290 likes | 385 Views
COEN 250 Computer Forensics. Unix System Life Response. Creating a Response Toolkit. Toolkits depend on the OS. Often, need to compile tools from source. Many Unix versions are not compatible. Creating a Response Toolkit. Tools on the system are often Trojaned.
E N D
COEN 250 Computer Forensics Unix System Life Response
Creating a Response Toolkit • Toolkits depend on the OS. • Often, need to compile tools from source. • Many Unix versions are not compatible.
Creating a Response Toolkit • Tools on the system are often Trojaned. • Much more than on Windows machines. • Statically link tools. • http://www.incident-response.org
Store information • On local hard drive. • On remote media (floppies, USB, tape) • Record information by hand. • Use netcat or cryptcat to transfer to a forensic workstation over the net.
Collecting Data before a Forensic Duplication • System date and time. • Currently logged-on users. • Time/date stamps for the entire file system. • List of currently open sockets. • Application listening on these sockets. • List of recent connections.
Collecting Data before a Forensic Duplication • Create a trusted shell. • Exit X-windows or other GUI • Log on with root privileges • Mount floppy: mount /dev/fd0 /mnt/floppy • Run shell from floppy (bash) • Set path to . (dot)
Collecting Data before a Forensic Duplication • Use “date” for the time. • Use “w” for current users. • Use ls recursively (R) to record access times, starting at /. • ls –alRu / > floppy/atime • ls –alRc / > floppy/ctime • ls –alR / > floppy/mtime
Collecting Data before a Forensic Duplication • Alternative • find / printf “%m;%Ax;%AT;%TX;%TT;%Cx;%CT;%U;%G%s;%p\n”
Collecting Data before a Forensic Duplication • Find open TCP / UDP ports • Goal: • Find open backdoors • Use “netstat –an” to view all open ports. • Use “netstat –anp” (on Linux) to list all applications associated with open ports. • Check normal use of open ports: • www.portsdb.org (currently down) • http://logs.sofaware.com/resolveport/?portnumber=80&protocol=TCP • Use “lsof” (list of open files) utility as in “lsof –i –D r”
Collecting Data before a Forensic Duplication • Take a snapshot of all running processes • ps –eaf on Solaris • ps –aux on FreeBSD and Linux
Collecting Data before a Forensic Duplication • Open Files • lsof
Collecting Data before a Forensic Duplication • Internal Routing Table • netstat –rn • Goal: Evidence of man in the middle attack
Collecting Data before a Forensic Duplication • Loaded Kernel Module • Used to be standard way to install a rootkit • Use lsmod command • Warning: Knark and other loadable kernel module rootkits will subvert this program
Collecting Data before a Forensic Duplication • Mounted File Systems • df command • Example: Mounted NFS shares can be used by an intruder to transfer data
Collecting Data before a Forensic Duplication • System version and patch level • uname -a
Collecting Data before a Forensic Duplication • Obtain all system logs • /var/run/utmp log contains currently logged on users • Warning: tools like “zap2” delete these entries • http://www.packetstormsecurity.com/ • /var/log/wtmp • History of logins • Syslog logs in syslog.conf
Collecting Data before a Forensic Duplication • User accounts • Look for evidence of backdoors in password files • /etc/passwd • For suspicious users, check user history files
Collecting Data before a Forensic Duplication • Obtain important config files • Dump System RAM • Often in /proc/kmem or /proc/kcore • Use it for keyword searches
Collecting Data before a Forensic Duplication • Suspicious files • Assume attacker runs a binary such as datapipe and then deletes it. • Binary is kept in /proc file system • /proc does not exist on the hard drive • To collect binary image of process pid 1234: • Change into /proc/1234 • Copy exe to forensics workstation using cat and netstat • fd directory contains all open files for a particular process.
Collecting Data before a Forensic Duplication • Take Date again • Record all steps (script, history) • Record MD5 sums to prevent challenges of changed data.
Rootkits • Rootkits: tools to acquire and keep root access. • File Level Rootkits: Trojan • login • ps • find • who • netstat
Rootkits • Trojaned login • Works as designed. • But lets one special username in. • Trojaned who • Works as designed. • But does not display the user with the special username. • Provides access and protection
Rootkits • Use Tripwire to detect system file alterations. • Use trusted forensics tool to find file level rootkits.
Rootkits • Kernel-Level Rootkits • Create their own kernel. • That is, let users live in a virtual reality that they created. • Loadable Kernel Modules (LKM) • Supported by Linux, Solaris, etc. • Allow to add modules to the kernel.
Rootkits • Rogue LKM can intercept system commands. • Tripwire will not help, system files are still there and unchanged.
Rootkits • Knark • To hide a process, send kill -31. • Knark LKM takes care of the rest. • Forensically sound tools are not circumvented, though.
Rootkits • Detection • Look for inconsistencies in the data • Example: • lsof output contains file /tmp/.kde • find does not list /tmp/.kde • Discrepancy is strong hint at existence of a rootkit set to hide /tmp/.kde
Sniffers • Used to capture network traffic • Payload are unencrypted login procedures • Payload are email messages • …
Sniffers • Ethernet card needs to be in promiscuous mode for sniffing. • Use ifconfig –i eth0 • Look for keyword PROMISC • Use lsof to find large output files