100% found this document useful (47 votes)

154 views

EBOOK Digital Forensics With Open Source Tools Using Open Source Platform Tools For Performing Computer Forensics On Target Systems Windows Mac Linux Unix Etc Ebook Pdf Version download full chapter pdf kindle

ebook

Uploaded by

jeffery.beltran629

Available Formats

Download as PDF, TXT or read online on Scribd

100% found this document useful (47 votes)

154 views

EBOOK Digital Forensics With Open Source Tools Using Open Source Platform Tools For Performing Computer Forensics On Target Systems Windows Mac Linux Unix Etc Ebook Pdf Version download full chapter pdf kindle

ebook

Uploaded by

jeffery.beltran629

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 58

Digital Forensics with Open Source

Tools: Using Open Source Platform

Tools for Performing Computer
Forensics on Target Systems:
Windows, Mac, Linux, Unix, etc – Ebook
PDF Version
Visit to download the full and correct content document:
https://ebookmass.com/product/digital-forensics-with-open-source-tools-using-open-s
ource-platform-tools-for-performing-computer-forensics-on-target-systems-windows-
mac-linux-unix-etc-ebook-pdf-version/
Digital Forensics with
Open Source Tools
This page intentionally left blank
Digital Forensics with
Open Source Tools

Cory Altheide

Harlan Carvey

Technical Editor

Ray Davidson

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an imprint of Elsevier

Acquiring Editor: Angelina Ward
Development Editor: Heather Scherer
Project Manager: Andre Cuello
Designer: Joanne Blank
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
© 2011 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, recording, or any information storage and retrieval system,
without permission in writing from the publisher. Details on how to seek permission, further
information about the Publisher’s permissions policies and our arrangements with organizations such
as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website:
www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the
Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience
broaden our understanding, changes in research methods or professional practices, may become
necessary. Practitioners and researchers must always rely on their own experience and knowledge
in evaluating and using any information or methods described herein. In using such information or
methods they should be mindful of their own safety and the safety of others, including parties for
whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume
any liability for any injury and/or damage to persons or property as a matter of products liability,
negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas
contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-586-8
Printed in the United States of America
11 12 13 14 10 9 8 7 6 5 4 3 2 1
Typeset by: diacriTech, India

For information on all Syngress publications visit our website at www.syngress.com

Contents

About the Authors��xi

Acknowledgments��xiii
Introduction��xv

CHAPTER 1 Digital Forensics with Open Source Tools�� 1

Welcome to “Digital Forensics with Open Source Tools”��1
What Is “Digital Forensics?”��1
Goals of Forensic Analysis��2
The Digital Forensics Process��3
What Is “Open Source?”��4
“Free” vs. “Open”��4
Open Source Licenses��5
Benefits of Open Source Tools�� 5
Education��5
Portability and Flexibility�� 6
Price��6
Ground Truth��7
Summary��7
References��8
CHAPTER 2 Open Source Examination Platform�� 9
Preparing the Examination System��9
Building Software��9
Installing Interpreters��10
Working with Image Files��10
Working with File Systems�� 10
Using Linux as the Host��10
Extracting Software��11
GNU Build System��12
Version Control Systems��16
Installing Interpreters��16
Working with Images��19
Using Windows as the Host�� 26
Building Software��26
Installing Interpreters��27
Working with Images��31
Working with File Systems�� 34
Summary��37
References��37
vi Contents

CHAPTER 3 Disk and File System Analysis�� 39

Media Analysis Concepts��39
File System Abstraction Model��40
The Sleuth Kit��41
Installing the Sleuth Kit��41
Sleuth Kit Tools�� 42
Partitioning and Disk Layouts�� 52
Partition Identification and Recovery��52
Redundant Array of Inexpensive Disks��53
Special Containers�� 54
Virtual Machine Disk Images��54
Forensic Containers��55
Hashing��56
Carving��58
Foremost��59
Forensic Imaging��61
Deleted Data��61
File Slack��62
dd��64
dcfldd��65
dc3dd��66
Summary��67
References��67
CHAPTER 4 Windows Systems and Artifacts�� 69
Introduction��69
Windows File Systems��69
File Allocation Table��69
New Technology File System��71
File System Summary��77
Registry��78
Event Logs��84
Prefetch Files��87
Shortcut Files��89
Windows Executables��89
Summary��93
References��93
CHAPTER 5 Linux Systems and Artifacts�� 95
Introduction��95
Linux File Systems��95
Contents vii

File System Layer��96

File Name Layer��99
Metadata Layer��101
Data Unit Layer��103
Journal Tools�� 103
Deleted Data��103
Linux Logical Volume Manager��104
Linux Boot Process and Services��105
System V��105
BSD��107
Linux System Organization and Artifacts��107
Partitioning��107
Filesystem Hierarchy��107
Ownership and Permissions��108
File Attributes��109
Hidden Files��109
/tmp�� 109
User Accounts��110
Home Directories��112
Shell History�� 113
ssh��113
GNOME Windows Manager Artifacts��114
Logs��116
User Activity Logs��116
Syslog��117
Command Line Log Processing��119
Scheduling Tasks��121
Summary��121
References��121

CHAPTER 6 Mac OS X Systems and Artifacts�� 123

Introduction��123
OS X File System Artifacts�� 123
HFS+ Structures��123
OS X System Artifacts��129
Property Lists��129
Bundles��130
System Startup and Services��130
Kexts��131
Network Configuration��131
Hidden Directories��132
viii Contents

Installed Applications�� 133

Swap and Hibernation dataData��133
System Logs��133
User Artifacts��134
Home Directories��134
Summary��141
References��141
CHAPTER 7 Internet Artifacts�� 143
Introduction��143
Browser Artifacts��143
Internet Explorer��144
Firefox��147
Chrome��154
Safari��156
Mail Artifacts��161
Personal Storage Table��161
mbox and maildir��163
Summary��166
References��166
CHAPTER 8 File Analysis�� 169
File Analysis Concepts��169
Content Identification��170
Content Examination�� 171
Metadata Extraction��172
Images��175
JPEG��178
GIF��183
PNG��184
TIFF��185
Audio��185
WAV��185
MPEG-3/MP3��186
MPEG-4 Audio (AAC/M4A)��186
ASF/WMA��188
Video��189
MPEG-1 and MPEG-2�� 189
MPEG-4 Video (MP4)��189
AVI��190
ASF/WMV��190
Contents ix

MOV (Quicktime)��191
MKV�� 192
Archives�� 192
ZIP��192
RAR��193
7-zip��195
TAR, GZIP, and BZIP2��195
Documents��196
OLE Compound Files (Office Documents)��197
Office Open XML��201
OpenDocument Format��204
Rich Text Format��205
PDF�� 206
Summary��210
References��210
CHAPTER 9 Automating Analysis and Extending Capabilities�� 211
Introduction��211
Graphical Investigation Environments�� 211
PyFLAG��212
Digital Forensics Framework��221
Automating Artifact Extraction��229
Fiwalk��229
Timelines��231
Relative Times��233
Inferred Times��234
Embedded Times��236
Periodicity��236
Frequency Patterns and Outliers (Least Frequency
of Occurrence)��237
Summary��239
References��239
Appendix A Free, Non-open Tools of Note�� 241
Introduction��241
Chapter 3: Disk and File System Analysis��242
FTK Imager��242
ProDiscover Free��242
Chapter 4: Windows Systems and Artifacts��244
Windows File Analysis��244
Event Log Explorer��244
Log Parser��245
x Contents

Chapter 7: Internet Artifacts��247

NirSoft Tools��247
Woanware Tools�� 247
Chapter 8: File Analysis��248
Mitec.cz: Structured Storage Viewer��248
OffVis�� 249
FileInsight��250
Chapter 9: Automating Analysis and Extending Capabilities��250
Mandiant: Highlighter��250
CaseNotes�� 252
Validation and Testing Resources��253
Digital Corpora��253
Digital Forensics Tool Testing Images��253
Electronic Discovery Reference Model��254
Digital Forensics Research Workshop Challenges��254
Additional Images�� 254
References��255

Index�� 257
About the Authors
Cory Altheide is a security engineer at Google, focused on forensics and incident
response. Prior to Google, Cory was a principal consultant with MANDIANT, an
information security consulting firm that works with the Fortune 500, the defense
industrial base, and banks of the world to secure their networks and combat cyber
crime. In this role he responded to numerous incidents for a variety of clients in
addition to developing and delivering training to corporate and law enforcement
customers.
Cory also worked as the senior network forensics specialist in the National
Nuclear Security Administration’s Information Assurance Response Center (NNSA
IARC). In this capacity he analyzed potentially hostile code, performed wireless
assessments of Department of Energy facilities, and researched new forensic tech-
niques. He also developed and presented hands-on forensics training for various DoE
entities and worked closely with members of the Southern Nevada Cyber Crimes
Task Force to develop their skills in examining less common digital media.
Cory has authored several papers for the computer forensics journal Digital
Investigation and was a contributing author for UNIX and Linux Forensic Analysis
(2008) and The Handbook of Digital Forensics and Investigation (2010). Addition-
ally, Cory is a recurring member of the program committee of the Digital Forensics
Research Workshop.

Harlan Carvey (CISSP) is a vice president of Advanced Security Projects with

Terremark Worldwide, Inc. Terremark is a leading global provider of IT infrastructure
and “cloud computing” services based in Miami, Florida. Harlan is a key contributor
to the Engagement Services practice, providing disk forensics analysis, consulting,
and training services to both internal and external customers. Harlan has provided
forensic analysis services for the hospitality industry and financial institutions, as
well as federal government and law enforcement agencies. Harlan’s primary areas of
interest include research and development of novel analysis solutions, with a focus on
Windows platforms. Harlan holds a bachelor’s degree in electrical engineering from
the Virginia Military Institute and a master’s degree in the same discipline from the
Naval Postgraduate School. Harlan resides in Northern Virginia with his family.

xi
This page intentionally left blank
Acknowledgments
Cory Altheide
First off I want to thank Harlan Carvey. In addition to serving as my coauthor and
sounding board, he has been a good friend and colleague for many years. He has
proven to be one of the most consistently knowledgeable and helpful individuals
I have met in the field. Harlan, thanks again for adding your considerable expertise to
the book and for never failing to buy me a beer every time I see you.
I also thank Ray Davidson for his work as technical editor. His early insights and
commentary helped focus the book and made me target my subsequent writing on
the intended audience.
Tremendous thanks go out to the “usual suspects” that make the open source
forensics world the wonderful place it is. First, thank you to Wietse Venema and Dan
Farmer for creating open source forensics with “The Coroner’s Toolkit.” Thanks to
Brian Carrier for picking up where they left off and carrying the torch to this day.
Simson Garfinkel, you have my gratitude for providing the invaluable resource that is
the Digital Forensics Corpora. Special thanks to Eoghan Casey, who first encouraged
me to share my knowledge with the community many years ago.
To my parents, Steve and Jeanine Altheide, thank you for buying my first Com-
modore-64 (and the second… and the third). Thanks to my brother Jeremy Altheide
and the Old Heathen Brewing Company for producing some of the finest beers
around… someday.
I express infinite gratitude to my incredible wife Jamie Altheide for her never-
ending patience, love, and support during the research and writing of this book.
Finally, I thank my daughters Winter and Lily for reminding me every day that I will
never have all the answers, and that’s okay.

Harlan Carvey
I begin by thanking God for the many blessings He’s given me in my life, the first of
which has been my family. I try to thank Him daily, but I find myself thinking that
that’s not nearly enough. A man’s achievements are often not his alone, and in my
heart, being able to write books like this is a gift and a blessing in many ways.
I thank my true love and the light of my life, Terri, and my stepdaughter, Kylie.
Both of these wonderful ladies have put up with my antics yet again (intently staring
off into space, scribbling in the air, and, of course, my excellent imitations taken from
some of the movies we’ve seen), and I thank you both as much for your patience as
for being there for me when I turned away from the keyboard. It can’t be easy to have
a nerd like me in your life, but I do thank you both for the opportunity to “put pen to
paper” and get all of this stuff out of my head. Yes, that was a John Byrne reference.
Finally, whenever you meet Cory, give him a thundering round of applause. This
book was his idea, and he graciously asked me to assist. I, of course, jumped at the
chance to work with him again. Thanks, Cory.
xiii
This page intentionally left blank
Introduction
Intended Audience
When writing a technical book, one of the first questions the authors must answer
is “Who is your audience?” The authors must then keep this question in mind at all
times when writing. While it is hoped that this book is useful to everyone that reads
it, the intended audience is primarily two groups.
The first group is new forensic practitioners. This could range from students who
are brand new to the world of digital forensics, to active practitioners that are still
early in their careers, to seasoned system administrators looking to make a career
change. While this book is not a singular, complete compendium of all the forensic
knowledge you will need to be successful, it is, hopefully, enough to get you started.
The second audience is experienced digital forensics practitioners new to open
source tools. This is a fairly large audience, as commercial, proprietary tools have
had a nearly exhaustive hold on working forensic examiners. Many examiners oper-
ating today are reliant upon a single commercial vendor to supply the bulk of their
examination capabilities. They rely on one vendor for their core forensic platform
and may have a handful of other commercial tools used for specific tasks that their
main tool does not perform (or does not perform well). These experienced examiners
who have little or no experience with open source tools will also hopefully benefit
greatly from the content of this book.

Layout of the Book

Beyond the introductory chapter that follows, the rest of this book is divided up into
eight chapters and one Appendix.
Chapter 2 discusses the Open Source Examination Platform. We walk through
all the prerequisites required to start compiling source code into executable code,
install interpreters, and ensure we have a proper environment to build software on
Ubuntu and Windows. We also install a Linux emulation environment on Windows
along with some additional packages to bring Windows closer to “feature parity”
with Linux for our purposes.
Chapter 3 details Disk and File System Analysis using the Sleuth Kit. The
Sleuth Kit is the premier open source file system forensic analysis framework. We
explain use of the Sleuth Kit and the fundamentals of media analysis, disk and par-
tition structures, and file system concepts. We also review additional core digital
forensics topics such as hashing and the creation of forensic images.
Chapter 4 begins our operating system-specific examination chapters with
Windows Systems and Artifacts. We cover analysis of FAT and NTFS file systems,
including internal structures of the NTFS Master File Table, extraction and analysis
of Registry hives, event logs, and other Windows-specific artifacts. Finally, because

xv
xvi Introduction

malware-related intrusion cases are becoming more and more prevalent, we discuss
some of the artifacts that can be retrieved from Windows executable files.
We continue on to Chapter 5, Linux Systems and Artifacts, where we dis-
cuss analysis of the most common Linux file systems (Ext2 and 3) and identifi-
cation, extraction, and analysis of artifacts found on Linux servers and desktops.
System level artifacts include items involved in the Linux boot process, service
control scripts, and user account management. User-generated artifacts include
Linux graphical user environment traces indicating recently opened files, mounted
volumes, and more.
Chapter 6 is the final operating system-specific chapter, in which we examine
Mac OS X Systems and Artifacts. We examine the HFS+ file system using the
Sleuth Kit as well as an HFS-specific tool, HFSXplorer. We also analyze the Property
List files that make up the bulk of OS X configuration information and user artifacts.
Chapter 7 reviews Internet Artifacts. Internet Explorer, Mozilla Firefox, Apple
Safari, and Google Chrome artifacts are processed and analyzed, along with Outlook,
Maildir, and mbox formatted local mail.
Chapter 8 is all about File Analysis. This chapter covers the analysis of files
that aren’t necessarily bound to a single system or operating system—documents,
graphics files, videos, and more. Analysis of these types of files can be a big part of
any investigation, and as these files move frequently between systems, many have the
chance to carry traces of their source system with them. In addition, many of these
file formats contain embedded information that can persist beyond the destruction of
the file system or any other malicious tampering this side of wiping.
Chapter 9 covers a range of topics under the themes of Automating Analysis
and Extending Capabilities. We discuss the PyFLAG and DFF graphical inves-
tigation environments. We also review the fiwalk library designed to take the pain
out of automated forensic data extraction. Additionally, we discuss the generation
and analysis of timelines, along with some alternative ways to think about temporal
analysis during an examination.
The Appendix discusses some non-open source tools that fill some niches not
yet covered by open source tools. These tools are all available free of charge, but are
not provided as open source software, and as such did not fit directly into the main
content of the book. That said, the authors find these tools incredibly valuable and
would be remiss in not including some discussion of them.

What is not Covered

While it is our goal to provide a book suitable for novice-to-intermediate examiners,
if you do not have any experience with Linux at the command line, you may find it
difficult to follow along with the tool use examples. While very few of the tools cov-
ered are Linux specific, most of the tool installation and subsequent usage examples
are performed from a Linux console.
Introduction xvii

We focus exclusively on dead drive forensic analysis—media and images of sys-

tems that are offline. Collection and analysis of volatile data from running systems
are not covered. Outside of the Linux platform, current tools for performing these
tasks are largely closed source. That said, much of the analysis we go through is
equally applicable to artifacts and items recovered from live systems.
Low-level detail of file system internals is intentionally omitted as this material is
covered quite well in existing works. Likewise the development of open source tools
is not discussed at length here. This is a book that first and foremost is concerned
with the operational use of existing tools by forensic practitioners.
Outside of the Appendix, no commercial, proprietary, closed source, or otherwise
restricted software is used.
This page intentionally left blank
CHAPTER

Digital Forensics with

Open Source Tools
1
Information in this Chapter
• Welcome to “Digital Forensics with Open Source Tools”
• What Is “Digital Forensics?”
• What Is “Open Source?”
• Benefits of Open Source Tools

Welcome to “Digital Forensics with

Open Source Tools”
In digital forensics, we rely upon our expertise as examiners to interpret data and
information retrieved by our tools. To provide findings, we must be able to trust our
tools. When we use closed source tools exclusively, we will always have a veil of
abstraction between our minds and the truth that is impossible to eliminate.
We wrote this book to fill several needs. First, we wanted to provide a work that
demonstrated the full capabilities of open source forensics tools. Many examiners
that are aware of and that use open source tools are not aware that you can actually
perform a complete investigation using solely open source tools. Second, we wanted
to shine a light on the persistence and availability (and subsequent examination) of a
wide variety of digital artifacts. It is our sincere hope that the reader learns to under-
stand the wealth of information that is available for use in a forensic examination.
To continue further, we must define what we mean by “Digital Forensics” and
what we mean by “Open Source.”

What Is “Digital Forensics?”

At the first Digital Forensics Research Workshop (DFRWS) in 2001, digital forensics
was defined as:
The use of scientifically derived and proven methods toward the preservation,
collection, validation, identification, analysis, interpretation, documentation and

1
2 CHAPTER 1 Digital Forensics with Open Source Tools

presentation of digital evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to be criminal, or
helping to anticipate unauthorized actions shown to be disruptive to planned
operations [1].
While digital forensics techniques are used in more contexts than just criminal
investigations, the principles and procedures are more or less the same no matter the
investigation. While the investigation type may vary widely, the sources of evidence gen-
erally do not. Digital forensic examinations use computer-generated data as their source.
Historically this has been limited to magnetic and optical storage media, but increasingly
snapshots of memory from running systems are the subjects of examination.
Digital forensics is alternately (and simultaneously!) described as an art and a
science. In Forensic Discovery, Wietse Venema and Dan Farmer make the argument
that at times the examiner acts as a digital archaeologist and, at other times, a digital
geologist.
Digital archaeology is about the direct effects from user activity, such as file con-
tents, file access time stamps, information from deleted files, and network flow
logs. … Digital geology is about autonomous processes that users have no direct
control over, such as the allocation and recycling of disk blocks, file ID numbers,
memory pages or process ID numbers [2].
This mental model of digital forensics may be more apropos than the “digital
ballistics” metaphor that has been used historically. No one ever faults an archaeolo-
gist for working on the original copy of a 4000-year-old pyramid, for example. Like
archaeology and anthropology, digital forensics combines elements from “hard” or
natural science with elements from “soft” or social science.
Many have made the suggestion that the dichotomy of the art and science of
forensic analysis is not a paradox at all, but simply an apparent inconsistency arising
from the conflation of the two aspects of the practice: the science of forensics com-
bined with the art of investigation. Applying scientific method and deductive reason-
ing to data is the science—interpreting these data to reconstruct an event is the art.
On his Web site, Brian Carrier makes the argument that referring to the practice
as “digital forensics” may be partially to blame for some of this. While traditional
crime scene forensic analysts are tasked with answering very discrete questions
about subsets of evidence posed to them by detectives, digital forensic examiners
often wear both hats. Carrier prefers the term “digital forensic investigation” to make
this distinction clear [3].

Goals of Forensic Analysis

The goal of any given forensic examination is to find facts, and via these facts to rec-
reate the truth of an event. The examiner reveals the truth of an event by discovering
and exposing the remnants of the event that have been left on the system. In keeping
with the digital archaeologist metaphor, these remnants are known as artifacts. These
remnants are sometimes referred to as evidence. As the authors deal frequently with
What Is “Digital Forensics?” 3

lawyers in writing, we prefer to avoid overusing the term evidence due to the loaded
legal connotations. Evidence is something to be used during a legal proceeding, and
using this term loosely may get an examiner into trouble. Artifacts are traces left
behind due to activities and events, which can be innocuous, or not.
As stated by Locard’s exchange principle, “with contact between two items, there
will be an exchange [4].” This simple statement is the fundamental principle at the
core of evidence dynamics and indeed all of digital forensics. Specific to digital
forensics, this means that an action taken by an actor on a computer system will
leave traces of that activity on the system. Very simple actions may simply cause
registers to change in the processor. More complex actions have a greater likelihood
of creating longer-lasting impressions to the system, but even simple, discreet tasks
can create artifacts. To use a real-world crime scene investigation analogy, kicking
open a door and picking a lock will both leave artifacts of their actions (a splintered
door frame and microscopic abrasions on the tumblers, respectively). Even the act of
cleaning up artifacts can leave additional artifacts—the digital equivalent to the smell
of bleach at a physical crime scene that has been “washed.”
It is important to reiterate the job of the examiner: to determine truth. Every
examination should begin with a hypothesis. Examples include “this computer was
hacked into,” “my spouse has been having an affair,” or “this computer was used
to steal the garbage file.” The examiner’s task is not to prove these assertions. The
examiner’s task is to uncover artifacts that indicate the hypothesis to be either valid
or not valid. In the legal realm, these would be referred to as inculpatory and exculpa-
tory evidence, respectively.
An additional hitch is introduced due to the ease with which items in the digi-
tal realm can be manipulated (or fabricated entirely). In many investigations, the
examiner must determine whether or not the digital evidence is consistent with the
processes and systems that were purported to have generated it. In some cases, deter-
mining the consistency of the digital evidence is the sole purpose of an examination.

The Digital Forensics Process

The process of digital forensics can be broken down into three categories of activity:
acquisition, analysis, and presentation.
• Acquisition refers to the collection of digital media to be examined. Depending
on the type of examination, these can be physical hard drives, optical media, stor-
age cards from digital cameras, mobile phones, chips from embedded devices, or
even single document files. In any case, media to be examined should be treated
delicately. At a minimum the acquisition process should consist of creating a
duplicate of the original media (the working copy) as well as maintaining good
records of all actions taken with any original media.
• Analysis refers to the actual media examination—the “identification, analysis,
and interpretation” items from the DFRWS 2001 definition. Identification con-
sists of locating items or items present in the media in question and then further
reducing this set to items or artifacts of interest. These items are then subjected
4 CHAPTER 1 Digital Forensics with Open Source Tools

to the appropriate analysis. This can be file system analysis, file content exami-
nation, log analysis, statistical analysis, or any number of other types of review.
Finally, the examiner interprets results of this analysis based on the examiner’s
training, expertise, experimentation, and experience.
• Presentation refers to the process by which the examiner shares results of the
analysis phase with the interested party or parties. This consists of generating a
report of actions taken by the examiner, artifacts uncovered, and the meaning of
those artifacts. The presentation phase can also include the examiner defending
these findings under challenge.
Note that findings from the analysis phase can drive additional acquisitions, each
of which will generate additional analyses, etc. This feedback loop can continue for
numerous cycles given an extensive network compromise or a long-running criminal
investigation.
This book deals almost exclusively with the analysis phase of the process,
although basic acquisition of digital media is discussed.

What is “Open Source?”

Generically, “open source” means just that: the source code is open and available
for review. However, just because you can view the source code doesn’t mean you
have license to do anything else with it. The Open Source Initiative has created a
formal definition that lays out the requirements for a software license to be truly open
source. In a nutshell, to be considered open source, a piece of software must be freely
redistributable, must provide access to the source code, must allow the end user to
modify the source code at will, and must not restrict the end use of the software. For
more detail, see the full definition at the Open Source Initiative’s site [5].

Note
Free for Some
Note that under the Open Source Initiative’s definition, any license that restricts the use of
software for certain tasks or that restricts distribution among certain groups cannot be an
open source license. This includes the “Law Enforcement Only” or “Non-Commercial Use”
restrictions commonly placed on freeware tools in the digital forensics community.

“Free” vs. “Open”

Due to the overloading of the word “free” in the English language, confusion about
what “free” software is can arise. Software available free of charge (gratis) is not
necessarily free from restriction (libre). In the open source community, “free soft-
ware” generally means software considered “open source” and without restriction, in
addition to usually being available at no cost. This is in contrast to various “freeware”
applications generally found on Windows system available solely in binary, execut-
able format but at no cost.
Benefits of Open Source Tools 5

This core material of this book is focused on the use of open source software to
perform digital forensic examinations. “Freeware” closed source applications that
perform a function not met by any available open source tools or that are otherwise
highly useful are discussed in the Appendix.

Open Source Licenses

At the time of this writing, there are 58 licenses recognized as “Open Source” by the
Open Source Initiative [6]. Since this is a book about the use of open source software
and not a book about the intricacies of software licensing, we briefly discuss the most
commonly used open source licenses. The two most commonly used licenses are the
GNU Public License (GPL) and the Berkeley Software Distribution License (BSD).
To grossly simplify, the core difference between these two licenses is that the GPL
requires that any modifications made to GPL code that is then incorporated into
distributed compiled software be made available in source form as well. The BSD
license does not have this requirement, instead only asking for acknowledgment that
the distributed software contains code from a BSD-licensed project.
This means that a widget vendor using GPL-licensed code in their widget con-
troller code must provide customers that purchase their widgets the source code
upon request. If the widget was driven using BSD license software, this would not
be necessary. In other words, the GPL favors the rights of the original producer
of the code, while the BSD license favors the rights of the user or consumer of
the code. Because of this requirement, the GPL is known as a copyleft license (a
play on “copyright”). The BSD license is what is known as a permissive license.
Most permissive licenses are considered GPL compatible because they give the
end user authority over what he or she does with the code, including using it
in derivative works that are GPL licensed. Additional popular GPL-compatible
licenses include the Apache Public License (used by Apache Foundation projects)
and the X11/MIT License.

Benefits of Open Source Tools

There are great many passionate screeds about the benefits of open source software,
the ethics of software licensing, and the evils of proprietary software. We will not
repeat them here, but we will outline a few of the most compelling reasons to use
open source tools that are specific to digital forensics.

Education
When the authors entered the digital forensics field, there were two routes to becom-
ing an examiner. The first was via a law enforcement or military career, and the
second was to teach yourself (with the authors representing each of these routes).
In either scenario, one of the best ways to learn was by using freely available tools
6 CHAPTER 1 Digital Forensics with Open Source Tools

(and in the self-taught scenario, the only way!). Today, there are numerous college
programs and training programs available to an aspiring examiner, but there is still
something to be said for learning by doing. The authors have been using open source
tools throughout their careers in digital forensics, and we both have no doubt that we
are far better examiners than we would have been otherwise.
Using open source tools to learn digital forensics has several benefits. First,
open source tools innately “show their work.” You can execute the tool, examine
the options and output, and finally examine the code that produced the output to
understand the logic behind the tool’s operation. For the purposes of small examina-
tion scenarios, you can run the tools on any old hardware you have access to—no
multithousand dollar deluxe forensic workstation required. Finally, you also have
access to a dedicated community of examiners, developers, and enthusiasts ready to
help you—provided you’ve done a modicum of legwork before firing off questions
answered trivially by a Google search.

Portability and Flexibility

Another key benefit to the tools covered in this book by and large is that they are all
portable and flexible. By portable we mean that you can easily take your toolkit with
you as you move from one system to another, from one operating system to another, or
from one job to another. Unless you personally license an expensive proprietary tool,
your toolkit may not come with you if you move from one company to another. Any
product-specific expertise you built up could end up worthless. If you are currently
employed in law enforcement, any law enforcement–only tools you are currently using
won’t be available to you should you decide to go into the private sector.
If portability means you can choose where you use your tools, flexibility means
you can choose how you use your tools. You can use open source tools on your local
system or you can install them on a remote server and use them over a remote shell.
You can install them on a single system or you can install them on thousands of
systems. You can do all this without asking the software provider for permissions,
without filling out a purchase order, and without plugging a thousand hardware copy
protection dongles into a thousand machines.

Price
In addition to being open source, all of the tools covered in this work are free of
cost. This is great for individuals looking to learn forensics on their own, students
taking formal coursework in digital forensics, or examiners looking to build a digital
forensics capability on a budget. This is also a great benefit for anyone already using
a full complement of commercial tools. Adding a set of open source tools to your
toolkit will usually cost you nothing, save for a bit of time. Even if you continue
using proprietary, commercial tools on a daily basis, you can use the tools in this
book as an adjunct to cover gaps in your tools coverage or to validate or calibrate
your tools’ findings and operation.
Another random document with
no related content on Scribd:
DANCE ON STILTS AT THE GIRLS’ UNYAGO, NIUCHI

Newala, too, suffers from the distance of its water-supply—at least

the Newala of to-day does; there was once another Newala in a lovely
valley at the foot of the plateau. I visited it and found scarcely a trace
of houses, only a Christian cemetery, with the graves of several
missionaries and their converts, remaining as a monument of its
former glories. But the surroundings are wonderfully beautiful. A
thick grove of splendid mango-trees closes in the weather-worn
crosses and headstones; behind them, combining the useful and the
agreeable, is a whole plantation of lemon-trees covered with ripe
fruit; not the small African kind, but a much larger and also juicier
imported variety, which drops into the hands of the passing traveller,
without calling for any exertion on his part. Old Newala is now under
the jurisdiction of the native pastor, Daudi, at Chingulungulu, who,
as I am on very friendly terms with him, allows me, as a matter of
course, the use of this lemon-grove during my stay at Newala.
FEET MUTILATED BY THE RAVAGES OF THE “JIGGER”
(Sarcopsylla penetrans)

The water-supply of New Newala is in the bottom of the valley,

some 1,600 feet lower down. The way is not only long and fatiguing,
but the water, when we get it, is thoroughly bad. We are suffering not
only from this, but from the fact that the arrangements at Newala are
nothing short of luxurious. We have a separate kitchen—a hut built
against the boma palisade on the right of the baraza, the interior of
which is not visible from our usual position. Our two cooks were not
long in finding this out, and they consequently do—or rather neglect
to do—what they please. In any case they do not seem to be very
particular about the boiling of our drinking-water—at least I can
attribute to no other cause certain attacks of a dysenteric nature,
from which both Knudsen and I have suffered for some time. If a
man like Omari has to be left unwatched for a moment, he is capable
of anything. Besides this complaint, we are inconvenienced by the
state of our nails, which have become as hard as glass, and crack on
the slightest provocation, and I have the additional infliction of
pimples all over me. As if all this were not enough, we have also, for
the last week been waging war against the jigger, who has found his
Eldorado in the hot sand of the Makonde plateau. Our men are seen
all day long—whenever their chronic colds and the dysentery likewise
raging among them permit—occupied in removing this scourge of
Africa from their feet and trying to prevent the disastrous
consequences of its presence. It is quite common to see natives of
this place with one or two toes missing; many have lost all their toes,
or even the whole front part of the foot, so that a well-formed leg
ends in a shapeless stump. These ravages are caused by the female of
Sarcopsylla penetrans, which bores its way under the skin and there
develops an egg-sac the size of a pea. In all books on the subject, it is
stated that one’s attention is called to the presence of this parasite by
an intolerable itching. This agrees very well with my experience, so
far as the softer parts of the sole, the spaces between and under the
toes, and the side of the foot are concerned, but if the creature
penetrates through the harder parts of the heel or ball of the foot, it
may escape even the most careful search till it has reached maturity.
Then there is no time to be lost, if the horrible ulceration, of which
we see cases by the dozen every day, is to be prevented. It is much
easier, by the way, to discover the insect on the white skin of a
European than on that of a native, on which the dark speck scarcely
shows. The four or five jiggers which, in spite of the fact that I
constantly wore high laced boots, chose my feet to settle in, were
taken out for me by the all-accomplished Knudsen, after which I
thought it advisable to wash out the cavities with corrosive
sublimate. The natives have a different sort of disinfectant—they fill
the hole with scraped roots. In a tiny Makua village on the slope of
the plateau south of Newala, we saw an old woman who had filled all
the spaces under her toe-nails with powdered roots by way of
prophylactic treatment. What will be the result, if any, who can say?
The rest of the many trifling ills which trouble our existence are
really more comic than serious. In the absence of anything else to
smoke, Knudsen and I at last opened a box of cigars procured from
the Indian store-keeper at Lindi, and tried them, with the most
distressing results. Whether they contain opium or some other
narcotic, neither of us can say, but after the tenth puff we were both
“off,” three-quarters stupefied and unspeakably wretched. Slowly we
recovered—and what happened next? Half-an-hour later we were
once more smoking these poisonous concoctions—so insatiable is the
craving for tobacco in the tropics.
Even my present attacks of fever scarcely deserve to be taken
seriously. I have had no less than three here at Newala, all of which
have run their course in an incredibly short time. In the early
afternoon, I am busy with my old natives, asking questions and
making notes. The strong midday coffee has stimulated my spirits to
an extraordinary degree, the brain is active and vigorous, and work
progresses rapidly, while a pleasant warmth pervades the whole
body. Suddenly this gives place to a violent chill, forcing me to put on
my overcoat, though it is only half-past three and the afternoon sun
is at its hottest. Now the brain no longer works with such acuteness
and logical precision; more especially does it fail me in trying to
establish the syntax of the difficult Makua language on which I have
ventured, as if I had not enough to do without it. Under the
circumstances it seems advisable to take my temperature, and I do
so, to save trouble, without leaving my seat, and while going on with
my work. On examination, I find it to be 101·48°. My tutors are
abruptly dismissed and my bed set up in the baraza; a few minutes
later I am in it and treating myself internally with hot water and
lemon-juice.
Three hours later, the thermometer marks nearly 104°, and I make
them carry me back into the tent, bed and all, as I am now perspiring
heavily, and exposure to the cold wind just beginning to blow might
mean a fatal chill. I lie still for a little while, and then find, to my
great relief, that the temperature is not rising, but rather falling. This
is about 7.30 p.m. At 8 p.m. I find, to my unbounded astonishment,
that it has fallen below 98·6°, and I feel perfectly well. I read for an
hour or two, and could very well enjoy a smoke, if I had the
wherewithal—Indian cigars being out of the question.
Having no medical training, I am at a loss to account for this state
of things. It is impossible that these transitory attacks of high fever
should be malarial; it seems more probable that they are due to a
kind of sunstroke. On consulting my note-book, I become more and
more inclined to think this is the case, for these attacks regularly
follow extreme fatigue and long exposure to strong sunshine. They at
least have the advantage of being only short interruptions to my
work, as on the following morning I am always quite fresh and fit.
My treasure of a cook is suffering from an enormous hydrocele which
makes it difficult for him to get up, and Moritz is obliged to keep in
the dark on account of his inflamed eyes. Knudsen’s cook, a raw boy
from somewhere in the bush, knows still less of cooking than Omari;
consequently Nils Knudsen himself has been promoted to the vacant
post. Finding that we had come to the end of our supplies, he began
by sending to Chingulungulu for the four sucking-pigs which we had
bought from Matola and temporarily left in his charge; and when
they came up, neatly packed in a large crate, he callously slaughtered
the biggest of them. The first joint we were thoughtless enough to
entrust for roasting to Knudsen’s mshenzi cook, and it was
consequently uneatable; but we made the rest of the animal into a
jelly which we ate with great relish after weeks of underfeeding,
consuming incredible helpings of it at both midday and evening
meals. The only drawback is a certain want of variety in the tinned
vegetables. Dr. Jäger, to whom the Geographical Commission
entrusted the provisioning of the expeditions—mine as well as his
own—because he had more time on his hands than the rest of us,
seems to have laid in a huge stock of Teltow turnips,[46] an article of
food which is all very well for occasional use, but which quickly palls
when set before one every day; and we seem to have no other tins
left. There is no help for it—we must put up with the turnips; but I
am certain that, once I am home again, I shall not touch them for ten
years to come.
Amid all these minor evils, which, after all, go to make up the
genuine flavour of Africa, there is at least one cheering touch:
Knudsen has, with the dexterity of a skilled mechanic, repaired my 9
× 12 cm. camera, at least so far that I can use it with a little care.
How, in the absence of finger-nails, he was able to accomplish such a
ticklish piece of work, having no tool but a clumsy screw-driver for
taking to pieces and putting together again the complicated
mechanism of the instantaneous shutter, is still a mystery to me; but
he did it successfully. The loss of his finger-nails shows him in a light
contrasting curiously enough with the intelligence evinced by the
above operation; though, after all, it is scarcely surprising after his
ten years’ residence in the bush. One day, at Lindi, he had occasion
to wash a dog, which must have been in need of very thorough
cleansing, for the bottle handed to our friend for the purpose had an
extremely strong smell. Having performed his task in the most
conscientious manner, he perceived with some surprise that the dog
did not appear much the better for it, and was further surprised by
finding his own nails ulcerating away in the course of the next few
days. “How was I to know that carbolic acid has to be diluted?” he
mutters indignantly, from time to time, with a troubled gaze at his
mutilated finger-tips.
Since we came to Newala we have been making excursions in all
directions through the surrounding country, in accordance with old
habit, and also because the akida Sefu did not get together the tribal
elders from whom I wanted information so speedily as he had
promised. There is, however, no harm done, as, even if seen only
from the outside, the country and people are interesting enough.
The Makonde plateau is like a large rectangular table rounded off
at the corners. Measured from the Indian Ocean to Newala, it is
about seventy-five miles long, and between the Rovuma and the
Lukuledi it averages fifty miles in breadth, so that its superficial area
is about two-thirds of that of the kingdom of Saxony. The surface,
however, is not level, but uniformly inclined from its south-western
edge to the ocean. From the upper edge, on which Newala lies, the
eye ranges for many miles east and north-east, without encountering
any obstacle, over the Makonde bush. It is a green sea, from which
here and there thick clouds of smoke rise, to show that it, too, is
inhabited by men who carry on their tillage like so many other
primitive peoples, by cutting down and burning the bush, and
manuring with the ashes. Even in the radiant light of a tropical day
such a fire is a grand sight.
Much less effective is the impression produced just now by the
great western plain as seen from the edge of the plateau. As often as
time permits, I stroll along this edge, sometimes in one direction,
sometimes in another, in the hope of finding the air clear enough to
let me enjoy the view; but I have always been disappointed.
Wherever one looks, clouds of smoke rise from the burning bush,
and the air is full of smoke and vapour. It is a pity, for under more
favourable circumstances the panorama of the whole country up to
the distant Majeje hills must be truly magnificent. It is of little use
taking photographs now, and an outline sketch gives a very poor idea
of the scenery. In one of these excursions I went out of my way to
make a personal attempt on the Makonde bush. The present edge of
the plateau is the result of a far-reaching process of destruction
through erosion and denudation. The Makonde strata are
everywhere cut into by ravines, which, though short, are hundreds of
yards in depth. In consequence of the loose stratification of these
beds, not only are the walls of these ravines nearly vertical, but their
upper end is closed by an equally steep escarpment, so that the
western edge of the Makonde plateau is hemmed in by a series of
deep, basin-like valleys. In order to get from one side of such a ravine
to the other, I cut my way through the bush with a dozen of my men.
It was a very open part, with more grass than scrub, but even so the
short stretch of less than two hundred yards was very hard work; at
the end of it the men’s calicoes were in rags and they themselves
bleeding from hundreds of scratches, while even our strong khaki
suits had not escaped scatheless.

NATIVE PATH THROUGH THE MAKONDE BUSH, NEAR

MAHUTA

I see increasing reason to believe that the view formed some time
back as to the origin of the Makonde bush is the correct one. I have
no doubt that it is not a natural product, but the result of human
occupation. Those parts of the high country where man—as a very
slight amount of practice enables the eye to perceive at once—has not
yet penetrated with axe and hoe, are still occupied by a splendid
timber forest quite able to sustain a comparison with our mixed
forests in Germany. But wherever man has once built his hut or tilled
his field, this horrible bush springs up. Every phase of this process
may be seen in the course of a couple of hours’ walk along the main
road. From the bush to right or left, one hears the sound of the axe—
not from one spot only, but from several directions at once. A few
steps further on, we can see what is taking place. The brush has been
cut down and piled up in heaps to the height of a yard or more,
between which the trunks of the large trees stand up like the last
pillars of a magnificent ruined building. These, too, present a
melancholy spectacle: the destructive Makonde have ringed them—
cut a broad strip of bark all round to ensure their dying off—and also
piled up pyramids of brush round them. Father and son, mother and
son-in-law, are chopping away perseveringly in the background—too
busy, almost, to look round at the white stranger, who usually excites
so much interest. If you pass by the same place a week later, the piles
of brushwood have disappeared and a thick layer of ashes has taken
the place of the green forest. The large trees stretch their
smouldering trunks and branches in dumb accusation to heaven—if
they have not already fallen and been more or less reduced to ashes,
perhaps only showing as a white stripe on the dark ground.
This work of destruction is carried out by the Makonde alike on the
virgin forest and on the bush which has sprung up on sites already
cultivated and deserted. In the second case they are saved the trouble
of burning the large trees, these being entirely absent in the
secondary bush.
After burning this piece of forest ground and loosening it with the
hoe, the native sows his corn and plants his vegetables. All over the
country, he goes in for bed-culture, which requires, and, in fact,
receives, the most careful attention. Weeds are nowhere tolerated in
the south of German East Africa. The crops may fail on the plains,
where droughts are frequent, but never on the plateau with its
abundant rains and heavy dews. Its fortunate inhabitants even have
the satisfaction of seeing the proud Wayao and Wamakua working
for them as labourers, driven by hunger to serve where they were
accustomed to rule.
But the light, sandy soil is soon exhausted, and would yield no
harvest the second year if cultivated twice running. This fact has
been familiar to the native for ages; consequently he provides in
time, and, while his crop is growing, prepares the next plot with axe
and firebrand. Next year he plants this with his various crops and
lets the first piece lie fallow. For a short time it remains waste and
desolate; then nature steps in to repair the destruction wrought by
man; a thousand new growths spring out of the exhausted soil, and
even the old stumps put forth fresh shoots. Next year the new growth
is up to one’s knees, and in a few years more it is that terrible,
impenetrable bush, which maintains its position till the black
occupier of the land has made the round of all the available sites and
come back to his starting point.
The Makonde are, body and soul, so to speak, one with this bush.
According to my Yao informants, indeed, their name means nothing
else but “bush people.” Their own tradition says that they have been
settled up here for a very long time, but to my surprise they laid great
stress on an original immigration. Their old homes were in the
south-east, near Mikindani and the mouth of the Rovuma, whence
their peaceful forefathers were driven by the continual raids of the
Sakalavas from Madagascar and the warlike Shirazis[47] of the coast,
to take refuge on the almost inaccessible plateau. I have studied
African ethnology for twenty years, but the fact that changes of
population in this apparently quiet and peaceable corner of the earth
could have been occasioned by outside enterprises taking place on
the high seas, was completely new to me. It is, no doubt, however,
correct.
The charming tribal legend of the Makonde—besides informing us
of other interesting matters—explains why they have to live in the
thickest of the bush and a long way from the edge of the plateau,
instead of making their permanent homes beside the purling brooks
and springs of the low country.
“The place where the tribe originated is Mahuta, on the southern
side of the plateau towards the Rovuma, where of old time there was
nothing but thick bush. Out of this bush came a man who never
washed himself or shaved his head, and who ate and drank but little.
He went out and made a human figure from the wood of a tree
growing in the open country, which he took home to his abode in the
bush and there set it upright. In the night this image came to life and
was a woman. The man and woman went down together to the
Rovuma to wash themselves. Here the woman gave birth to a still-
born child. They left that place and passed over the high land into the
valley of the Mbemkuru, where the woman had another child, which
was also born dead. Then they returned to the high bush country of
Mahuta, where the third child was born, which lived and grew up. In
course of time, the couple had many more children, and called
themselves Wamatanda. These were the ancestral stock of the
Makonde, also called Wamakonde,[48] i.e., aborigines. Their
forefather, the man from the bush, gave his children the command to
bury their dead upright, in memory of the mother of their race who
was cut out of wood and awoke to life when standing upright. He also
warned them against settling in the valleys and near large streams,
for sickness and death dwelt there. They were to make it a rule to
have their huts at least an hour’s walk from the nearest watering-
place; then their children would thrive and escape illness.”
The explanation of the name Makonde given by my informants is
somewhat different from that contained in the above legend, which I
extract from a little book (small, but packed with information), by
Pater Adams, entitled Lindi und sein Hinterland. Otherwise, my
results agree exactly with the statements of the legend. Washing?
Hapana—there is no such thing. Why should they do so? As it is, the
supply of water scarcely suffices for cooking and drinking; other
people do not wash, so why should the Makonde distinguish himself
by such needless eccentricity? As for shaving the head, the short,
woolly crop scarcely needs it,[49] so the second ancestral precept is
likewise easy enough to follow. Beyond this, however, there is
nothing ridiculous in the ancestor’s advice. I have obtained from
various local artists a fairly large number of figures carved in wood,
ranging from fifteen to twenty-three inches in height, and
representing women belonging to the great group of the Mavia,
Makonde, and Matambwe tribes. The carving is remarkably well
done and renders the female type with great accuracy, especially the
keloid ornamentation, to be described later on. As to the object and
meaning of their works the sculptors either could or (more probably)
would tell me nothing, and I was forced to content myself with the
scanty information vouchsafed by one man, who said that the figures
were merely intended to represent the nembo—the artificial
deformations of pelele, ear-discs, and keloids. The legend recorded
by Pater Adams places these figures in a new light. They must surely
be more than mere dolls; and we may even venture to assume that
they are—though the majority of present-day Makonde are probably
unaware of the fact—representations of the tribal ancestress.
The references in the legend to the descent from Mahuta to the
Rovuma, and to a journey across the highlands into the Mbekuru
valley, undoubtedly indicate the previous history of the tribe, the
travels of the ancestral pair typifying the migrations of their
descendants. The descent to the neighbouring Rovuma valley, with
its extraordinary fertility and great abundance of game, is intelligible
at a glance—but the crossing of the Lukuledi depression, the ascent
to the Rondo Plateau and the descent to the Mbemkuru, also lie
within the bounds of probability, for all these districts have exactly
the same character as the extreme south. Now, however, comes a
point of especial interest for our bacteriological age. The primitive
Makonde did not enjoy their lives in the marshy river-valleys.
Disease raged among them, and many died. It was only after they
had returned to their original home near Mahuta, that the health
conditions of these people improved. We are very apt to think of the
African as a stupid person whose ignorance of nature is only equalled
by his fear of it, and who looks on all mishaps as caused by evil
spirits and malignant natural powers. It is much more correct to
assume in this case that the people very early learnt to distinguish
districts infested with malaria from those where it is absent.
This knowledge is crystallized in the
ancestral warning against settling in the
valleys and near the great waters, the
dwelling-places of disease and death. At the
same time, for security against the hostile
Mavia south of the Rovuma, it was enacted
that every settlement must be not less than a
certain distance from the southern edge of the
plateau. Such in fact is their mode of life at the
present day. It is not such a bad one, and
certainly they are both safer and more
comfortable than the Makua, the recent
intruders from the south, who have made USUAL METHOD OF
good their footing on the western edge of the CLOSING HUT-DOOR
plateau, extending over a fairly wide belt of
country. Neither Makua nor Makonde show in their dwellings
anything of the size and comeliness of the Yao houses in the plain,
especially at Masasi, Chingulungulu and Zuza’s. Jumbe Chauro, a
Makonde hamlet not far from Newala, on the road to Mahuta, is the
most important settlement of the tribe I have yet seen, and has fairly
spacious huts. But how slovenly is their construction compared with
the palatial residences of the elephant-hunters living in the plain.
The roofs are still more untidy than in the general run of huts during
the dry season, the walls show here and there the scanty beginnings
or the lamentable remains of the mud plastering, and the interior is a
veritable dog-kennel; dirt, dust and disorder everywhere. A few huts
only show any attempt at division into rooms, and this consists
merely of very roughly-made bamboo partitions. In one point alone
have I noticed any indication of progress—in the method of fastening
the door. Houses all over the south are secured in a simple but
ingenious manner. The door consists of a set of stout pieces of wood
or bamboo, tied with bark-string to two cross-pieces, and moving in
two grooves round one of the door-posts, so as to open inwards. If
the owner wishes to leave home, he takes two logs as thick as a man’s
upper arm and about a yard long. One of these is placed obliquely
against the middle of the door from the inside, so as to form an angle
of from 60° to 75° with the ground. He then places the second piece
horizontally across the first, pressing it downward with all his might.
It is kept in place by two strong posts planted in the ground a few
inches inside the door. This fastening is absolutely safe, but of course
cannot be applied to both doors at once, otherwise how could the
owner leave or enter his house? I have not yet succeeded in finding
out how the back door is fastened.

MAKONDE LOCK AND KEY AT JUMBE CHAURO

This is the general way of closing a house. The Makonde at Jumbe
Chauro, however, have a much more complicated, solid and original
one. Here, too, the door is as already described, except that there is
only one post on the inside, standing by itself about six inches from
one side of the doorway. Opposite this post is a hole in the wall just
large enough to admit a man’s arm. The door is closed inside by a
large wooden bolt passing through a hole in this post and pressing
with its free end against the door. The other end has three holes into
which fit three pegs running in vertical grooves inside the post. The
door is opened with a wooden key about a foot long, somewhat
curved and sloped off at the butt; the other end has three pegs
corresponding to the holes, in the bolt, so that, when it is thrust
through the hole in the wall and inserted into the rectangular
opening in the post, the pegs can be lifted and the bolt drawn out.[50]

MODE OF INSERTING THE KEY

With no small pride first one householder and then a second

showed me on the spot the action of this greatest invention of the
Makonde Highlands. To both with an admiring exclamation of
“Vizuri sana!” (“Very fine!”). I expressed the wish to take back these
marvels with me to Ulaya, to show the Wazungu what clever fellows
the Makonde are. Scarcely five minutes after my return to camp at
Newala, the two men came up sweating under the weight of two
heavy logs which they laid down at my feet, handing over at the same
time the keys of the fallen fortress. Arguing, logically enough, that if
the key was wanted, the lock would be wanted with it, they had taken
their axes and chopped down the posts—as it never occurred to them
to dig them out of the ground and so bring them intact. Thus I have
two badly damaged specimens, and the owners, instead of praise,
come in for a blowing-up.
The Makua huts in the environs of Newala are especially
miserable; their more than slovenly construction reminds one of the
temporary erections of the Makua at Hatia’s, though the people here
have not been concerned in a war. It must therefore be due to
congenital idleness, or else to the absence of a powerful chief. Even
the baraza at Mlipa’s, a short hour’s walk south-east of Newala,
shares in this general neglect. While public buildings in this country
are usually looked after more or less carefully, this is in evident
danger of being blown over by the first strong easterly gale. The only
attractive object in this whole district is the grave of the late chief
Mlipa. I visited it in the morning, while the sun was still trying with
partial success to break through the rolling mists, and the circular
grove of tall euphorbias, which, with a broken pot, is all that marks
the old king’s resting-place, impressed one with a touch of pathos.
Even my very materially-minded carriers seemed to feel something
of the sort, for instead of their usual ribald songs, they chanted
solemnly, as we marched on through the dense green of the Makonde
bush:—
“We shall arrive with the great master; we stand in a row and have
no fear about getting our food and our money from the Serkali (the
Government). We are not afraid; we are going along with the great
master, the lion; we are going down to the coast and back.”
With regard to the characteristic features of the various tribes here
on the western edge of the plateau, I can arrive at no other
conclusion than the one already come to in the plain, viz., that it is
impossible for anyone but a trained anthropologist to assign any
given individual at once to his proper tribe. In fact, I think that even
an anthropological specialist, after the most careful examination,
might find it a difficult task to decide. The whole congeries of peoples
collected in the region bounded on the west by the great Central
African rift, Tanganyika and Nyasa, and on the east by the Indian
Ocean, are closely related to each other—some of their languages are
only distinguished from one another as dialects of the same speech,
and no doubt all the tribes present the same shape of skull and
structure of skeleton. Thus, surely, there can be no very striking
differences in outward appearance.
Even did such exist, I should have no time
to concern myself with them, for day after day,
I have to see or hear, as the case may be—in
any case to grasp and record—an
extraordinary number of ethnographic
phenomena. I am almost disposed to think it
fortunate that some departments of inquiry, at
least, are barred by external circumstances.
Chief among these is the subject of iron-
working. We are apt to think of Africa as a
country where iron ore is everywhere, so to
speak, to be picked up by the roadside, and
where it would be quite surprising if the
inhabitants had not learnt to smelt the
material ready to their hand. In fact, the
knowledge of this art ranges all over the
continent, from the Kabyles in the north to the
Kafirs in the south. Here between the Rovuma
and the Lukuledi the conditions are not so
favourable. According to the statements of the
Makonde, neither ironstone nor any other
form of iron ore is known to them. They have
not therefore advanced to the art of smelting
the metal, but have hitherto bought all their
THE ANCESTRESS OF
THE MAKONDE
iron implements from neighbouring tribes.
Even in the plain the inhabitants are not much
better off. Only one man now living is said to
understand the art of smelting iron. This old fundi lives close to
Huwe, that isolated, steep-sided block of granite which rises out of
the green solitude between Masasi and Chingulungulu, and whose
jagged and splintered top meets the traveller’s eye everywhere. While
still at Masasi I wished to see this man at work, but was told that,
frightened by the rising, he had retired across the Rovuma, though
he would soon return. All subsequent inquiries as to whether the
fundi had come back met with the genuine African answer, “Bado”
(“Not yet”).
BRAZIER

Some consolation was afforded me by a brassfounder, whom I

came across in the bush near Akundonde’s. This man is the favourite
of women, and therefore no doubt of the gods; he welds the glittering
brass rods purchased at the coast into those massive, heavy rings
which, on the wrists and ankles of the local fair ones, continually give
me fresh food for admiration. Like every decent master-craftsman he
had all his tools with him, consisting of a pair of bellows, three
crucibles and a hammer—nothing more, apparently. He was quite
willing to show his skill, and in a twinkling had fixed his bellows on
the ground. They are simply two goat-skins, taken off whole, the four
legs being closed by knots, while the upper opening, intended to
admit the air, is kept stretched by two pieces of wood. At the lower
end of the skin a smaller opening is left into which a wooden tube is
stuck. The fundi has quickly borrowed a heap of wood-embers from
the nearest hut; he then fixes the free ends of the two tubes into an
earthen pipe, and clamps them to the ground by means of a bent
piece of wood. Now he fills one of his small clay crucibles, the dross
on which shows that they have been long in use, with the yellow
material, places it in the midst of the embers, which, at present are
only faintly glimmering, and begins his work. In quick alternation
the smith’s two hands move up and down with the open ends of the
bellows; as he raises his hand he holds the slit wide open, so as to let
the air enter the skin bag unhindered. In pressing it down he closes
the bag, and the air puffs through the bamboo tube and clay pipe into
the fire, which quickly burns up. The smith, however, does not keep
on with this work, but beckons to another man, who relieves him at
the bellows, while he takes some more tools out of a large skin pouch
carried on his back. I look on in wonder as, with a smooth round
stick about the thickness of a finger, he bores a few vertical holes into
the clean sand of the soil. This should not be difficult, yet the man
seems to be taking great pains over it. Then he fastens down to the
ground, with a couple of wooden clamps, a neat little trough made by
splitting a joint of bamboo in half, so that the ends are closed by the
two knots. At last the yellow metal has attained the right consistency,
and the fundi lifts the crucible from the fire by means of two sticks
split at the end to serve as tongs. A short swift turn to the left—a
tilting of the crucible—and the molten brass, hissing and giving forth
clouds of smoke, flows first into the bamboo mould and then into the
holes in the ground.
The technique of this backwoods craftsman may not be very far
advanced, but it cannot be denied that he knows how to obtain an
adequate result by the simplest means. The ladies of highest rank in
this country—that is to say, those who can afford it, wear two kinds
of these massive brass rings, one cylindrical, the other semicircular
in section. The latter are cast in the most ingenious way in the
bamboo mould, the former in the circular hole in the sand. It is quite
a simple matter for the fundi to fit these bars to the limbs of his fair
customers; with a few light strokes of his hammer he bends the
pliable brass round arm or ankle without further inconvenience to
the wearer.
SHAPING THE POT

SMOOTHING WITH MAIZE-COB

CUTTING THE EDGE

FINISHING THE BOTTOM

LAST SMOOTHING BEFORE

BURNING

FIRING THE BRUSH-PILE

LIGHTING THE FARTHER SIDE OF
THE PILE

TURNING THE RED-HOT VESSEL

NYASA WOMAN MAKING POTS AT MASASI

Pottery is an art which must always and everywhere excite the
interest of the student, just because it is so intimately connected with
the development of human culture, and because its relics are one of
the principal factors in the reconstruction of our own condition in
prehistoric times. I shall always remember with pleasure the two or
three afternoons at Masasi when Salim Matola’s mother, a slightly-
built, graceful, pleasant-looking woman, explained to me with
touching patience, by means of concrete illustrations, the ceramic art
of her people. The only implements for this primitive process were a
lump of clay in her left hand, and in the right a calabash containing
the following valuables: the fragment of a maize-cob stripped of all
its grains, a smooth, oval pebble, about the size of a pigeon’s egg, a
few chips of gourd-shell, a bamboo splinter about the length of one’s
hand, a small shell, and a bunch of some herb resembling spinach.
Nothing more. The woman scraped with the
shell a round, shallow hole in the soft, fine
sand of the soil, and, when an active young
girl had filled the calabash with water for her,
she began to knead the clay. As if by magic it
gradually assumed the shape of a rough but
already well-shaped vessel, which only wanted
a little touching up with the instruments
before mentioned. I looked out with the
MAKUA WOMAN closest attention for any indication of the use
MAKING A POT. of the potter’s wheel, in however rudimentary
SHOWS THE a form, but no—hapana (there is none). The
BEGINNINGS OF THE embryo pot stood firmly in its little
POTTER’S WHEEL
depression, and the woman walked round it in
a stooping posture, whether she was removing
small stones or similar foreign bodies with the maize-cob, smoothing
the inner or outer surface with the splinter of bamboo, or later, after
letting it dry for a day, pricking in the ornamentation with a pointed
bit of gourd-shell, or working out the bottom, or cutting the edge
with a sharp bamboo knife, or giving the last touches to the finished
vessel. This occupation of the women is infinitely toilsome, but it is
without doubt an accurate reproduction of the process in use among
our ancestors of the Neolithic and Bronze ages.
There is no doubt that the invention of pottery, an item in human
progress whose importance cannot be over-estimated, is due to
women. Rough, coarse and unfeeling, the men of the horde range
over the countryside. When the united cunning of the hunters has
succeeded in killing the game; not one of them thinks of carrying
home the spoil. A bright fire, kindled by a vigorous wielding of the
drill, is crackling beside them; the animal has been cleaned and cut
up secundum artem, and, after a slight singeing, will soon disappear
under their sharp teeth; no one all this time giving a single thought
to wife or child.
To what shifts, on the other hand, the primitive wife, and still more
the primitive mother, was put! Not even prehistoric stomachs could
endure an unvarying diet of raw food. Something or other suggested
the beneficial effect of hot water on the majority of approved but
indigestible dishes. Perhaps a neighbour had tried holding the hard
roots or tubers over the fire in a calabash filled with water—or maybe
an ostrich-egg-shell, or a hastily improvised vessel of bark. They
became much softer and more palatable than they had previously
been; but, unfortunately, the vessel could not stand the fire and got
charred on the outside. That can be remedied, thought our
ancestress, and plastered a layer of wet clay round a similar vessel.
This is an improvement; the cooking utensil remains uninjured, but
the heat of the fire has shrunk it, so that it is loose in its shell. The
next step is to detach it, so, with a firm grip and a jerk, shell and
kernel are separated, and pottery is invented. Perhaps, however, the
discovery which led to an intelligent use of the burnt-clay shell, was
made in a slightly different way. Ostrich-eggs and calabashes are not
to be found in every part of the world, but everywhere mankind has
arrived at the art of making baskets out of pliant materials, such as
bark, bast, strips of palm-leaf, supple twigs, etc. Our inventor has no
water-tight vessel provided by nature. “Never mind, let us line the
basket with clay.” This answers the purpose, but alas! the basket gets
burnt over the blazing fire, the woman watches the process of
cooking with increasing uneasiness, fearing a leak, but no leak
appears. The food, done to a turn, is eaten with peculiar relish; and
the cooking-vessel is examined, half in curiosity, half in satisfaction
at the result. The plastic clay is now hard as stone, and at the same
time looks exceedingly well, for the neat plaiting of the burnt basket
is traced all over it in a pretty pattern. Thus, simultaneously with
pottery, its ornamentation was invented.
Primitive woman has another claim to respect. It was the man,
roving abroad, who invented the art of producing fire at will, but the
woman, unable to imitate him in this, has been a Vestal from the
earliest times. Nothing gives so much trouble as the keeping alight of
the smouldering brand, and, above all, when all the men are absent
from the camp. Heavy rain-clouds gather, already the first large
drops are falling, the first gusts of the storm rage over the plain. The
little flame, a greater anxiety to the woman than her own children,
flickers unsteadily in the blast. What is to be done? A sudden thought
occurs to her, and in an instant she has constructed a primitive hut
out of strips of bark, to protect the flame against rain and wind.
This, or something very like it, was the way in which the principle
of the house was discovered; and even the most hardened misogynist
cannot fairly refuse a woman the credit of it. The protection of the
hearth-fire from the weather is the germ from which the human
dwelling was evolved. Men had little, if any share, in this forward
step, and that only at a late stage. Even at the present day, the
plastering of the housewall with clay and the manufacture of pottery
are exclusively the women’s business. These are two very significant
survivals. Our European kitchen-garden, too, is originally a woman’s
invention, and the hoe, the primitive instrument of agriculture, is,
characteristically enough, still used in this department. But the
noblest achievement which we owe to the other sex is unquestionably
the art of cookery. Roasting alone—the oldest process—is one for
which men took the hint (a very obvious one) from nature. It must
have been suggested by the scorched carcase of some animal
overtaken by the destructive forest-fires. But boiling—the process of
improving organic substances by the help of water heated to boiling-
point—is a much later discovery. It is so recent that it has not even
yet penetrated to all parts of the world. The Polynesians understand
how to steam food, that is, to cook it, neatly wrapped in leaves, in a
hole in the earth between hot stones, the air being excluded, and
(sometimes) a few drops of water sprinkled on the stones; but they
do not understand boiling.
To come back from this digression, we find that the slender Nyasa
woman has, after once more carefully examining the finished pot,
put it aside in the shade to dry. On the following day she sends me
word by her son, Salim Matola, who is always on hand, that she is
going to do the burning, and, on coming out of my house, I find her
already hard at work. She has spread on the ground a layer of very
dry sticks, about as thick as one’s thumb, has laid the pot (now of a
yellowish-grey colour) on them, and is piling brushwood round it.
My faithful Pesa mbili, the mnyampara, who has been standing by,
most obligingly, with a lighted stick, now hands it to her. Both of
them, blowing steadily, light the pile on the lee side, and, when the
flame begins to catch, on the weather side also. Soon the whole is in a
blaze, but the dry fuel is quickly consumed and the fire dies down, so
that we see the red-hot vessel rising from the ashes. The woman
turns it continually with a long stick, sometimes one way and
sometimes another, so that it may be evenly heated all over. In
twenty minutes she rolls it out of the ash-heap, takes up the bundle
of spinach, which has been lying for two days in a jar of water, and
sprinkles the red-hot clay with it. The places where the drops fall are
marked by black spots on the uniform reddish-brown surface. With a
sigh of relief, and with visible satisfaction, the woman rises to an
erect position; she is standing just in a line between me and the fire,
from which a cloud of smoke is just rising: I press the ball of my
camera, the shutter clicks—the apotheosis is achieved! Like a
priestess, representative of her inventive sex, the graceful woman
stands: at her feet the hearth-fire she has given us beside her the
invention she has devised for us, in the background the home she has
built for us.
At Newala, also, I have had the manufacture of pottery carried on
in my presence. Technically the process is better than that already
described, for here we find the beginnings of the potter’s wheel,
which does not seem to exist in the plains; at least I have seen
nothing of the sort. The artist, a frightfully stupid Makua woman, did
not make a depression in the ground to receive the pot she was about
to shape, but used instead a large potsherd. Otherwise, she went to
work in much the same way as Salim’s mother, except that she saved
herself the trouble of walking round and round her work by squatting
at her ease and letting the pot and potsherd rotate round her; this is
surely the first step towards a machine. But it does not follow that
the pot was improved by the process. It is true that it was beautifully
rounded and presented a very creditable appearance when finished,
but the numerous large and small vessels which I have seen, and, in
part, collected, in the “less advanced” districts, are no less so. We
moderns imagine that instruments of precision are necessary to
produce excellent results. Go to the prehistoric collections of our
museums and look at the pots, urns and bowls of our ancestors in the
dim ages of the past, and you will at once perceive your error.
MAKING LONGITUDINAL CUT IN
BARK

DRAWING THE BARK OFF THE LOG

REMOVING THE OUTER BARK

BEATING THE BARK

WORKING THE BARK-CLOTH AFTER BEATING, TO MAKE IT

SOFT

MANUFACTURE OF BARK-CLOTH AT NEWALA

To-day, nearly the whole population of German East Africa is
clothed in imported calico. This was not always the case; even now in
some parts of the north dressed skins are still the prevailing wear,
and in the north-western districts—east and north of Lake
Tanganyika—lies a zone where bark-cloth has not yet been
superseded. Probably not many generations have passed since such
bark fabrics and kilts of skins were the only clothing even in the
south. Even to-day, large quantities of this bright-red or drab
material are still to be found; but if we wish to see it, we must look in
the granaries and on the drying stages inside the native huts, where
it serves less ambitious uses as wrappings for those seeds and fruits
which require to be packed with special care. The salt produced at
Masasi, too, is packed for transport to a distance in large sheets of
bark-cloth. Wherever I found it in any degree possible, I studied the
process of making this cloth. The native requisitioned for the
purpose arrived, carrying a log between two and three yards long and
as thick as his thigh, and nothing else except a curiously-shaped
mallet and the usual long, sharp and pointed knife which all men and
boys wear in a belt at their backs without a sheath—horribile dictu!
[51]
Silently he squats down before me, and with two rapid cuts has
drawn a couple of circles round the log some two yards apart, and
slits the bark lengthwise between them with the point of his knife.
With evident care, he then scrapes off the outer rind all round the
log, so that in a quarter of an hour the inner red layer of the bark
shows up brightly-coloured between the two untouched ends. With
some trouble and much caution, he now loosens the bark at one end,
and opens the cylinder. He then stands up, takes hold of the free
edge with both hands, and turning it inside out, slowly but steadily
pulls it off in one piece. Now comes the troublesome work of
scraping all superfluous particles of outer bark from the outside of
the long, narrow piece of material, while the inner side is carefully
scrutinised for defective spots. At last it is ready for beating. Having
signalled to a friend, who immediately places a bowl of water beside
him, the artificer damps his sheet of bark all over, seizes his mallet,
lays one end of the stuff on the smoothest spot of the log, and
hammers away slowly but continuously. “Very simple!” I think to
myself. “Why, I could do that, too!”—but I am forced to change my
opinions a little later on; for the beating is quite an art, if the fabric is
not to be beaten to pieces. To prevent the breaking of the fibres, the
stuff is several times folded across, so as to interpose several
thicknesses between the mallet and the block. At last the required
state is reached, and the fundi seizes the sheet, still folded, by both
ends, and wrings it out, or calls an assistant to take one end while he
holds the other. The cloth produced in this way is not nearly so fine
and uniform in texture as the famous Uganda bark-cloth, but it is
quite soft, and, above all, cheap.
Now, too, I examine the mallet. My craftsman has been using the
simpler but better form of this implement, a conical block of some
hard wood, its base—the striking surface—being scored across and
across with more or less deeply-cut grooves, and the handle stuck
into a hole in the middle. The other and earlier form of mallet is
shaped in the same way, but the head is fastened by an ingenious
network of bark strips into the split bamboo serving as a handle. The
observation so often made, that ancient customs persist longest in
connection with religious ceremonies and in the life of children, here
finds confirmation. As we shall soon see, bark-cloth is still worn
during the unyago,[52] having been prepared with special solemn
ceremonies; and many a mother, if she has no other garment handy,
will still put her little one into a kilt of bark-cloth, which, after all,
looks better, besides being more in keeping with its African
surroundings, than the ridiculous bit of print from Ulaya.
MAKUA WOMEN