Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

Transcription

1 s Unix Definition of : Computer Coherent application of a methodical investigatory techniques to solve crime cases. Forensics source: Edward Fjellskål, NorCERT, Nasjonal sikkerhetsmyndighet (NSM)

2 s Unix Has a criminal offense taken place? You need to know what exactly happened (was it just a defacement or something more?) You need proof that something took place. (was John Doe using his computer at home as he was saying, or was he out robbing the bank)

3 s Unix What to do before touching a system Why do we think is necessary here? (Hacked, Stolen data, Illegal content or activities) What is the purpose of the system? (Web/database/file-server etc.) What OS? What services should normally be running?

4 s Unix There are three important A s in computer :

5 s Unix the without altering or damaging the original Pull the plug (freezes the system, but might loose information) Impossible on important running server? Beware of changed binary files Make complete copy of drive (Unix: dd, preserves everything) Alternatives 1 Examine using software on the suspected system 2 Verify software 3 Use CD with software 4 Boot with CD 5 Pull the plug, then use work station, working on write protected disk/disk image

6 s Unix the Chain of Custody Who collected it, how, where How stored Who took it out of storage Documentation (very important) Create hash of entire drive and of files. Use both MD5 and SHA

7 s Unix the data without modifying it work on a copy calculate hash before analysis documentation Network analysis and network logs are very important

8 s Unix It is almost impossible to completely delete the contents of a hard disk completely fill disk with random zeros and ones several times Even then, it might be possible to retrieve the original data

9 s Unix Footprints from unusual activity not only stand out, they are likely to stand out for a long time because most information on a system is rarely touched.

10 s Unix MAC-times: Modify, Access, Change/Create Unix filesystems(stat): Modify, last time the file content was changed Access, last time the file was accessed Change, last time meta-data of the file changed FAT and NTFS: Modify, last time the file content was changed Access, last time the file was accessed Create, creation time of the file

11 s Unix Example from a computer: A man had downloaded and forwarded child pornography Claimed he had never looked at the pictures Access times where several days older than the creation times for the pictures He confessed that he had looked at them.

12 s Unix Extract the partitions File system timeline (mac-robber and mactime) From timeline study, create a list of interesting words Make a strings file from your image(s) and search for your interesting words Extract unallocated datablocks and slack-space Search unallocated/slack-space for interesting words too

13 s Unix Can give you important clues So we need to study it closely Timeline can also be made from application logs! Merge all into one picture - log2timeline

14 s Unix Some important spots to look for MFT (NTFS Master File Table) Recycle bin (hidden INFO-file) Index.dat (IE cache) Registry Log files (as for any OS)

15 s Unix ifconfig, ps, netstat /proc (Linux only) lsmod (shows Linux kernel modules) strings (text in binary files) logfiles Unix

16 s Unix The Coroner s Toolkit graverobber, collects file info, processes, system info. Option: -c corpse... mactime,mac-robber (gives chronological order, timeline) unrm (copies free space to file) Lazarus, identifies contents of a block TASK, tool built on top of TCT utilities and TCT. Knows both Unix and Widows filesystems. Autopsy, aka the Sleuth Kit, HTML-based interface for TASK Foremost, recover files, (US Air Force)

17 s Unix tests will audit remotely a given network and determine whether bad guys may break into it, or misuse it in some way. nmap, network mapper, commercial vulnerability scanner OpenVAS, vulnerability scanner and manager Metasploit, penetration, performs actual exploits scan reports can be loaded by Metasploit and used as configuration for a penetration test

18 s Unix vulnerability scanner Tests systems, networks and applications for weaknesses Checks patching and configuration Detects malware and potentially unwanted and unmanaged software plugins, covering unique CVE(Common Vulnerabilities and Exposures) IDs and unique Bugtraq IDs