Unix/Linux Forensics - Lamar University

Simple Linux Commands
date – display the date
ls – list the files in the current directory
more – display files one screen at a time
cat – display the contents of a file
wc – display lines, words, and characters
cp, mv, rm, pwd, mkdir, cd, rmdir, chmod
head – show the first few lines of a file
file – determine a file type
tail – show the last few lines of a file
cal – display calendar
kill – terminate a running command
lpr – send a job to the printer
grep – search a file for a specific pattern
chmod – change file permissions
fdisk
mount, cat /etc/fstab
last

Basic Concepts
shell
shell scripts
background and foreground
– &
– Ctrl-Z, bg, fg, jobs
Environment variables
– env
passwd

The Linux Filesystem Layout
The basic layout of the filesystem starts with the root directory.
– root directory: this is the base of the file system's tree structure.
– /bin: binary files for the OS
– /dev: the device files
– /etc: system configuration files
– /sbin: system administrative binaries
– /home: conventional location for users' home directories.
– lost+found: storage for recovered files

Commonly used commands/concepts
mount/umount
ls: different options
ln
df
tree
chmod, chown, chgrp
find
tar
gzip
dd
stat

Commonly used commands/concepts
cksum – checksum and count the bytes in a file
sum – checksum and count the blocks in a file
diff – provide a list of each line that differs
strings

Commonly used commands/concepts
Every file is managed by a data structure called an inode
– File location and size
– Owner, permissions
– Time of creation, time of last access, time of last modification
– stat
SUID root
– Set user ID

Ext2

Network Information System
/etc/nsswitch.conf
yppasswd

Shared System Files

Four basic steps
Collect
Preserve
Analyze
Present (report)

Investigating a Unix Host
Filesystem integrity-checking program
– Tripwire: http://sourceforge.net/projects/tripwire/
TCT
– Examining hacked Unix systems
– http://www.porcupine.org/forensics/tct.html
netcat

Order of Volatility
The more volatile the data is, the more difficult it is to capture, and the less time you have to do it.
The descending order:
– CPU storage
– System storage
– Kernel tables
– Fixed media
– Removable media
– Paper printouts
Table 11-4

TCT (1)
TCT – The Coroner's Toolkit
– http://www.porcupine.org/forensics/
Mostly Perl but some C as well
A STATIC tool!
– e.g. changes to the filesystem during analysis will NOT be noticed by TCT
– You MUST isolate the system under investigation

TCT (2)
Four major parts:
– grave-robber: captures forensics data
– The C-tools (ils, icat, pcat, file, etc.)
  » pcat – low-level memory utility: copy process memory (pcat PID > file)
  » file: determine file type
  » icat: copies files by inode number
  » ils: list inode info (usually removed files)
– lazarus: create structure from unstructured data
– mactime: report on times of files

The C-tools (ils, icat, pcat, file, etc.)
pcat – gathers process memory from a live system
ils – gathers inode information
– ./ils /dev/sda6
icat – copy files using inode information to standard out
– ./icat /dev/sda6 1405802 (you can use stat to obtain the inode number)
file – determine file system type

lazarus
Lazarus – classify raw information for analysis (brings back info from the dead)
– Unallocated data blocks with no referent inode

mactime
Three times on an ext filesystem:
– Modification time
– Access time
– Change time
mactime collects information on all three times for specific files
– ./mactime -d /root/download/tct-1.16/bin -y 9/29/2006

Be nice to your MAC times
MAC times are sensitive (to changes within the system)
Running a single command may change the last access time of a file
Grab the MAC time info before running any further commands on the system.
You'll use this info to create a timeline of activity.

Sleuth Kit
Expands TCT data
Provides low- and high-level access to *nix and Windows filesystems.

The Sleuth Kit – File system tools
File System Category
Content Category
– dls -f ext -e -l sda6.img
  » a: the data unit is allocated
  » f: the data unit is unallocated
– dcat -f ext sda6.img 23456
  » View the contents of any data unit
Metadata Category
» Includes data that describe a file: for example, temporal information, the addresses of the data units, the size of the file.
» istat -f ext sda6.img 163199 – get the specific metadata entry
» ils -f ext -e sda6.img – list the details of several metadata structures
» icat -f ext sda6.img 31 – view the contents of the file based on its metadata address instead of its file name

The Sleuth Kit
File Name Category
» Includes the data that associates a name with a metadata entry
» fls: list file names in a given directory
» ffind: list which file name corresponds to a given metadata address
Application Category
» A file system journal records updates to the file system so that the file system can be recovered more quickly after a crash
» jls – list the contents of the journal and show which file system blocks are saved in the journal blocks
Multiple Category
» mactime: takes temporal data from fls and ils to produce a timeline of file activity

The Sleuth Kit
– Searching tools
  » sigfind – find a binary signature in a file
– Disk tools
  » disk_stat
– Volume system tools

Autopsy
Developed to automate the investigation process when TSK is being used
http://www.sleuthkit.org/autopsy/

Capture Filesystem
Imaging utilities
– Wipe the analysis drive
  dd if=/dev/zero of=/dev/fd0
– One more example: image the partition in three pieces and send each one over the network with netcat
  On the collection host (192.168.0.4), one listener per piece:
  nc -l -p 10001 > suspect.hdb5.image.1of3 &
  nc -l -p 10002 > suspect.hdb5.image.2of3 &
  nc -l -p 10003 > suspect.hdb5.image.3of3 &
  On the suspect host:
  dd if=/dev/hdb5 count=2000000 bs=1024 | nc 192.168.0.4 10001 -w 3
  dd if=/dev/hdb5 skip=2000000 count=2000000 bs=1024 | nc 192.168.0.4 10002 -w 3
  dd if=/dev/hdb5 skip=4000000 count=2000000 bs=1024 | nc 192.168.0.4 10003 -w 3
  Reassemble on the collection host (first piece with >, the rest appended with >>):
  cat suspect.hdb5.image.1of3 > suspect.hdb5.image
  cat suspect.hdb5.image.2of3 >> suspect.hdb5.image
  cat suspect.hdb5.image.3of3 >> suspect.hdb5.image

md5
Create the hash value of the collected data and record it
– md5 from TCT: md5 /dev/sda6
– Verify the image file on the collection host
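The chunked dd capture and the md5 check from the last two slides, as an added example that is not part of the original slides: a constructed 6144-byte file stands in for /dev/hdb5, the three pieces are cut with the same skip/count arithmetic (bs=1024, count=2 in place of 2000000) and written to local files instead of being piped through nc, then reassembled with cat and hashed on both ends so a tampered image is caught.

```shell
#!/bin/sh
# Added example: chunked imaging with dd, reassembly with cat, and hash
# verification. A constructed file stands in for /dev/hdb5; the pieces go to
# local files where the slides pipe them through nc to the collection host.

make_device() {            # make_device <path>: 512 lines x 12 bytes = 6144 bytes
  : > "$1"
  i=0
  while [ "$i" -lt 512 ]; do
    printf 'block-%05d\n' "$i" >> "$1"
    i=$((i + 1))
  done
}

image_chunks() {           # image_chunks <device> <prefix>: 3 pieces of 2 blocks each
  dd if="$1" of="$2.1of3" bs=1024 count=2        2>/dev/null
  dd if="$1" of="$2.2of3" bs=1024 skip=2 count=2 2>/dev/null
  dd if="$1" of="$2.3of3" bs=1024 skip=4 count=2 2>/dev/null
}

reassemble() {             # reassemble <prefix> <image>: first piece with >, the rest with >>
  cat "$1.1of3"  > "$2"
  cat "$1.2of3" >> "$2"
  cat "$1.3of3" >> "$2"
}

image_hash() {             # image_hash <file>: md5 digest only (GNU md5sum or BSD md5)
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
  else md5 -q "$1"; fi
}

verify_image() {           # verify_image <device> <image>: prints "match" or "MISMATCH"
  if [ "$(image_hash "$1")" = "$(image_hash "$2")" ]; then echo match; else echo MISMATCH; fi
}

# Demo: image, reassemble, verify, then show that a single changed byte is caught.
work=$(mktemp -d)
make_device "$work/hdb5"
image_chunks "$work/hdb5" "$work/suspect.hdb5.image"
reassemble "$work/suspect.hdb5.image" "$work/suspect.hdb5.image"
echo "device vs image: $(verify_image "$work/hdb5" "$work/suspect.hdb5.image")"
printf 'X' | dd of="$work/suspect.hdb5.image" bs=1 seek=100 conv=notrunc 2>/dev/null
echo "after tampering: $(verify_image "$work/hdb5" "$work/suspect.hdb5.image")"
rm -rf "$work"
```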

Accessing Captured Filesystems for Examination
Copy the image into a partition that is the same size as the image (partition cleaned using dd)
Another approach
– mkdir /mnt/suspecthost
– mount -t ext2 -o ro,loop=/dev/loop0 suspect.hdb5.image /mnt/suspecthost
– Treat it like any other filesystem

logs
/etc/syslog.conf

logs

logs
/var/log/secure
– authpriv.*
HTTP
– /var/log/httpd/*: grep passwd /var/log/httpd/*

Examine Account Information

Trust Relationship Configuration Files

Invisible Files and Directories
Find invisible files and directories
– find . -type d -name ".*" -print0 | cat -A
Search for SUID root executables
– find / -user root -perm -4000 -print0 | xargs -0 ls -l
Search for SGID programs
– find / -perm -2000 -print0 | xargs -0 ls -l
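A baseline-and-compare script in the spirit of the Tripwire slide and the cksum/diff slide, added here as an example (a hypothetical helper, not Tripwire, TCT or Sleuth Kit code): it records the cksum of every SUID file found with the find -perm -4000 search above, then reports SUID binaries that changed, appeared or disappeared. The tree and its files are constructed in a temporary directory, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (a hypothetical helper, not Tripwire or TCT): record a cksum
# baseline of the SUID files under a tree, then compare a fresh listing against
# it so changed, added and removed SUID binaries stand out. Assumes paths
# contain no whitespace, since cksum output is split on spaces.

suid_baseline() {       # suid_baseline <tree> <baseline-file>
  # cksum prints "crc size path"; sort on the path so the listing is stable.
  find "$1" -type f -perm -4000 -exec cksum {} \; | sort -k3 > "$2"
}

suid_check() {          # suid_check <tree> <baseline-file>: one line per difference
  now=$(mktemp)
  suid_baseline "$1" "$now"
  # First file is the baseline (NR == FNR), second is the fresh listing.
  awk 'NR == FNR { base[$3] = $1; next }
       { seen[$3] = 1; if (!($3 in base)) print "ADDED " $3; else if (base[$3] != $1) print "CHANGED " $3 }
       END { for (p in base) if (!(p in seen)) print "REMOVED " p }' \
      "$2" "$now" | sort
  rm -f "$now"
}

# Demo on a constructed tree: two SUID files, one later modified, one stripped
# of its SUID bit, and a new SUID file dropped in after the baseline was taken.
demo=$(mktemp -d)
printf 'orig\n' > "$demo/a"; printf 'orig\n' > "$demo/b"; printf 'plain\n' > "$demo/c"
chmod u+s "$demo/a" "$demo/b"
suid_baseline "$demo" "$demo.baseline"
printf 'patched\n' > "$demo/a"
chmod u-s "$demo/b"
printf 'new\n' > "$demo/d"; chmod u+s "$demo/d"
suid_check "$demo" "$demo.baseline"
rm -rf "$demo" "$demo.baseline"
```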

Signs of Intrusion in /tmp

Verifying crontab and at jobs

Signs that an Executable File Deserves a Closer Look

Shell and Application History
sh – .sh_history
csh – .history
ksh – .sh_history
bash – .bash_history
tcsh – .history

Signs of Hostile Processes

Levels of System Compromise

RootKit
http://www.securityfocus.com/infocus/1811
Increase privileges
Hide activities
– To manipulate the environment and hide evidence
Gather information
– To extend attacks
One example
– Loadable kernel modules (LKM)
– http://www.s0ftpj.org/docs/lkm.htm

RootKit Content

KSTAT Utility
kstat -s: display the system call table

Detecting Trojan LKMs on a Live System
Detecting trojan LKMs on a live system
– Complicated
– These tools intercept system calls.
Port 2222 is open – default Adore LKM port

Miscellaneous
To determine the listening applications associated with open ports
– netstat -anp
To determine whether a sniffer is running on a system (promiscuous mode)
– ifconfig eth0
/proc
– fd subdirectory: all the files a process has opened
– cmdline: the command-line arguments

Miscellaneous
lsof (list open files)
– Lists processes with all their open files, network ports, current directories, and other file system related information
– An open file can be a regular file, a directory, a library, a stream, or a network socket.
– Example, as the root user:
  lsof -p <PID of sshd>
  lsof -i: show all processes with active network ports

Miscellaneous
ltrace
– Library call monitoring program
– ltrace date > /dev/null – shows a fragment of a library-call trace of the date command
strace
– System call monitoring
– strace date > /dev/null
sysctl
– Read/write access to kernel configuration parameters and other data
– sysctl -a

Prepare Analysis Machines
Boot into Knoppix-STD (or your favorite Linux OS with all the right tools)
http://en.wikipedia.org/wiki/Knoppix_STD

A Summary of the Steps in a Unix Investigation
Review all pertinent logs
Perform keyword searches
Review relevant files
Identify unauthorized user accounts or groups
Identify rogue processes
Check for unauthorized access points
Analyze trust relationships
Check for kernel module rootkits

Compromising a Unix Host

Typical Attack Host Exploits

Attack Steps
Target Identification
Intelligence Gathering
– Password sniffing and guessing
– Compromise network service
Initial Compromise
Privilege Escalation
– Gain root access
Reconnaissance
– Attackers perform their own forensic examination
– Look for security programs
– Analyze system and user activities
Covering the Tracks
– System that is owned: gain administrative access, clean the tracks, and prepare a return path

Sep 29, 2006