Unix/Linux Forensics
Simple Linux Commands
• date – display the date
• ls – list the files in the current directory
• more – display a file one screen at a time
• cat – display the contents of a file
• wc – count lines, words, and characters
• cp, mv, rm, pwd, mkdir, cd, rmdir, chmod
• head – show the first few lines of a file
• file – determine a file type
• tail – show the last few lines of a file
• cal – display a calendar
• kill – terminate a running command
• lpr – send a job to the printer
• grep – search a file for a specific pattern
• chmod – change file permissions
• fdisk
• mount, cat /etc/fstab
• last
• …
Basic Concepts
• shell
• shell scripts
• background and foreground
  – &
  – Ctrl-Z, bg, fg, jobs
• Environment variables – env
• passwd
The Linux Filesystem Layout
• The basic layout of the filesystem starts with the root directory.
  – root directory: the base of the file system's tree structure
  – /bin: binary files for the OS
  – /dev: the device files
  – /etc: system configuration files
  – /sbin: system administrative binaries
  – /home: conventional location for users' home directories
  – lost+found: storage for recovered files
Commonly used commands/concepts
• mount/umount
• ls: different options
• ln
• df
• tree
• chmod, chown, chgrp
• find
• tar
• gzip
• dd
• stat
Commonly used commands/concepts
• cksum – checksum and count the bytes in a file
• sum – checksum and count the blocks in a file
• diff – provide a list of each line that differs
• strings
Commonly used commands/concepts
• Every file is managed by a data structure called an inode
  – File location and size
  – Owner, permissions
  – Time of creation, time of last access, time of last modification
  – stat
• SUID root – set user ID
Ext2 Inode
• http://www.tldp.org/LDP/tlk/fs/filesystem.html
Network Information System
• /etc/nsswitch.conf
• yppasswd
Shared System Files
Four basic steps
• Present (report)
• Preserve
• Analyze
• Collect
Investigating a Unix Host
• Filesystem integrity-checking program
  – Tripwire: http://sourceforge.net/projects/tripwire/
• TCT
  – Examining hacked Unix systems
  – http://www.porcupine.org/forensics/tct.html
• netcat
Order of Volatility
• The more volatile the data is, the more difficult it is to capture, and the less time you have to do it.
• In descending order of volatility:
  – CPU storage
  – System storage
  – Kernel tables
  – Fixed media
  – Removable media
  – Paper printouts
• Table 11-4
TCT (1)
• TCT – The Coroner's Toolkit
  – http://www.porcupine.org/forensics/
• Mostly Perl, but some C as well
• A STATIC tool!
  – e.g. changes to the filesystem during analysis will NOT be noticed by TCT
  – You MUST isolate the system under investigation
TCT (2)
• Four major parts:
  – grave-robber: captures forensics data
  – The C-tools (ils, icat, pcat, file, etc.)
    » pcat – low-level memory utility: copies process memory (pcat PID)
    » file: determine file type
    » icat: copies files by inode number
    » ils: lists inode info (usually of removed files)
  – lazarus: creates structure from unstructured data
  – mactime: reports on the times of files
The C-tools (ils, icat, pcat, file, etc.)
• pcat – gathers process memory from a live system
• ils – gathers inode information
  – ./ils /dev/sda6
• icat – copies files using inode information to standard output
  – ./icat /dev/sda6 1405802 (you can use stat to obtain the inode number)
• file – determine file type
lazarus
• Lazarus – classifies raw information for analysis (brings back info from the dead)
  – Unallocated data blocks with no referring inode
mactime
• Three times on ext filesystems:
  – Modification time
  – Access time
  – Change time
• Collects information on all three times for specific files
  – ./mactime -d /root/download/tct-1.16/bin -y 9/29/2006
Be nice to your MAC times
• MAC times are sensitive (to changes within the system)
• Running a single command may change the last access time of a file
• Grab MAC time info before running any further commands on the system.
• You'll use this info to create a timeline of activity.
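An added example (not part of the slides or of TCT) of the "snapshot first, then build a timeline" habit described above: it records the three MAC times of every file under a directory with stat, sorts them into a mactime-style timeline, and filters by a start date the way mactime -y does. It assumes GNU coreutils (stat --printf, find -exec ... +) and uses a constructed sample tree, not an evidence image.

```bash
#!/bin/sh
# Added example: MAC-time snapshot and mactime-style timeline (assumes GNU coreutils).
set -eu

# One row per time per file: "epoch|kind|path", kind = m (mtime), a (atime), c (ctime).
# stat only reads inode metadata, so it does not update the files' own atimes
# (walking the tree does update each directory's atime; note that in your log).
snapshot_mac() {   # $1 = root directory, $2 = snapshot file to write
    find "$1" -type f -exec stat --printf='%Y|m|%n\n%X|a|%n\n%Z|c|%n\n' {} + > "$2"
}

# Oldest event first; ties broken by kind and path so the output is deterministic.
timeline() {   # $1 = snapshot file; prints "epoch kind path"
    sort -t'|' -k1,1n -k2,2 -k3,3 "$1" | awk -F'|' '{ print $1, $2, $3 }'
}

# Only events at or after a given epoch second (the role of mactime -y on slide 18).
events_since() {   # $1 = snapshot file, $2 = epoch seconds
    timeline "$1" | awk -v since="$2" '$1 >= since'
}

# --- constructed sample tree (stands in for the suspect filesystem) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/evidence"
printf 'old\n' > "$WORK/evidence/old.txt"
touch -t 200609291200 "$WORK/evidence/old.txt"   # back-date mtime/atime to 2006-09-29; ctime stays "now"
printf 'new\n' > "$WORK/evidence/new.txt"
NOW=$(date +%s)

snapshot_mac "$WORK/evidence" "$WORK/mac.snap"   # do this before grep, strings, or anything else
echo "full timeline:";             timeline "$WORK/mac.snap"
echo "events in the last minute:"; events_since "$WORK/mac.snap" "$((NOW - 60))"
```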
Sleuth Kit
• Expands on TCT's data
• Provides low- and high-level access to Unix and Windows filesystems.
The Sleuth Kit File System Tools
• File System Category
• Content Category
  – dls -f ext -e -l sda6.img
    » a: the data unit is allocated
    » f: the data unit is unallocated
  – dcat -f ext sda6.img 23456
    » view the contents of any data unit
• Metadata Category
  » Includes data that describe a file: for example, temporal information, the addresses of the data units, the size of the file.
  » istat -f ext sda6.img 163199 – get a specific metadata entry
  » ils -f ext -e sda6.img – list the details of several metadata structures
  » icat -f ext sda6.img 31 – view the contents of a file by its metadata address instead of its file name
The Sleuth Kit
• File Name Category
  » Includes the data that associates a name with a metadata entry
  » fls: list file names in a given directory
  » ffind: list which file name corresponds to a given metadata address
• Application Category
  » A file system journal records updates to the file system so that it can be recovered more quickly after a crash
  » jls – list the contents of the journal and show which file system blocks are saved in the journal blocks
• Multiple Category
  » mactime: takes temporal data from fls and ils to produce a timeline of file activity
The Sleuth Kit – Searching tools
• sigfind – find a binary signature in a file
• Disk tools
  – disk_stat
• Volume system tools
Autopsy
• Developed to automate the investigation process when TSK is being used
• http://www.sleuthkit.org/autopsy/
Capture Filesystem
• Imaging utilities
  – Wipe the analysis drive first
    » dd if=/dev/zero of=/dev/fd0
  – One more example: image /dev/hdb5 over the network in three pieces (the nc -l listeners run on the collection host 192.168.0.4, the dd | nc senders on the suspect host), then reassemble the pieces
    » nc -l -p 10001 > suspect.hdb5.image.1of3 &
    » nc -l -p 10002 > suspect.hdb5.image.2of3 &
    » nc -l -p 10003 > suspect.hdb5.image.3of3 &
    » dd if=/dev/hdb5 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10001
    » dd if=/dev/hdb5 skip=2000000 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10002
    » dd if=/dev/hdb5 skip=4000000 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10003
    » cat suspect.hdb5.image.1of3 >> suspect.hdb5.image
    » cat suspect.hdb5.image.2of3 >> suspect.hdb5.image
    » cat suspect.hdb5.image.3of3 >> suspect.hdb5.image
md5
• Create the hash value of the collected data and record it
  – md5 from TCT: md5 /dev/sda6
  – Verify the image file on the collection host
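An added example (not from the slides) that runs the split dd imaging of the previous slide and the hash verification of this one locally: a constructed file stands in for /dev/hdb5, the pieces are written straight to disk instead of through netcat, and the reassembled image is accepted only when its hash matches the source. It assumes POSIX sh with dd and md5sum (the slides use TCT's md5 for the same check).

```bash
#!/bin/sh
# Added example: split imaging with dd skip/count, reassembly with cat >>, hash verification.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample "partition": 3000 blocks of 1 KiB of random bytes (stands in for /dev/hdb5).
dd if=/dev/urandom of="$WORK/hdb5" bs=1024 count=3000 2>/dev/null

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# Copy the source in fixed-size pieces with skip/count, as the slide does with
# count=2000000 per piece. Prints the number of pieces written.
image_in_pieces() {   # $1 = source, $2 = piece prefix, $3 = blocks (1 KiB) per piece
    total=$(( $(wc -c < "$1") / 1024 ))
    n=0; off=0
    while [ "$off" -lt "$total" ]; do
        n=$((n + 1))
        dd if="$1" of="$2.$n" bs=1024 skip="$off" count="$3" 2>/dev/null
        off=$((off + $3))
    done
    echo "$n"
}

# Concatenate the pieces in order and succeed only if the rebuilt image hashes
# identically to the source (a wrong order, a lost piece or a changed byte all fail).
reassemble_and_verify() {   # $1 = source, $2 = piece prefix, $3 = piece count, $4 = output
    : > "$4"
    i=1
    while [ "$i" -le "$3" ]; do
        cat "$2.$i" >> "$4"
        i=$((i + 1))
    done
    [ "$(md5_of "$1")" = "$(md5_of "$4")" ]
}

PIECES=$(image_in_pieces "$WORK/hdb5" "$WORK/hdb5.image" 1000)   # three 1000-block pieces
if reassemble_and_verify "$WORK/hdb5" "$WORK/hdb5.image" "$PIECES" "$WORK/hdb5.full"; then
    echo "image verified, md5 $(md5_of "$WORK/hdb5.full")"
else
    echo "HASH MISMATCH: the image is not a faithful copy" >&2
fi
```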
Accessing Captured Filesystems for Examination
• Copy the image into a partition that is the same size as the image (partition cleaned using dd)
• Another approach
  – mkdir /mnt/suspecthost
  – mount -t ext2 -o ro,loop=/dev/loop0 suspect.hdb5.image /mnt/suspecthost
  – Treat it like any other filesystem
logs
• /etc/syslog.conf
logs
• /var/log/secure – authpriv.*
• HTTP
  – /var/log/httpd/*: grep passwd /var/log/httpd/*
Examine Account Information
Trust Relationship Configuration Files
Invisible Files and Directories
• Find invisible files and directories
  – find . -type d -name ".*" -print0 | cat -A
• Search for SUID root executables
  – find / -user root -perm -4000 -print0 | xargs -0 ls -l
• Search for SGID programs
  – find / -perm -2000 -print0 | xargs -0 ls -l
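An added example (not the slide's own commands) that wraps the three searches above in functions taking a root directory, so they can be pointed at a read-only mounted evidence image such as /mnt/suspecthost instead of the live system. Results stay NUL-separated so a file name containing a newline cannot split an entry; it assumes POSIX sh with find, xargs, tr and ls, and the demo tree is constructed.

```bash
#!/bin/sh
# Added example: hidden-directory, set-uid and set-gid searches over a chosen root.
set -eu

# Directories whose name begins with '.' (at least one more character, so the
# starting point "." is never matched).
hidden_dirs() {   # $1 = root
    find "$1" -type d -name '.?*' -print0
}
# Regular files with the set-uid bit owned by a given user (root by default).
suid_files() {    # $1 = root, $2 = owner (default root)
    find "$1" -type f -user "${2:-root}" -perm -4000 -print0
}
# Regular files with the set-gid bit.
sgid_files() {    # $1 = root
    find "$1" -type f -perm -2000 -print0
}
# Number of entries in a NUL-separated list read from stdin.
count_nul() { tr -cd '\000' | wc -c | tr -d ' '; }
# Long listing of a NUL-separated list (the slide's xargs -0 ls -l).
long_list() { xargs -0 ls -ld; }

# --- constructed demo tree standing in for a mounted image ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/home/user/.ssh" "$DEMO/tmp/.  " "$DEMO/usr/bin"   # ".  " (dot, two spaces) is easy to miss in ls
printf '#!/bin/sh\n' > "$DEMO/usr/bin/su";   chmod 4755 "$DEMO/usr/bin/su"     # set-uid
printf '#!/bin/sh\n' > "$DEMO/usr/bin/wall"; chmod 2755 "$DEMO/usr/bin/wall"   # set-gid
printf '#!/bin/sh\n' > "$DEMO/usr/bin/ls";   chmod 0755 "$DEMO/usr/bin/ls"     # neither
ME=$(id -un)   # the demo files belong to the current user, so search for that owner, not root

echo "hidden directories:";    hidden_dirs "$DEMO" | long_list
echo "set-uid files of $ME:";  suid_files "$DEMO" "$ME" | long_list
echo "set-gid files:";         sgid_files "$DEMO" | long_list
```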
Signs of Intrusion in /tmp
Verifying crontab and at Jobs
Signs that an Executable File Deserves a Closer Look
Shell and Application History
• sh – .sh_history
• csh – .history
• ksh – .sh_history
• bash – .bash_history
• tcsh – .history
Signs of Hostile Processes
Levels of System Compromise
RootKit
• http://www.securityfocus.com/infocus/1811
• Increase privileges
• Hide activities
  – Manipulate the environment and hide evidence
• Gather information
  – To extend attacks
• One example
  – Loadable kernel modules (LKM)
  – http://www.s0ftpj.org/docs/lkm.htm
RootKit Content
KSTAT Utility
• kstat -s: display the system call table
Detecting Trojan LKMs on a Live System
• Detecting trojan LKMs on a live system
  – Complicated
  – These tools intercept system calls.
• Port 2222 is open – default Adore LKM port
Miscellaneous
• To determine which applications are listening on open ports
  – netstat -anp
• To determine whether a sniffer is running on a system (promiscuous mode)
  – ifconfig eth0
• /proc
  – fd subdirectory: all the files a process has opened
  – cmdline: the command-line arguments
Recommended
More recommended