Unix/Linux Forensics 1

Academic year: 2021

Simple Linux Commands

• date – display the date

• ls – list the files in the current directory

• more – display files one screen at a time

• cat – display the contents of a file

• wc – count lines, words, and characters

• cp, mv, rm, pwd, mkdir, cd, rmdir – copy, move, remove, print working directory, make directory, change directory, remove directory

• head – show the first few lines of a file

• tail – show the last few lines of a file

• file – determine a file type

• cal – display a calendar

• kill – send a signal to (by default, terminate) a running process

• lpr – send a job to the printer

• grep – search a file for a specific pattern

• chmod – change file permissions

• fdisk – display or edit a disk's partition table (on evidence drives use it read-only: fdisk -l)

Basic Concepts

• shell

• shell scripts

• background and foreground

– &

– Ctrl-Z, bg, fg, jobs

• Environment variables

– env


The Linux Filesystem Layout

• The basic layout of the filesystem starts with the root directory.

– / (root directory): the base of the file system's tree structure

– /bin: essential binaries for the OS

– /dev: the device files

– /etc: system configuration files

– /sbin: system administrative binaries

Commonly used command/concepts

• cksum

– checksum and count the bytes in a file

• sum

– checksum and count the blocks in a file

• diff

– Provide a list of each line that differs


Commonly used command/concepts

• Every file is managed by a data structure called an inode, which holds

– File location (data block addresses) and size

– Owner, group, permissions

– Three timestamps: time of last access (atime), time of last content modification (mtime), and time of last inode change (ctime, updated by chmod, chown, link, and the like). Classic ext2/ext3 inodes do not record a creation time.

– stat <file> prints the inode number and all of the fields above

• SUID root: an executable whose set-user-ID bit is set and whose owner is root runs with root's privileges, so every such file on a suspect host deserves a look

Network Information System


Four basic steps

• Collect

• Preserve

• Analyze


Investigating A Unix Host

• Filesystem integrity-checking program

– Tripwire: http://sourceforge.net/projects/tripwire/

• TCT

– Examining hacked Unix systems

– http://www.porcupine.org/forensics/tct.html


Order of Volatility

• The more volatile the data, the harder it is to capture and the less time you have to do it, so collect the most volatile data first.

• The descending order:

TCT (1)

• TCT – The Coroner’s Toolkit

– http://www.porcupine.org/forensics/

• Mostly perl but some C as well

• A STATIC tool!

– e.g. changes to filesystem during analysis will NOT be noticed by TCT


TCT (2)

• Four major parts:

– grave-robber: captures forensic data

– The C-tools (ils, icat, pcat, file, etc.)

• pcat – low-level memory utility: copies process memory

– pcat PID

• file – determine file type

• icat – copies files by inode number

• ils – list inode information (by default, removed files)

– lazarus

• Lazarus: create structure from unstructured data

– mactime

The C-tools

(ils, icat, pcat, file, etc)

• pcat – gathers process memory from a live system

• ils – gathers inode information

– ./ils /dev/sda6

• icat – copies a file's content, selected by inode number, to standard output

– ./icat /dev/sda6 1405802 (you can use stat or ls -i to obtain the inode number)

• The examples read the raw device on the live host; that works, but the filesystem can change underneath you while you look (TCT is static, see above), so prefer running the tools against an image or a read-only device whenever possible.

lazarus

• Lazarus – classifies raw, unstructured data (for example the unallocated blocks ils/icat cannot name) into chunks of a recognised type so that they can be analysed (brings back info from the dead)

mactime

• Three times on an ext filesystem:

– Modification time (mtime)

– Access time (atime)

– Change time (ctime): last change to the inode, not the creation time

• ext4 additionally stores a creation time (crtime) in its larger inodes; debugfs can display it

• mactime collects information on all three times for specific files and sorts it into a single timeline

Be nice to your MAC times

• MAC times are sensitive (to changes within the system)

• Running a single command may change the last access time of a file: cat or grep on a file updates its atime unless the filesystem is mounted noatime (with the Linux default relatime it is updated only when the atime is older than the mtime/ctime or more than a day old)

• Grab MAC time information before running any further commands on the system, and prefer stat/lstat, which only read the inode, over commands that open the file
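The timeline the two mactime slides describe, as an added example rather than TCT's own code: it walks a tree with lstat() only (so it does not itself update the regular files' atimes), collapses the three timestamps per file into one sorted list and prints rows in mactime's "m.c"-style flag notation. Sample paths and the directory it is pointed at are whatever you pass in; nothing here is taken from the slides' examples.

```python
"""Mactime-style timeline of a directory tree.

Added example, not from the slides or from TCT; it reproduces what
grave-robber's body file plus mactime give you, using only lstat().
"""
import os
import time
from collections import defaultdict


def collect_mac(root):
    """Return {path: (mtime, atime, ctime)} for everything under `root`.

    os.walk() and os.lstat() read inodes and directory entries only, so the
    regular files' atimes are not touched (directory atimes may be, subject
    to the mount's atime policy).  Symlinks are recorded, not followed.
    """
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            records[path] = (int(st.st_mtime), int(st.st_atime), int(st.st_ctime))
    return records


def build_timeline(records):
    """Flatten the three times into sorted (timestamp, flags, path) rows.

    `flags` follows mactime's convention: a three-character field with
    'm', 'a', 'c' in the positions whose time equals the row's timestamp
    and '.' elsewhere, so 'm.c' means mtime and ctime coincide.
    """
    hits = defaultdict(set)
    for path, (mtime, atime, ctime) in records.items():
        hits[(mtime, path)].add("m")
        hits[(atime, path)].add("a")
        hits[(ctime, path)].add("c")
    rows = []
    for (ts, path), which in hits.items():
        flags = "".join(f if f in which else "." for f in "mac")
        rows.append((ts, flags, path))
    rows.sort()
    return rows


def format_row(row):
    """Render one row as 'YYYY-MM-DD HH:MM:SS flags path' in UTC."""
    ts, flags, path = row
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
    return f"{stamp} {flags} {path}"


if __name__ == "__main__":
    import sys
    for row in build_timeline(collect_mac(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(format_row(row))
```

Run it against a mounted image (or a copied tree) rather than the live root: walking the directories still opens them, which is exactly the kind of access the slide warns about, and on a read-only mount it cannot change anything.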


Sleuth kit

• Extends TCT: the same inode/data-unit tools plus support for more filesystems and for working from disk images

The Sleuth Kit

File system tools

• File System Category

• Content Category

– dls -f ext -e -l sda6.img

» lists each data unit with its allocation status: a: the data unit is allocated, f: the data unit is unallocated

– dcat -f ext sda6.img 23456

» view the contents of any data unit

• Metadata category

» includes the data that describe a file: for example, temporal information, the addresses of the data units, the size of the file

» istat -f ext sda6.img 163199 – show the specific metadata entry (here inode 163199)

• The names above are TSK 2.x names; since TSK 3.0 the data-unit tools are blkls, blkcat, blkstat and blkcalc, and -f takes a concrete type such as ext2, ext3 or ext4 (fls, icat, istat, ils, ffind and jls keep their names)

The Sleuth Kit

• File Name Category

» includes the data that associates a name with a metadata entry

» fls: list file names in a given directory (fls -d shows only deleted names)

» ffind: list which file name corresponds to a given metadata address

• Application Category

» a file system journal records updates to the file system so that the file system can be recovered more quickly after a crash; it may still hold copies of blocks that have since been wiped or overwritten on disk

» jls – list the contents of the journal and show which file system blocks are saved in the journal blocks (jcat extracts one journal block)

• Multiple category

The Sleuth Kit

– Searching tools

• sigfind – find a binary signature in a file

– Disk tools

• disk_stat – reports whether a disk has a Host Protected Area (HPA), a region hidden from the OS that can hold data

Autopsy

• Developed to automate the investigation process when TSK is being used (a browser-based front end to the TSK command-line tools)

Capture Filesystem

• Imaging utilities

– Wipe the analysis drive first, so that nothing left over from a previous case can be mistaken for part of the new image

• dd if=/dev/zero of=/dev/fd0

– One more example: split a partition into three parts of 2,000,000 blocks each and stream them over the network with netcat

• On the collecting machine (192.168.0.4), start one listener per part:

• nc -l -p 10001 > suspect.hdb5.image.1of3 &

• nc -l -p 10002 > suspect.hdb5.image.2of3 &

• nc -l -p 10003 > suspect.hdb5.image.3of3 &

• On the suspect machine send each part; skip= and count= are in units of bs, so part n starts at block (n-1)*2000000:

• dd if=/dev/hdb5 bs=1024 count=2000000 | nc -w 3 192.168.0.4 10001

• dd if=/dev/hdb5 bs=1024 skip=2000000 count=2000000 | nc -w 3 192.168.0.4 10002

• dd if=/dev/hdb5 bs=1024 skip=4000000 count=2000000 | nc -w 3 192.168.0.4 10003

• Caveats: -l -p is the traditional netcat syntax (OpenBSD nc takes nc -l 10001); conv=noerror,sync makes dd continue past unreadable sectors, padding them with zeros; and netcat gives no integrity guarantee, so hash the source and every received part (next slide)

md5

• Create the hash value of the collected data and record it, at acquisition time, for both the source device and the image (or each received part), so the two can be compared later

– md5 from TCT: md5 /dev/sda6 (md5sum /dev/sda6 on an ordinary Linux system)

– MD5 is no longer collision resistant; recording a SHA-256 (sha256sum) alongside it costs nothing and is what current practice expects
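The receiving side of the chunked dd|nc capture on the previous slide and the hash check on this one, as an added example (not the slides' own commands): it plans the skip=/count= pairs for any device size, emits the corrected sender command line, concatenates the received parts in order and verifies the result against the digest recorded on the suspect host. It goes beyond the slide's fixed three parts in that the last chunk is shortened when the device size is not a multiple of the chunk size. The device name, host, ports and file names are assumptions for illustration.

```python
"""Plan a chunked dd|nc acquisition, then reassemble and hash the parts.

Added example, not from the slides.  It assumes the split used dd's
skip=/count= in units of bs, as the slide's three commands do, and that
the parts were received intact (netcat gives you no guarantee of that,
which is exactly why the hashes are recorded).
"""
import hashlib


def plan_chunks(total_bytes, bs, chunk_blocks):
    """Return [(skip, count), ...] in units of `bs` that cover `total_bytes`
    with no gap and no overlap; the last chunk is shortened to what remains."""
    total_blocks = (total_bytes + bs - 1) // bs  # a partial last block still counts
    plan, skip = [], 0
    while skip < total_blocks:
        count = min(chunk_blocks, total_blocks - skip)
        plan.append((skip, count))
        skip += count
    return plan


def dd_command(device, bs, skip, count, host, port):
    """Sender-side command line for one chunk (the slide's syntax, corrected)."""
    skip_arg = f" skip={skip}" if skip else ""
    return f"dd if={device} bs={bs}{skip_arg} count={count} | nc -w 3 {host} {port}"


def file_hash(path, algo="md5", bufsize=1 << 20):
    """Hash a file or device incrementally; `algo` is any hashlib name."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


def reassemble(parts, out_path, algo="md5"):
    """Concatenate `parts` in order into `out_path`; return the digest of the
    result, computed over the bytes actually written."""
    h = hashlib.new(algo)
    with open(out_path, "wb") as out:
        for part in parts:
            with open(part, "rb") as f:
                for block in iter(lambda: f.read(1 << 20), b""):
                    out.write(block)
                    h.update(block)
    return h.hexdigest()


def verify(source_digest, parts, out_path, algo="md5"):
    """True when the reassembled image hashes to the digest recorded at
    acquisition time on the suspect host (md5 /dev/hdb5)."""
    return reassemble(parts, out_path, algo) == source_digest
```

A mismatch tells you only that some part is wrong; hashing each part separately on both sides (file_hash on the receiver, md5sum on the sender's dd output via tee) narrows it to the part to resend.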

Accessing Captured Filesystems for Examination

• Copy the image into a partition that is the same size as the image (partition cleaned using dd), then mount that partition read-only

• Another approach: loop-mount the image file directly

– mkdir /mnt/suspecthost

– mount -o ro,loop,noexec,nodev,noatime sda6.img /mnt/suspecthost

• ro and noatime keep the image unchanged; noexec and nodev stop anything inside it from being executed or used as a device on the analysis machine. An ext3/ext4 image with a dirty journal can still have the journal replayed on mount (ext4 needs norecovery to prevent it), so work from a copy of the image and re-hash it afterwards

logs

• /var/log/secure

– receives syslog facility authpriv.* (logins, su, sudo, sshd) on Red Hat-style systems; Debian/Ubuntu write the same facility to /var/log/auth.log, and systemd hosts also keep it in the journal (journalctl -u sshd)

• HTTP

– the web server's access and error logs (for Apache, typically under /var/log/httpd or /var/log/apache2)
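A small triage of the authpriv log described above, added here as an example and not taken from the slides: it parses OpenSSH's standard "Failed password" / "Accepted ..." lines, counts failures per source address, and flags the guessed-password pattern (a successful login preceded by a run of failures from the same address). SAMPLE_LOG is constructed for the example, with documentation-range addresses and invented host name and PIDs.

```python
"""Triage of sshd entries in /var/log/secure (or /var/log/auth.log).

Added example, not from the slides.  SAMPLE_LOG is constructed for this
example (documentation-range IPs, invented host and PIDs); the message
formats are OpenSSH's standard "Failed password"/"Accepted ..." lines.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 10:15:03 host sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  3 10:15:05 host sshd[2101]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  3 10:15:09 host sshd[2130]: Accepted password for root from 203.0.113.9 port 51140 ssh2
Mar  3 10:16:40 host sshd[2140]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Mar  3 10:17:02 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text):
    """One dict per sshd authentication line, in file order; other lines
    (sudo, cron, ...) are ignored."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({
                "ts": m["ts"], "result": m["result"], "method": m["method"],
                "user": m["user"], "invalid_user": bool(m["invalid"]), "ip": m["ip"],
            })
    return events


def failures_by_ip(events):
    """How many failed logins each source address produced."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def suspicious_logins(events, threshold=3):
    """(ip, user, failures_before) for every Accepted login preceded by at
    least `threshold` failures from the same address: the classic
    guessed-password pattern.  The failure count resets on each success."""
    failed = defaultdict(int)
    hits = []
    for e in events:
        if e["result"] == "Failed":
            failed[e["ip"]] += 1
        else:
            if failed[e["ip"]] >= threshold:
                hits.append((e["ip"], e["user"], failed[e["ip"]]))
            failed[e["ip"]] = 0
    return hits
```

Feed it the real file with parse_sshd(open("/var/log/secure").read()); on a compromised host, remember that the log itself may have been edited, so compare against a remote syslog copy where one exists.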


Invisible Files and Directories

• Find invisible files and directories

– find . -type d -name ".*" -print | cat -v

» cat -v makes non-printing characters visible, so a directory named ". " (dot-space) or one with control characters in its name stands out; note that -name ".*" also matches the starting directory itself

• Search SUID root executables

– find / -user root -perm -4000 -print0 | xargs -0 ls -l

• Search SGID programs

– find / -perm -2000 -print0 | xargs -0 ls -l

• Compare both lists with a known-good baseline (or the package manager's file lists) to spot additions
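The two find pipelines above in programmatic form, added here as an example (not from the slides): a walk with lstat() that never follows symlinks, reporting set-user-ID/set-group-ID regular files (optionally filtered to one owner, uid 0 for root) and directory names that a plain ls would hide or misrender. The repr() of each odd name is returned so that ". " and control characters are as visible as cat -v makes them.

```python
"""Programmatic version of the find pipelines for hidden directories and
setuid/setgid files.  Added example, not from the slides; it walks a tree
with lstat() so that it never follows symlinks out of the examined area.
"""
import os
import stat


def find_setid(root, bits=stat.S_ISUID, uid=None):
    """Regular files under `root` with any of `bits` set (S_ISUID and/or
    S_ISGID), optionally limited to files owned by `uid` (0 for root).
    Mirrors: find root -user <uid> -perm -4000 / -perm -2000."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable; do not abort the sweep
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & bits and (uid is None or st.st_uid == uid):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return sorted(hits)


def find_hidden_dirs(root):
    """Directories a plain ls would not show or would show misleadingly:
    dot-names, plus names containing whitespace or control characters
    (what the cat -v in the find pipeline is there to reveal).  The
    returned repr() makes a name such as '. ' unmistakable."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            odd = name.startswith(".") or any(ch.isspace() or ord(ch) < 32 for ch in name)
            if odd:
                hits.append((os.path.join(dirpath, name), repr(name)))
    return sorted(hits)
```

Run it from a trusted Python on a mounted image: on the live host a trojaned libc or kernel module can hide entries from os.walk() just as it hides them from find.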


RootKit

• http://www.securityfocus.com/infocus/1811

• Increase privileges

• Hide activities

– to manipulate the environment and hide evidence (replaced ls, ps, netstat, find, or a kernel module that filters what they return)

• Gather information

– to extend attacks (sniffers, harvested credentials)

• One example


Detecting Trojan LKMs on Live System

• Detecting trojan LKMs on a live system

– Complicated: a kernel-mode rootkit can filter what lsmod, /proc/modules and /sys/module report, so the running kernel cannot be trusted to describe itself

– Cross-check those sources against each other and against a memory image or a boot from trusted media; the order of volatility says to capture memory before doing anything else

Miscellaneous

• To determine the listening applications associated with open ports

– netstat -anp (on current systems: ss -lntup)

• To determine whether a sniffer is running on a system (promiscuous mode)

– ifconfig eth0: look for PROMISC among the flags (ip link show eth0 on current systems); the kernel also logs "device eth0 entered promiscuous mode", visible in dmesg

• /proc

– the kernel's own view: /proc/<pid>/ for each process (exe, cmdline, cwd, fd/), /proc/net/tcp and /proc/net/udp for sockets, /proc/modules for loaded modules; reading these directly sidesteps a replaced netstat or ps, though not a trojaned kernel
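What netstat -anp reads under the hood, as an added example (not from the slides): a parser for /proc/net/tcp that decodes the kernel's hex address:port fields, picks out LISTEN sockets, and maps socket inodes back to pids through /proc/<pid>/fd. SAMPLE is constructed (documentation-range remote address, invented inode numbers) but uses the kernel's real column layout; socket_owners() needs a Linux /proc and root to see every process.

```python
"""Read listening sockets straight from /proc/net/tcp.

Added example, not from the slides.  This is the data netstat -an reads,
so it still works when the netstat binary has been replaced.  SAMPLE is
constructed (documentation-range remote address, invented inodes); the
column layout is the kernel's real one.
"""
import os
import socket
import struct
import sys

SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12399 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C3F6 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20481 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN", "06": "TIME_WAIT"}


def decode_addr(field):
    """'0100007F:0277' -> ('127.0.0.1', 631).  The kernel prints the IPv4
    address as a 32-bit hex number in host byte order (little-endian on
    x86), hence the byte swap; the port is plain hex."""
    ip_hex, port_hex = field.split(":")
    fmt = "<L" if sys.byteorder == "little" else ">L"
    return socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket line; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1]), "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9]),
        })
    return rows


def listening(text):
    """(ip, port, uid, inode) for every LISTEN socket, sorted by port."""
    return sorted((r["local"][0], r["local"][1], r["uid"], r["inode"])
                  for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN")


def socket_owners(proc="/proc"):
    """Map socket inode -> pid by reading every /proc/<pid>/fd/* symlink:
    the '-p' half of netstat -anp.  Returns {} where /proc is absent."""
    owners = {}
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # not our process and not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners
```

On a live host, join listening(open("/proc/net/tcp").read()) with socket_owners(): a listening inode with no owning pid in /proc is itself a finding, since something is hiding the process.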


Miscellaneous

• lsof (list open files)

– Lists processes with all their open files, network ports, current directories, and other file system-related information

– An open file can be a regular file, a directory, a library, a stream, or a network socket.

– Example:

• For root user: lsof –p PID_of_SSHD


Miscellaneous

• ltrace

– library call monitoring program

– ltrace date > /dev/null

• shows the library-call trace of the date command (the trace goes to stderr, so redirecting stdout discards only the date itself)

• strace

– system call monitoring

– strace date > /dev/null

• sysctl

Prepare Analysis Machines

• Boot into Knoppix-STD (or your favorite Linux OS with all the right tools), so that the analysis runs from a known-good environment rather than from the suspect host's own binaries

A Summary of the Steps in a Unix Investigation

• Review all pertinent logs

• Perform keyword searches

• Review relevant files

• Identify unauthorized user accounts or groups

• Identify rogue processes

• Check for unauthorized access points

• Analyze trust relationships

Attack Steps

• Target Identification

• Intelligence Gathering

– Password sniffing and guessing

– Compromise network service

• Initial Compromise

• Privilege Escalation

– Gain root access

• Reconnaissance

– Attackers perform their own forensic examination

– Look for security programs

– Analyze system and user activities

• Covering the Tracks
