9. Product

General

In all three cases (webhosting, vServer, root server), an illegal service should, as a matter of principle, be taken off the internet as quickly as possible.

Webhosting

In the case of "simple" webhosting, the ISP will "unfortunately" only be able to secure an excerpt, out of consideration for the uninvolved third parties on the same system.
One advantage, however, is that customers usually cannot apply transparent encryption to their hosted data.

Information to gather about the system (file directories and the storage locations of log files are of special interest):

  • distribution including version (Linux will typically be used);
  • ... and any non-standard configuration;
  • applications (Apache HTTP Server, MariaDB Server, PHP: Hypertext Preprocessor) including release numbers;
  • ... and any non-standard configuration of the ISP;
  • ... and the customer's specific configurations (usually by way of a web front-end, e.g. Parallels Plesk).

The service to be saved should be stopped before saving it (if at all possible).

Example of saving the Document Root of an Apache HTTP Server running on Debian GNU/Linux:

Example 1: local data storage device

# find /var/www \( -type f -o -type d -o -type l \) -exec stat '{}' \; | tee -a var_www_stat
  File: „./index.html“
  Size: 11104 Blocks: 24 IO Block: 4096 regular file
Device: fe03h/65027d Inode: 100689847 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-10-13 08:51:21.733845567 +0200
Modify: 2015-09-29 17:26:45.342639038 +0200
Change: 2015-09-29 17:26:45.342639038 +0200
 Birth: -
[...]

# find /var/www \( -type f -o -type d \) -exec getfacl -np '{}' \; | tee -a var_www_getfacl
# file: ./index.html
# owner: 0
# group: 0
user::rw-
group::r--
other::r--
[...]

# find /var/www -type f -exec openssl md5 '{}' \; | tee -a var_www_md5
MD5(index.html)= 74cec59a19e5d16f7cc6a2445e35fa3b
[...]

# find /var/www -type f -exec openssl sha1 '{}' \; | tee -a var_www_sha1
SHA1(index.html)= 82e01cba3a822a0b52734eced67839eacf3d8eea
[...]

# tar -cpPzv --atime-preserve --numeric-owner --acls --format=pax --file var_www.tar.gz /var/www
/var/www/index.html
[...]

# openssl md5 var_www.tar.gz | tee -a var_www.tar.gz.md5
[...]

# openssl sha1 var_www.tar.gz | tee -a var_www.tar.gz.sha1
[...]

Example 2: by SSH via the network

Source:

# find /var/www \( -type f -o -type d -o -type l \) -exec stat '{}' \; | ssh user@192.168.178.123 "cat > ~/Logical_Acquire/var_www_stat"
user@192.168.178.123's password: ************

# find /var/www \( -type f -o -type d \) -exec getfacl -np '{}' \; | ssh user@192.168.178.123 "cat > ~/Logical_Acquire/var_www_getfacl"
user@192.168.178.123's password: ************

# find /var/www -type f -exec openssl md5 '{}' \; | ssh user@192.168.178.123 "cat > ~/Logical_Acquire/var_www_md5"
user@192.168.178.123's password: ************

# find /var/www -type f -exec openssl sha1 '{}' \; | ssh user@192.168.178.123 "cat > ~/Logical_Acquire/var_www_sha1"
user@192.168.178.123's password: ************

# tar -cpPzv --atime-preserve --numeric-owner --acls --format=pax --file - /var/www | ssh user@192.168.178.123 "cat > ~/Logical_Acquire/var_www.tar.gz"
user@192.168.178.123's password: ************

Destination:

# cat ~/Logical_Acquire/var_www_stat
  File: „./index.html“
  Size: 11104 Blocks: 24 IO Block: 4096 regular file
Device: fe03h/65027d Inode: 100689847 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-10-13 08:51:21.733845567 +0200
Modify: 2015-09-29 17:26:45.342639038 +0200
Change: 2015-09-29 17:26:45.342639038 +0200
 Birth: -
[...]

# cat ~/Logical_Acquire/var_www_getfacl
# file: ./index.html
# owner: 0
# group: 0
user::rw-
group::r--
other::r--
[...]

# cat ~/Logical_Acquire/var_www_md5
MD5(index.html)= 74cec59a19e5d16f7cc6a2445e35fa3b
[...]

# cat ~/Logical_Acquire/var_www_sha1
SHA1(index.html)= 82e01cba3a822a0b52734eced67839eacf3d8eea
[...]

# openssl md5 ~/Logical_Acquire/var_www.tar.gz | tee -a ~/Logical_Acquire/var_www.tar.gz.md5
MD5(mnt.tar.gz)= 1d9d8be9a88842b95388ec50297be054
[...]

# openssl sha1 ~/Logical_Acquire/var_www.tar.gz | tee -a ~/Logical_Acquire/var_www.tar.gz.sha1
SHA1(mnt.tar.gz)= 387457b334ae06850adf7c97d443779f2a4f5099
[...]

The procedure would be similar for log files and other services (MariaDB Server, PHP: Hypertext Preprocessor, FTP Server, Mail Server, ...).
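Once the hash lists have reached the destination (Example 2) or the archive has been unpacked, the copy should be checked against them rather than trusted. The following script is an added example, not part of the original guide: it parses the `MD5(...)= ...` / `SHA1(...)= ...` lines that `openssl md5` and `openssl sha1` write, re-hashes the copy and reports mismatched or missing files. The document root, the file names and the "altered after acquisition" file are constructed for the demonstration.

```python
import hashlib
import os
import pathlib
import re
import tempfile

# Shape of the lines `openssl md5 FILE` / `openssl sha1 FILE` write, e.g. in var_www_md5:
#   MD5(/var/www/index.html)= 74cec59a19e5d16f7cc6a2445e35fa3b
OPENSSL_DGST = re.compile(r"^(?P<algo>[A-Za-z0-9]+)\((?P<path>.+)\)= (?P<hex>[0-9a-fA-F]+)$")

def parse_openssl_list(text):
    """Return {path: (hashlib algorithm name, hexdigest)}; '[...]' and other junk lines are skipped."""
    recorded = {}
    for line in text.splitlines():
        m = OPENSSL_DGST.match(line.strip())
        if m:  # openssl prints "MD5"/"SHA1"; hashlib wants "md5"/"sha1"
            recorded[m["path"]] = (m["algo"].lower(), m["hex"].lower())
    return recorded

def file_digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def verify_copy(recorded, src_root, dst_root):
    """Re-hash the copy under dst_root; recorded paths are absolute source paths
    (that is how `find /var/www ...` records them), so they are re-rooted onto dst_root."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for src_path, (algo, expected) in sorted(recorded.items()):
        dst_path = os.path.join(dst_root, os.path.relpath(src_path, src_root))
        if not os.path.isfile(dst_path):
            report["missing"].append(src_path)
        elif file_digest(dst_path, algo) != expected:
            report["mismatch"].append(src_path)
        else:
            report["ok"].append(src_path)
    return report

def demo():
    """Constructed data: a two-file document root, its SHA1 list, and a copy with one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "var", "www"), os.path.join(tmp, "copy")
        files = {"index.html": b"<html>constructed</html>\n", "robots.txt": b"User-agent: *\n"}
        for root in (src, dst):
            os.makedirs(root)
            for name, data in files.items():
                pathlib.Path(root, name).write_bytes(data)
        # Same shape as `find SRC -type f -exec openssl sha1 '{}' \;` writes into var_www_sha1
        listing = "".join(f"SHA1({os.path.join(src, n)})= {file_digest(os.path.join(src, n), 'sha1')}\n"
                          for n in files)
        pathlib.Path(dst, "index.html").write_bytes(b"<html>altered after acquisition</html>\n")
        return {k: [os.path.basename(p) for p in v]
                for k, v in verify_copy(parse_openssl_list(listing), src, dst).items()}
```

The same parser also reads the archive hash files (`var_www.tar.gz.md5`, `var_www.tar.gz.sha1`), so the transported archive can be checked before it is unpacked.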

vServer

In the case of a virtual server, the "host" situation is similar to that of webhosting (distribution, encryption, ...). However, there is a chance that the data of the virtual server is located on a single virtual drive or in a single regular file that can be saved completely (analogous to the root server).

Information about the system:

  • distribution including version (Linux will typically be used);
  • ... and any non-standard configuration;
  • type and implementation of the virtualisation (product and configuration);
  • customer configuration options.

Typically, you will not be able to access the running system on the vServer. For this reason, producing a logical backup from decrypted devices/containers will not be easily possible.
HOWEVER: be sure to back up the main memory of the running vServer.

Always shut down the vServer before making a backup of the virtual drive/regular file (where the system is located), if possible.

Root Server

The best case is a Dedicated Root Server. Theoretically, such a server can be handed over completely.

Information about the system:

  • What distribution was chosen at the time of ordering?
  • What password was communicated to the customer as part of the server provision?

Example of creating a backup of a RAID that is distributed on two physical drives:

Take the following actions in order to prevent writes (if possible):

  • unmount (umount) all file systems that are located on logical drives (/dev/dm-X);
  • unmount (umount) all file systems that are located directly on a RAID (/dev/mdX).

Example 3: RAW Image

# openssl md5 /dev/sda | tee -a dev_sda.md5
[...]
# openssl sha1 /dev/sda | tee -a dev_sda.sha1
[...]
# dd if=/dev/sda of=sda.dd bs=512 conv=noerror,sync
[...]
# openssl md5 sda.dd | tee -a sda.dd.md5
[...]
# openssl sha1 sda.dd | tee -a sda.dd.sha1
[...]

# openssl md5 /dev/sdb | tee -a dev_sdb.md5
[...]
# openssl sha1 /dev/sdb | tee -a dev_sdb.sha1
[...]
# dd if=/dev/sdb of=sdb.dd bs=512 conv=noerror,sync
[...]
# openssl md5 sdb.dd | tee -a sdb.dd.md5
[...]
# openssl sha1 sdb.dd | tee -a sdb.dd.sha1
[...]

# openssl md5 /dev/md1 | tee -a dev_md1.md5
[...]
# openssl sha1 /dev/md1 | tee -a dev_md1.sha1
[...]
# dd if=/dev/md1 of=md1.dd bs=512 conv=noerror,sync
[...]
# openssl md5 md1.dd | tee -a md1.dd.md5
[...]
# openssl sha1 md1.dd | tee -a md1.dd.sha1
[...]

(A solution over the network, similar to the second example, is of course also possible.)

Post-processing (as needed):

  • mount all file systems that are located on logical drives;
  • mount all file systems that are located directly on a RAID.

Additional services

If the customer also has the option to register internet domains directly using a Domain Registration Robot, this option should be taken away from that customer too.

The same holds true of course with regard to any access to a Nameserver Robot. Other providers might provide similar front-ends.
