SystemWall Prototype Setup

Hardware Setup

Target configuration:

  • FireWire card (connected to matching card on SystemWall computer)
  • Ethernet port, eth0 (connected to SystemWall computer)

SystemWall computer configuration:

  • FireWire card (connected to matching card on Target computer)
  • Ethernet port, eth0 (connected to Internet)
  • Ethernet port, eth1 (connected to Target computer)

Needed files

  • systemwall-pktqueue.py -- Netfilter packet processing script, calls into Volatility plugin
  • syswall.py -- Volatility plugin
  • DummyWhiteList.txt -- Sample white list of programs allowed to make connection, used by syswall.py

SystemWall computer setup

(Target) -- perform the tasks on the target computer, here 172.28.20.102

(SystemWall) -- perform the tasks on the SystemWall computer, here 172.28.20.103

Create a transparent bridge

(SystemWall) Create a transparent bridge through which all communication to the target computer will go [1]. Install bridge-utils and configure the bridge interfaces:

 sudo apt-get install bridge-utils
 sudo vim /etc/network/interfaces

(SystemWall) Append the following to the network interfaces configuration file (this assumes eth0 is the default interface, already connected to the Internet and getting its IP from DHCP):

 auto br0
 iface br0 inet dhcp
      bridge_ports eth0 eth1
      bridge_stp on

(SystemWall) Bring br0 up:

 sudo ifup br0

Install NFQUEUE related packages

(SystemWall) Install the Netfilter queue bindings and the dpkt packet parser:

 sudo apt-get install -y python-nfqueue
 sudo apt-get install -y python-dpkt

Set up packet detection / delay

(SystemWall) We're using iptables; show the current rules:

 sudo iptables -x -v --line-numbers -L

(SystemWall) Add a SYSTEMWALL chain (so we don't mess with rules in other chains), and add rules in FORWARD to send all traffic to or from the target system to the SYSTEMWALL chain for processing:

 sudo iptables -N SYSTEMWALL
 sudo iptables -A FORWARD -s 172.28.20.102 -j SYSTEMWALL
 sudo iptables -A FORWARD -d 172.28.20.102 -j SYSTEMWALL

(SystemWall) Add SYSTEMWALL chain rules for which packets to process: we want to send all SYN/ACK packets going to the target computer to systemwall-pktqueue.py for processing. Note that while SystemWall is processing a packet, the remote host will retransmit duplicate SYN/ACKs; to prevent this we use the limit module and drop packets over the limit. Adjust the limit to your needs:

 sudo iptables -A SYSTEMWALL -d 172.28.20.102 -p tcp --tcp-flags ALL SYN,ACK -m limit --limit 5/m --limit-burst 1 -j NFQUEUE --queue-num 0
 sudo iptables -A SYSTEMWALL -d 172.28.20.102 -p tcp --tcp-flags ALL SYN,ACK -j DROP

Set up Volatility framework with FireWire

(SystemWall) Install the base Volatility 2.3.1 framework using the script at the bottom of page [2]:

 cd ~
 wget https://raw.githubusercontent.com/gleeda/misc-scripts/master/get_plugins_2.0.bsh
 chmod u+x get_plugins_2.0.bsh
 ./get_plugins_2.0.bsh
 cd Volatility
 python vol.py --info

(SystemWall) Copy the SystemWall plugin to the Volatility directory:

 cd ~
 cp syswall.py Volatility/volatility/plugins/linux/

(SystemWall) Copy DummyWhiteList.txt, needed by the SystemWall plugin (generate your own based on the target system, or manually add the allowed programs):

 cd ~
 cp DummyWhiteList.txt Volatility/

(SystemWall) Install forensic1394 library from https://github.com/wertarbyte/forensic1394.

(Target) Set up a profile for the target Linux system (following this page [3]). First, on the target system, generate the profile:

 sudo apt-get install dwarfdump
 sudo apt-get install build-essential
 sudo apt-get install linux-headers-$(uname -r)

 cd ~
 svn checkout http://volatility.googlecode.com/svn/trunk Volatility
 cd Volatility/tools/linux
 make
 cd ~
 sudo zip Volatility/volatility/plugins/overlays/linux/Linux-$(uname -r).zip Volatility/tools/linux/module.dwarf /boot/System.map-$(uname -r)

(Target) Then copy it over to the SystemWall computer:

 cd ~
 scp Volatility/volatility/plugins/overlays/linux/Linux-$(uname -r).zip $USER@172.28.20.103:/home/$USER/Volatility/volatility/plugins/overlays/linux/

Set up systemwall-pktqueue.py

(SystemWall) First, test that Volatility is working over FireWire, for example with the linux_arp plugin to show the ARP table of the target computer:

 cd ~/Volatility
 sudo python vol.py -l firewire://forensic1394//0 --profile=LinuxLinux-3_13_0-24-genericx64 linux_arp

(SystemWall) Now get things going:

 cd ~
 cp systemwall-pktqueue.py Volatility/
 cd Volatility/
 sudo python systemwall-pktqueue.py
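For reference, the accept/drop decision that the NFQUEUE callback has to make for each queued SYN/ACK, written as an added example in pure Python (this is not the project's systemwall-pktqueue.py or syswall.py, and it avoids the nfqueue and dpkt bindings so it runs offline). The port-to-program map stands in for what the Volatility plugin would read from the target's memory over FireWire, and the whitelist format (one program name per line, `#` comments) is an assumption.

```python
# Added example, not the project's own code: the per-packet verdict logic.
import socket
import struct

TARGET_IP = "172.28.20.102"   # target address used throughout the setup above
SYN, ACK = 0x02, 0x10


def parse_ipv4_tcp(raw):
    """Return (src_ip, dst_ip, sport, dport, flags), or None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if len(raw) < ihl + 14:
        return None
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20]),
            sport, dport, raw[ihl + 13])


def load_whitelist(text):
    """Whitelist format assumed: one program name per line, '#' starts a comment."""
    names = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {n for n in names if n}


def verdict(raw, port_owner, whitelist):
    """Accept/drop decision for one queued packet.  port_owner maps the target's
    local TCP port to the owning program name (what the memory plugin would report)."""
    parsed = parse_ipv4_tcp(raw)
    if parsed is None:
        return "ACCEPT"                       # not traffic this filter inspects
    _src, dst_ip, _sport, dport, flags = parsed
    if dst_ip != TARGET_IP or (flags & (SYN | ACK)) != (SYN | ACK):
        return "ACCEPT"                       # iptables only queues SYN/ACKs to the target
    # The SYN/ACK's destination port is the target's local port, i.e. the socket
    # that the connecting program owns; that is what the memory lookup keys on.
    owner = port_owner.get(dport)
    if owner is None:
        return "DROP"                         # fail closed: no process found for this socket
    return "ACCEPT" if owner in whitelist else "DROP"


def build_syn_ack(src_ip, dst_ip, sport, dport):
    """Constructed sample input: minimal IPv4+TCP SYN/ACK (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, SYN | ACK, 8192, 0, 0)
    return ip + tcp
```

In the real script the verdict is returned to the kernel via the nfqueue payload object; the fail-closed branch matters because a SYN/ACK for a socket the memory scan cannot attribute is exactly the case a hidden or injected connection would produce.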

The End.