
Lecture 12 Foundations for Unix Investigations




  1. Lecture 12: Foundations for Unix Investigations
     CSCE 517 Forensic Computing
     • Topics
       • Unix File System
       • Stat system call
       • Deleting files
       • Processes and /proc
       • Argv, environment
       • Logs
     June 26, 2003

  2. Unix File System
     (Slide diagram: a directory tree rooted at / with the top-level entries etc, acct, usr, …, bin, lib, and below them entries such as passwd, mm, bin, man, include, ls, ps, Admin, Courses, Research and stdio.h)
     • Directories
     • Paths: full and relative

  3. A File System in Unix
     • Boot Block
       • Bootstrap loader
     • Super Block
       • Free-space list, etc.
     • Inode Table (Inode = Information Node)
       • Owner of the file: uid, gid
       • Permissions
       • Disk addresses of blocks
     • Data Blocks
     • Directories contain the inode number of each file together with its name
     • File systems can be mounted at particular places in the hierarchy with the mount command.

  4. Inode information on Files

        struct o_stat {
            o_dev_t   st_dev;    /* major device number of the file system holding the file */
            o_ino_t   st_ino;    /* inode number */
            o_mode_t  st_mode;   /* permissions, type of file, etc. */
            o_nlink_t st_nlink;  /* number of links (directory entries) to this inode */
            o_uid_t   st_uid;    /* owner's user id */
            o_gid_t   st_gid;    /* owner's group id */
            o_dev_t   st_rdev;   /* device number, for character/block special files */
            off32_t   st_size;   /* size in bytes */
            time32_t  st_atime;  /* time of last access */
            time32_t  st_mtime;  /* time of last modification of the data */
            time32_t  st_ctime;  /* time of last change of the inode itself */
        };

  5. Original Unix File System Disk Block Pointers
     • 10 direct pointers – pointers to data blocks
     • single indirect pointer – pointer to a block of pointers to data blocks
     • double indirect pointer – pointer to a block of pointers to blocks of pointers to data blocks
     • triple indirect pointer – one further level of indirection beyond the double indirect pointer

  6. The stat system call
     • int stat(const char *path, struct stat *buf) –
       get statistics on this file
     • int fstat(int fd, struct stat *buf) –
       a version of stat for open files
     • int lstat(const char *path, struct stat *buf) –
       a version of stat that does not follow symbolic links

  7. Command Line Arguments in C

        #include <stdio.h>

        int main(int argc, char *argv[])
        {
            int i;
            /* print every argument, quoted, with its index */
            for (i = 0; i < argc; ++i)
                printf("argv[%d]=\"%s\"\n", i, argv[i]);
            return 0;
        }

     N.B. This can be hidden by copying over the structure at run-time.

  8. Accessing the Environment

        /* This example shows how to access environment variables */
        #include <stdio.h>

        extern char **environ;   /* NULL-terminated array of "NAME=value" strings */

        int main(void)
        {
            char **p;
            for (p = environ; *p != NULL; ++p) {
                fprintf(stderr, "%s\n", *p);
            }
            return 0;
        }

  9. Use of the Stat Call

        #include <stdio.h>
        #include <sys/stat.h>

        int main(int argc, char *argv[])
        {
            int i;
            struct stat buf;
            char *ptr;

            for (i = 1; i < argc; i++) {
                printf("%s: ", argv[i]);
                if (lstat(argv[i], &buf) < 0) {   /* lstat: report on the link itself */
                    perror("lstat error");        /* stands in for the slide's err_ret() */
                    continue;
                }
                if (S_ISREG(buf.st_mode)) ptr = "regular";
                else if (S_ISDIR(buf.st_mode)) ptr = "directory";
                else if (S_ISLNK(buf.st_mode)) ptr = "symbolic link";
                else ptr = "other";
                printf("%s\n", ptr);
            }
            return 0;
        }

  10. Multiple links
      • The system call link(path1, path2)
        • Creates a new link to the file specified by path2
        • It does not create a new inode
        • It creates a new directory entry and uses the same inode number
        • It increments the nlink field in the inode
      • Symbolic Links
        • The link is itself a file whose contents are the path to the target file
        • Symbolic vs hard links
      • The unlink system call unlink(path) is used to delete files

  11. Deleting a file
      • The system call unlink(path)
        • Does not really delete the file (at least not immediately)
        • The directory entry is removed (subject to permissions)
        • It checks the nlink field in the inode corresponding to the file and decrements it
        • Then if it is non-zero that's all – the file just has one less link
        • If it is zero and no currently running process has it open, the file is deleted:
          • Inode is put on the free inode list
          • Disk blocks are put on the free-space list
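The sequence of slides 10 and 11, as an added example that is not part of the lecture: it creates a constructed scratch file under /tmp (file names are assumptions), adds a hard link and watches st_nlink go from 1 to 2 and back, then opens the file and unlinks its last name. The link count drops to 0 and the name is gone, yet the data is still readable through the open descriptor, which is why a process can keep running from, and an investigator can still copy, a file that has been "deleted".

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Results of one run through link/unlink, recorded for inspection. */
struct unlink_demo {
    long nlink_after_link;    /* inode's link count once a second name exists */
    long nlink_after_unlink;  /* after that second name is removed again */
    long nlink_while_open;    /* after the last name is removed while an fd is open */
    int  name_still_exists;   /* does the last name still resolve afterwards? */
    char recovered[32];       /* bytes read back through the still-open fd */
};

/* st_nlink for a path, or -1 on error. */
long link_count(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) < 0) return -1;
    return (long)sb.st_nlink;
}

/* Walk through the slides' sequence on a constructed scratch file under /tmp.
 * Returns 0 on success, -1 on any system-call failure. */
int run_unlink_demo(struct unlink_demo *r)
{
    char file[] = "/tmp/unlinkdemo.XXXXXX";   /* assumed scratch location */
    char second[sizeof file + 8];
    const char payload[] = "evidence\n";
    struct stat sb;
    int fd;
    ssize_t n;

    memset(r, 0, sizeof *r);

    /* create the file and give it some content */
    fd = mkstemp(file);
    if (fd < 0) return -1;
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) {
        close(fd); unlink(file); return -1;
    }
    close(fd);

    /* link(): a second directory entry for the same inode, nlink goes 1 -> 2 */
    snprintf(second, sizeof second, "%s.hard", file);
    if (link(file, second) < 0) { unlink(file); return -1; }
    r->nlink_after_link = link_count(file);

    /* unlink() of one name: nlink 2 -> 1, the data is untouched */
    if (unlink(second) < 0) { unlink(file); return -1; }
    r->nlink_after_unlink = link_count(file);

    /* open the file, then remove its last name: nlink reaches 0 but the inode
     * and its blocks stay allocated until the last descriptor is closed */
    fd = open(file, O_RDONLY);
    if (fd < 0) { unlink(file); return -1; }
    if (unlink(file) < 0) { close(fd); return -1; }
    if (fstat(fd, &sb) < 0) { close(fd); return -1; }
    r->nlink_while_open = (long)sb.st_nlink;
    r->name_still_exists = (access(file, F_OK) == 0);

    /* the content is still readable through the descriptor */
    n = read(fd, r->recovered, sizeof r->recovered - 1);
    if (n < 0) { close(fd); return -1; }
    r->recovered[n] = '\0';
    close(fd);   /* now the inode and its blocks go to the free lists */
    return 0;
}

int main(void)
{
    struct unlink_demo r;
    if (run_unlink_demo(&r) != 0) { perror("demo"); return 1; }
    printf("nlink after link():   %ld\n", r.nlink_after_link);
    printf("nlink after unlink(): %ld\n", r.nlink_after_unlink);
    printf("nlink while open:     %ld (name exists: %s)\n",
           r.nlink_while_open, r.name_still_exists ? "yes" : "no");
    printf("read back: %s", r.recovered);
    return 0;
}
```

The last step is the practical point for an investigation: as long as some process holds the descriptor, the blocks are not on the free-space list, so the content can still be collected before the process exits.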

  12. File System Check (fsck)
      • When a file system is mounted a "file system dirty" bit is set.
      • This is to ensure the consistency of the internal data structures and those stored on disk.
      • Powering down gracefully and ungracefully
        • shutdown is run to close everything down gracefully
        • When the system is brought back up it will run fsck to check the file system (if the dirty bit is set).
      • Some versions of fsck will save orphaned files in lost+found

  13. Tools
      • ls
      • find
      • ps
      • dd
      • netstat
      • strings
      • netcat
      • bash
      • vi
      • ifconfig
      • …

  14. Trusted tools
      • One of the first things a hacker would do is replace these tools with special ones to hide the presence of the hacker's files and processes
      • Build a CD of trusted tools
      • Execute a trusted shell

  15. Who is logged on and what are they doing?
      • who, w
      • ps -aef
      • But what if the hacker has removed his code ("deleted the object file")?

  16. /proc file system
      • Pseudo file system that provides an interface to kernel data structures
      • Example on erdos or forensicrig
      • ps -aux | grep /root/ir/lo
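An added example, not from the lecture, that answers the question on slide 15 using /proc on Linux (the /proc layout is an assumption of this example, as is the " (deleted)" suffix the Linux kernel appends to /proc/<pid>/exe when the binary's last directory entry is gone). It reads a process's executable path and command line straight from /proc rather than trusting ps, and scans all PIDs for processes whose binary no longer exists on disk, which is the condition an investigator wants flagged.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/types.h>

/* Resolve /proc/<pid>/exe into target. Linux appends " (deleted)" when the
 * process still runs from an inode that has no directory entry left.
 * Returns 1 if deleted, 0 if not, -1 if unreadable (no permission, no /proc). */
int exe_is_deleted(pid_t pid, char *target, size_t len)
{
    static const char tag[] = " (deleted)";
    size_t tlen = sizeof tag - 1;
    char path[64];
    ssize_t n;

    snprintf(path, sizeof path, "/proc/%ld/exe", (long)pid);
    n = readlink(path, target, len - 1);   /* readlink does not NUL-terminate */
    if (n < 0) return -1;
    target[n] = '\0';
    return ((size_t)n >= tlen && strcmp(target + n - tlen, tag) == 0) ? 1 : 0;
}

/* Copy /proc/<pid>/cmdline into buf, turning the NUL separators into spaces.
 * Returns the number of argv entries seen, or -1 on error. */
int read_cmdline(pid_t pid, char *buf, size_t len)
{
    char path[64];
    FILE *f;
    size_t n, i;
    int argc = 0;

    snprintf(path, sizeof path, "/proc/%ld/cmdline", (long)pid);
    f = fopen(path, "r");
    if (!f) return -1;
    n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    for (i = 0; i < n; i++)
        if (buf[i] == '\0') { argc++; buf[i] = ' '; }
    if (n > 0 && buf[n - 1] == ' ') buf[n - 1] = '\0';   /* drop trailing separator */
    else if (n > 0) argc++;                              /* no final NUL: still one arg */
    return argc;
}

/* Walk /proc and call report() for every process whose executable is deleted.
 * Returns the number of such processes, or -1 if /proc cannot be opened. */
int scan_deleted_exes(void (*report)(pid_t pid, const char *exe, const char *cmdline))
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    int hits = 0;

    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char exe[4096], cmd[4096];
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end != '\0' || pid <= 0) continue;          /* not a PID directory */
        if (exe_is_deleted((pid_t)pid, exe, sizeof exe) != 1) continue;
        if (read_cmdline((pid_t)pid, cmd, sizeof cmd) < 0) cmd[0] = '\0';
        hits++;
        if (report) report((pid_t)pid, exe, cmd);
    }
    closedir(d);
    return hits;
}

static void print_hit(pid_t pid, const char *exe, const char *cmdline)
{
    printf("pid %ld runs deleted binary %s\n  cmdline: %s\n", (long)pid, exe, cmdline);
}

int main(void)
{
    char exe[4096], cmd[4096];
    exe_is_deleted(getpid(), exe, sizeof exe);
    read_cmdline(getpid(), cmd, sizeof cmd);
    printf("this process: exe=%s cmdline=%s\n", exe, cmd);
    printf("processes running from deleted binaries: %d\n", scan_deleted_exes(print_hit));
    return 0;
}
```

Run as root so that every /proc/<pid>/exe is readable; a hit means the on-disk copy is gone but /proc/<pid>/exe can still be opened and copied out, because the inode stays allocated while the process runs (slide 11). The slide's caveat about overwriting argv applies to cmdline, so treat it as a hint and rely on exe and the inode data for the real identification.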

  17. Networking Overview
      • Client-server paradigm
      • TCP/IP Protocol Suite

  18. Network Connections
      • IP address
      • Port number / protocol
      • netstat -anp
      • ifconfig -I eth0

  19. Summary
