
Open Source Security Tools : Practical Guide to Security Applications part 41 doc


Making Copies of Forensic Evidence 379
share = Printer3 - Acrobat Distiller
share = Printer2 - Acrobat PDFWriter
User = Administrator, , , Built-in account for administering the
computer/domain
Admin is TONYVPRDESKTOP\Administrator
User = Howlett, , ,
User = Guest, , , Built-in account for guest access to the
computer/domain
User = HelpAssistant, Remote Desktop Help Assistant Account,
Account for Providing Remote Assistance
User = SUPPORT_388945a0, CN=Microsoft
Corporation,L=Redmond,S=Washington,C=US, , This is a vendor's
account for the Help and Support Service
User = Tony Howlett,
In this listing you can see two users you don’t normally see in the User Accounts section
on your Windows system: the HelpAssistant and SUPPORT users. These are system-level
users for internal programs (the Remote assistance features and the annoying Notify
Support feature that pops up every time a program bombs out). Other hidden users concealed
by a skilled intruder could be revealed using this tool.
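One way to put this check into practice is to diff the "User =" records of such a listing against a baseline of accounts you expect on the machine. The following Python is an added example, not part of the original book or of the tool that produced the listing; the sample listing, the host name EXAMPLEHOST, the svc_backup$ account and the function names are all constructed for illustration.

```python
import re

# Constructed sample in the format of the listing above. "svc_backup$" is an
# invented account standing in for one that is not in the expected baseline.
SAMPLE = """\
share = Printer3 - Acrobat Distiller
User = Administrator, , , Built-in account for administering the
computer/domain
Admin is EXAMPLEHOST\\Administrator
User = Guest, , , Built-in account for guest access to the
computer/domain
User = HelpAssistant, Remote Desktop Help Assistant Account,
Account for Providing Remote Assistance
User = svc_backup$, , ,
"""

# A new record starts with one of these prefixes; any other non-empty line is
# the wrapped continuation of the record before it.
RECORD_START = re.compile(r"^(share|User) = |^Admin is ")


def parse_users(text):
    """Return {account_name: remaining_fields} for every 'User = ' record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            current = [line]
            records.append(current)
        elif current is not None:
            current.append(line)  # rejoin a wrapped line with its record
    users = {}
    for rec in records:
        joined = " ".join(rec)
        if joined.startswith("User = "):
            # The account name is everything before the first comma.
            name, _, rest = joined[len("User = "):].partition(",")
            users[name.strip()] = rest.strip(" ,")
    return users


def unexpected_accounts(text, baseline):
    """Accounts in the listing that are absent from the baseline.

    Windows account names are case-insensitive, so compare lowercased.
    """
    known = {name.lower() for name in baseline}
    return sorted(n for n in parse_users(text) if n.lower() not in known)


if __name__ == "__main__":
    expected = {"Administrator", "Guest", "HelpAssistant"}
    for account in unexpected_accounts(SAMPLE, expected):
        print("not in baseline:", account)
```

The baseline should be captured from a known-good build of the same system, since built-in accounts such as HelpAssistant vary between Windows versions.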
This chapter is not meant to be a comprehensive listing of all possible forensic tools,
but these tools should give you enough to get started with basic forensic activity on just
about any system. If you are doing this as a career or have an involved investigation, there
are many other tools available. For a good listing of open source forensic tools, visit
www.opensourceforensics.org/.
Howlett_CH11.fm Page 379 Friday, June 25, 2004 12:33 AM
Chapter 12: More on Open Source Software
You know now how to keep your data safe inside and outside your network and how to
detect and investigate attacks on your systems and networks. This book has reviewed dozens
of open source security tools covering just about every aspect of information security.
However, this just scratches the surface of what is available. For each category, I tried to
pick the best tool (in my opinion) to showcase, but there were often scores of others to
choose from. In addition, there are open source software alternatives for just about every
type of application you can think of, including word processors, network management,
multimedia, and more. The list goes on and on.
This final chapter gives you some resources for further investigation of open source
security tools and how to get involved in the open source community.
Open Source Resources
If you want to further explore the world of open source software, check out the many
resources on the Internet.
USENET Newsgroups
USENET is a network of servers that hosts discussion lists on subjects as varied as politics,
hobbies, and of course computers. These forums are called newsgroups and they act
as a sort of community bulletin board for people interested in particular topics. USENET
got its start as a technical discussion group, and there are still a wide variety of groups
covering technical subjects. Although spammers and the use of Web-based forums have
dulled the effectiveness of USENET, there are still a number of active USENET newsgroups
related to open source.
You need a USENET newsreader to access USENET. Most modern browsers have
one built in. In Internet Explorer, from the Tools menu choose Mail and News, and then
select Read News. You also need a valid USENET News Server to subscribe to. ISPs used
to provide this service as part of their standard offering and many still do. If yours doesn’t,
there are public USENET servers you can connect to. Check out www.newzbots.com to
find public USENET feeds. Once you’ve subscribed to a server, here are a few of the general
groups that might be of interest. There are many others related to specific operating
systems or programs.

comp.sci.opensource

comp.os.linux.advocacy

comp.os.unix.bsd.freebsd.misc

comp.os.unix.bsd.openbsd.misc
You can also go to the Google Groups site (click on Groups at www.google.com). In
addition to having access to current postings and groups, it houses the former Dejanews
site, which was an archive of USENET news discussions going back to 1992. However,
the use of USENET is declining and many forums are moving to Web-based forums or
moderated mailing lists to cut down on the noise-to-signal ratio in the postings.
Mailing Lists
There are many mailing lists related to open source. Most are specific to a particular program.
They are used to provide support and collaboration on the project. Check the Web
site or documentation for your program to find out if it has a mailing list and how to subscribe.
The tools discussed in this book have pertinent mailing lists shown at the beginning
of each tool section. There are also some general discussion lists.

Linux general discussion:
To subscribe, send an e-mail to
and put SUBSCRIBE on the Subject line.

BSD mailing list archive:
Web Sites
There are tons of Web sites about open source software. Any project of a decent size will
have a Web site dedicated to it. There are also some good general information sites. The
following are great sites to start if you are just getting into open source.
SourceForge SourceForge (sourceforge.net) is a great Web site for support and information
on open source projects (see Figure 12.1). It is run by the Open Source Development
Network, which funds the site with ads and by selling its open source development
software. SourceForge provides a forum for discussing open source software and has
many resources for open source projects. If you have a budding open source program,
SourceForge will provide you with a home page, forums, project management tools, a
place to store your program for download, and many other resources. This is all provided
for free, although there are some strings attached to your use of them.
It is also a great place to look through the over 80,000 open source software projects
cataloged there, and they are searchable by category and platform. Granted that some of
them are probably half-baked ideas with minimal support, but there are also thousands of
full-featured, time-tested programs. You can get involved with any of the projects or get
feedback or support there. SourceForge attracts hundreds of thousands of users and creators
of the latest open source software. If you are starting up a project, it’s a great place to look
for recruits.
Slashdot Slashdot (www.slashdot.org) is a site for news on all things open source. It is
written and maintained by and for hardcore coders, mostly open source based. Go there to
get the latest scuttlebutt, rumors, and breaking news as well as all kinds of interesting articles
and opinions. It is part geek shoptalk, part hard news and articles, and part satire and
commentary. In fact, it has become part of the techie lexicon to say a site has been “slashdotted”
when it receives an overwhelming amount of traffic from being mentioned on the
site.
Freshmeat Freshmeat (www.freshmeat.net) is a no-nonsense site for discussing and
developing open source software. It is kind of a combination of Slashdot and SourceForge
but on a smaller scale. This might be a plus for some who are intimidated by SourceForge’s
size and the number of options and resources. It also has articles and discussion
groups as well as directly offering many projects for download.

Figure 12.15 SourceForge Web Site

Open Source Initiative The Open Source Initiative (www.opensource.org) is an organization
dedicated to promoting and refining the concept of open source software development.
It offers a formal definition of what open source software should consist of and
offers certification of such status, even though many people may claim this is a moving
target and open source by definition is constantly changing and indefinable. Only a handful
of programs so far bear their approval seal, but they are some of the bigger ones such as
the Apache Web server and the Sendmail program. I feel that it’s a move in the right direction
for the future of open source: Only once the open source world organizes itself and
agrees to certain standards will it gain a significant foothold in corporate America.
Standardization promotes adoption.
Free Software Foundation This site (www.fsf.org) is the home base for one of the
two major camps in the open source world. The FSF houses the GNU project as well as
their official software products. It is also the place to find the GPL license and learn all
about how it works. Some might see their view of advocating that all software should be
free as radical, but they have certainly provided the base for much of the open source software
available today.
There are many, many other sites on open source software, and new ones are being
established all the time. Use your favorite search engine and enter the terms “open source
security” or “open source software” and see where it takes you.
Joining the Open Source Movement
Once you’ve used the open source security tools in this book and benefited from them, you
may feel like you want to get more involved. In most cases, the software is free and you
are not obligated to do anything in return for the benefit you receive. However, a lot of
time and effort went into building and maintaining the software you are using, all of it by
volunteers. The only way that open source continues to work and grow is by the collective
effort. This may sound vaguely socialist to some, especially to employees of commercial
software concerns, but it is not that different from your local PTA or little league baseball
organization. It is the people involved who make open source software great.
In doing so, you will not only help keep open source alive and growing, but also meet
friends who have the same interests, make valuable business contacts in your field, and
learn a lot in the process about project management, working with others, and of course
technical knowledge and experience.
You don’t have to be a coding guru to contribute. The key to helping the open source
movement prosper is just to participate. There are a number of ways you can get involved,
ranging from taking a few hours of your time to this work becoming a second job.
Bug Finder/Beta Tester
Even if you are just a user and have no interest in coding, you can help your favorite open
source security tool. Most major projects have bug tracking mailing lists, and some have
more complicated systems for reporting issues. If you are working with the program and
find something that doesn’t work right, report it and see if it can be fixed. In the process
of getting your problem fixed, you’ll help the developers track down bugs and improve
the program. Of course, you will want to make sure that the problem you are having is a
software bug and not an installation error on your part, but the people on the lists are usually
more than happy to set you straight.
To report bugs properly, make sure that you gather all the environmental variables and
try to duplicate the problem to figure out under exactly what conditions the error happens.
Things like operating system, version of the program, settings, hardware, and so on are all
important. Also make sure you have any error messages, log files, or core dumps for the
developers to analyze.
You can also be a beta tester of the latest code. Some projects offer you the ability to
run either “stable” or “experimental” code. While most users will use the stable code, you
can be a trailblazer and try the experimental or beta versions. Keep in mind that there may
be hiccups while using this software; for example, sometimes the new code will break
things that worked before. If you are going to run beta code, you will probably want to run
it on a test machine before putting it into production.
Other projects may distribute beta code to a limited list of testers. They will want the
first users of the code to be experienced users who know they are using beta software. That
way, they can rule out the usual newbie mistakes and have users who understand how the
software works and can accurately describe their problems. So, you probably shouldn’t
volunteer to be a beta user until you have some experience with the software. When you
are ready, ask the key developers to be put on this list. This way you can help improve the
software for future users. The side benefit of this is that you will be the first to get
cutting-edge features and you can be instrumental in deciding what new features get added.
Participate in Discussion Groups and Support Other Users
Most open source projects have a mailing list for discussion and technical questions. You
should subscribe to this list even if you don’t plan on participating right away. You don’t
have to be an active poster to the list to gain some benefits. It’s okay to just “lurk” and read
the questions and answers that are posted. I have learned a lot of things about the software
that I never would have found out, just by casually following the mailing list discussions.
A word of warning, though: Some of these lists are very active and have dozens of messages
posted a day. This can be overwhelming for some, especially if you are already overworked
like most system administrators. But even reading only an occasional message that
interests you can be of value. If you feel you are getting too much e-mail, consider subscribing
to a “digest” version of the list, which is a single message you get daily or weekly
that contains a compilation of all the messages posted. This way you only get one message
and can sort through it when you have the time. Still, make sure you understand how to
unsubscribe from a list before subscribing so you can get off the list easily if the volume is
too much for you to handle.
Most open source mailing lists use a software package called Majordomo to manage
their lists (this is also an open source project!). The standard commands for subscribing
and unsubscribing on this kind of system are as follows.

Subscribe: Send a message to the list manager address (usually found on the Web
site) with the word “Subscribe” in the subject and body of your message. You may
get a message to confirm that you do want to be on the list. Once you reply, you’ll
start getting messages.

Unsubscribe: Send a message to the list manager address, and put the word “Unsubscribe”
in the subject and body of the message.
Mailing lists can be operated as moderated or unmoderated forums. In the unmoder-
ated format, anyone can post anything and the messages go up immediately. This is the
best kind of list for getting information quickly. However, many unmoderated lists quickly
fill up with off-topic conversations, arguments, and flame-wars. That’s why most lists are
now moderated, which means that a person, the list moderator, must review each post,
decide if it’s relevant to the list charter, and approve it to be posted. This makes for a
much lower message volume that is always relevant, but it may mean your posts for help
on a subject are delayed for several days until the moderator gets around to it. And moderators
will usually shut down list activity for holidays (moderators deserve holidays too), so
getting answers during a holiday may be spotty.
Once you are confident that you can hang with the big dogs, begin making some
posts, answer some easy questions, and provide an opinion here or there. This will take the
load off of more technical developers by having others answer basic questions, and it will
also provide a wider base of knowledge for the whole project. After all, you may have
experience with a specific configuration or platform that no one else has—you may be
operating in an unusual environment or you might have a different take on a particular
question or issue. Chances are that someone out there can use your help. You will feel
good about helping others and you’ll be amazed at how thankful and gracious the people
you help will be. If only your internal users could be so nice and grateful!
Provide Resources to the Project
Here is something you can do even if you don’t have programming abilities or much experience
with the software. Open source projects generally don’t have any revenue to support
any expenses incurred in the development and maintenance of the software. While most of
the labor is provided by the volunteers, there are still the issues of where to host the Web
site for the project, what hardware to put it on, and many others. Again, the participants
usually donate most of this. If you have an old machine that could be used as a Web server,
let the key people know. You’d be surprised what an old machine can do running Linux
and Apache. If your company is amenable to it, see if you could offer to host the project
Web site on company bandwidth. Your company might not want to do it if it’s a big
project, but for small projects just getting off the ground bandwidth utilization will probably
be minimal and most of it will be during non-office hours. If you have Web design
skills, offer to put up a Web site. If your personal ISP provides free Web site space, offer to
use that for the project. A nonprofit endeavor usually falls under your terms of service for
personal Web space. Finally, some open source packages even accept good old greenbacks
as a “donation” for using the software. You might be able to convince your company
to put up a few bucks as an alternative to paying retail for off-the-shelf software. Anything
you can think of will usually come in handy for an open source project. Graphic design
skill to design a logo, e-mail accounts to support the mailing lists, legal help in crafting the
licenses—all these things represent creative ways to help your favorite open source
project.
Patronize Companies That Use or Support Open Source Products
While you don’t have to spend your budget dollars on the software, you do spend money
on other things. When buying hardware, software, or services, make it a point to give vendors
who use or support open source software special consideration. After all, if companies
can be commercially viable by using open source software as a key part of their
offerings, it only strengthens the cause. Companies such as Sun, IBM, and Dell are heavily
promoting open source.
More Open Source Security Tools
You should now understand the basic concepts of information security and how to apply
them to your company using open source security tools. Using the programs and information
in this book, you can make your systems and network much more secure from the
dangers of computer crime. We have covered programs that will bring greater confidentiality,
integrity, and availability to your networks, systems, and data, all for a price that
should fit into everyone’s budget.
Hopefully, you understand that good information security is more than just programs
and technology. It is also about processes and people. It takes a combination of good people,
processes, and technology to truly secure your network. Open source security tools
can give you best-of-breed software to build a solid foundation for information security.
The open source movement is growing every day, increasing its visibility and legitimacy.
I hope that this book encourages you to become more involved and contribute to the
effort of creating quality security tools using the open source framework. It is a lot of fun,
you will learn a lot, and you will feel good about making the Internet and networks more
secure. Perhaps a future edition of this book will feature an open source security tool written
by you.