INSA Information Networking Security and Assurance Lab, National Chung Cheng University
Incident Response & Computer Forensics
Chapter 6: Live Data Collection from Unix Systems
Jai, 2004
Outline
• Preface
• Obtaining Volatile Data Prior to Forensic Duplication
• Performing an In-Depth, Live Response
• /proc File System
Preface
• Many Unix versions are not backward or forward compatible
• Four storage options
  • Local hard drive
  • Remote media such as floppy disks, USB drives, or tape drives
  • By hand
  • Forensic workstation over the network
• Best time
  • All are not online
The minimum information
• System date and time
• A list of the users who are currently logged on
• Time/date stamps for the entire file system
• A list of currently running processes
• A list of currently open sockets
• The applications listening on open sockets
• A list of the systems that have current or recent connections to the system
Follow these steps
• Execute a trusted shell
• Record the system time and date
• Determine who is logged on to the system
• Record modification, creation, and access times of all files
• Determine open ports
• List applications associated with open ports
• Determine the running processes
• List current and recent connections
• Record the system time
• Record the steps taken
• Record cryptographic checksums
Executing a trusted shell
• Avoid logging in through X Window
• Set your PATH equal to dot (.)
Recording the System Time and Date
[screenshot of the command and its output; callout: "This is command"]
Who?
[screenshot of the command output, annotated:]
• The local starting time of the connection
• The time used by all processes attached to that console (control terminal)
• ttyn: logon at the console; ptsn: over the network
• The processor time used by the current process (under the WHAT column)
Recording File Modification, Access, and Inode Change Times
• Access time (atime)
• Modification time (mtime)
• Inode change time (ctime)
Access Time [excerpt from $ man ls]
Inode Change Time [excerpt from $ man ls]
Modification Time [screenshot]
Determine Which Ports Are Open
[screenshot of the command and its output]
Applications Associated with Open Ports
• You must be root!!!!
[screenshot; callouts: the command, the PID/Program name column]
Applications Associated with Open Ports
• In some other Unix-like OSs: list all running processes and the file descriptors they have open
Determine the Running Processes
[screenshot of the command output; callout: the column that indicates when a process began]
Recording the Steps Taken
• The file that logs the keystrokes you type and their output!!
[screenshot of the command]
• Another command: history
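The step list above, carried out in order by a small collection script. This is an added example, not code from the slides or from the book they follow; it assumes a trusted toolkit directory (TRUSTED_BIN, a hypothetical path on read-only media that must contain every tool the script names, including mkdir, md5sum and tee) and an output directory OUT that can be local disk, removable media, or a directory that is later sent to a forensic workstation. Each step's exact command line and output are appended to one evidence file, which serves the same purpose as the keystroke-logging command on the slide, and the file is checksummed at the end.

```sh
#!/bin/sh
# Added example (not from the slides): minimal live-response collector.
# TRUSTED_BIN and OUT are assumptions; adjust them to the responder's media.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"   # hypothetical trusted toolkit path
OUT="${OUT:-/tmp/live-response-$$}"             # where the evidence file goes

# enter_trusted_shell: the "PATH equal to dot" rule made explicit. Only the
# trusted toolkit is searched, so trojaned copies of ls/ps/netstat on the
# compromised host are never executed.
enter_trusted_shell() {
  cd "$TRUSTED_BIN" || return 1
  PATH=.; export PATH
}

# run_step OUTDIR LABEL CMD...: append the label, the exact command line and its
# output to the evidence file, building the record of steps taken as we go.
run_step() {
  outdir=$1; label=$2; shift 2
  {
    printf '### %s\n$ %s\n' "$label" "$*"
    "$@" 2>&1 || printf '(command failed or not available: %s)\n' "$1"
    printf '\n'
  } >> "$outdir/live-response.txt"
}

# collect_volatile OUTDIR: the ordered collection. The three recursive ls runs
# use the time views the slides name: -u (atime), -c (ctime), default (mtime).
collect_volatile() {
  outdir=$1
  mkdir -p "$outdir" && : > "$outdir/live-response.txt" || return 1
  run_step "$outdir" "1 system date and time (start)" date
  run_step "$outdir" "2 who is logged on" w
  run_step "$outdir" "3a access times of all files" ls -alRu /
  run_step "$outdir" "3b inode change times of all files" ls -alRc /
  run_step "$outdir" "3c modification times of all files" ls -alR /
  run_step "$outdir" "4 open ports" netstat -an
  run_step "$outdir" "5 applications on open ports (needs root)" netstat -anp
  run_step "$outdir" "5b open files and sockets per process" lsof -n
  run_step "$outdir" "6 running processes with start time" ps -eo pid,ppid,user,lstart,args
  run_step "$outdir" "7 current and recent connections" last
  run_step "$outdir" "8 system date and time (end)" date
}

# checksum_evidence OUTDIR: record a checksum of the evidence file so later
# modification can be detected; prints the checksum line as well.
checksum_evidence() {
  outdir=$1
  (cd "$outdir" && md5sum live-response.txt) | tee "$outdir/live-response.md5"
}

# Stand-alone use, as root, from the trusted toolkit:  ./live-response.sh run
if [ "${1:-}" = "run" ]; then
  enter_trusted_shell
  collect_volatile "$OUT"
  checksum_evidence "$OUT"
fi
```

The recursive ls runs are the slow part and the ones that write to the evidence file the most, so on a large file system send OUT to removable media or pipe the evidence file to a forensic workstation rather than writing it to the suspect disk, which would overwrite unallocated space that the later forensic duplication should preserve.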
The files you want to collect
• The log files
• The configuration files
• The other relevant files
Loadable Kernel Module Rootkits
• Rootkits
  • Collections of commonly trojaned system processes and scripts that automate many of the actions attackers want to do!!!
• LKMs are programs that can be dynamically linked into the kernel after the system has booted up
Loadable Kernel Module Rootkits
• Rogue LKMs can lie about the results
• LKM rootkits
  • knark
  • adore
  • heroin
• When the LKM is installed, the attacker simply sends a signal 31 (kill -31) to the process she wants to hide
The important logs you must collect!!
• Binary log files
  • The utmp file, accessed with the w utility
  • The wtmp file, accessed with the last utility
  • The lastlog file, accessed with the lastlog utility
  • Process accounting logs, accessed with the lastcomm utility
The important logs you must collect!!
• ASCII text log files
  • Web access logs
  • xferlog (ftp log)
  • History log
The important configuration files you want to collect!!
• /etc/passwd
• /etc/shadow
• /etc/group
• /etc/hosts
• /etc/hosts.equiv
• ~/.rhosts
• /etc/hosts.allow and /etc/hosts.deny
• /etc/syslog.conf
• /etc/rc
• crontab files
• /etc/inetd.conf and /etc/xinetd.conf
Discovering illicit sniffers on Unix Systems
• Most dangerous
  • More widespread than a single system
  • Have root-level access
Discovering illicit sniffers on Unix Systems
[two screenshots of interface status: no sniffers vs. sniffers on your system]
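The two screenshots contrast interface flag lists with and without the promiscuous-mode flag. As an added example (not from the slides), the function below reads the output of either `ip link` or `ifconfig -a` and prints the interfaces whose flags contain PROMISC; the sample outputs it ships with are constructed, and the interface names and addresses in them are placeholders.

```sh
#!/bin/sh
# Added example (not from the slides): find interfaces in promiscuous mode.

# promisc_ifaces: reads ip/ifconfig output on stdin and prints one interface
# name per line for every interface whose flag list contains PROMISC.
promisc_ifaces() {
  awk '
    # iproute2:  "2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
    /^[0-9]+: [^:]+: </        { name=$2; sub(/:$/, "", name); flags=$3 }
    # net-tools: "eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500"
    /^[A-Za-z][^ :]*: flags=/  { name=$1; sub(/:$/, "", name); flags=$2 }
    # old net-tools: "eth0  Link encap:Ethernet ..." followed by an indented
    # "UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500" line
    /^[A-Za-z][^ ]* +Link encap/ { name=$1; flags="" }
    /^ +UP /                   { flags=$0 }
    flags ~ /PROMISC/ && name != "" { print name; name=""; flags="" }
  '
}

# live_promisc_check: run the check on this host with whichever tool exists.
# Use the copy from the trusted toolkit: a rootkit-modified ifconfig can hide
# the flag, which is the slides' point about rogue LKMs lying about results.
live_promisc_check() {
  if command -v ip >/dev/null 2>&1; then
    ip link 2>/dev/null | promisc_ifaces
  elif command -v ifconfig >/dev/null 2>&1; then
    ifconfig -a 2>/dev/null | promisc_ifaces
  else
    printf 'neither ip nor ifconfig found in PATH\n' >&2
    return 1
  fi
}

# Constructed sample output (iproute2 style); eth0 is sniffing, eth1 is not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# Constructed sample output (net-tools style) for the same situation.
SAMPLE_IFCONFIG='eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'

# Stand-alone:  ./promisc.sh live   checks this host; with no argument it
# demonstrates the parser on the constructed samples.
if [ "${1:-}" = "live" ]; then
  live_promisc_check
else
  printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces
  printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
fi
```

A second, independent indicator is the kernel log: Linux records a message containing "entered promiscuous mode" with the interface name when the flag is set, so the kernel ring buffer and syslog are worth checking even when the interface tools have been tampered with.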
What?
• Pseudo-file system
• An interface to kernel data structures
• Each process has a subdirectory in /proc that corresponds to its PID
Example
[screenshot: start an executable, note its PID, go into the matching /proc subdirectory, and read back the command you executed]
The fd subdirectory
[screenshot: file descriptors 0, 1 and 2 are standard input, standard output and standard error, followed by the file descriptor the program opened]
[another example with a socket: the file descriptor the socket opened]
Dump System RAM
• Two files you should collect
  • /proc/kmem
  • /proc/kcore
A technique you can use!!!!!
• The command line is changed at runtime!
• Two parameters
  • argc: an integer giving the number of entries in the argv[] array
  • argv: an array of string values that represent the command-line arguments
Example
• tcpdump -x -v -n
  • argv[0] = tcpdump
  • argv[1] = -x
  • argv[2] = -v
  • argv[3] = -n
• strcpy(argv[0], "xterm")
Example 2
[screenshot: the two parameters]
[screenshot: the technique you want to learn!!]
[screenshot: Succeed ^_^]
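The /proc walk-through (PID subdirectory, cmdline, the fd subdirectory) and the argv[0] rewrite shown in the examples above can be put together into one check from the responder's side. A program that overwrites its own argv[0] changes what /proc/PID/cmdline (and therefore ps) reports, but not the /proc/PID/exe link to the binary actually running, so the two can be compared. This is an added example, not code from the slides; it assumes a Linux /proc and takes the PID to inspect from the command line.

```sh
#!/bin/sh
# Added example (not from the slides): cross-check the three names /proc keeps
# for a process and list its open file descriptors.

# proc_views PID: prints "argv0|exe-basename|status-name" for the process.
#   cmdline  - the argument vector, NUL separated; this is what ps shows and
#              what strcpy(argv[0], ...) changes
#   exe      - symlink to the executable actually mapped for the process
#   status   - Name: field, the kernel's short (15 char) name for the task
proc_views() {
  pid=$1
  [ -d "/proc/$pid" ] || return 1
  argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" | head -n 1)
  exe=$(readlink "/proc/$pid/exe" 2>/dev/null || printf '?')
  name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status")
  printf '%s|%s|%s\n' "$argv0" "${exe##*/}" "$name"
}

# names_disagree ARGV0 EXE_BASENAME: true (exit 0) when the program name the
# process presents differs from the binary mapped as its executable.
names_disagree() {
  presented=${1##*/}   # strip any directory part: /usr/sbin/tcpdump -> tcpdump
  [ "$presented" != "$2" ]
}

# proc_open_fds PID: the fd subdirectory as the slides read it. 0, 1 and 2 are
# stdin/stdout/stderr; a target like socket:[12345] is an open socket.
proc_open_fds() {
  pid=$1
  for fd in "/proc/$pid/fd"/*; do
    [ -L "$fd" ] || continue
    printf '  fd %s -> %s\n' "${fd##*/}" "$(readlink "$fd")"
  done
}

# inspect_pid PID: print the report; exit status 2 when the names disagree.
inspect_pid() {
  pid=$1
  views=$(proc_views "$pid") || { printf 'no /proc entry for pid %s\n' "$pid"; return 1; }
  argv0=${views%%|*}; rest=${views#*|}; exe=${rest%%|*}; name=${rest#*|}
  printf 'pid %s: cmdline argv[0]=%s  exe=%s  status Name=%s\n' "$pid" "$argv0" "$exe" "$name"
  proc_open_fds "$pid"
  if names_disagree "$argv0" "$exe"; then
    printf 'MISMATCH: process presents itself as %s but runs %s\n' "$argv0" "$exe"
    return 2
  fi
  return 0
}

# Stand-alone:  ./procview.sh PID   (root is needed to read other users' fd links)
if [ -n "${1:-}" ]; then
  inspect_pid "$1"
fi
```

Two caveats keep the check honest: the exe link reads the path with " (deleted)" appended when the binary was removed after it started, which is itself worth noting, and an LKM rootkit of the kind the earlier slides describe can filter /proc just as it filters ps, so a clean comparison here is only as trustworthy as the kernel that produced it.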