(1)

Computing forensics: a live analysis

Craig Pearce

(2)

Outline

1 Basics

2 Live Analysis

(3)

Objectives

Evidence acquisition

Recovery and examination of suspect digital evidence (think Warrick Brown on CSI)

Hardware: servers, workstations, laptops, PDAs, mobiles, cameras, pagers

Software: databases, e-mail, Internet cookies, bookmarks, deleted files, unallocated space

Considerations

Integrity: must be able to prove data has not been changed to be admissible in court

Chain of custody: record who collected and handled each item of evidence, when, where and why

Legal and social responsibilities: Privacy Act (2001), user agreements

(4)

Things that can get in the way

Encryption: partitions, files, email, instant-messaging communication

Anonymity: overlay networks, such as Tor

Volatility: memory-resident contents are lost when machine is rebooted

(5)

Live analysis: Scenario

An attack has taken place. You, the investigator, have just arrived on the scene. It is expected that the attacker uses encrypted disk volumes. In any case, the machine contains memory-resident information that will be lost after a power cycle.

Reasoning:

Integrity: changes to the suspect host MAY contaminate evidence, and contaminated evidence WILL NOT be admissible

Volatility: critical data will be lost (or become inaccessible) once power is cut

Availability: you may not be able to afford a disruption to service

(6)

Forensics 101: Secure the scene

1 Photograph the computer screen

2 Record the current system time and note it against an accurate time source

3 Begin data acquisition in order of volatility (OOV):

1 Physical memory, open files, open network connections, swap space

2 Encrypted file systems where you do not have the key to unlock them

3 Temporary file systems (/tmp, /proc)

4 Record the current system time again (why twice? the two readings bracket the acquisition window and expose any clock drift against your reference source)

5 Message digests of the gathered evidence

(7)

Helix: Open-Source Forensic Toolkit

Knoppix-based bootable CD-ROM

Features:

NX server for fast remote session management

Can be loaded entirely into RAM (resources permitting) for improved seek times

UnionFS (or klik) for customisations

Live dumps of Linux/Windows suspect hosts

Tools:

Sleuthkit, Autopsy, PyFLAG, mac-robber

md5deep, Ethereal and MUCH more

URL: http://www.e-fense.com/helix

(8)

Set up the scene for data acquisition

Suspect host (Linux or Windows):

1 Load the Helix CD-ROM into the drive

2 Ensure that your tools do NOT modify the disk!

3 Use IP addresses instead of hostnames (why? a name lookup reads the suspect's resolver configuration and generates DNS traffic that the attacker may observe or answer)

4 Use trusted CD-ROM binaries only

5 Send acquired data over an encrypted network channel

Investigator:

1 Boot the machine with Helix, loading it into a RAM disk for faster seek times

2 Start electronic (Unix 'script') and paper-based logging of everything you type and observe

(9)

Live analysis (1)

Initialise client (on the suspect host):

export safe="/mnt/cdrom"

export nc="$safe/nc -w 3 192.168.1.253 65534"

$safe/bash # trusted shell

export PATH=$safe # clear path

Initialise server (for each command):

nc -l -p 65534 >> forensics.data.txt

Files and network connections

1 $safe/lsof -nDr | $nc # open files (-n: no name lookups; -Dr: read the device cache but never write it to the host)

2 $safe/netstat -nap | $nc # network connections

3 $safe/netstat -nr | $nc # routes

(10)

Live analysis (2)

Processes

1 $safe/ps -leaf | $nc # solaris: suspect processes

2 $safe/ps -auxl | $nc # linux: suspect processes

3 $safe/pcat <PID> | $nc # save PID memory space

Users

1 $safe/who -iHl | $nc # active users

(11)

Live analysis (3)

Swap space (physical memory already captured via /proc/kcore)

1 $safe/dd if=/dev/SWAPdev bs=2k | $nc # swap space

Encrypted volumes

1 $safe/dd if=/dev/hdaN bs=2k | $nc # exact copy

(the raw partition yields only ciphertext; while the volume is still unlocked, image the decrypted device node the kernel presents for it)

Temporary partition

1 $safe/dd if=/dev/TMPdev bs=2k | $nc # temp partition

File access times

1 $safe/ls -alRu / | $nc # access times (atime)

2 $safe/ls -alRc / | $nc # inode change times (ctime)

3 $safe/ls -alR / | $nc # modification times (mtime); Unix file systems of this era record no creation time

Caveat: listing a directory updates that directory's atime on the suspect host unless it is mounted noatime, so take these listings after the dd images and note it in your log.

(12)

Automated Live Analysis

Helix provides a script (linux-ir.sh) that:

pretty much runs the above commands

writes tool output to STDOUT, allowing an easy pipe to the netcat server

is customisable to specific requirements by editing the script

Usage:

1 Insert Helix into the CD-ROM drive of the live system

2 /bin/mount -n /mnt/cdrom (-n: do not write /etc/mtab; this one command necessarily uses the host's own binary, so record it)

3 /mnt/cdrom/Static-Binaries/linux-ir.sh | $nc

A few of Helix's statically built binaries are seg-faulting, so a video demonstration of this will have to wait for another day ...

(13)

Improvements

Rename trusted commands:

e.g. rename /mnt/cdrom/pcat to /mnt/cdrom/t-pcat

prevents a habitual "pcat" from running the suspect host's binary, which may be trojaned

preserves MAC times on suspect host files (the host binary is never read or executed)

Use Cryptcat in place of Netcat, or pipe through 'des':

des -e -c -k pword | nc # suspect host

nc | des -d -c -k pword | dd of=out.txt # server

GPG gives stronger symmetric key ciphers at a cost of speed and space (single DES is a 56-bit cipher; any modern cipher such as AES through openssl enc serves the same purpose and should be preferred)
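Slides 9 to 13 put together as one script. This is an added example, not Helix's linux-ir.sh and not code from the original deck. It assumes the trusted binaries are mounted at /mnt/cdrom (the deck's $safe), that the CD also carries date, openssl and nc, and that a collector at 192.168.1.253:65534 runs a single listener. Every text artifact is framed by BEGIN/END markers carrying the suspect's own clock reading, so one listener serves the whole run instead of one per command, the host_time artifacts bracket the acquisition window as slide 6 asks, and the stream is encrypted with AES via openssl enc rather than single DES. The openssl -pbkdf2 option and the EVIDENCE_KEY variable it reads are assumptions of this example.

```bash
#!/bin/bash
# Live acquisition client, run from the trusted shell on the suspect host.
# Added example: assumes the Helix trusted binaries are mounted read-only at
# $SAFE and that the investigator runs one listener at $COLLECTOR:$PORT.
# Nothing here writes to the suspect's disk; all output leaves by the network.

SAFE=${SAFE:-/mnt/cdrom}              # trusted binaries (assumed location)
COLLECTOR=${COLLECTOR:-192.168.1.253} # investigator host: an IP, never a name
PORT=${PORT:-65534}

# Refuse to start unless every tool we will call exists on the trusted medium.
# Prints each missing one and returns non-zero if any is absent.
check_tools() {
    local dir=$1 t missing=0
    shift
    for t in "$@"; do
        if [ ! -x "$dir/$t" ]; then
            echo "missing trusted binary: $dir/$t" >&2
            missing=1
        fi
    done
    return $missing
}

# The suspect host's own clock, in UTC. The collector notes its clock on
# receipt, so the offset between the two can be worked out afterwards.
stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Run one command and frame its output with markers carrying the label, the
# host time before and after, the exact command line and its exit status.
# The if-form keeps a failing tool from aborting the whole run under set -e.
acquire_artifact() {
    local label=$1 rc
    shift
    printf '### BEGIN %s host_time=%s cmd=%s\n' "$label" "$(stamp)" "$*"
    if "$@" 2>&1; then rc=0; else rc=$?; fi
    printf '### END %s host_time=%s rc=%s\n' "$label" "$(stamp)" "$rc"
}

# Text artifacts in order of volatility, as on slides 9 to 11. Binary images
# (swap, encrypted and temporary volumes) keep their own dd | $nc sessions;
# they do not belong inside a text stream. PATH is cleared here so that every
# bare name below resolves on the trusted medium or fails, never on the host.
run_acquisition() {
    PATH=$SAFE
    acquire_artifact host_time_start date
    acquire_artifact open_files      lsof -nDr
    acquire_artifact connections     netstat -nap
    acquire_artifact routes          netstat -nr
    acquire_artifact processes       ps auxww
    acquire_artifact users           who -H
    acquire_artifact atimes          ls -alRu /
    acquire_artifact ctimes          ls -alRc /
    acquire_artifact mtimes          ls -alR /
    acquire_artifact host_time_end   date
}

# Start with:  EVIDENCE_KEY=... ./live-acquire.sh run
# Collector (one listener for the whole run):
#   nc -l -p 65534 | openssl enc -d -aes-256-cbc -pbkdf2 -pass env:EVIDENCE_KEY \
#       | tee live.txt | sha256sum
if [ "${1:-}" = run ]; then
    check_tools "$SAFE" date lsof netstat ps who ls openssl nc || exit 1
    [ -n "${EVIDENCE_KEY:-}" ] || { echo "set EVIDENCE_KEY first" >&2; exit 1; }
    export EVIDENCE_KEY
    run_acquisition \
        | "$SAFE/openssl" enc -aes-256-cbc -pbkdf2 -pass env:EVIDENCE_KEY \
        | "$SAFE/nc" -w 3 "$COLLECTOR" "$PORT"
fi
```

Before invoking it from the trusted bash, run `unset HISTFILE`: bash writes its history file into the suspect's home directory on exit, which is exactly the disk write the deck's key point forbids. The collector's tee/sha256sum pair gives the digest of the whole stream (slide 6, step 5); a kernel rootkit can still lie to every one of these tools, which is why the binary images and the dead analysis follow.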

(14)

Other issues

Requires the suspect host to have a working NIC

Server must start an NC receiver for each client NC send request

Large volumes are slow to copy bit-for-bit over an encrypted network

More time spent in live analysis increases the risk of modification to physical storage!

Attackers using LKM rootkits: a kernel-level rootkit hides processes, files and connections from even your trusted binaries, because the kernel they query is lying

Privacy: depends on the user's 'expectation of privacy'

Privacy: to comply with some legal jurisdictions or personal liberties within multi-user systems, restrict collection to the user under investigation:

$safe/w <user> instead of $safe/w

(15)

Secure the evidence

1 Document and label evidence

2 Transport the evidence

3 Shut down the computers

Unix (if root):

sync; sync; halt

(else) pull out the power cable

Windows: pull out the power cable

(a clean halt runs the host's shutdown scripts, which write to disk and may have been tampered with; weigh that against the file-system consistency a halt gives you, remembering that the volatile data a hard power-off loses has already been acquired)

4 Begin data analysis of volatile data (already acquired)

5 Begin data acquisition and analysis of non-volatile data

(16)
(17)

Dead Analysis

Now it is time for in-depth "after-the-fact" analysis within a laboratory. Don't forget to document the chain of custody for potential evidence!

(18)

Helix setup

Server-side

1 Boot up Helix, loading its contents into RAM (faster seek times)

2 Change the passwords for root and helix (the default password is blank!)

3 Start the FreeNX server:

nxsetup-knoppix

4 Optionally load additional software with UnionFS, or with klik:

wget klik.atekon.de/client/install -O - | sh

(this pipes an unauthenticated download straight into a shell; inspect what you fetch before running it on an evidence workstation)

Client-side

Start the NX client (Unix, Mac and Windows clients are available) and set the desktop session type to

/usr/bin/startxfce4

to preserve server resources

(19)

Acquisition: What is wrong here?

Image cloning:

1 Master boot record

dd if=/dev/hdN of=partition.hdN.mbr count=1 bs=512

2 Partition table

sfdisk -d /dev/hdN > partition.hdN.pt

3 Partition x of disk N

partimage -d -b -z1 -o -V700 save /dev/hdNx vol.hdNx.gz

Restoration:

1 dd if=partition.hdN.mbr of=/dev/hdN

2 sfdisk /dev/hdN < partition.hdN.pt

Answer: partimage saves only the blocks the file system marks as in use, so the image holds no unallocated space and no slack; the deleted files you want to recover later are simply not there, and nothing records a digest of what was read. A forensic image is a bit-for-bit copy of the whole device (dd, or a hashing variant such as dcfldd), taken with the device write-blocked and with message digests recorded at acquisition and verified afterwards.
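What a forensically sound version of the imaging step looks like, as an added example that is not part of the original deck: a bit-for-bit dd of the whole device with read errors logged, the device software write-blocked first, its size recorded, and the digest of the device compared with the digest of the image. The manifest format, the side files and the case directory layout are assumptions of this example; it assumes GNU coreutils and util-linux on the analysis workstation, and it runs as shown on a regular file standing in for a device.

```bash
#!/bin/bash
# Forensic imaging with verification. Added example; assumes GNU coreutils
# (dd, sha256sum, head) and util-linux (blockdev, sfdisk) on the analysis box.

# Size in bytes. wc/stat report 0 for a block device, so ask the kernel instead.
byte_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# image_device SRC IMG MANIFEST [BS]
# Copies SRC to IMG bit for bit and appends what happened to MANIFEST.
# Returns 0 only if the image digest matches a fresh digest of the source.
image_device() {
    local src=$1 img=$2 manifest=$3 bs=${4:-4M}
    local size hsrc himg errs
    size=$(byte_size "$src") || return 1

    if [ -b "$src" ]; then
        blockdev --setro "$src"                      # software write-block (needs root)
        sfdisk -d "$src" > "$img.sfdisk"             # partition table, as on the slide
        dd if="$src" of="$img.mbr" bs=512 count=1 2>/dev/null
    fi

    printf 'start=%s src=%s bytes=%s bs=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$size" "$bs" >> "$manifest"

    # noerror: keep going past unreadable sectors instead of stopping.
    # sync:    pad each short read to BS with zeros, so every byte after a bad
    #          sector keeps its original offset. The cost: the final block is
    #          padded as well, so the image can be longer than the device.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>"$img.log" || return 1
    errs=$(grep -c 'error reading' "$img.log" || true)

    hsrc=$(sha256sum < "$src" | cut -d' ' -f1)                 # second read of the device
    himg=$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1) # ignore the tail padding
    printf 'end=%s read_errors=%s sha256_src=%s sha256_img=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$errs" "$hsrc" "$himg" >> "$manifest"
    [ "$hsrc" = "$himg" ]
}

# Constructed stand-in for a device, so the function can be exercised offline.
make_sample_device() {
    printf 'forensic image test data\n' > "$1"
}

# Usage from a case directory, e.g.:
#   image_device /dev/sdb case01/sdb.dd case01/manifest.txt
```

When read_errors is not 0 the two digests will not match, because the image carries zeros where the device returned nothing; record the error count, keep the dd log with the image, and treat the image digest as the reference from then on.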

(20)

Dead analysis

Some popular tools

Autopsy: graphical front-end to Sleuthkit

Sleuthkit: successor to The Coroner's Toolkit (TCT)

PyFLAG: log file analysis for forensic investigations

plenty more...

Techniques

Recover deleted files from unallocated space, slack space, ...

Search for hidden data (steganalysis)
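Recovering a deleted file from unallocated space by signature carving, as an added example that is not part of the deck and not Sleuthkit code: every JPEG begins with the bytes FF D8 FF and ends with FF D9, so the carver scans the raw image for each start marker, looks ahead for the next end marker, and copies the bytes between them out to a file named by its byte offset. The sample image is constructed for the example (junk around one minimal JPEG-like blob, not a real photo); the 10 MiB look-ahead limit and the output naming are assumptions. The same loop carves any format with a known header and footer, which is the point: after deletion the file-system metadata is gone, the bytes are not.

```bash
#!/bin/bash
# Signature-based carving of JPEGs from a raw image. Added example: it walks
# the whole image, allocated or not, because after deletion only the content,
# not the directory entry, is left to find. Needs GNU grep (-o -b -a) and
# head/tail -c. Run it on a copy of the image, never on the original evidence.

# Marker bytes via octal escapes so the same script works in bash and dash.
jpeg_soi() { printf '\377\330\377'; }   # start of image: FF D8 FF
jpeg_eoi() { printf '\377\331'; }       # end of image:   FF D9

# carve_jpegs IMAGE OUTDIR [MAXBYTES]
# Writes one file per complete candidate into OUTDIR and prints how many.
carve_jpegs() {
    local img=$1 out=$2 max=${3:-10485760}
    local start rel len n=0
    mkdir -p "$out"
    # LC_ALL=C makes grep treat pattern and file as raw bytes, not UTF-8 text.
    for start in $(LC_ALL=C grep -obaF -- "$(jpeg_soi)" "$img" | cut -d: -f1); do
        # Offset of the first end marker within MAXBYTES of this start.
        rel=$(tail -c +$((start + 1)) "$img" | head -c "$max" \
              | LC_ALL=C grep -obaF -m1 -- "$(jpeg_eoi)" | cut -d: -f1 | head -n1)
        [ -n "$rel" ] || continue        # no footer in range: not a complete file
        len=$((rel + 2))                 # include the two footer bytes
        tail -c +$((start + 1)) "$img" | head -c "$len" \
            > "$out/$(printf '%010d' "$start").jpg"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample: 8 bytes of junk, an 18-byte JPEG-like blob (SOI, APP0
# marker, a few filler bytes, EOI) starting at offset 8, then more junk.
make_sample_image() {
    printf 'JUNKJUNK\377\330\377\340\001\020JFIF\001hello\377\331MOREJUNK' > "$1"
}

# Usage:  make_sample_image unalloc.dd; carve_jpegs unalloc.dd carved/
```

Header-to-footer carving recovers only contiguous files and cannot tell a fragmented file from two overlapping ones, which is why a real carver (or Sleuthkit's unallocated-space extraction followed by one) also validates the structure of what it cuts out. The look-ahead limit keeps a stray header without a footer from swallowing the rest of the image.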

(21)

Conclusion

Briefly discussed:

what Helix is and how it can be used

how to perform a live analysis while maintaining the integrity of the data

KEY POINT: Ensure forensic tools DO NOT write to the suspect host's hard disk

Further information

Know Your Enemy: Learning About Security Threats (2nd ed.). The Honeynet Project, 2004.

Incident Response and Computer Forensics (2nd ed.). Mandia, Prosise and Pepe, McGraw-Hill, 2003. (Chapter 6)
