Design and Implementation of a Documentation Tool for
(continuation of chunk12, whose beginning is not on this page)

            ... != NULL) {
            if (i == 0) {
                if ((ret = chunkwh(0x12)) < 0) return ret;
            }
            if ((ret = chunkwd((unsigned char *)environ[i], strlen(environ[i]) + 1)) < 0) return ret;
            i++;
        }
        if (i > 0) {
            if ((ret = chunkwf()) < 0) return ret;
        }
        return 1;
    }

Defines chunk12 (used in chunk 19); uses chunkwd (21), chunkwf and chunkwh (22d).

0x13 Locale Settings (seven C strings)

Is written at session start. Contains the string values of several locale settings, namely LC_ALL, LC_COLLATE, LC_CTYPE, LC_MESSAGES, LC_MONETARY, LC_NUMERIC and LC_TIME, in that order, each terminated by a null byte.

<<chunks 17a>>+=
    int chunk13(void) {
        int cat[7] = { LC_ALL, LC_COLLATE, LC_CTYPE, LC_MESSAGES,
                       LC_MONETARY, LC_NUMERIC, LC_TIME };
        char *loc;
        int ret;
        if ((ret = chunkwh(0x13)) < 0) return ret;
        for (int i = 0; i < 7; i++) {
            if ((loc = setlocale(cat[i], NULL)) == NULL) return -1;
            if ((ret = chunkwd((unsigned char *)loc, strlen(loc) + 1)) < 0) return ret;
        }
        if ((ret = chunkwf()) < 0) return ret;
        return 0;
    }

Defines chunk13 (used in chunk 19); uses chunkwd (21), chunkwf and chunkwh (22d).

setlocale() requires locale.h:

<<includes 8b>>+=
    #include <locale.h>

0x16 Delay (two 4-byte values)

Contains the number of seconds and nanoseconds that have passed since the last delay chunk or, if this is the first one, since the session started. advancing further in the transcrip
    0e 0e 16 00 00 00 00 00  79 ef 3c 0f 65              |........y.<.e|

The user now continues to type the characters "cho -l", which will be echoed as well:

    0e 0e 16 00 00 00 00 05  b9 48 10 10 0f 0e 63 0f     |.........H....c.|
    0e 0e 16 00 00 00 00 00  79 a5 09 0f 63              |........y...c|
    0e 0e 16 00 00 00 00 0a  7d bf 1e 0f 0e 68 0f        |........}....h.|
    0e 0e 16 00 00 00 00 00  79 db 51 0f 68              |........y.Q.h|
    0e 0e 16 00 00 00 00 0b  71 c4 94 0f 0e 6f 0f        |........q....o.|
    0e 0e 16 00 00 00 00 00  79 fc 54 0f 6f              |........y.T.o|
    0e 0e 16 00 00 00 02 09  89 aa a1 0f 0e 20 0f        |............. .|
    0e 0e 16 00 00 00 00 00  79 f2 83 0f 20              |........y... |
    0e 0e 16 00 00 00 01 2f  35 2a bc 0f 0e 2d 0f        |......./5*...-.|
    0e 0e 16 00 00 00 00 00  79 bb 20 0f 2d              |........y. .-|
    0e 0e 16 00 00 00 00 14  fb 28 4d 0f 0e 6c 0f        |.........(M..l.|
    0e 0e 16 00 00 00 00 00  7a 01 3d 0f 6c              |........z.=.l|
    0e 0e 16 00 00 00 00 2b  64 b7 45 0f                 |.......+d.E.|

Since typing the "l" was a mistake, the user presses the backspace key (ASCII value 127) to remove the last character:

    0e 7f 0f                                             |...|

After the usual delay, the shell will send two things to the terminal: first an ASCII backspace character (08) to position the cursor on the "l", then the ANSI code CSI K (represented by the bytes 1b 5b 4b), which will cause the terminal to make all characters at or right of the cursor's position disappear:

    0e 0e 16 00 00 00 00 00  79 c2 ?? 0f 08 1b 5b 4b     |........y.....[K|

The user now enters the letter "n" and hits the
(continuation of statusmsg, whose beginning is not on this page)

            ... == NULL) die("localtime failed", 0);
        if (strftime(date, sizeof(date), "%c", lt) < 1) die("strftime failed", 0);
        if (printf(msg, date) < 0) {
            perror("statusmsg stdout");
            die("statusmsg stdout failed", 0);
        }
        if (fprintf(OUTF, msg, date, OUTN) < 0) {
            perror("statusmsg transcript");
            die("statusmsg transcript failed", 0);
        }
    }

Defines statusmsg (used in chunks 26e and 38a); uses die (23b), OUTF (22a) and OUTN (26b).

A.8 Initialization

A.8.1 Determining the Binary's Name

To be able to output its own name, e.g. in error messages, forscript determines the name of the binary that has been called by the user. This value is stored in argv[0]. The global variable MYNAME will be used to reference that value from every function that needs it.

<<set my name 24c>>=
    MYNAME = argv[0];

Uses MYNAME (24a).

If forscript was called using a path name, e.g. /usr/bin/forscript, everything up to the final slash needs to be cut off. This is done by moving the pointer to the character immediately following the final slash.

<<set my name 24c>>+=
    char *lastslash;
    if ((lastslash = strrchr(MYNAME, '/')) != NULL) MYNAME = lastslash + 1;

Uses MYNAME (24a).

A.8.2 Processing Command Line Arguments

Since forscript's invocation tries to mimic script's as far as possible, command line argument handling is designed to closely resemble script's behavior. Therefore, like in script, the command line switches --version and -V are treated
The transcript starts with a file version chunk specifying that version 1 is used:

    0e 0e 01 01 0f                                       |.....|

Then a start-of-session chunk follows:

    0e 0e 02 4b 82 d0 73 04  4d 8b e3 00 3c 0f           |...K..s.M...<.|

Its first eight bytes (4b to e3) tell you that the time is 1266864371.072190947 seconds after the epoch, which is February 22, 2010, 18:46:11 UTC. The next two bytes (00 3c) represent a timezone of 60, which translates to UTC+01:00.

After this chunk, the environment variables are listed. These are name/value pairs separated by null bytes. This information is important to interpret the actual terminal data: for example, different control codes are used depending on the TERM variable's setting.

    0e 0e 12 53 53 48 5f 41  47 45 4e 54 5f              |...SSH_AGENT_|
    50 49 44 3d 31 36 33 30  00 47 50 47 5f 41 47 45     |PID=1630.GPG_AGE|
    4e 54 5f 49 4e 46 4f 3d  2f 74 6d 70 2f 67 70 67     |NT_INFO=/tmp/gpg|
    2d 4b 50 62 79 65 43 2f  53 2e 67 70 67 2d 61 67     |-KPbyeC/S.gpg-ag|
    65 6e 74 3a 31 36 33 31  3a 31 00 54 45 52 4d 3d     |ent:1631:1.TERM=|
    72 78 76 74 00 53 48 45  4c 4c 3d 2f 62 69 6e 2f     |rxvt.SHELL=/bin/|
    62 61 73 68 00 57 49 4e  44 4f 57 49 44 3d 32 37     |bash.WINDOWID=27|
    32 36 32 39 38 34 00 55  53 45 52 3d 73 63 79 00     |262984.USER=scy.|
    53 53 48 5f 41 55 54 48  5f 53 4f 43 4b 3d 2f 74     |SSH_AUTH_SOCK=/t|
    6d 70 2f 73 73 68 2d 64  63 74 77 4b 42 31 36 30     |mp/ssh-dctwKB160|
    37 2f 61 67 65 6e 74 2e  31 36 30 37 00 50 41 54     |7/agent.1607.PAT|
    48 3d 2f 68 6f 6d 65 2f  73 6                        |H=/home/s
forensic script. The main advantages of this tool are:

- forscript has the same command line user interface as script, i.e. users used to script can seamlessly switch to forscript.
- forscript defines a portable and extensible file format that contains all user input, timing information and detailed information about the environment. The file format allows appending of files in a natural way.
- Following the paradigm of literate programming [4] and using the programming tool noweb [5], forscript comes with its own user manual and documentation. In fact, this version of the paper contains the entire C source code in a well readable way, i.e. this document is the program and vice versa.

[1] With more recent versions of Linux and Bash, terminals which have the ECHOCTL bit set (for example via stty) will show ^C at the end of an interrupted line, which fixes this problem to some degree. Similar issues, like finding out whether the user entered or tab-completed some text, still persist.

Literate programming [4] is a technique invented by Knuth when developing the TeX typesetting system. Instead of writing more or less commented source code, it propagates writing a continuous text with embedded code fragments. The tool noweb [5] is used to reassemble these code fragments so that they can be compiled into an executable program. Because of its advantages in creating readable source code, we feel that there is much potential for the use of l
    65 78 69 74 0d 0a 66 6f  72 73 63 72 69 70 74 20     |exit..forscript |
    64 6f 6e 65 20 6f 6e 20  4d 6f 6e 20 32 32 20 46     |done on Mon 22 F|
    65 62 20 32 30 31 30 20  30 37 3a 34 36 3a 32 31     |eb 2010 07:46:21|
    20 50 4d 20 43 45 54 2c  20 66 69 6c 65 20 69 73     | PM CET, file is|
    20 74 72 61 6e 73 63 72  69 70 74 0d 0a              | transcript..|

Finally, the exit status 0 of the shell is recorded in an end-of-session metadata chunk and the transcript file ends:

    0e 0e 03 00 0f                                       |.....|

6 Conclusions and Future Work

We presented why script, although often used for digital investigations, lacks features that are crucial for reliable documentation. A new software, forscript, has been designed and implemented; the weaknesses of script have been eliminated.

The primary reason to develop forscript was the need to create a software that enables a forensic investigator to convert an interactive command line session into a version suitable for inclusion in a printed report. While thinking about possible approaches, it became apparent that the output generated by script does not suffice to provide such a software with the information it needs to unambiguously reconstruct what the user did. A tool that records the required information had to be developed first. Next, a tool that is able to parse the output forscript generates must be written. We leave this for future work. forscript will be released by the third author as free software, available at a special web
<<done 37d>>+=
    if (!qflg) statusmsg(STOPMSG);

Uses statusmsg and STOPMSG.

<<constants 16a>>+=
    const char *STOPMSG = "forscript done on %s, file is %s\r\n";

Defines STOPMSG (used in chunk 38b).

Finally it will write an end-of-session chunk, close open file descriptors, reset the terminal and exit.

<<done 37d>>+=
    if (chunk03(status) < 0) die(NULL, 0x03);
    fclose(OUTF);
    close(PTM);
    close(PTS);
    if (tcsetattr(STDIN_FILENO, TCSADRAIN, &TT) < 0) {
        perror("tcsetattr on exit");
        die("tcsetattr on exit failed", 0);
    }
    exit(EXIT_SUCCESS);

Uses chunk03, die, OUTF (22a) and PTM (28c).

Chunk Index

change the terminal (31d), chunks (17a), constants, declarations and definitions, determine the shell (32b), execute the shell (32d), finish (37b), fork subprocesses (8c), forscript.c, functions, further standard input processing (35e), globals (8a), main loop body (35d), open new pseudo terminal (28e), open output file (26c), openpt (31b), preparations of main loop (34a), process command line options (25b), register signal handlers (8a), resized (30a), set my name (24b), swrite (22b), the main loop, winsize.

Identifier Index

_POSIX_C_SOURCE, _XOPEN_SOURCE, aflg, cflg, CHILD, chunk01, chunk02, chunk03, chunk11, chunk12, chunk13, chunk16,
(continuation of chunkwd, whose beginning is not on this page)

        return escaped;
    }

Defines chunkwd (used in chunks 19 and 36c); uses DLE (16a), ESCMAX (16b), ESCMIN, OUTF (22a) and swrite.

OUTF is the already opened transcript file and a global variable:

<<globals 8a>>+=
    FILE *OUTF;

Defines OUTF.

The swrite() function ("safe write") that is being used here will return zero if the number of items written is not equal to the number of items that should have been written.

<<swrite 22b>>=
    int swrite(const void *ptr, size_t size, size_t nmemb, FILE *stream) {
        return fwrite(ptr, size, nmemb, stream) == nmemb;
    }

Defines swrite (used in chunks 21 and 22d).

To be able to use fwrite(), stdio.h has to be included:

<<includes 8b>>+=
    #include <stdio.h>

There are functions to write chunk headers and footers:

<<chunkwhf 22d>>=
    int chunkwh(unsigned char id) {
        int ret;
        for (int i = 0; i < 2; i++) {
            ret = swrite(&SO, sizeof(SO), 1, OUTF);
            if (!ret) return -1;
        }
        return swrite(&id, sizeof(unsigned char), 1, OUTF) - 1;
    }
    int chunkwf(void) {
        return swrite(&SI, sizeof(SI), 1, OUTF) - 1;
    }

Defines chunkwf and chunkwh; uses OUTF, SI (16a), SO and swrite (22b).

There is also a convenience function that writes a meta chunk's header and footer as well as the actual data:

<<chunkwm 23a>>=
    int chunkwm(unsigned char id, unsigned char *data, int count) {
        int ret;
        if (chunkwh(id)) return -1;
        if ((ret = chunkwd(data, c
19:46 is a rather complicated, colored one and therefore contains lots of ISO 6429 control codes (also known as ANSI escape codes) to define the visual appearance. However, before the prompt is written to the data file, forscript writes a delay meta chunk: it took 0.065087679 seconds before the prompt was printed.

             0e 0e 16 00 00 00 00  03 e1 28 bf 0f 1b 5d 30     |.........(...]0|
    3b 73 63 79 40 62 69 6a  61 7a 3a 7e 07 1b 5b 31     |;scy@bijaz:~..[1|
    3b 33 32 6d 73 63 79 1b  5b 30 3b 33 32 6d 40 1b     |;32mscy.[0;32m@.|
    5b 31 3b 33 32 6d 62 69  6a 61 7a 1b 5b 31 3b 33     |[1;32mbijaz.[1;3|
    34 6d 20 7e 20 1b 5b 30  3b 33 36 6d 6d 61 73 74     |4m ~ .[0;36mmast|
    65 72 20 3f 20 1b 5b 31  3b 33 30 6d 30 2e 31 31     |er ? .[1;30m0.11|
    20 1b 5b 30 3b 33 37 6d  31 39 3a 34 36 20 1b 5b     | .[0;37m19:46 .[|
    30 3b 33 33 6d 1b 5b 31  3b 33 32 6d 24 1b 5b 30     |0;33m.[1;32m$.[0|
    6d 20                                                |m |

Next, 1.291995750 seconds after the prompt has been printed, the user types the letter "e" on the keyboard. The letter is enclosed by 0e and 0f in order to mark it as input data:

    0e 0e 16 00 00 00 01 11  67 80 66 0f 0e 65 0f        |........g.f..e.|

After the letter has been typed, the kernel will usually echo the character, that is, put it into the terminal's output stream to make it appear on screen. It will take a small amount of time, in this case 0.0079911 seconds, until forscript receives the character and writes it to the transcript file, this time declaring it as output:
                38 00 65 6e 5f 55 53 2e  55 54 46 2d                 |8.en_US.UTF-|
    38 00 65 6e 5f 55 53 2e  55 54 46 2d 38 00 0f        |8.en_US.UTF-8..|

The terminal forscript is running in is 168 characters wide (00 a8) and 55 characters high (00 37), as the terminal size chunk shows:

    0e 0e 11 00 a8 00 37 0f                              |......7.|

After all these metadata chunks, this is where actual terminal output starts. Since the -q flag was not used, forscript writes a startup message both to the terminal and the transcript, containing date and time and the file name. The final two bytes (0d 0a) represent the control codes carriage return and line feed. Note that, in contrast to the Unix convention of using just line feed (\n) to designate a new line in text files, a terminal (or at least the terminal the authors' machine is using) requires both bytes to be present.

    66 6f 72 73 63 72 69 70  74 20 73 74 61 72 74 65     |forscript starte|
    64 20 6f 6e 20 4d 6f 6e  20 32 32 20 46 65 62 20     |d on Mon 22 Feb |
    32 30 31 30 20 30 37 3a  34 36 3a 31 31 20 50 4d     |2010 07:46:11 PM|
    20 43 45 54 2c 20 66 69  6c 65 20 69 73 20 74 72     | CET, file is tr|
    61 6e 73 63 72 69 70 74  0d 0a                       |anscript..|

Now the shell is started. It requires some time to read its configuration files and initialize the environment; therefore forscript has to wait for it and starts measuring the time until the next piece of data arrives. After the shell has initialized, it prints out its prompt. On this machine the prompt "scy@bijaz ~ master ? 0.11
again there is no visible distinction whether the command was run or not.

- Metadata about the environment script runs in is not logged. This leads to a high level of uncertainty when interpreting the resulting typescript, because even important information like the character set and encoding, but also the terminal size and type, is missing.
- Typescript and timing are separate files but one logical entity. They should reside in one file to protect the user from confusion and mistakes.
- Appending to a typescript file is possible but ambiguous, since the beginning of a new part is determined only by the string "Script started on". Also, appending to a typescript and recording timing information are incompatible, because scriptreplay will only ignore the first header line in a typescript file. Subsequent ones will disturb the timing's byte counter.
- In a sense, script is a typical Unix utility: written in a single C file with hardly any code documentation beyond the manual page. Therefore it is rather cumbersome to read and requires some effort to understand. We believe that software used in digital investigations should strive for better readability, such that it is easier to quickly convince an expert that the code actually does what it promises.

1.3 Forensic script (forscript)

Overall, script has severe deficiencies when used in digital investigations. In this paper we report on the design and implementation of a successor tool, forscript
file name to be "typescript", the chance that replacing script with forscript will break their functionality anyway is quite high. If the file already exists and is a symbolic or hard link, forscript refuses to overwrite the file as long as the file name is not explicitly provided.

There are several command line switches that modify forscript's behavior. For example, using -a it is possible to append the output of forscript to a transcript file. If the target transcript file already exists and is non-empty, it has to start with a valid and supported file version header, which will be explained below.

Normally forscript displays a message when it starts or quits, and it also records its startup and termination time in the typescript file. With the parameter -q, all of these messages will not appear ("quiet"). This is similar to the behavior of script, only that no startup message will be written to the transcript file. This is because scriptreplay unconditionally discards the first line in a typescript file, and so writing the startup message "Script started on" cannot be disabled in script.

By default, forscript will launch the shell specified by the environment variable SHELL. If SHELL is not set, a default shell selected at compile time (/bin/sh, see page …) is used. The shell will be called with -i as its first parameter, making it an interactive shell. However, if forscript is called with the -c option followed by a command, it will launch th
may not be called, to avoid blocking.

<<main loop body 35d>>+=
    if (!drain) {
        FD_ZERO(&fds);
        FD_SET(STDIN_FILENO, &fds);
        FD_SET(PTM, &fds);
        sr = select(highest, &fds, NULL, NULL, NULL);
    }
    <<further standard input processing 35e>>

Uses PTM (28c).

If the child process has terminated, there may still be data left in the buffers; therefore the terminal's file descriptor is set to non-blocking mode. Reading will then continue until no more data can be retrieved. If drain mode is already active, this code will not be executed.

<<further standard input processing 35e>>=
    if (CHILD < 0 && !drain) {
        int flags = fcntl(PTM, F_GETFL);
        if (fcntl(PTM, F_SETFL, flags | O_NONBLOCK) == 0) drain = 1;
        continue;
    }

Uses CHILD (8d) and PTM (28c).

If select() returns 0 or less, none of the file descriptors are ready for reading. This can for example happen if a signal was received, and should be ignored. If the signal was SIGCHLD, notifying the parent thread of the child's termination, the signal handler will have set CHILD to -1 and the loop will finish after the buffers have been drained. If drain mode is already active, select() will not have been run; therefore this test is not needed then.

<<further standard input processing 35e>>+=
    if (sr <= 0) continue;

Execution does not reach this point if none of the file descriptors had data available. Thus it can be assumed that data wil
purpose of script is to record everything printed to the user's terminal into a file. According to its manual, "[i]t is useful for students who need a hardcopy record of an interactive session as proof of an assignment" [1]. But is it suitable for digital investigations?

1.2 Motivation: Deficiencies of script

The original script software consists of two programs, script and scriptreplay. Both are now part of the util-linux-ng package [8] that is under active development. The most recent log entry within the source code of script and scriptreplay, however, dates back to July 2000, when Andreas Buer added the -q option.

Technically, script creates a new pseudo terminal (PTY), which is a virtual, software-based representation of a terminal line, and attaches itself to the master side of it, thereby being able to send and receive data to and from an application connected to the slave side of the PTY. It launches a subprocess (also known as child), which launches the actual client application as its own subchild and then records the client application's output stream. The parent process forwards the user's input to the client application. Recording terminates as soon as the child process exits.

script uses a very simple file format to save the typescript: everything the client application sends to the terminal, i.e. everything printed on screen, will be written to the file byte by byte, including control characters that are used for various tasks lik
return key (represented as ASCII byte 0d) in order to execute the command "echo -n". After executing the command, which produces no output, the shell displays the prompt again.

    0e 0e 16 00 00 00 00 37  50 74 a3 0f 0e 6e 0f        |.......7Pt....n.|
    0e 0e 16 00 00 00 00 00  79 c4 67 0f 6e              |........y.g.n|
    0e 0e 16 00 00 00 00 2e  bb 20 01 0f 0e 0d 0f        |......... .....|
    0e 0e 16 00 00 00 00 00  79 f9 df 0f 0d 0a           |........y.....|
    0e 0e 16 00 00 00 00 02  25 be d3 0f                 |........%...|
    1b 5d 30 3b 73                                       |.]0;s|
    63 79 40 62 69 6a 61 7a  3a 7e 07 1b 5b 31 3b 33     |cy@bijaz:~..[1;3|
    32 6d 73 63 79 1b 5b 30  3b 33 32 6d 40 1b 5b 31     |2mscy.[0;32m@.[1|
    3b 33 32 6d 62 69 6a 61  7a 1b 5b 31 3b 33 34 6d     |;32mbijaz.[1;34m|
    20 7e 20 1b 5b 30 3b 33  36 6d 6d 61 73 74 65 72     | ~ .[0;36mmaster|
    20 3f 20 1b 5b 31 3b 33  30 6d 30 2e 31 30 20 1b     | ? .[1;30m0.10 .|
    5b 30 3b 33 37 6d 31 39  3a 34 36 20 1b 5b 30 3b     |[0;37m19:46 .[0;|
    33 33 6d 1b 5b 31 3b 33  32 6d 24 1b 5b 30 6d 20     |33m.[1;32m$.[0m |

Note that without recording the user's input it would be impossible to determine whether the user pressed return to actually run the command, or whether entering the command was cancelled, for example by pressing ^C.

1.587984366 seconds later, the user decides to end the current session by pressing ^D, which is equivalent to the byte value 04:

    0e 0e 16 00 00 00 01 23  0b ed ee 0f 0e 04 0f        |.......#.......|

The shell reacts by printing "exit" and terminating. Then forscript prints its shutdown message:
Then access to the slave is granted:

<<open new pseudo terminal 28e>>+=
    if (grantpt(PTM) < 0) {
        perror("grantpt");
        die("grantpt failed", 0);
    }
    if (unlockpt(PTM) < 0) {
        perror("unlockpt");
        die("unlockpt failed", 0);
    }

Uses die (23b) and PTM (28c).

The slave's device file name is requested using ptsname(). Since the name is not needed during further execution, the slave will be opened and its file descriptor stored.

<<open new pseudo terminal 28e>>+=
    char *pts = NULL;
    if ((pts = ptsname(PTM)) != NULL) {
        if ((PTS = open(pts, O_RDWR)) < 0) {
            perror("pts");
            die("pts open failed", 0);
        }
    } else {
        perror("ptsname");
        die("ptsname failed", 0);
    }

Uses die (23b) and PTM (28c).

The parent terminal will be configured into a "raw" mode of operation. script does this by calling cfmakeraw(), which is a nonstandard BSD function. For portability reasons, forscript sets the corresponding bits manually, thereby emulating cfmakeraw(). The list of settings is taken from the termios(3) Linux man page [3] and should be equivalent. Afterwards, the settings of the terminal forscript was started in will be copied to the new terminal. This means that, in the eyes of the user, the terminal's behavior will not change, but forscript can now document the terminal's data stream with maximum accuracy.

<<open new pseudo terminal 28e>>+=
    struct termios rtt = TT;
    rtt.c_iflag &= ~(IGNBRK | BRKINT | P
    3 79 2f 62 69 6e 3a                                    y/bin:|
    2f 75 73 72 2f 6c 6f 63  61 6c 2f 62 69 6e 3a 2f     |/usr/local/bin:/|
    75 73 72 2f 62 69 6e 3a  2f 62 69 6e 3a 2f 75 73     |usr/bin:/bin:/us|
    72 2f 67 61 6d 65 73 00  50 57 44 3d 2f 68 6f 6d     |r/games.PWD=/hom|
    65 2f 73 63 79 00 4c 41  4e 47 3d 65 6e 5f 55 53     |e/scy.LANG=en_US|
    2e 55 54 46 2d 38 00 43  4f 4c 4f 52 46 47 42 47     |.UTF-8.COLORFGBG|
    3d 37 3b 64 65 66 61 75  6c 74 3b 30 00 48 4f 4d     |=7;default;0.HOM|
    45 3d 2f 68 6f 6d 65 2f  73 63 79 00 53 48 4c 56     |E=/home/scy.SHLV|
    4c 3d 32 00 4c 4f 47 4e  41 4d 45 3d 73 63 79 00     |L=2.LOGNAME=scy.|
    57 49 4e 44 4f 57 50 41  54 48 3d 37 00 44 49 53     |WINDOWPATH=7.DIS|
    50 4c 41 59 3d 3a 30 2e  30 00 43 4f 4c 4f 52 54     |PLAY=:0.0.COLORT|
    45 52 4d 3d 72 78 76 74  2d 78 70 6d 00 5f 3d 75     |ERM=rxvt-xpm._=u|
    6e 69 2f 62 61 63 68 65  6c 6f 72 2f 66 6f 72 73     |ni/bachelor/fors|
    63 72 69 70 74 00 0f                                 |cript..|

The next chunk contains the locale settings the C library uses for messages, number and currency formatting and other things. Although the user may choose different locales for either category, they are usually all the same. This example makes no difference: the system is configured for US English and a character encoding of UTF-8.

                         0e 0e 13 65 6e 5f 55 53 2e            |...en_US.|
    55 54 46 2d 38 00 65 6e  5f 55 53 2e 55 54 46 2d     |UTF-8.en_US.UTF-|
    38 00 65 6e 5f 55 53 2e  55 54 46 2d 38 00 65 6e     |8.en_US.UTF-8.en|
    5f 55 53 2e 55 54 46 2d  38 00 65 6e 5f 55 53 2e     |_US.UTF-8.en_US.|
    55 54 46 2d                                          |UTF-
                     ARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
    rtt.c_oflag &= ~OPOST;
    rtt.c_lflag &= ~(ECHO | ECHONL | ICANON | ISIG | IEXTEN);
    rtt.c_cflag &= ~(CSIZE | PARENB);
    rtt.c_cflag |= CS8;
    if (tcsetattr(STDIN_FILENO, TCSANOW, &rtt) < 0) {
        perror("tcsetattr stdin");
        die("tcsetattr stdin failed", 0);
    }
    if (tcsetattr(PTS, TCSANOW, &TT) < 0) {
        perror("tcsetattr pts");
        die("tcsetattr pts failed", 0);
    }

Uses die (23b).

A.9.1 Managing Window Size

If the size of a terminal window changes, the controlling process receives a SIGWINCH signal and should act accordingly. forscript handles this signal in the resized() function by writing the new size to the transcript and forwarding it to the client terminal.

Defines resized (used in chunk 8a); uses UNUSED (37c) and winsize (30b).

The actual reading and writing of the window size is done by winsize(), which takes a mode parameter. If the mode is 1, the client application's terminal size will be set. If the mode is 2, the terminal size will be written to the transcript. If the mode is 3, both operations will be done, which is the usual case.

<<winsize 30b>>=
    void winsize(unsigned int mode) {
        struct winsize size;
        ioctl(STDIN_FILENO, TIOCGWINSZ, &size);
        if (mode & 2) {
            if (chunk11(&size) < 0) die("writing window size", 0x11);
        }
        if (mode & 1 && PTM) ioctl(PTM, TIOCSWINSZ, &size);
    }

Defines winsize (used in chunks 30a and 31b)
Design and Implementation of a Documentation Tool for Interactive Commandline Sessions

Andreas Dewald, Felix C. Freiling, Tim Weber
University of Mannheim
Technical Report TR-2010-005
December 30, 2010

Abstract

In digital investigations it is important to document the examination of a computer system with as much detail as possible. Although never designed for digital investigations, many experts use the software script to record their whole terminal session while analyzing a target system. We analyze script's deficiencies and present the design and implementation of forscript (forensic script), a software providing additional capabilities and mechanisms for digital investigations.

1 Introduction

1.1 Motivation: Documentation of Terminal Sessions

During a digital investigation, many actions are still performed on the command line. Especially in live response or during complicated manual operations, it is useful that the investigator keeps a detailed record of his actions while analyzing a system. Such a log can help the investigator understand his motivations in retrospect and can help prove to other experts that certain actions were or were not performed during the investigation.

In principle, interactive command line sessions can be documented quite easily by creating a piece of software that records everything typed on the keyboard and everything sent to the screen. Many digital investigators still use a program called script. The
SI (used in chunks 22d and 36c) and SO (used in chunks 22d and 36c).

It is by design that the three special characters have consecutive byte numbers. This allows us to define a minimum and maximum byte value that requires special escape handling.

<<constants 16a>>+=
    const unsigned char ESCMIN = 0x0e;
    const unsigned char ESCMAX = 0x10;

Defines ESCMAX (used in chunk 21) and ESCMIN (used in chunk 21).

A.3 Metadata Chunk Types

We now describe the available metadata chunk types. Integers are unsigned and big-endian, except where noted otherwise. In the resulting file, numbers are represented in binary form, not as ASCII digits.

For better understanding, the code forscript uses to write each meta chunk appears after the chunk's explanation. The three functions chunkwh(), chunkwf() and chunkwd() that are used for actually writing the data to disk will be explained in section A.5. To be able to understand the code, it is sufficient to know that chunkwh() takes one parameter, the chunk's type, and writes the header bytes; chunkwf() writes the footer byte and takes no parameters; while chunkwd() writes the payload data, escaping it on the fly, and requires a pointer and byte count. There is an additional convenience function, chunkwm(), that takes all three parameters and will write a complete metadata chunk.

All chunk functions return a negative value if an error occurred, for example if an environment setting could not be retrieved or if writing to the tr
and 34c); uses chunk11 (18c), die (23b) and PTM (28c).

Retrieving the window size requires ioctl.h for ioctl():

<<includes 8b>>+=
    #include <sys/ioctl.h>

The client PTY's window size will be initialized now. This needs to take place before the client application is launched, because it probably requires an already configured terminal size when starting up. Writing the size to the transcript, however, would put the window size meta chunk before the start-of-session chunk; therefore winsize's mode 1 is used.

<<openpt 31b>>+=
    winsize(1);

Uses winsize (30b).

A.10 Running the Target Application

The doshell() function is run in the child process, whose only task is to set up all required PTY redirections and then execute the client command. Therefore, open file descriptors from the parent process which are no longer needed are closed early.

<<doshell 31c>>=
    void doshell(void) {
        close(PTM);
        fclose(OUTF);
        <<change the terminal 31d>>
        <<determine the shell 32b>>
        <<execute the shell 32d>>
    }

Defines doshell (used in chunk 9); uses OUTF and PTM.

Changing the Terminal

Next, the child process changes its controlling terminal to be the PTY slave. In order to do that, it has to be placed in a separate session.

<<change the terminal 31d>>=
    setsid();
    if (ioctl(PTS, TIOCSCTTY, 0) < 0) {
        perror("controlling terminal");
        die("controlling terminal failed", 0);
    }

Uses die (23b).

Standard input, output and error are bound t
anscript file failed. Since only a partial metadata chunk may have been written to the transcript, the file is no longer in a consistent state. Therefore forscript should terminate whenever a chunk function returns a negative value.

A transcript file needs to begin with a file version meta chunk, followed directly by the first start-of-session chunk.

0x01 File Version (1 byte)

The transcript file must start with a meta chunk of this type; there may be no other data before it. Denotes the version of the forscript file format that is being used for this file. In order to guarantee a length of exactly one byte, the version numbers 0, 14, 15 and 16 are not allowed; therefore no escaping takes place. This document describes version 1 of the format, therefore currently the only valid value is 0x01.

<<chunks 17b>>=
    int chunk01(void) {
        unsigned char ver = 0x01;
        return chunkwm(0x01, &ver, sizeof(ver));
    }

Defines chunk01 (used in chunk 27a); uses chunkwm (23a).

0x02 Begin of Session (10 bytes)

Denotes the start of a new forscript session. The first four data bytes represent the start time as the number of seconds since the Unix epoch. The next four bytes contain a signed representation of the nanosecond offset to the number of seconds. If these four bytes are set to 0xffffffff, there was an error retrieving the nanoseconds. The last two bytes specify the machine's signed time zone offset to UTC in minutes. If these two bytes ar
    c99 -Wl,-lrt -g -o forscript -Wall -Wextra -pedantic -fstack-protector-all -pipe forscript.c

To generate forscript.c out of the noweb source code, the following command line can be used:

    notangle -Rforscript.c forscript.nw > forscript.c

On the authors' machine, forscript can be compiled without any compiler warnings. It has also been successfully compiled on NetBSD. Since Apple Mac OS X in its current version (10.6.2) lacks support for the real-time extension of POSIX, the clock_gettime() function required by forscript is not natively available. Therefore the code described in this document can, in its current state, not be compiled on OS X. However, it should be possible to create a function emulating clock_gettime() and then port forscript to OS X.

5.2 Example Transcript File

To demonstrate forscript's output, the following pages contain a commented hex dump of a transcript file created on the authors' machine. The dump has been created using "hexdump -C transcript". Since metadata chunks do not necessarily start or end at a 16-byte border, the dump has been cut into distinct pieces, bytes not belonging to the current logical unit being replaced by whitespace.

The hex dump consists of several three-column lines. The first two columns contain 16 bytes of data represented in hexadecimal form, eight bytes each. The third column represents these 16 bytes interpreted as ASCII characters; nonprintable characters are replaced with a single dot.
cs include how to launch a subprocess and change its controlling terminal, as well as how to read from multiple data streams at once without having to run separate processes.

A.1 Overview

Here's the current version number of forscript. Any future alterations can be explained in the text at relevant places. MYVERSION is defined as a global constant:

<<globals 8a>>=
    const char *MYVERSION = "1.0.0";

Defines MYVERSION (used in chunk 25c).

The code begins with feature test macros, ordinary macros and include statements. Afterwards, constants and global variables are defined.

<<declarations and definitions 15b>>=
    <<featuretest 27b>>
    …

The functions used in the code are put in an order that makes sure every function is defined before it is called. Since die() is required at many places, it is put first. Next, all the chunk writing functions appear, the helper functions first. Then come the functions that write startup and shutdown messages on the screen, followed by the signal handling functions like finish(). The functions doshell() and … are the main input/output functions that represent the parent and child processes.

A.2 Constants

For improved readability, we define the special characters introduced in the previous section as constants:

<<constants 16a>>=
    const unsigned char SO  = 0x0e;
    const unsigned char SI  = 0x0f;
    const unsigned char DLE = 0x10;

Defines DLE (used in chunk 21),
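The report leaves a parser for the transcript format to future work. The following reader is an added example and is not part of the report or of forscript itself. It uses the special bytes defined in A.2 (SO, SI, DLE), the "SO SO id … SI" framing of metadata chunks and the "SO … SI" framing of user input as they appear in the example transcript, DLE-escaping of payload bytes in the range ESCMIN..ESCMAX (the delay chunk in the example dump shows 0x10 written as "10 10"), and the layouts of the chunk types described in A.3 (0x01, 0x02, 0x03, 0x11, 0x12, 0x13, 0x16). Two things are my assumptions rather than the report's: that plain terminal output is DLE-escaped the same way chunk payloads are, and the constructed environment chunk and escaped output byte in the sample. The other sample bytes are copied from the report's example dump.

```python
import struct

# Special bytes of the forscript transcript format (section A.2 of the report).
SO, SI, DLE = 0x0e, 0x0f, 0x10

# Locale categories written by the 0x13 chunk, in the order given in section A.3.
LOCALE_CATEGORIES = ("LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES",
                     "LC_MONETARY", "LC_NUMERIC", "LC_TIME")


def _read_escaped(data, i):
    """Read DLE-escaped payload from offset i up to the closing (unescaped) SI.
    Returns (payload, offset just past the SI)."""
    buf = bytearray()
    while i < len(data):
        b = data[i]
        if b == DLE:                        # escape: the next byte is taken literally
            if i + 1 >= len(data):
                raise ValueError("truncated DLE escape at offset %d" % i)
            buf.append(data[i + 1])
            i += 2
        elif b == SI:                       # unescaped SI terminates the chunk
            return bytes(buf), i + 1
        elif b == SO:                       # chunks do not nest: this is corruption
            raise ValueError("unexpected SO inside chunk at offset %d" % i)
        else:
            buf.append(b)
            i += 1
    raise ValueError("unterminated chunk: transcript ends without SI")


def parse_transcript(data):
    """Split a transcript into ("output", bytes), ("input", bytes) and
    ("meta", chunk_id, payload) events, in file order."""
    events, out, i = [], bytearray(), 0
    while i < len(data):
        b = data[i]
        if b == DLE:                        # assumption: output is DLE-escaped like chunk data
            if i + 1 >= len(data):
                raise ValueError("truncated DLE escape at offset %d" % i)
            out.append(data[i + 1])
            i += 2
        elif b == SO:
            if out:
                events.append(("output", bytes(out)))
                out = bytearray()
            if i + 2 < len(data) and data[i + 1] == SO:   # SO SO id ... SI: metadata
                payload, i = _read_escaped(data, i + 3)
                events.append(("meta", data[i - len(payload) - 1] if False else chunk_id_at(data, i, payload), payload))
            else:                                          # SO ... SI: user input
                payload, i = _read_escaped(data, i + 1)
                events.append(("input", payload))
        elif b == SI:
            raise ValueError("unexpected SI at offset %d" % i)
        else:                               # everything else is plain terminal output
            out.append(b)
            i += 1
    if out:
        events.append(("output", bytes(out)))
    return events


def chunk_id_at(data, end, payload):
    """Helper kept separate for readability: not used (see parse_transcript)."""
    raise AssertionError("unreachable")


def decode_meta(chunk_id, payload):
    """Decode the payload of the metadata chunk types described in section A.3."""
    if chunk_id == 0x01:                    # file version: one byte, never 0, 14, 15 or 16
        if len(payload) != 1 or payload[0] in (0, 14, 15, 16):
            raise ValueError("invalid file version chunk %r" % payload)
        return {"type": "file_version", "version": payload[0]}
    if chunk_id == 0x02:                    # seconds, signed nanoseconds, signed tz minutes
        secs, nanos, tz = struct.unpack(">Iih", payload)
        return {"type": "begin_of_session", "seconds": secs,
                "nanoseconds": None if nanos == -1 else nanos,   # 0xffffffff: unknown
                "tz_minutes": None if tz == -1 else tz}          # 0xffff: unknown
    if chunk_id == 0x03:                    # exit status of the child
        return {"type": "end_of_session", "exit_status": payload[0]}
    if chunk_id == 0x11:                    # terminal width and height
        width, height = struct.unpack(">HH", payload)
        return {"type": "terminal_size", "width": width, "height": height}
    if chunk_id == 0x12:                    # NUL-terminated NAME=VALUE strings
        env = {}
        for item in payload.split(b"\0"):
            if item:
                name, _, value = item.decode("utf-8", "replace").partition("=")
                env[name] = value
        return {"type": "environment", "vars": env}
    if chunk_id == 0x13:                    # seven NUL-terminated locale strings
        values = payload.split(b"\0")[:-1]
        if len(values) != len(LOCALE_CATEGORIES):
            raise ValueError("locale chunk must hold exactly 7 strings")
        return {"type": "locale", "settings": dict(zip(
            LOCALE_CATEGORIES, (v.decode("utf-8", "replace") for v in values)))}
    if chunk_id == 0x16:                    # seconds and nanoseconds since the last delay
        secs, nanos = struct.unpack(">II", payload)
        return {"type": "delay", "seconds": secs, "nanoseconds": nanos}
    return {"type": "unknown", "id": chunk_id, "payload": payload}
```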
...e machine forscript is run on. However, for forensic usage it is best to be able to use a small, statically linked executable.
- Converting a forscript file to a script file is basically as easy as removing everything between shift out and shift in bytes, while respecting escaping rules, of course.

4 Implementation Overview

We give a brief insight into the code of forscript, that is assembled within a single C source file and written as a literate program [4] using the tool noweb [5]. The noweb tool automatically introduces cross references between code chunks, so that readers can quickly find the corresponding code. We only show the most interesting code chunks here. The full details can be found in the appendix.

<forscript.c 7a>=
    <declarations and definitions 15b>
    <functions>
    <main 7b>

4.1 The Main Program

Here is the main function. We first determine the program's name as called on the command line, then we process the command line options. Afterwards, we open the output file and a new pseudo terminal. The original script uses one process to listen for input, one to listen for output and one to initialize and execl the command to be recorded. forscript, in contrast, uses only the select function to be notified of pending input and output and therefore only needs two processes: itself and the subcommand. These two processes are forked after registering the appropriate signal handlers. Since neither the parent nor the child process s...
...e set to 0xffff, the machine's timezone is unknown.

<chunks 17a>+=
    int chunk02(void) {
        struct timespec now;
        extern long timezone;
        int ret;
        unsigned char data[10];
        uint32_t secs;
        int32_t nanos;
        int16_t tzone;
        if ((ret = clock_gettime(CLOCK_REALTIME, &now)) < 0)
            return ret;
        secs = htonl(now.tv_sec);
        if (now.tv_nsec < 1000000000L && now.tv_nsec > -1000000000L)
            nanos = htonl(now.tv_nsec);
        tzset();
        tzone = htons((uint16_t)(timezone / 60));
        memcpy(&data[0], &secs, sizeof(secs));
        memcpy(&data[4], &nanos, sizeof(nanos));
        memcpy(&data[8], &tzone, sizeof(tzone));
        return chunkwm(0x02, data, sizeof(data));
    }
Defines chunk02, used in chunk 34c. Uses chunkwm 23a.

This chunk requires the headers time.h for clock_gettime, arpa/inet.h for htonl and string.h for memcpy:

<includes 8b>+=
    #include <time.h>
    #include <arpa/inet.h>
    #include <string.h>

0x03 End of Session (1 byte)

Denotes the end of a forscript session. The data byte contains the return value of the child process. The usual exit code convention applies: If the child exited normally, use its return value. If the child was terminated as a result of a signal (like SIGSEGV), use the number of the signal plus 128. The parameter status should contain the raw status value returned by wait, not only the child's return value. If the exit code of the child could not be det...
...e setting colors, positioning the cursor etc. Additionally, a header "Script started on X\n" is written, where X is the human-readable date and time when script was invoked. If script was invoked without the -q flag, an additional footer "Script done on Y\n", where Y is the human-readable date and time when script terminated, is written.

Apart from recording terminal in- and output, script can also record timing data. Using the option -t, script will output timing data to stderr, specifying the chronological progress of the terminal session. Using this data, the utility scriptreplay can display the recorded data in a video-like way. The timing output format is very simple. It consists of tuples of delay and byte count, space-separated, one per line, like in the following example:

    0.725168 56
    0.006549 126
    0.040017 1
    4.727988 1
    0.047972 1

Each line can be read like "x seconds after the previous output, n more bytes were sent to the terminal". If there was no previous output because it is the first line of timing information, the delay specifies the time between script invocation and the first chunk of output.

The two file formats produced by script show several shortcomings with regard to their use in digital investigations:
- Input coming from the user's keyboard is not logged at all. A common example is the user entering a command in the shell, but then pressing ^C instead of return. The shell will move to the next line and display the prompt...
...e shell with -c and the command instead of -i. The shell will then be non-interactive and only run the specified command, then exit. Note that all POSIX-compatible shells have to support the -i and -c parameters. This behavior is identical to that of script.

If the -f switch is used, forscript will call fflush on the transcript file after new data has been written to it, resulting in instant updates to the typescript file at the expense of performance. This behavior is identical to that of script and is useful for letting another user watch the actions recorded by forscript in real time.

The parameter -t was used in script to output timing information. This parameter is accepted by forscript, but ignored, since forscript always records timing information into the transcript file.

Finally, if forscript is called with -V or --version as only parameter, it will print its version and exit. This behavior is identical to that of script.

If unsupported parameters are passed, forscript will print a short usage summary to stderr and exit.

While running, the client application's output will be printed to stdout. Error messages will be printed to stderr.

3 Forscript File Format

This section explains the new file format as used by forscript. The file format allows an efficient combination of output and metadata within a single file. A forscript data file, called a transcript file, consists of the mostly unaltered output stream of the client application, bu...
...ermined, 0xff is used instead.

<chunks 17a>+=
    int chunk03(int status) {
        unsigned char data = 0xff;
        if (WIFEXITED(status))
            data = WEXITSTATUS(status);
        else if (WIFSIGNALED(status))
            data = 128 + WTERMSIG(status);
        return chunkwm(0x03, &data, sizeof(data));
    }
Defines chunk03, used in chunk 38d. Uses chunkwm 23a.

0x11 Terminal Size (two 2-byte values)

Is written at session start and when the size of the terminal window changes. The first data word contains the number of columns, the second one the number of rows. Since the terminal size has to be passed to the running client application, the chunk itself does not request the values, but receives them as a parameter.

<chunks 17a>+=
    int chunk11(struct winsize *size) {
        uint32_t be;
        be = htonl((size->ws_col << 16) | size->ws_row);
        return chunkwm(0x11, (unsigned char *)&be, sizeof(be));
    }
Defines chunk11, used in chunk 30b. Uses chunkwm 23a and winsize 30b.

0x12 Environment Variables (arbitrary number of C strings)

Is written at session start. Contains the environment variables and their values as NAME=value pairs; each pair is terminated by a null byte (0x00). Since variable names may not contain the character "=" and neither variable names nor the values may include a null byte, the list needs no special escaping.

<chunks 17a>+=
    int chunk12(void) {
        extern char **environ;
        int i = 0;
        int ret;
        while (environ[i]...
    extern char *optarg;
    extern int optind;
    while ((c = getopt(argc, argv, "ac:fqt")) != -1) {
        switch ((char)c) {
            case 'a': aflg++;       break;
            case 'c': cflg = optarg; break;
            case 'f': fflg++;       break;
            case 'q': qflg++;       break;
            case 't':               break;
            case '?':
            default:
                fprintf(stderr, "usage: %s [-afqt] [-c command] [file]\n", MYNAME);
                exit(1);
                break;
        }
    }
    argc -= optind;
    argv += optind;
Uses aflg 25d, cflg 25e and MYNAME.

After the options have been parsed, the output file name will be determined and stored in the global string OUTN:

<globals 8d>+=
    char *OUTN = "transcript";
Defines OUTN, used in chunks 26c and 27.

A.8.3 Opening the Output File

As in script, there is a safety warning if no file name was supplied and "transcript" exists and is a hard or soft link:

<open output file 26c>=
    if (argc > 0) {
        OUTN = argv[0];
    } else {
        struct stat s;
        if (lstat(OUTN, &s) == 0 && (S_ISLNK(s.st_mode) || s.st_nlink > 1)) {
            fprintf(stderr, "Warning: %s is a link.\n"
                            "Use '%s [options] %s' if you really want to use it.\n"
                            "%s not started.\n", OUTN, MYNAME, OUTN, MYNAME);
            exit(1);
        }
    }
Uses MYNAME 24a and OUTN 26b.

lstat needs types.h and stat.h as well as _XOPEN_SOURCE:

<includes 8b>+=
    #include <sys/types.h>
    #include <sys/stat.h>

<featuretest 27b>=
    #define _XOPEN_SOURCE 500
Defines _XOPEN_SOURCE, never used.

The file will now be opened, either for wr...
...hould ever reach the end of main, it returns EXIT_FAILURE.

<main 7b>=
    int main(int argc, char **argv) {
        <set my name 24c>
        <process command line options 25b>
        <open output file 26c>
        <open new pseudo terminal 28e>
        <register signal handlers 8a>
        <fork subprocesses 8c>
        return EXIT_FAILURE;
    }
Defines main, never used.

4.2 Registering Signal Handlers

To be notified of an exiting subprocess, a handler for the SIGCHLD signal needs to be defined. This signal is usually sent by the operating system if any child process's run status changes, i.e. it is stopped (SIGSTOP), continued (SIGCONT) or it exits. script terminates if the child is stopped, but forscript does not, because it uses the SA_NOCLDSTOP flag to specify that it wishes not to be notified about the child stopping or resuming. The function finish handles the child's termination. The second signal handler, resized, handles window size changes.

<register signal handlers 8a>=
    struct sigaction sa;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NOCLDSTOP;
    sa.sa_handler = finish;
    sigaction(SIGCHLD, &sa, NULL);
    sa.sa_handler = resized;
    sigaction(SIGWINCH, &sa, NULL);
Uses finish 37b and resized 30a.

These functions and constants require signal.h:

<includes 8b>+=
    #include <signal.h>

4.3 Forking

When a program calls the fork function, the operating system basically clones the program into a new process that is a...
...irst parameter. On all Unix systems, stdin should be file descriptor 0, but for maximum portability forscript compares both descriptors and stores the value to pass to select in the variable highest.

<preparations of main loop 34a>=
    fd_set fds;
    int sr;
    int highest = (STDIN_FILENO > PTM ? STDIN_FILENO : PTM) + 1;
Uses PTM 28c.

The variable drain determines whether the child has already terminated, but the buffers still have to be drained:

<preparations of main loop 34a>+=
    int drain = 0;

Several metadata chunks need to be written: If the -a flag is not set, a file version chunk is written. Then begin of session, environment variables and locale settings. Finally, winsize's mode 2 is used to only write the window size to the transcript without sending a second SIGWINCH to the client.

<preparations of main loop 34a>+=
    if (!aflg)
        if (chunk01() < 0) die(NULL, 0x01);
    if (chunk02() < 0) die(NULL, 0x02);
    if (chunk12() < 0) die(NULL, 0x12);
    if (chunk13() < 0) die(NULL, 0x13);
    winsize(2);
Uses aflg 25d, chunk01, chunk02 17b, chunk12, chunk13 19b, die 23b and winsize 30b.

To be able to calculate the delay between I/O chunks, the monotonic clock available via clock_gettime is used. The following code will initialize the timer:

<preparations of main loop 34a>+=
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts) < 0) {
        per...
...iterate programming in the development of software for digital investigations.

1.4 Roadmap

In Section 2 we elaborate the user interface of forscript, which basically is that of script. In Section 3 we present the extensible file format of forscript. We give a brief insight into the implementation of forscript in Section 4. The program is evaluated in Section 5, giving an example transcript file. Finally, Section 6 summarizes the work, gives a description of forscript's limitations and describes possibilities of future work. The appendix completes the code given in Section 4 to form a complete literate program and can be consulted at the discretion of the reader. A chunk and identifier index appear at the end of this document.

2 User Interface of forscript

Since forscript's invocation syntax has been designed to be compatible to script, most parameters result in the same behavior. We now give an overview over the interface of forscript and highlight the differences to the interface of script.

forscript takes one optional argument, the file name of the output file (also called transcript file) to which the terminal session is logged. If no file name was supplied on the command line, the default name is "transcript". This differs from script's default name "typescript" intentionally, because the file format is different and can, for example, not be displayed directly using cat. If there are any scripts or constructs that assume the default output...
...iting or for appending, depending on aflg. Note that if appending, the file will be opened for reading as well. This is because forscript checks the file version header before appending to a file.

<open output file 26c>+=
    if ((OUTF = fopen(OUTN, aflg ? "a+" : "w")) == NULL) {
        perror(OUTN);
        die("the output file could not be opened", 0);
    }
Uses aflg 25d, die 23b, OUTF 22a and OUTN 26b.

If the file has been opened for appending, check whether it starts with a compatible file format. Currently the only format allowed is 0x01. If the file is empty, appending is possible, but the file version chunk has to be written. This is done by setting aflg to 0, which will cause doio to write the chunk.

<open output file 26c>+=
    if (aflg) {
        char buf[5];
        size_t count;
        count = fread(&buf, sizeof(char), 5, OUTF);
        if (count == 0)
            aflg = 0;
        else if (count != 5 || strncmp(buf, "\x0e\x0e\x01\x01\x0f", 5) != 0)
            die("output file is not in forscript format v1, cannot append", 0);
    }
Uses aflg, die and OUTF.

A.9 Preparing a New Pseudo Terminal

While script uses manual PTY allocation by trying out device names (or BSD's openpty where available), forscript has been designed to use the Unix 98 PTY multiplexer /dev/ptmx, standardized in POSIX.1-2001, to create a new PTY. This method requires fcntl.h and a sufficiently high feature test macro value for POSIX code:

<includes 8b>+=
    #inc...
...l be written to the transcript file. Therefore, chunk16 is called to calculate and write a delay meta chunk. After it has calculated the time delta, it will automatically update ts to contain the current time.

<further standard input processing 35e>+=
    if (chunk16(&ts) < 0)
        die(NULL, 0x16);
Uses chunk16 20b and die 23b.

If user input is available, it will be read into the buffer. The data will then be written to the transcript file, having SO prepended and SI appended. Then it will be sent to the client application. When in drain mode, user input is irrelevant, since the child has already terminated.

<further standard input processing 35e>+=
    if (FD_ISSET(STDIN_FILENO, &fds)) {
        count = read(STDIN_FILENO, iobuf, BUFSIZ);
        if (count > 0) {
            fwrite(&SO, sizeof(SO), 1, OUTF);
            chunkwd((unsigned char *)iobuf, count);
            fwrite(&SI, sizeof(SI), 1, OUTF);
            write(PTM, iobuf, count);
        }
    }
Uses chunkwd 21, OUTF 22a, PTM 28c, SI 16a and SO 16a.

Regardless of whether in drain mode or not, if output from the client application is available, it will be read into the buffer and written to the transcript file and standard output. If there was no data to read, the buffer has been drained, drain mode ends and the main loop will terminate.

<main loop body 35d>+=
    if (FD_ISSET(PTM, &fds)) {
        count = read(PTM, iobuf, BUFSIZ);
        if (count > 0) {
            fwrite(iobuf, sizeof(char), co...
...l shift out byte at the beginning, followed by a byte that determines the type of metadata that follows. The available types are listed in Table 1 and implemented in Appendix A.3. Meta chunks can be of arbitrary length and terminate at the shift in byte. The same escaping of shift out, shift in and data link escape that is used for input chunks is also used for meta chunks.

For example, the terminal size meta type is introduced by its type byte 0x11, followed by width and height of the terminal, represented as two unsigned big-endian 16-bit integers. The information "terminal size is 80x16 characters" would be written to the transcript file as 0x0e 0x0e 0x11 0x00 0x50 0x00 0x10 0x10 0x0f. Note that the least significant byte of the number 16 has to be written as 0x10 0x10, to prevent the special meaning of 0x10 from escaping the following 0x0f.

3.3 Properties of the File Format

This basic file format design has several advantages:
- New meta chunk types can be introduced while still allowing older tools to read the file, because the escaping rules are simple and the parsing application need not know a fixed length of each type.
- Since switching between input and output data occurs very often in a usual terminal session, the format is designed to require very little storage overhead for these operations.
- The format is very compact and easy to implement. Using a format like XML would decrease performance and require sophisticated libraries on th...
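As an added example (not code from the paper or the forscript project), here is a small Python encoder and decoder that applies the escaping rules of Section 3.1 to input and meta chunks, reproduces the terminal size example above byte for byte, and strips every control chunk from a transcript, which is the conversion to a plain script-style output stream mentioned in Section 3.3. The helper names, the constructed sample transcript and the assumption that client output never contains an unescaped 0x0e are mine, not the paper's.

```python
# Added example, not code from the forscript paper or project: an encoder and
# decoder for the transcript format described above. Assumed: only the rules
# stated in the text (SO/SI framing, DLE escaping, meta chunk = SO SO type ...
# SI) and that client output carries no unescaped SO. Sample data is constructed.

SO, SI, DLE = 0x0E, 0x0F, 0x10
SPECIAL = {SO, SI, DLE}

# Meta chunk type bytes from Table 1 of the paper.
FILE_VERSION, BEGIN_SESSION, END_SESSION = 0x01, 0x02, 0x03
TERMINAL_SIZE, DELAY = 0x11, 0x16


def escape(data: bytes) -> bytes:
    """Prefix SO, SI and DLE with DLE, so a literal DLE becomes DLE DLE."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(DLE)
        out.append(b)
    return bytes(out)


def input_chunk(data: bytes) -> bytes:
    """SO, escaped keyboard data, SI."""
    return bytes([SO]) + escape(data) + bytes([SI])


def meta_chunk(kind: int, payload: bytes) -> bytes:
    """SO SO <type>, escaped payload, SI; the type byte itself is written raw."""
    return bytes([SO, SO, kind]) + escape(payload) + bytes([SI])


def terminal_size_chunk(cols: int, rows: int) -> bytes:
    """Payload: two unsigned big-endian 16-bit integers, columns then rows."""
    return meta_chunk(TERMINAL_SIZE, cols.to_bytes(2, "big") + rows.to_bytes(2, "big"))


def parse_transcript(blob: bytes):
    """Split a transcript into (output_stream, input_chunks, meta_chunks).

    output_stream: client output with every control chunk removed, i.e. the
                   script-compatible typescript content.
    input_chunks:  unescaped keyboard inputs, in order.
    meta_chunks:   (type, unescaped payload) tuples, in order.
    A truncated or malformed chunk raises ValueError instead of being guessed at.
    """
    output, inputs, metas = bytearray(), [], []
    i, n = 0, len(blob)
    while i < n:
        if blob[i] != SO:               # outside a control chunk: plain output
            output.append(blob[i])
            i += 1
            continue
        i += 1                          # consume the opening SO
        kind = None
        if i < n and blob[i] == SO:     # a second SO: metadata chunk follows
            i += 1
            if i >= n:
                raise ValueError("truncated meta chunk: type byte missing")
            kind, i = blob[i], i + 1
        payload = bytearray()
        while True:                     # read until an unescaped SI
            if i >= n:
                raise ValueError("unterminated control chunk at end of file")
            b, i = blob[i], i + 1
            if b == DLE:
                if i >= n:
                    raise ValueError("dangling DLE at end of file")
                payload.append(blob[i])  # escaped byte is taken literally
                i += 1
            elif b == SI:
                break
            elif b == SO:
                raise ValueError("unescaped SO inside a control chunk")
            else:
                payload.append(b)
        if kind is None:
            inputs.append(bytes(payload))
        else:
            metas.append((kind, bytes(payload)))
    return bytes(output), inputs, metas


def parse_terminal_size(payload: bytes):
    """Decode a 0x11 payload back into (cols, rows)."""
    if len(payload) != 4:
        raise ValueError("terminal size payload must be 4 bytes")
    return int.from_bytes(payload[:2], "big"), int.from_bytes(payload[2:], "big")


def is_well_formed(blob: bytes) -> bool:
    """True if every control chunk in blob is complete and correctly escaped."""
    try:
        parse_transcript(blob)
        return True
    except ValueError:
        return False


def sample_transcript() -> bytes:
    """A constructed transcript (not a real capture) exercising every rule."""
    return (meta_chunk(FILE_VERSION, b"\x01")
            + meta_chunk(BEGIN_SESSION, b"\x00" * 10)   # placeholder timestamp
            + terminal_size_chunk(80, 16)               # payload 00 50 00 10 10
            + b"$ "
            + input_chunk(bytes([0x4E, 0x0F, 0x00, 0x61, 0x74, 0x10]))
            + b"Nat\r\n"                                # the shell echoing back
            + meta_chunk(END_SESSION, b"\x00"))
```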
...lude <fcntl.h>

<featuretest 27b>+=
    #define _POSIX_C_SOURCE 200112L
Defines _POSIX_C_SOURCE, never used.

The PTY's master and slave file descriptors will be stored in these global variables:

<globals 8d>+=
    int PTM = 0, PTS = 0;
Defines PTM, used in chunks 29, 31, 34, 36 and 38d.

Additionally, the settings of the terminal forscript runs in will be saved in the global variable TT. This variable is used to duplicate the terminal's settings to the newly created PTY, as well as to restore the terminal settings as soon as forscript terminates. There is also a variable TTSET which stores whether the settings have been written to TT. This is important when restoring the terminal settings after a failure: If the settings have not yet been written to TT, applying them will lead to undefined behavior.

<globals 8d>+=
    struct termios TT;
    int TTSET = 0;
Defines TTSET, used in chunks 23 and 28.

<open new pseudo terminal 28e>=
    if (tcgetattr(STDIN_FILENO, &TT) < 0) {
        perror("tcgetattr");
        die("tcgetattr failed", 0);
    }
    TTSET = 1;
Uses die 23b and TTSET.

The termios structure is defined in termios.h:

<includes 8b>+=
    #include <termios.h>

A new PTY master is requested like this:

<open new pseudo terminal 28e>+=
    if ((PTM = posix_openpt(O_RDWR)) < 0) {
        perror("openpt");
        die("openpt failed", 0);
    }
Uses die 23b and PTM.
...o the PTY slave, which can then be closed.

<change the terminal 31d>+=
    if (dup2(PTS, STDIN_FILENO) < 0 || dup2(PTS, STDOUT_FILENO) < 0
        || dup2(PTS, STDERR_FILENO) < 0) {
        perror("dup2");
        die("dup2 failed", 0);
    }
    close(PTS);
Uses die 23b.

Determining the Shell

If the environment variable SHELL is set, its value is used. Otherwise, the default is /bin/sh, which should exist on all Unix systems.

<determine the shell 32b>=
    char *shell;
    if ((shell = getenv("SHELL")) == NULL)
        shell = "/bin/sh";

Next, the name of the shell without any path components is determined, to be used as argument zero when executing the client command.

<determine the shell 32b>+=
    char *shname;
    if ((shname = strrchr(shell, '/')) == NULL)
        shname = shell;
    else
        shname++;

Executing the Shell

Finally, the execl function is used to replace the currently running forscript process with the shell that has just been selected. If a target command has been specified using the -c option, it will be passed to the shell. Else, an interactive shell is launched using the -i option.

<execute the shell 32d>=
    if (cflg != NULL)
        execl(shell, shname, "-c", cflg, NULL);
    else
        execl(shell, shname, "-i", NULL);
Uses cflg 25e.

The forscript child process should now have been replaced with the shell. If execution reaches code after execl, an error occurred and the child process will terminate with an error message.

<execute...
    ...ount)) < 0)
            return ret;
        if (chunkwf() < 0)
            return -12;
        return 1;
    }
Defines chunkwm, used in chunks 17, 18, 19 and 20. Uses chunkwd 21, chunkwf and chunkwh 22d.

A.6 Error Handling

If the program has to terminate abnormally, the function die will be called. After resetting the terminal attributes and telling a possible child process to exit, it will output an error message and exit the software.

<die 23b>=
    void die(const char *message, unsigned char chunk) {
        if (TTSET)
            tcsetattr(STDERR_FILENO, TCSADRAIN, &TT);
        if (CHILD > 0)
            kill(CHILD, SIGTERM);
        fprintf(stderr, "%s: ", MYNAME);
        if (chunk != 0) {
            fprintf(stderr, "metadata chunk %02x failed", chunk);
            if (message != NULL)
                fprintf(stderr, ", ");
        } else if (message == NULL) {
            fprintf(stderr, "unknown error");
        }
        if (message != NULL)
            fprintf(stderr, "%s", message);
        fprintf(stderr, ", exiting\n");
        exit(EXIT_FAILURE);
    }
Defines die, used in chunks 27, 34 and others. Uses CHILD 8d, MYNAME and TTSET.

exit requires stdlib.h:

<includes 8b>+=
    #include <stdlib.h>

The global variable MYNAME contains a pointer to the name the binary was called as and is set in main:

<globals 8d>+=
    char *MYNAME;
Defines MYNAME, used in chunks 23, 26 and others.

A.7 Startup and Shutdown Messages

The statusmsg function writes a string to both the terminal and the transcript:

<statusmsg 24b>=
    void statusmsg(const char *msg) {
        char date[BUFSIZ];
        time_t t = time(NULL);
        struct tm *lt = localtime(&t);
        if (lt...
        ...ror("CLOCK_MONOTONIC");
        die("retrieving monotonic time failed", 0);
    }
Uses die 23b.

If the -q flag has not been supplied, forscript will display a startup message similar to script's and write the same message to the transcript file. Note that this behavior differs from script's: When called with -q, script would not output the startup message to the terminal, but record it to the typescript file nevertheless. This is required because scriptreplay assumes that the first line in the typescript is this startup message and will unconditionally suppress its output. forscript, however, has no such limitation and will not write the startup line to the transcript if the -q flag is set.

<preparations of main loop 34a>+=
    if (!qflg)
        statusmsg(STARTMSG);
Uses STARTMSG and statusmsg 24b.

<constants 16a>+=
    const char *STARTMSG = "forscript started on %s, file is %s\r\n";
Defines STARTMSG, used in chunk 35a.

The Main Loop

The main loop, which handles input and output, will run until the child process exits.

<the main loop 35c>=
    while (CHILD > 0 || drain) {
        <main loop body 35d>
    }
Uses CHILD.

Since select manipulates the value of fds, it has to be initialized again in each iteration. First its value is cleared, then the file descriptors for standard input and the PTY's master are added to the set, then select is called to wait until one of the file descriptors has data to read available. When in drain mode, select...
...separately. If there is exactly one command line argument and it is one of these, forscript will print its version and terminate.

<process command line options 25b>=
    if (argc == 2 && (!strcmp(argv[1], "-V") || !strcmp(argv[1], "--version"))) {
        printf("%s %s\n", MYNAME, MYVERSION);
        return 0;
    }
Uses MYNAME and MYVERSION.

The other options are parsed using the normal getopt method, which requires unistd.h:

<includes 8b>+=
    #include <unistd.h>

getopt returns the next option character each time it is called, and -1 if there are none left. The option characters are handled in a switch statement. As in script, flags that turn on some behavior cause a respective global int variable to be increased by one. These flags are:

<globals 8d>+=
    int aflg = 0, fflg = 0, qflg = 0;
Defines aflg, used in chunks 26, 27 and 34.

The value of the -c parameter is stored in a global string pointer:

<globals 8d>+=
    char *cflg = NULL;
Defines cflg, used in chunks 26a and 33.

The -t flag is accepted for compatibility reasons, but has no effect in forscript, because timing information is always written.

After the loop terminates, optind arguments have been parsed. argc and argv are then modified accordingly to only handle non-option arguments (in forscript, this is only the file name). The parsing loop therefore looks like this:

<process command line options 25b>+=
    int c;
...site [7]. Corrections and improvements are encouraged; forscript is far from being perfect, and it is quite possible that during the development of additional tools, bugs and shortcomings will need to be fixed. Additionally, we will approach the maintainers of script and the forensic community, as they can probably benefit from forscript's existence.

References

[1] BSD General Commands Manual: script(1). Manual page, part of util-linux-ng [8], July 2000.
[2] Free Software Foundation. GNU Compiler Collection. http://gcc.gnu.org/, March 2010. Release 4.4.3.
[3] Michael Kerrisk. The Linux man-pages project. http://www.kernel.org/doc/man-pages/, 2010. Release 3.23.
[4] Donald E. Knuth. Literate programming. The Computer Journal, 27(2):91-111, 1984.
[5] Norman Ramsey. Literate programming simplified. IEEE Software, 11(5):97-105, 1994. The noweb system is available at
[6] Linus Torvalds. The Linux kernel. http://www.kernel.org/, 2010. Release 2.6.31.
[7] Tim Weber. forscript. http://scytale.name/proj/forscript/, release 1.0.0.
[8] Karel Zak. The util-linux-ng project. http://userweb.kernel.org/~kzak/, 2010. Current release 2.17.

A Implementation of forscript

This section will describe the code of forscript in detail. You will learn how the software hooks into the input and output stream of the client application and how it reacts to things like window size changes or the child terminating. Other interesting topi...
...subprocess of the caller. Both processes continue to run at the next command after the fork call, but the value fork() returned will be different: The child will see a return value of 0, while the parent will retrieve the process ID of the child. A negative value will be returned if the fork did not succeed.

<fork subprocesses 8c>=
    if ((CHILD = fork()) < 0) {
        perror("fork");
        die("fork failed", 0);
    }
Uses CHILD 8d and die 23b.

CHILD is used in several places when dealing with the subprocess, therefore it is a global variable:

<globals 8d>=
    int CHILD = 0;
Defines CHILD, used in chunks 9, 23 and 37.

After forking, the child launches (or, to be exact, becomes) the process that should be logged within doshell, while the parent does the actual input/output logging within doio.

<fork subprocesses 8c>+=
    if (CHILD == 0)
        doshell();
    else
        doio();
Uses CHILD 8d, doio 33c and doshell.

Further code can be found in the appendix.

5 Evaluation

In order to show you what the code you have just seen actually does, this section contains instructions on how to compile it, and it features an example transcript file analyzed in detail.

5.1 Compiling forscript

forscript is written conforming to the C99 and POSIX.1-2001 standards with portability in mind. It has been developed on a machine running Linux 2.6.32 [6] using glibc 2.10 and GCC 4.4.3 [2]. The following command line is an example of how to compile forscript:

    gcc -std=...
...t file. A replaying application should wait for the time specified in this chunk before

Since the seconds and nanoseconds are represented as integers, converting to a floating point number would mean a loss of precision. Therefore, both integers are subtracted independently. If the nanoseconds part of now is less than that of ts, the seconds part has to be decreased by one for the result to be correct.

<chunks 17a>+=
    int chunk16(struct timespec *ts) {
        unsigned char buf[2 * sizeof(uint32_t)];
        uint32_t secs, nanos;
        struct timespec now;
        if (clock_gettime(CLOCK_MONOTONIC, &now) < 0)
            return -1;
        secs = now.tv_sec - ts->tv_sec;
        if (now.tv_nsec >= ts->tv_nsec) {
            nanos = now.tv_nsec - ts->tv_nsec;
        } else {
            /* borrow one second from the seconds part */
            nanos = 1000000000L - (ts->tv_nsec - now.tv_nsec);
            secs--;
        }
        *ts = now;
        secs = htonl(secs);
        nanos = htonl(nanos);
        memcpy(&buf[0], &secs, sizeof(secs));
        memcpy(&buf[sizeof(secs)], &nanos, sizeof(nanos));
        return chunkwm(0x16, buf, sizeof(buf));
    }
Defines chunk16, used in chunk 36b. Uses chunkwm 23a.

A.4 Magic Number

Since a forscript file has to start with a file version chunk, followed by a begin of session chunk, there is a distinctive eight-byte signature at the beginning of each file: 0x0e 0x0e 0x01 0x01 0x0f 0x0e 0x0e 0x02. The first two bytes start a metadata chunk, the third one identifies it as a file version chunk. The fourth byte contains the version number...
...t includes blocks of additional data, called control chunks, at arbitrary positions. A control chunk is started by a shift out byte (0x0e) and terminated by a shift in byte (0x0f). Each control chunk is either an input chunk or a metadata chunk.

3.1 Input Chunks

Input chunks contain the data that is sent to the client application's input stream, which is usually identical to the user's keyboard input. They are of arbitrary length and terminate at the shift in byte. If a literal shift out or shift in byte needs to appear in an input chunk's data, it is escaped by prepending a data link escape byte (0x10). If a literal data link escape byte needs to appear in an input chunk's data, it has to be doubled, i.e. 0x10 0x10. For example, if the user sends the byte sequence 0x4e 0x0f 0x00 0x61 0x74 0x10, the complete binary value of the input chunk written to the transcript file is 0x0e 0x4e 0x10 0x0f 0x00 0x61 0x74 0x10 0x10 0x0f.

Table 1: forscript file format metadata chunk types

    type   name                    size
    0x01   file version            1 byte
    0x02   begin of session        10 bytes
    0x03   end of session          1 byte
    0x11   terminal size           two 2-byte values
    0x12   environment variables   arbitrary number of C strings
    0x13   locale settings         7 C strings
    0x16   delay                   two 4-byte values

3.2 Metadata Chunks

Metadata chunks (also called meta chunks) contain additional information about the file or the application's status, for example environment variables, terminal settings or time stamps. They contain an additiona...
<execute the shell 32d>+=
    perror(shell);
    die("execing the shell failed", 0);
Uses die 23b.

A.11 Handling Input and Output

While script forks twice and utilizes separate processes to handle input and output to and from the client application, forscript uses a single process for both tasks, taking advantage of the select function defined in select.h that allows it to monitor several open file descriptors at once.

<includes 8b>+=
    #include <sys/select.h>

Input and output data will never be read simultaneously. Therefore, a single data buffer is sufficient. Its size is BUFSIZ bytes, which is a constant defined in stdio.h and contains a recommended buffer size, for example 8192 bytes. The number of bytes that have been read into the buffer by read will be stored in count. If the main loop exits (the child has terminated), done() is called to flush data and tidy up the environment.

<doio 33c>=
    void doio(void) {
        char iobuf[BUFSIZ];
        int count;
        <preparations of main loop 34a>
        <the main loop 35c>
        done();
    }
Defines doio, used in chunk 9. Uses done 37d.

Preparing the Main Loop

The select function is supplied with a set of file descriptors to watch, stored in the variable fds. It returns in sr the number of file descriptors that are ready, or -1 if an error occurred (for example, a signal like SIGWINCH was received). Additionally, it requires the number of the highest numbered file descriptor plus one as its f...
            ...unt);
            write(STDOUT_FILENO, iobuf, count);
        } else {
            drain = 0;
        }
    }
Uses OUTF 22a and PTM 28c.

If the -f flag has been specified on the command line, the file should be flushed now that data has been written.

<main loop body 35d>+=
    if (fflg)
        fflush(OUTF);
Uses OUTF.

A.12 Finishing Execution

Since a signal handler can handle more than one signal, its number is passed as an argument. However, finish only handles SIGCHLD, therefore it will ignore its argument. Its only task is setting CHILD to -1, which will cause the main loop to exit as soon as possible.

<finish 37b>=
    void finish(int signal) {
        UNUSED(signal);
        CHILD = -1;
    }
Defines finish, used in chunk 8a. Uses CHILD 8d and UNUSED 37c.

UNUSED is a macro that causes the compiler to stop warning about an unused parameter:

<macros 37c>=
    #define UNUSED(var) while (0) (void)(var)
Defines UNUSED, used in chunks 30a and 37b.

The function done is called as soon as the main loop terminates. It cleans up the environment, resets the terminal and finishes execution. First, it has to fetch the exit status of the child process using wait:

<done 37d>=
    void done(void) {
        int status;
        wait(&status);
Defines done, used in chunks 33c and 37.

To be able to use wait, wait.h must be included:

<includes 8b>+=
    #include <sys/wait.h>

If the -q flag has not been supplied, forscript will write a shutdown message to both the terminal and the transcript file...
...which is currently 0x01, but may change in the future. Byte 5 closes the version chunk, 5 to 8 start a begin of session chunk.

A.5 Writing Metadata Chunks to Disk

The function chunkwd takes a pointer and a byte count as arguments and writes chunk data to the transcript file, applying required escapes on the fly. To improve performance, it does not write byte by byte, but instead scans the input data until it finds a special character. When it does, it writes everything up to (but not including) the special character to the file and then adds a DLE character. The search then goes on. If another special character is found, everything from the last special character (inclusive) to the current one (exclusive) plus a DLE is written. Eventually, the whole input data will have been scanned, and the function terminates after writing everything from the last special character (inclusive), or the beginning of the data if there were no special characters, to the end of the input data. This is the code:

<chunkwd 21>=
    int chunkwd(unsigned char *data, int count) {
        int escaped = 0;
        int pos = 0;
        int start = 0;
        while (pos < count) {
            /* the lower bound of the special range was lost in the scan;
               SO (0x0e) is the smallest of the three special bytes */
            if (data[pos] <= ESCMAX && data[pos] >= SO) {
                if (pos > start)
                    if (swrite(&data[start], sizeof(char), pos - start, OUTF))
                        return -1;
                if (swrite(&DLE, sizeof(DLE), 1, OUTF))
                    return -2;
                start = pos;
                escaped++;
            }
            pos++;
        }
        if (swrite(&data[start], sizeof(char), pos - start, OUTF))
            return...