Unix/Linux Forensics




Slide 2: Simple Linux Commands
- date: display the date
- ls: list the files in the current directory
- more: display files one screen at a time
- cat: display the contents of a file
- wc: display lines, words, and characters
- cp, mv, rm, pwd, mkdir, cd, rmdir, chmod
- head: show the first few lines of a file
- file: determine a file type
- tail: show the last few lines of a file
- cal: display calendar
- kill: terminate a running command
- lpr: send a job to the printer
- grep: search a file for a specific pattern
- chmod: change file permissions
- fdisk, mount, cat /etc/fstab, last

Slide 3: Basic Concepts
- shell
- shell scripts
- background and foreground: &, Ctrl-Z, bg, fg, jobs
- environment variables: env
- passwd

Slide 4: The Linux Filesystem Layout
The basic layout of the filesystem starts with the root directory.
- root directory (/): the base of the file system's tree structure
- /bin: binary files for the OS
- /dev: the device files
- /etc: system configuration files
- /sbin: system administrative binaries
- /home: conventional location for users' home directories
- lost+found: storage for recovered files

Slide 5: Commonly used commands/concepts
- mount/umount
- ls: different options
- ln
- df
- tree
- chmod, chown, chgrp
- find
- tar
- gzip
- dd
- stat

Slide 6: Commonly used commands/concepts
- cksum: checksum and count the bytes in a file
- sum: checksum and count the blocks in a file
- diff: provide a list of each line that differs
- strings

Slide 7: Commonly used commands/concepts
- Every file is managed by a data structure called an inode
- The inode records the file's location and size; owner and permissions; time of creation, time of last access, time of last modification
- stat
- SUID root: set user ID

Slide 8: Ext2 Inode
http://www.tldp.org/ldp/tlk/fs/filesystem.html

Slide 9: Network Information System
- /etc/nsswitch.conf
- yppasswd

Slide 10: Shared System Files

Slide 11: Four basic steps
- Collect
- Preserve
- Analyze
- Present (report)

Slide 12: Investigating a Unix Host
- Filesystem integrity-checking program: Tripwire, http://sourceforge.net/projects/tripwire/
- TCT: examining hacked Unix systems, http://www.porcupine.org/forensics/tct.html
- netcat

Slide 13: Order of Volatility
The more volatile the data is, the more difficult it is to capture, and the less time you have to do it. In descending order of volatility:
- CPU storage
- System storage
- Kernel tables
- Fixed media
- Removable media
- Paper printouts
(Table 11-4)

Slide 14: TCT (1)
- TCT: The Coroner's Toolkit, http://www.porcupine.org/forensics/
- Mostly Perl, but some C as well
- A STATIC tool: changes to the filesystem during analysis will NOT be noticed by TCT
- You MUST isolate the system under investigation

Slide 15: TCT (2)
Four major parts:
- grave-robber: captures forensic data
- The C-tools (ils, icat, pcat, file, etc.)
  - pcat: low-level memory utility, copies process memory (pcat PID)
  - file: determine file type
  - icat: copies files by inode number
  - ils: list inode info (usually removed files)
- lazarus: create structure from unstructured data
- mactime: report on the times of files

Slide 16: The C-tools (ils, icat, pcat, file, etc.)
- pcat: gathers process memory from a live system
- ils: gathers inode information, e.g. ./ils /dev/sda6
- icat: copies files using inode information to standard out, e.g. ./icat /dev/sda6 1405802 (you can use stat to obtain the inode number)
- file: determine file type

Slide 17: lazarus
- Lazarus classifies raw information for analysis (brings back info from the dead)
- Works on unallocated data blocks with no referent inode

Slide 18: mactime
- Three times on an ext filesystem: modification time, access time, change time
- mactime collects information on all three times for specific files, e.g. ./mactime -d /root/download/tct-1.16/bin -y 9/29/2006

Slide 19: Be nice to your MAC times
- MAC times are sensitive to changes within the system
- Running a single command may change the last access time of a file
- Grab MAC time info before running any further commands on the system
- You'll use this info to create a timeline of activity
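One way to capture all three timestamps up front and turn them into a mactime-style timeline, added here as an example (it is not from the slides or from TCT): it relies on GNU find and GNU date and should be run against a read-only, noatime mount of the image so the listing itself does not disturb access times.

```shell
#!/bin/bash
# Added example, not from the slides: build a mactime-style timeline from the
# three ext timestamps (m = modification, a = access, c = inode change).
# Run it against a read-only, noatime mount of the image, because listing a
# tree on an ordinary mount can itself update access times.
# Assumes GNU find (-printf with %T@/%A@/%C@) and GNU date (-d @epoch).

# mac_body ROOT: one "epoch type path" line per timestamp of every object,
# oldest first.  This is the raw "body" a timeline is built from.
mac_body() {
    find "$1" -printf '%T@ m %p\n' -printf '%A@ a %p\n' -printf '%C@ c %p\n' \
        | sort -n -k1,1
}

# mac_timeline ROOT: the same events with the epoch rendered as a UTC date.
# Equal timestamps stay adjacent, so bursts of activity stand out.
mac_timeline() {
    mac_body "$1" | while read -r t type path; do
        printf '%s %s %s\n' \
            "$(date -u -d "@${t%.*}" '+%Y-%m-%d %H:%M:%S')" "$type" "$path"
    done
}

# oldest_mtime_path ROOT: path of the oldest modification in the tree, a
# useful anchor for the start of the timeline.
oldest_mtime_path() {
    mac_body "$1" | awk '$2 == "m" { sub(/^[^ ]+ m /, ""); print; exit }'
}
```

Access times are the first to go: collect the body before any other tool touches the tree, then work from the saved body rather than re-listing.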

Slide 20: Sleuth Kit
- Expands TCT data
- Provides low- and high-level access to *nix and Windows filesystems

Slide 21: The Sleuth Kit File System Tools
File system category / content category:
- dls -f ext -e -l sda6.img
  - a: the data unit is allocated
  - f: the data unit is unallocated
- dcat -f ext sda6.img 23456: view the contents of any data unit
Metadata category:
- Includes data that describe a file: for example, temporal information, the addresses of the data units, the size of the file
- istat -f ext sda6.img 163199: get the specific metadata entry
- ils -f ext -e sda6.img: list the details of several metadata structures
- icat -f ext sda6.img 31: view the contents of the file based on its metadata address instead of its file name

Slide 22: The Sleuth Kit
File name category:
- Includes the data that associates a name with a metadata entry
- fls: list file names in a given directory
- ffind: list which file name corresponds to a given metadata address
Application category:
- A file system journal records updates to the file system so that the file system can be recovered more quickly after a crash
- jls: list the contents of the journal and show which file system blocks are saved in the journal blocks
Multiple categories:
- mactime: takes temporal data from fls and ils to produce a timeline of file activity

Slide 23: The Sleuth Kit
- Searching tools: sigfind (find a binary signature in a file)
- Disk tools: disk_stat
- Volume system tools

Slide 24: Autopsy
- Developed to automate the investigation process when TSK is being used
- http://www.sleuthkit.org/autopsy/

Slide 25: Capture
- Filesystem imaging utilities
- Wipe the analysis drive first: dd if=/dev/zero of=/dev/fd0
- One more example: image /dev/hdb5 in three chunks over the network with dd and netcat
On the collection host (192.168.0.4), start three listeners:
nc -l -p 10001 > suspect.hdb5.image.1of3 &
nc -l -p 10002 > suspect.hdb5.image.2of3 &
nc -l -p 10003 > suspect.hdb5.image.3of3 &
On the suspect host, send each chunk:
dd if=/dev/hdb5 count=2000000 bs=1024 | nc 192.168.0.4 10001 -w 3
dd if=/dev/hdb5 skip=2000000 count=2000000 bs=1024 | nc 192.168.0.4 10002 -w 3
dd if=/dev/hdb5 skip=4000000 count=2000000 bs=1024 | nc 192.168.0.4 10003 -w 3
Reassemble on the collection host:
cat suspect.hdb5.image.1of3 >> suspect.hdb5.image
cat suspect.hdb5.image.2of3 >> suspect.hdb5.image
cat suspect.hdb5.image.3of3 >> suspect.hdb5.image

Slide 26: md5
- Create the hash value of the collected data and record it
- md5 from TCT: md5 /dev/sda6
- Verify the image file on the collection host
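The chunked dd copy from slide 25 and the hash check from slide 26, worked through as an added shell example that is not part of the deck; the source is taken as a path so the functions can be exercised on a plain file, and the netcat transfer is replaced by writing the parts locally (GNU coreutils assumed).

```shell
#!/bin/bash
# Added example, not from the slides: image a source in fixed-size chunks with
# dd skip/count, the way the netcat capture on slide 25 splits /dev/hdb5, then
# reassemble the parts and prove the copy matches the source by hash.
# The source is a path so the functions can be exercised on a plain file; on a
# real capture SRC is the block device and each part is piped to
# "nc <collector> <port> -w 3" instead of being written locally.
# Assumes GNU coreutils (dd status=none, md5sum, wc).

# image_in_chunks SRC OUTDIR CHUNK_BLOCKS BS: write OUTDIR/part.N for every
# CHUNK_BLOCKS*BS bytes of SRC and print the number of parts produced.
image_in_chunks() {
    src=$1; out=$2; chunk=$3; bs=$4
    bytes=$(wc -c < "$src")
    total=$(( (bytes + bs - 1) / bs ))      # number of blocks, tail rounded up
    skip=0; n=0
    while [ "$skip" -lt "$total" ]; do
        n=$((n + 1))
        # skip=N starts N blocks in; count=M copies at most M blocks from there
        dd if="$src" of="$out/part.$n" bs="$bs" skip="$skip" count="$chunk" \
            status=none
        skip=$((skip + chunk))
    done
    echo "$n"
}

# reassemble OUTDIR NPARTS IMAGE: concatenate the parts in order (the cat >>
# lines on slide 25).  Order matters; swapped parts hash differently.
reassemble() {
    out=$1; n=$2; image=$3
    : > "$image"
    i=1
    while [ "$i" -le "$n" ]; do
        cat "$out/part.$i" >> "$image"
        i=$((i + 1))
    done
}

# verify_image SRC IMAGE: print both hashes (record them with the evidence) and
# succeed only when they agree.
verify_image() {
    a=$(md5sum < "$1" | cut -d' ' -f1)
    b=$(md5sum < "$2" | cut -d' ' -f1)
    echo "source: $a"
    echo "image:  $b"
    [ "$a" = "$b" ]
}
```

Hash the source device before the copy and the reassembled image afterwards; a mismatch means a chunk was truncated, duplicated or appended out of order.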

Slide 27: Accessing Captured Filesystems for Examination
- Copy the image into a partition that is the same size as the image (partition cleaned using dd)
- Another approach: loop-mount the image read-only
mkdir /mnt/suspecthost
mount -t ext2 -o ro,loop=/dev/loop0 suspect.hdb5.image /mnt/suspecthost
- Treat it like any other filesystem

Slide 28: logs
- /etc/syslog.conf

Slide 29: logs

Slide 30: logs
- /var/log/secure: authpriv.* messages
- HTTP: /var/log/httpd/*, e.g. grep passwd /var/log/httpd/*
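The slide's grep over the httpd logs, widened into a small triage report as an added example (not from the deck); the log lines, client addresses and paths are constructed for the example.

```shell
#!/bin/bash
# Added example, not from the slides: the "grep passwd /var/log/httpd/*" idea
# widened into a small triage report over Apache common-log lines.
# The lines, client addresses and paths below are constructed for the example.
# Assumes GNU grep and awk.

SAMPLE_LOG='192.0.2.10 - - [29/Sep/2006:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.77 - - [29/Sep/2006:10:12:05 +0000] "GET /cgi-bin/test.cgi?f=../../../../etc/passwd HTTP/1.1" 404 211
192.0.2.77 - - [29/Sep/2006:10:12:06 +0000] "GET /cgi-bin/test.cgi?f=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1880
192.0.2.10 - - [29/Sep/2006:10:13:40 +0000] "GET /about.html HTTP/1.1" 200 877
192.0.2.77 - - [29/Sep/2006:10:14:02 +0000] "GET /cgi-bin/test.cgi?f=/etc/shadow HTTP/1.1" 403 199'

# suspicious_requests [FILE...]: lines whose request names passwd/shadow or
# carries a directory-traversal sequence, plain or URL-encoded.
suspicious_requests() {
    grep -iE 'etc(/|%2f)(passwd|shadow)|\.\./|\.\.%2f' "$@"
}

# triage_report [FILE...]: per client address, the number of suspicious
# requests and the status codes returned in order, so a 200 after a traversal
# attempt (the server actually served something) is checked before the 404s.
triage_report() {
    suspicious_requests "$@" | awk '{
        ip = $1; status = $(NF - 1)
        hits[ip]++
        codes[ip] = (codes[ip] == "" ? status : codes[ip] "," status)
    } END { for (ip in hits) printf "%s %d %s\n", ip, hits[ip], codes[ip] }' | sort
}
```

Run it as `triage_report /var/log/httpd/access_log*` on a copy of the logs; a plain grep for passwd would have missed the URL-encoded request that actually returned 200.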

Slide 31: Examine Account Information

Slide 32: Trust Relationship Configuration Files

Slide 33: Invisible Files and Directories
- Find invisible files and directories:
  find . -type d -name '.*' -print0 | cat -A
- Search for SUID root executables:
  find / -user root -perm -4000 -print0 | xargs -0 ls -l
- Search for SGID programs:
  find / -perm -2000 -print0 | xargs -0 ls -l
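Added example (not from the deck) that turns the SUID/SGID searches above into a baseline-and-diff check in the spirit of the integrity checker on slide 12; it assumes GNU find, xargs, stat and sha256sum, and a baseline taken from a known-good system.

```shell
#!/bin/bash
# Added example, not from the slides: snapshot the set-uid/set-gid programs in
# a tree together with their hashes, then diff a fresh snapshot against that
# baseline.  A newly added or modified SUID binary is one of the classic signs
# that an executable deserves a closer look; the baseline must come from a
# known-good system, not from the suspect host after the fact.
# -print0 / xargs -0 keep names with spaces from breaking the find stage.
# Assumes GNU find, xargs, stat and sha256sum.

tab=$(printf '\t')

# privileged_snapshot ROOT: one "<sha256>\t<mode>\t<path>" line per SUID or
# SGID regular file under ROOT, sorted by path.
privileged_snapshot() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print0 \
        | xargs -0 -r sha256sum \
        | while read -r sum path; do
            printf '%s\t%s\t%s\n' "$sum" "$(stat -c %a -- "$path")" "$path"
          done | sort -t "$tab" -k3,3
}

# privileged_diff ROOT BASELINE: report ADDED / CHANGED / REMOVED entries
# relative to a file written earlier by privileged_snapshot.
privileged_diff() {
    tmp=$(mktemp)
    privileged_snapshot "$1" > "$tmp"
    awk -F '\t' '
        FILENAME == ARGV[1] { base[$3] = $1 "/" $2; next }   # load baseline
        {
            if (!($3 in base))                print "ADDED   " $3
            else if (base[$3] != $1 "/" $2)   print "CHANGED " $3
            seen[$3] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$tmp"
    rm -f "$tmp"
}
```

Run privileged_snapshot against the loop-mounted image (slide 27) and diff it against a baseline from clean media; on a live host the output is only as trustworthy as the find and sha256sum binaries themselves.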

Slide 34: Signs of Intrusion in /tmp

Slide 35: Verifying crontab and at jobs

Slide 36: Signs that an Executable File Deserves a Closer Look

Slide 37: Shell and Application History
- sh: .sh_history
- csh: .history
- ksh: .sh_history
- bash: .bash_history
- tcsh: .history

Slide 38: Signs of Hostile Processes

Slide 39: Levels of System Compromise

Slide 40: RootKit
http://www.securityfocus.com/infocus/1811
What a rootkit is used for:
- Increase privileges
- Hide activities: manipulate the environment and hide evidence
- Gather information: to extend attacks
One example: loadable kernel modules (LKM), http://www.s0ftpj.org/docs/lkm.htm

Slide 41: RootKit Content


Slide 48: KSTAT Utility
- kstat -s: display the system call table

Slide 49: Detecting Trojan LKMs on a Live System
- Complicated: these tools intercept system calls
- Port 2222 open: the default Adore LKM port

Slide 50: Miscellaneous
- To list the applications associated with open ports: netstat -anp
- To determine whether a sniffer is running on a system (promiscuous mode): ifconfig eth0
- /proc: the fd subdirectory lists all the files a process has opened; cmdline holds the command-line arguments

Slide 51: Miscellaneous
- lsof (list open files): lists processes with all their open files, network ports, current directories, and other filesystem-related information
- An open file can be a regular file, a directory, a library, a stream, or a network socket
- Example, as root: lsof -p PID_of_SSHD
- lsof -i: show all processes with active network ports

Slide 52: Miscellaneous
- ltrace: library call monitoring; ltrace date > /dev/null shows a fragment of a library-call trace of the date command
- strace: system call monitoring; strace date > /dev/null
- sysctl: read/write access to kernel configuration parameters and other data; sysctl -a

Slide 53: Prepare Analysis Machines
- Boot into Knoppix-STD (or your favorite Linux OS with all the right tools): http://en.wikipedia.org/wiki/knoppix_std

Slide 54: A Summary of the Steps in a Unix Investigation
- Review all pertinent logs
- Perform keyword searches
- Review relevant files
- Identify unauthorized user accounts or groups
- Identify rogue processes
- Check for unauthorized access points
- Analyze trust relationships
- Check for kernel module rootkits

Slide 55: Compromising a Unix Host

Slide 56: Typical Attack Host Exploits

Slide 57: Attack Steps
- Target identification
- Intelligence gathering: password sniffing and guessing, compromise of a network service
- Initial compromise
- Privilege escalation: gain root access
- Reconnaissance: attackers perform their own forensic examination, look for security programs, and analyze system and user activities
- Covering the tracks: on a system that is owned, gain administrative access, clean the tracks, and prepare a return path