[Cryptography] Cheap forensic recorder

Kevin W. Wall kevin.w.wall at gmail.com
Fri Feb 27 23:54:40 EST 2015


On Fri, Feb 27, 2015 at 11:01 AM, Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> I have been using a Raspberry Pi 2 as a burner machine in a legal case. The
> nice feature of the Pi is that I can pull the O/S image card, drop it in
> an evidence bag and FedEx it to the lawyers.
>
> This approach lets me:
>
> * Use a machine in a verifiable known state
> * Control exactly what is on the machine
>
> But I would like to go a little further. In particular I would ideally like
> a complete, signed record of every keystroke and the video output.
>
> Some folk have been setting up screen capture (scrot) with a crontab job.
> Since this is X-Windows, is there an easy way to insert an X-Windows logger
> in the path?
>
> This is all preparatory to being able to dump the recorded stream into a
> timestamp notary system.

Phillip,

If you only need to log keystrokes to shell / terminal windows, I think
some of them have their own logging facility built in.  In addition, PAM
supports audit logging via the pam_tty_audit.so PAM module. (E.g.,
see http://fatmin.com/2014/07/17/rhel6-cool-pam-tricks-logging-terminal-keystokes/
for an example of how to use that with RHEL 6.)

I think the first will record input and output, but if not, there's always the
'script' command that you could run. (But beware of captured passwords, etc.,
which, IIRC, script captures even when echo is disabled.)

Also, you could configure auditd to run. That doesn't capture keystrokes,
but will capture all the commands along with arguments that are run.

Hope that helps some. You probably will have to install some additional
software on your Raspberry Pi to get some of these to work, but it
shouldn't be too hard as most of these things work on most Linux
distros. (Of course, if you are also doing something that records output,
such as the 'script' command, make sure you have sufficient space.)

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
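The thread's end goal is a tamper-evident record that can later be handed to a timestamp notary. The following added example (not from either poster) shows one way to prepare the captured stream for that: each capture (a 'script' transcript chunk, a scrot screenshot) is committed into a hash chain, so the single chain head is all that needs notarizing, and a verifier can later locate any altered, reordered or missing artifact. The sample captures are constructed inline.

```python
import hashlib
import json
from typing import Iterable, List, Optional, Tuple

# Constructed sample captures: (unix timestamp, artifact name, raw bytes).
# In practice these would be 'script' typescript chunks and scrot PNG files.
SAMPLE_CAPTURES = [
    (1425078000, "typescript.000", b"$ ls -l /evidence\r\n"),
    (1425078060, "screen-000.png", b"\x89PNG\r\n\x1a\n...constructed..."),
    (1425078120, "typescript.001", b"$ sha256sum os-image.img\r\n"),
]

GENESIS = "0" * 64  # fixed, public starting value for the chain


def _entry_hash(prev: str, ts: int, name: str, content_digest: str) -> str:
    # Canonical JSON so recorder and verifier hash byte-identical input.
    payload = json.dumps([prev, ts, name, content_digest], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(captures: Iterable[Tuple[int, str, bytes]]) -> List[dict]:
    """Append-only manifest: every entry commits to all earlier entries."""
    chain, prev = [], GENESIS
    for ts, name, data in captures:
        cd = hashlib.sha256(data).hexdigest()
        h = _entry_hash(prev, ts, name, cd)
        chain.append({"ts": ts, "name": name, "sha256": cd, "prev": prev, "hash": h})
        prev = h
    return chain


def chain_head(chain: List[dict]) -> str:
    """The one value to submit to the timestamp notary (e.g. an RFC 3161 TSA)."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: List[dict], artifacts: dict, expected_head: str) -> Optional[int]:
    """Return None if intact; otherwise the index of the first bad entry.
    A truncated chain (head mismatch with all entries valid) returns len(chain)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        data = artifacts.get(e["name"])
        if data is None or e["prev"] != prev:
            return i  # missing artifact or broken linkage
        if hashlib.sha256(data).hexdigest() != e["sha256"]:
            return i  # artifact content altered after recording
        if _entry_hash(prev, e["ts"], e["name"], e["sha256"]) != e["hash"]:
            return i  # manifest metadata (timestamp/name) edited
        prev = e["hash"]
    return None if prev == expected_head else len(chain)
```

Only the notarized head and the manifest need to travel with the evidence bag; the artifacts themselves can be verified against them at any later time.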