Welcome back, everyone. Today I wanted to talk about how the Tsurugi Device Unlocker works. Once you've installed Tsurugi Linux on your forensic workstation, or if you're using the live CD, you're probably going to use the Device Unlocker to add destination drives: you need to unlock them so that you can write data to them. So aside from just installing Tsurugi Linux, this is probably one of the most common programs you'll use in the Tsurugi Linux toolkit. It's right on the desktop, the Tsurugi Linux Device Unlocker. We can double click on it and enter the password, which for the virtual machine is tsurugi. What we see is basically all of the devices in the system, whether they should be unlocked or not, and their current read/write status. So this little application opens a window, gives us a bit of information, and lets us see the current devices, their status, their size, and whether we should unlock them. If we go to Advanced, we can see not only the physical device (in Linux a physical device would be something like /dev/sda) but also the partitions, which would be sda1, the first partition on sda, sda2, the second partition on sda, and so on. These are the logical volumes, or partitions, on the physical drive sda. We can see all of that under the Advanced menu, in case you wanted for some reason to write block only one partition but leave the other partitions, or the disk, writable. If you block writing to the disk, obviously you cannot write anything to its partitions either. So it's under Advanced because it's a very strange case where you would want to write block one partition but not another and keep the disk read/write. So let's go back.
Okay, so turning off advanced mode, we see just the physical device /dev/sda, and it's already in read/write mode, so it doesn't have write blocking on it right now. If I add another device, and I've just added one, and we do Device Refresh, now I see two devices, and sdb is the USB stick I just inserted. It's 15 gig, that's correct, and it is in read-only mode. So whenever you attach new devices, by default they're going to be read only; you cannot write any data to the disk. That's just the way the operating system is set up, and we'll talk about that in a little bit. If I wanted to make this USB stick writable, I would have to select it and then click the Unlock button. But that's not what I want to do today, so I'm just going to go Device Refresh, and we see the two physical disks that are available and their current status. So this is a fairly simple little program, and it's a good example of the kind of program you might want to create when you're working on forensic investigations. It's a very handy interface and a useful utility. So let's see how it works. The first thing I'd do to learn more about this program is check online for information. But let's say there isn't any. I can go to Properties, and we can see a couple of different things. This is the name, just the standard name, and then the command is gksudo tsurugi_device_unlocker_gui. So it's running the program with sudo, as a superuser. If I close that and double click, it asks me for my password, because it obviously needs administrator or root privileges to do the different types of write blocking. If I remove the gksudo, click Close, and double click, we get: you must execute the unlocker with root privileges. So we need additional privileges.
The way it knows to ask you is by putting gksudo in front of the executable in the launcher. Whenever you launch it, it asks for the password, and then the program runs. So that's fairly straightforward: we've learned how they're elevating privileges, and we know the name of the program. If I go to the command line, the terminal, I can type tsu and hit Tab, and I see a couple of different options. There's tsurugi cleaner debug info, which might be interesting later, and tsurugi_device_unlocker_gui, which is the program we're interested in. But I need to know where it's located. In Linux, if I want to know where something is located, I can use the which command: which tsurugi_device_unlocker_gui. I know the name, but not where the executable actually lives, and we need the full path. which gives me the full path, /usr/bin/tsurugi_device_unlocker_gui. I'm going to copy that because we're probably going to type it. Now I want to see what type of file this is, so I run file -i and paste the full path. What we see is text/x-shellscript: it's been identified as a shell script rather than a binary. That means we can probably edit it directly, right? If it's just a bash shell script, we can use bash programming to go in and edit it if we want to. That's another reason this is a good example: we can read and edit the file directly. I'm going to use nano, a simple text editor in Linux. There are lots of others if you prefer them, but I'm going to start with nano. So I'm going to paste this: nano and then the full path.
If this is owned by the root user or a different user, I'd have to change user, but I think it's okay to open it as is; we might not want to edit it anyway. We do want to see what the code says. So let's expand this a bit. I'm in nano, and I've opened the bash script that makes up the device unlocker. You'll notice the first thing is the #!/bin/bash line. This is how file knew it was a bash script: there's no extension to tell us, but it has the proper header. Then we have some comments. It was last updated in 2019, so that's kind of the version number; there might be updates coming out. Then the link to the Tsurugi Linux website. So that's the standard stuff: you'll usually see a short header with some version information, maybe the authors, and you'll definitely see this #!/bin/bash or #!/bin/sh header. Now we get into the actual program. The first thing is a variable: we're creating a variable called regex, and looking at the string, we haven't talked about regular expressions yet, but this is setting up a regular expression. A regular expression is a method to filter or match things. Usually with regular expressions we're looking to match things that aren't exact keywords. Imagine you're looking for a keyword but you're not exactly sure what it is; maybe you don't know how it's spelled, but you want something close to it. Regular expressions let you match based on patterns rather than exact strings. We'll do another video on regular expressions later, and there are a lot of videos online. They are very useful for searches, especially in digital investigations where you're not sure exactly what a word might be.
But you can use a regular expression to search for the pattern instead. Now, there are a couple of things I can see here immediately. I can guess that this pattern has something to do with the devices in the system, because in Linux we have the /dev folder. In /dev we have all of our system devices; you'll see the physical disk placeholders and the logical disk placeholders as well. That's how you access the different devices in your system. If we look at our regular expression, we see a couple of instances of dev. The pipe means or. We have a slash, so it's basically looking for /dev/ followed by three letters from a to z. Over here, /dev/ plus three letters would match sda. Then we have nvme, which is a different type of physical disk in Linux. So this regular expression matches the different types of devices; it's filtering for these devices. That's exactly what we'd expect, because the tool has to find the local devices to change their state. Then we have another variable called advanced, set to zero. Setting a variable to zero tends to mean true/false, where zero is false and one is true. So this looks like a Boolean flag for whether we're in advanced mode or not. Remember, if we click the Advanced button, we also see the logical disks, not just the physical ones. Next we have a function called check_root, with an if statement: if id -u is not equal to zero. Let's run that and see what happens. id -u gives us our user ID, and we're logged in as tsurugi right now. So if it's not equal to zero, then: you must execute the unlocker with root privileges.
Let's try id as root. If we do sudo id -u, we get the ID for root, which is zero. So if id -u is zero, we have root privileges. What they're doing here is just making sure we're actually running as root. If it's not zero, it needs to show a message, and it uses a tool called zenity. We can copy this whole thing. It's showing a warning using zenity, which is a tool that creates dialog boxes for you. Let's change the text to "Warning: you are out of tacos." zenity creates this box with whatever text and title you give it. It also shows the warning icon because that's the type of dialog it was, and the only option is to click OK. Once we click OK, it returns, and then exit 1 exits the script. So one of the first things this script does is check whether we're root, and if not, give an error message and exit. That's what we'd expect to see. Next we have the intro function. I know it's a function because we have a name, then parentheses, and then the curly braces that start the code inside the function. Then we have an if statement; this whole line is the condition. If it's true, the code in the block runs; if not, it doesn't. We have if $1 == installer. $1 is the first argument passed to this function, so we're sending it some value, probably where we're executing this from. So: if the value we send equals installer.
So if we're running this from the installer, the Tsurugi Linux installer, then we want to check whether the machine booted with EFI firmware, because it says here it's not compatible with EFI: please install the system correctly, reboot in BIOS legacy mode. It's just telling us what to do if it's EFI. Then it goes to the next line, which asks where you want to install. This is a bit strange to me. If this code runs and it is EFI, and we know that's not compatible, it gives you an error message saying this isn't compatible, but then it still asks where you want to install, which doesn't seem to fit the logic. But that's how they wrote it. I would probably put both lines inside the check, or actually exit once the warning is done, but maybe they kept it for some other reason. So what this is doing is checking if we're in installer mode, then checking if we're in EFI mode, giving a warning message if so, and after the warning going to the Tsurugi installer. So intro is pretty simple; it's just showing zenity messages so far. We haven't got to the write blocking part yet, but it looks like it's coming up next. Next we have the menu function. Again, menu is the name, the parentheses tell me it's a function, and everything inside the curly braces is part of the function. When this runs, we first set a variable called list, and then we run sudo blockdev --report. It should already be running with administrative privileges, so sudo probably isn't necessary here. blockdev shows the block devices in your computer, and --report prints a report on them. Let's run just that part and see what we get.
I'm betting it lists all of the drives. Yep, it lists all of the drives, including the logical disks, not just the physical ones, and gives a lot of information. Here we can see the read-only status: sda is all read-write, while sdb is all read-only. Let's keep going. Then we pipe into grep -E "$regex". This is a variable; you can tell by the dollar sign. So we go all the way back up to the top, and we're finally using the regular expression we saved there. The regex only pulls out the physical disks; it won't match the logical disks, because by default that's what we want to extract. So we take the blockdev report and pull out any physical disks we find. Then we use awk, let me scroll back a second, to change the order of the output: awk moves some of this information around, formatting it. Then sed does replacement: we replace rw with the written-out term Read-Write and ro with Read-Only. And then some number formatting to make sure it's in the form zenity accepts as a table. So basically it extracts all of that content and formats it, all in one line, and the result is saved into the variable list. That list is the text we see inside the menu. Then we create another variable called answer, which means we're going to ask the user some sort of question, and we use zenity to create an interface with a particular width and height.
Then we use --list, which makes sense, because we already have our list data saved, all the disks and their current read/write state. We have --radiolist, which means you can select one item. We have the title and then a lot of text; if you remember, this text was at the top of the menu. Then we have some extra buttons: Advanced (remember we had the Advanced button), Device Refresh, and the cancel label is Exit, so we can set all the labels, and the OK label is Unlock. Then we set our different columns: --column Unlock, --column Device, --column Size, --column Current Status, and then our list data. So we're giving all the settings to build the interface, and then dumping all of our disk information into it at the end. Once we have that, we're just waiting for the user to do something, and when they do, we save the result in answer, and the button that was clicked is returned in $?. If you want to see this, I just ran sudo blockdev --report, so I can echo $? and I get back zero. I'm not sure exactly what zenity returns in answer here, but $? is the return status of the last program that ran, so this is the return status of zenity. Apparently clicking the different buttons gives a different return status, and we save that in a variable called button. For reference, let's go back to the interface. This line of code, with all of this stuff, is what waits for an answer. All the text you saw is up here, these are the columns we set up, these are the extra buttons, and everything that was in list is provided in these lines, right?
So everything in list is in this format. That's a pretty nice interface with just a few options; it's pretty impressive. I didn't really know about zenity before we looked at it, so that's cool. Now we have an answer: the user has selected something or clicked a button, and we've collected the answer and the button. So if answer was Advanced, meaning we clicked the Advanced button, then: if advanced == 0. What is this variable? We talked about it at the very top: advanced is set to zero, meaning we are not in advanced mode by default. By default we're in normal mode, which only shows the physical disks. So this first check looks at whether we're in advanced or normal mode. If we're in normal mode, we set advanced to one, meaning advanced mode, and we change the regular expression we set earlier. This one is a bit different from the other regex: what it does is include the logical disks. If we are not in advanced mode, we switch to advanced mode and change the regex; if we are already in advanced mode, we switch back to normal mode and go back to the original regex. So all this does is change the regular expression, which changes the disks you can select in the interface. Once we've set our regex, we call the menu function again with some variable. What is $1 here? I wasn't sure at first, but, oh yeah, we're passing on whatever was passed in at the beginning.
That's a little confusing, because it's just taking a variable we already had and passing it on again. So menu $1 calls the menu function again, but this time our regular expression is different. What happens? Once the regex is different, the list is different, because regex changed here. So we're calling the same function again, rerunning with a different regex and setting up the interface just like before. We still haven't got to any write blocking, but at least we're detecting disks and working with the blockdev tool built into Linux. The next thing shouldn't be a surprise: we have Device Refresh. If our answer is Device Refresh, we just call menu again and it refreshes with the same regex as last time. Nothing special there. Then we have: if the answer is empty (the -z test) and button is zero, then we didn't actually make a choice and need to do something else. Let's see what that case actually looks like. Here I'm not making a choice at all, and I click Unlock. Yep: empty choice, please select a device. So if I didn't select anything and try to unlock, I get this warning and then menu is called again to refresh. Otherwise, if only the answer is empty, then exit. I don't know exactly when you'd get that, but most likely when you click the Exit button you don't have an answer, and the button status is what differs. So if the answer is empty and the first test is false, you exit. They've kind of snuck that in as another use case; we'd have to check to make sure it's actually the Exit button, but I'd bet that's what it is.
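To make the menu pipeline concrete, here is an added example (my own reconstruction, not the Tsurugi script) that runs the same grep/awk/sed steps over a constructed blockdev --report sample and shows how flipping the advanced flag swaps the regex; the two regexes, the row layout and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: reconstructs the core of the unlocker's menu() pipeline
# (blockdev --report | grep -E "$regex" | awk | sed) so it can be run on
# saved report text without root or zenity. Not Tsurugi's own code.

# Regex for physical disks only (normal mode) and for disks plus
# partitions (advanced mode). Both are assumptions modelled on the
# behaviour described in the walkthrough, not the distro's exact strings.
REGEX_PHYSICAL='/dev/(sd[a-z]+|nvme[0-9]+n[0-9]+)$'
REGEX_ADVANCED='/dev/(sd[a-z]+[0-9]*|nvme[0-9]+n[0-9]+(p[0-9]+)?)$'
ADVANCED=0   # 0 = normal mode, 1 = advanced mode, as in the script

# Flip between modes; the only thing that changes is which regex is used.
toggle_advanced() {
    if [ "$ADVANCED" -eq 0 ]; then ADVANCED=1; else ADVANCED=0; fi
}

current_regex() {
    if [ "$ADVANCED" -eq 1 ]; then echo "$REGEX_ADVANCED"; else echo "$REGEX_PHYSICAL"; fi
}

# Turn blockdev --report text (read from stdin) into one menu row per
# line: <selected> <device> <size> <status>. blockdev prints
# "RO RA SSZ BSZ StartSec Size Device", so $1 is ro/rw, $6 bytes, $7 path.
# zenity --list consumes each cell as a separate argument, so the real
# script would split these rows further; one row per line is easier to read.
build_list() {
    grep -E "$(current_regex)" \
    | awk '{ printf "FALSE %s %.1fG %s\n", $7, $6 / 1073741824, $1 }' \
    | sed -e 's/ rw$/ Read-Write/' -e 's/ ro$/ Read-Only/'
}

# Constructed sample report (not captured from a real system): the
# workstation disk sda is read-write, a freshly inserted USB stick sdb
# has already been set read-only by the udev rules.
SAMPLE_REPORT='RO    RA   SSZ   BSZ   StartSec            Size   Device
rw   256   512  4096          0     64424509440   /dev/sda
rw   256   512  4096       2048     64423460864   /dev/sda1
ro   256   512  4096          0     15931539456   /dev/sdb
ro   256   512  4096       2048     15930490880   /dev/sdb1'

# Rows for a given mode: $1 = 0 (normal) or 1 (advanced).
rows_for_mode() {
    ADVANCED=$1
    printf '%s\n' "$SAMPLE_REPORT" | build_list
}

# Number of menu rows in a mode.
count_rows() {
    rows_for_mode "$1" | grep -c .
}

echo "normal mode:";   rows_for_mode 0
echo "advanced mode:"; rows_for_mode 1
```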
Next, getting into the really interesting stuff for forensics, is device_unlock. This is how they write block, or write protect, the disks or not. device_unlock first checks whether the device is still read-write: if sudo (again, you probably don't need sudo here) blockdev --getro $answer. answer is a variable, and it would be whichever of these we selected, probably /dev/sdb. So the value inside answer would be /dev/sdb, and here we'd have blockdev --getro /dev/sdb. Let's run that: sudo blockdev --getro /dev/sdb. --getro returns 1. If we did sda, it would probably return 0. So --getro gives us a Boolean: one is true, it is read-only, and zero is false, it's not read-only. So the script checks: if it is not read-only, show a warning that the device is in read-write mode already. Let's go ahead and do that. sda is read-write, so let's try to unlock it: the /dev/sda device is already in read-write mode. Good. So that's just an error message saying, hey, this was already read-write, don't worry about it. Then, if $1 is installer, run installer, the function we talked about before; that's just a special case. And then run the menu again to refresh. So when we click Unlock we get this error box, the other box disappears, we click OK, menu runs again, and it rebuilds the entire menu. If it's not already read-write, then we actually ask the question: this is a read-only device, are you sure you want to unlock it? Then we check the result, which is zero if the user confirmed; the question returns yes or no. So let's click Unlock.
Are you sure you want to unlock it into read-write mode? If you click No, it will just cancel; if you click Yes, then check equals zero and we actually unlock the device. I'm going to click No here: the unlock has been aborted. Good. Let's go back and see what else they're doing. If check equals zero, that means the user said yes, I do want to unlock this, and it runs sudo blockdev --setrw for the device, with a little asterisk, the star, after it. What that does is set read-write not only on the physical disk but also on the logical disks, so if it's sda, it also covers sda1, sda2, sda3. So we're setting all of the devices associated with that block device to read-write. Then zenity just tells us we successfully unlocked the device. Again we check whether this is the installer, and if so, go back and show a special menu. If I clicked No, as I did earlier because I didn't want to change the device to read-write, it just says the unlock has been aborted and refreshes the menu. Then, after all of these if statements, if everything falls through, refresh the menu. I bet we don't get to this refresh very often; we'd need to check, but it's probably just in case someone happens to fall through all of these cases, so at a minimum it refreshes. Most of the time they break out earlier. Next is the installer function, which runs on the disk whenever you're installing the system. I know it's a function because it has a name, parentheses, and the curly brace. And this is disabling the udev hook.
This is where Tsurugi Linux automatically sets read-only: in these udev rules. I'll show you one of them. By default, if I can expand this, Tsurugi Linux sets everything to read-only using these rules in the operating system. So at the kernel level it's doing write blocking with these rules. What the rules do is look for new block devices, ignore sda, the physical disk, and all of its partitions, and run blockdev --setro for all other devices found. So anything that's attached is set to read-only, and the same is true for loop devices when they're created. That's all these rules are: hey, ignore my main drive, don't set it read-only, make sure it's read-write, but everything else, make it read-only whenever it's inserted into the computer. If you can assume everything is write blocked by default, then you just unlock the things you need to unlock. That's a much safer way to run for digital forensics than having everything read-write and hoping you can block it in time. Then we have a couple of other things for the installer: it sets up the rules, installs them, and runs udevadm to reload the rules and trigger them. Then notify-send, which is something very similar to zenity. That's pretty much it; the installer is pretty normal. So those are all of the functions. At the end, after all the functions, we actually run the commands. First check_root; remember, that function just checks whether we're running with an ID of zero. Then intro, and actually, I don't remember what intro does.
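As an added example of the write-block-by-default approach (constructed for this walkthrough, not Tsurugi's actual rule file), here is a udev rule of that kind together with the install and reload steps and a small check that lists anything still writable; the rule file name, the system-disk name and the blockdev path are assumptions.

```shell
#!/bin/sh
# Added example: a write-block-by-default udev rule like the one the
# walkthrough describes, plus the install steps (write rule, reload,
# trigger). Constructed for illustration; it is not Tsurugi's rule file,
# and RULES_NAME, SYSTEM_DISK and the /sbin/blockdev path are assumptions.

SYSTEM_DISK="${SYSTEM_DISK:-sda}"          # the workstation's own disk
RULES_NAME="99-writeblock-example.rules"   # hypothetical file name

# Emit the rule text. Every block device that is added is set read-only
# with blockdev --setro, except the system disk and its partitions.
# Loop devices are covered by the SUBSYSTEM=="block" match as well, so an
# image attached with losetup is also write-blocked when it appears.
writeblock_rules() {
    cat <<EOF
# Example write-block-by-default rules (constructed for illustration).
# Skip the workstation's own disk ($SYSTEM_DISK) and its partitions.
ACTION=="add", SUBSYSTEM=="block", KERNEL=="$SYSTEM_DISK*", GOTO="writeblock_end"
# Everything else (disks, partitions, loop devices) becomes read-only
# the moment the kernel announces it.
ACTION=="add", SUBSYSTEM=="block", RUN+="/sbin/blockdev --setro /dev/%k"
LABEL="writeblock_end"
EOF
}

# Write the rules into a directory ($1), defaulting to udev's rules.d,
# and print the path written.
install_writeblock_rules() {
    dir="${1:-/etc/udev/rules.d}"
    writeblock_rules > "$dir/$RULES_NAME"
    echo "$dir/$RULES_NAME"
}

# Reload and re-trigger udev so devices already present are re-evaluated.
# Needs root; only run when asked so the rest of the file is safe to source.
activate_rules() {
    udevadm control --reload-rules && udevadm trigger --subsystem-match=block
}

# Self-check a practitioner can run after installing: every block device
# other than the system disk should report rw=0, so anything printed here
# is a write-blocking gap to investigate.
unexpected_writable() {
    blockdev --report | awk -v sys="/dev/$SYSTEM_DISK" \
        '$1 == "rw" && index($7, sys) != 1 { print $7 }'
}

if [ "${1:-}" = "install" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_writeblock_rules && activate_rules
fi
```

Run it as root with the argument install to write and activate the rule; unexpected_writable is the check to run afterwards.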
Yeah, it just checks whether we're in the installer, and then what you're doing. Most people, especially once you've already installed, won't see that. Then it pops up and populates the menu. And that's pretty much it. There are a couple of things in here that I learned. As I was going through this, I thought the way they're using blockdev was interesting, and I also didn't know about zenity and how easy it makes menus. I write a lot of command line programs, so I'll probably end up using zenity as well; it looks very easy to insert into your code. So that's it. I just wanted to explain how the unlocker works, because even though there's a lot going on, zenity makes it look like a lot more programming than it actually is. This is a really simple script. If you had a clear idea of exactly what you wanted to do, you could probably write it in a day, maybe a couple of days. But think about how useful it is, and how many people are using this device unlocker plus those rules all the time. Even if you're not using Tsurugi Linux, you can apply these to almost any Linux system. Plus, the logic is interesting in case you wanted to write similar scripts for Windows or OS X. I always like to go in and see what people are doing and how they're doing it, and I learn quite a bit from other people's code. Sometimes I find things I could probably change. I hope this was interesting for you, and I hope you end up writing some of your own scripts and sharing them with us; maybe I can talk about those as well. Thank you very much and have a good day. Thanks for watching. If this was helpful, please like and subscribe. Also, please consider supporting us on Patreon.
Your support lets us focus on making better tutorials for everyone.