable us to discover any targets that may be exported by a particular host based on its IP address. In this example, we are querying a host with an IP address of 192.168.1.100.

iscsiadm -m discovery -t st -p 192.168.1.100 -P 1

Once you have enumerated a particular target that you are interested in connecting to, you can attach to that target.

iscsiadm -m node -T iqn.2008-02.com.f-response.test-xxxxxxxxxx:0 -l

If you want to mount the remote partitions, you first need to determine which device names they are reported under. This can be accomplished by running the following command as root:

fdisk -l

From the output of this command, you will notice a SCSI drive formatted as a Windows partition. From the Device column you will be able to find the particular device you are looking for. As root, you will also need to create a mount point where you will access your drive. This can be accomplished with the following command:

mkdir /mnt/ntfs

Finally, you will be able to mount the partition using the Linux mount command. The -t argument specifies the type of the filesystem being mounted (ntfs). We also pass the command the particular device that we previously identified (/dev/sda1) and the mount point that will be used to access the file system (/mnt/ntfs).

mount -t ntfs /dev/sda1 /mnt/ntfs

Depending on your needs, you could also update /etc/fstab to make the process a little easier in the future. Now you have read-only access to the filesystem on the remote Windows machine and you can explore the file system using your usual Unix commands. Once you are done analyzing the system, simply unmount the drive:

umount /mnt/ntfs

Then you disconnect the target from the host system using the following command:

iscsiadm -m node -T iqn.2008-02.com.f-response.xxxxxxxxxxxxxx:0 -u

This will log out of all portals on a particular target that are set in the configuration database.
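The whole procedure above, collected into a small set of shell functions as an added example; this is not code from the original tutorial or from F-Response. The iface name (iface0), the iface.hwaddress setting, the IP address, the IQN and the CHAP credentials are the placeholders the post uses; the function names attach_and_mount and detach are hypothetical, the SAMPLE_* strings are constructed here so the parsing helpers can be exercised without a live target, and the `iscsiadm -m session -P 1` check and the `ro,noexec,nodev` mount options are additions that mirror F-Response's read-only export on the workstation side.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): the Open-iSCSI workflow
# wrapped in shell functions. IQN, IP, MAC and CHAP values are the post's
# placeholders; SAMPLE_* strings are constructed, not captured from a session.
set -eu

# Render the CHAP settings for both the discovery and the node session in the
# "key = value" form /etc/iscsi/iscsid.conf expects. Merge the output into that
# file (replacing the existing lines) and keep it mode 0600, because it holds
# the password in clear text.
chap_config() {
    user=$1
    pass=$2
    for scope in node.session discovery.sendtargets; do
        printf '%s.auth.authmethod = CHAP\n' "$scope"
        printf '%s.auth.username = %s\n' "$scope" "$user"
        printf '%s.auth.password = %s\n' "$scope" "$pass"
    done
}

# Pull the target names out of the default (-P 0) output of
# "iscsiadm -m discovery -t st -p <ip>", where each line reads "<portal>,<tpgt> <iqn>".
discovered_targets() {
    awk 'NF == 2 && $2 ~ /^iqn\./ { print $2 }'
}

# From "fdisk -l" output, list partitions whose type is HPFS/NTFS (id 7),
# skipping the "Disk /dev/..." summary lines and non-Windows partitions.
ntfs_partitions() {
    awk '$1 ~ /^\/dev\// && /HPFS\/NTFS/ { print $1 }'
}

# Constructed sample outputs used to exercise the parsers offline.
SAMPLE_DISCOVERY='192.168.1.100:3260,1 iqn.2008-02.com.f-response.test-xxxxxxxxxx:0'
SAMPLE_FDISK='Disk /dev/sda: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        4865    39078081    7  HPFS/NTFS
/dev/sdb1               1        1216     9767488   83  Linux'

# Bring up one session: create the iface (fails if iface0 already exists),
# bind it to the workstation NIC, discover what the suspect host exports,
# check the expected target is among them, log in, confirm the session is up,
# then mount the NTFS partition. Must run as root; exits non-zero on any
# failure. ro,noexec,nodev keeps the evidence volume read-only on this side
# too, so nothing on it is written to or executed by accident.
attach_and_mount() {
    ip=$1 mac=$2 iqn=$3 dev=$4 mnt=${5:-/mnt/ntfs}
    iscsiadm -m iface -I iface0 --op=new
    iscsiadm -m iface -I iface0 --op=update -n iface.hwaddress -v "$mac"
    iscsiadm -m discovery -t st -p "$ip" | discovered_targets | grep -qx "$iqn"
    iscsiadm -m node -T "$iqn" -l
    iscsiadm -m session -P 1
    mkdir -p "$mnt"
    mount -t ntfs -o ro,noexec,nodev "$dev" "$mnt"
}

# Tear down in reverse order: unmount first, then log out of the target.
detach() {
    iqn=$1 mnt=${2:-/mnt/ntfs}
    umount "$mnt"
    iscsiadm -m node -T "$iqn" -u
}

# Example session (run as root; uncomment to use):
# chap_config someuser1 passwordpassword      # merge into /etc/iscsi/iscsid.conf
# attach_and_mount 192.168.1.100 AA:BB:CC:DD:EE:FF \
#     iqn.2008-02.com.f-response.test-xxxxxxxxxx:0 /dev/sda1
# ls /mnt/ntfs
# detach iqn.2008-02.com.f-response.test-xxxxxxxxxx:0
```

The discovery parser deliberately reads the default output format rather than the `-P 1` form shown in the tutorial, because `-P 1` prints a multi-line "Target:/Portal:" layout; the `grep -qx` step makes the script stop before logging in if the target you expected is not what the host actually exports.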

Enjoy!

-M. Shannon

Founder, F-Response

May 7, 2008