Outline: Basics | Live Analysis | Dead Analysis (brief)
Computing forensics: a live analysis
Craig Pearce
April 18th, 2005
Craig Pearce Computing forensics: a live analysis
Outline
1 Basics
2 Live Analysis
3 Dead Analysis (brief)
Objectives
Evidence acquisition
Recovery and examination of suspect digital evidence (think Warrick Brown on CSI)
Hardware: servers, workstations, laptops, PDAs, mobiles, cameras, pagers
Software: databases, e-mail, Internet cookies, bookmarks, deleted files, unallocated space
Considerations
Integrity: must be able to prove data has not been changed to be admissible in court
Chain of custody:
Legal and social responsibilities: Privacy Act (2001), user agreements
Things that can get in the way
Encryption: partitions, files, email, instant-messaging communication
Anonymity: overlay networks, such as Tor
Volatility: memory-resident contents are lost when the machine is rebooted
Unsupported filesystems: many tools yet to support ReiserFS
Live analysis: Scenario
An attack has taken place. You, the investigator, have just arrived on the scene. It is expected that the attacker uses encrypted disk volumes. In any case, the machine contains memory-resident information that will be lost after a power cycle.
Reasoning:
Integrity: changes to the suspect host MAY contaminate evidence and WILL NOT be admissible
Volatility: critical data will be lost (or inaccessible)
May not afford disruption to service
May not litigate but gather info for defence
Forensics 101: Secure the scene
1 Photograph computer screen
2 Record current system time and note this against an accurate time source
3 Begin data acquisition in order of volatility (OOV):
  1 Physical memory, open files, open network connections, swap space
  2 Encrypted file systems where you do not have the key to unlock them
  3 Temporary file systems (/tmp, /proc)
4 Record current system time (why twice?)
5 Message digests of gathered evidence
Now let's look at doing this with Helix!
Helix: Open-Source Forensic Toolkit
Knoppix-based bootable CD-ROM
Features:
NX server for fast remote session management
Can be loaded entirely into RAM (resources permitting) for improved seek times
UnionFS (or Klik) for customisations
Live dumps of Linux/Windows suspected hosts
Tools:
Sleuthkit, Autopsy
PyFLAG, mac-robber
md5deep, Ethereal and MUCH more
URL: http://www.e-fense.com/helix
Set up the scene for data acquisition
Suspect host (Linux or Windows):
1 Load Helix CD-ROM into drive
2 Ensure that your tools do NOT modify the disk!
3 Use IP addresses instead of hostnames (why?)
4 Use trusted CD-ROM binaries only
5 Send acquired data over an encrypted network
Investigator:
1 Boot machine with Helix, loading it into RAM-Disk for faster seek times
2 Start electronic (Unix 'script') and paper-based documentation
Live analysis (1)
Initialise client (suspect host):
  export safe="/mnt/cdrom"
  export nc="$safe/nc -w 3 192.168.1.253 65534"   # trusted netcat, 3 s idle timeout
  $safe/bash                                       # trusted shell
  export PATH=$safe                                # clear path
Initialise server (for each command):
  nc -l -p 65534 >> forensics.data.txt
Files and network connections:
1 $safe/lsof -nDr | $nc           # open files
2 $safe/netstat -nap | $nc        # network connections
3 $safe/netstat -nr | $nc         # routes
4 $safe/ils -o /dev/hdaN | $nc    # deleted & open files
Live analysis (2)
Processes:
1 $safe/ps -leaf | $nc        # solaris: suspect processes
2 $safe/ps -auxl | $nc        # linux: suspect processes
3 $safe/pcat <PID> | $nc      # save PID memory space
Users:
1 $safe/who -iHl | $nc        # active users
2 $safe/tar cf - /proc | $nc  # system info
Live analysis (3)
Swap space (already have /proc/kcore):
1 $safe/dd if=/dev/SWAPdev bs=2k | $nc   # swap space
Encrypted volumes:
1 $safe/dd if=/dev/hdaN bs=2k | $nc      # exact copy
Temporary partition:
1 $safe/dd if=/dev/TMPdev bs=2k | $nc    # temp partition
File access times:
1 $safe/ls -alRu / | $nc   # access times (atime)
2 $safe/ls -alRc / | $nc   # inode change times (ctime)
3 $safe/ls -alR / | $nc    # modification times (mtime)
4 Why not message digest checksums too?
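The acquisition commands above, wrapped so that the "record the time twice" and "message digest" steps from Secure the scene apply to every evidence item. This is an added example in POSIX sh, not code from the slides or from Helix; it assumes $safe holds trusted copies of date, md5sum and mkdir, and spools to a local directory ($evidence_dir) in place of the netcat server.

```shell
#!/bin/sh
# Added example, not from the original slides: wraps each trusted command of the
# live analysis so the "record time twice" and "message digest" steps happen per
# evidence item. Assumed (not in the slides): $evidence_dir is a local spool in
# place of the netcat server; date, md5sum and mkdir are trusted binaries in $safe.
safe="${safe:-/mnt/cdrom}"
evidence_dir="${evidence_dir:-/tmp/forensics}"

utc_now() { "$safe/date" -u +%Y-%m-%dT%H:%M:%SZ; }
md5_of() { d=$("$safe/md5sum" < "$1"); printf '%s\n' "${d%% *}"; }   # digest only

# acquire LABEL CMD [ARGS...]: run CMD from $safe, spool its output to
# $evidence_dir/LABEL.txt and append "label start end status md5" to the manifest.
# A failing command is recorded, not fatal, so the order of volatility keeps flowing.
acquire() {
    label="$1"; cmd="$2"; shift 2
    "$safe/mkdir" -p "$evidence_dir"
    out="$evidence_dir/$label.txt"
    start=$(utc_now); status=0
    "$safe/$cmd" "$@" > "$out" 2>&1 || status=$?
    end=$(utc_now)
    printf '%s %s %s %s %s\n' "$label" "$start" "$end" "$status" "$(md5_of "$out")" \
        >> "$evidence_dir/manifest.txt"
}

# verify_manifest: recompute every digest; exit status is non-zero if any item
# changed since acquisition (the integrity proof the slides ask for).
verify_manifest() {
    bad=0
    while read -r label start end status digest; do
        now=$(md5_of "$evidence_dir/$label.txt")
        if [ "$now" != "$digest" ]; then
            printf 'MISMATCH %s recorded=%s now=%s\n' "$label" "$digest" "$now" >&2
            bad=$((bad + 1))
        fi
    done < "$evidence_dir/manifest.txt"
    [ "$bad" -eq 0 ]
}

# live_acquire: the slides' order-of-volatility sequence, one labelled item each.
live_acquire() {
    acquire open_files lsof -nDr
    acquire net_conns netstat -nap
    acquire routes netstat -nr
    acquire processes ps -auxl
    acquire users who -iHl
}
```

Run live_acquire on the suspect host, then verify_manifest against the copy before any analysis starts.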
Automated Live Analysis
Helix provides a script (linux-ir.sh) that:
pretty much runs the above commands
has its tools output to STDOUT, allowing an easy pipe to the netcat server
is customisable to specific requirements by editing the script
Usage:
1 Insert Helix into the CD-ROM drive of the live system
2 /bin/mount /mnt/cdrom
3 /mnt/cdrom/Static-Binaries/linux-ir.sh | $nc
A few of Helix's statically built binaries are seg-faulting, so a video demonstration of this will have to wait for another day ...
Improvements
Rename trusted commands:
eg rename /mnt/cdrom/pcat to /mnt/cdrom/t-pcat
prevents running a suspected host binary that may be trojaned
preserves MAC times on suspected host files
Use Cryptcat in place of Netcat, or pipe through 'des':
  des -e -c -k pword | nc                   # suspect host
  nc | des -d -c -k pword | dd of=out.txt   # server
GPG gives stronger symmetric key ciphers at a cost of speed and space
Other issues
Requires suspected host to have a working NIC
Server must start an NC receiver for each client NC send request
Large volumes are slow to copy bit-for-bit over an encrypted network
More time spent in Live Analysis increases the risk of modification to physical storage!
Attackers using LKM rootkits
Privacy: depends on the user's 'expectation of privacy'
Privacy: to comply with some legal jurisdictions or personal liberties within multi-user systems:
  $safe/w <UID> instead of $safe/w
  $safe/ps -aux <UID> instead of $safe/ps -aux
Secure the evidence
1 Document and label evidence
2 Transport the evidence
3 Shut down the computers
  Unix (if root): sync; sync; halt
  Unix (else): pull out the power cable
  Windows: pull out the power cable
4 Begin data analysis of volatile data (already acquired)
5 Begin data acquisition and analysis of non-volatile data (physical disk etc.)
Chain of Custody
Dead Analysis
Now it is time for in-depth "after-the-fact" analysis within a laboratory. Don't forget to document the chain of custody for potential evidence!
Helix setup
Server-side
1 Boot up Helix, load contents into RAM (faster seek times)
2 Change passwords for root, helix (default password is blank!)
3 Start FreeNX-server:
nxsetup-knoppix
4 Optionally load additional software with UnionFS or
wget klik.atekon.de/client/install -O - | sh
Client-side
Start NX-client (Unix, Mac, Windows clients available)
Set desktop session type to /usr/bin/startxfce4 to preserve server resources
Begin dead-analysis via your remote desktop
Acquisition: What is wrong here?
Image cloning:
1 Master boot record
  dd if=/dev/hdN of=partition.hdN.mbr count=1 bs=512
2 Partition table
  sfdisk -d /dev/hdN > partition.hdN.pt
3 Partition x of disk N
  partimage -d -b -z1 -o -V700 save /dev/hdNx vol.hdNx.gz
Restoration:
1 dd if=partition.hdN.mbr of=/dev/hdN
2 sfdisk /dev/hdN < partition.hdN.pt
3 partimage -e restore /dev/hdNx vol.hdNx.gz.000
Dead analysis
Some popular tools
Autopsy: graphical front-end to sleuthkit
Sleuthkit: update to The Coroner’s Toolkit (TCT)
PyFLAG: log file analysis for forensics investigations
plenty more...
Techniques
Recover deleted files from unallocated space, slack space, ...
Search for hidden data (steganalysis)
plenty more...
Conclusion
Briefly discussed:
what Helix is, how it can be used
how to perform a live analysis while maintaining the integrity of data
KEY POINT: Ensure forensics tools DO NOT write to the suspected host's hard disk
Further information
Know Your Enemy (2nd Ed). The Honeynet Project, 2004
Incident Response and Computer Forensics. McGraw-Hill, 2003. (Chapter 6)
Questions?