Jai, 2004. Incident Response & Computer Forensics, Chapter 6: Live Data Collection from Unix Systems. Information Networking Security and Assurance Lab, National Chung Cheng University.


Page 1: Incident Response & Computer Forensics

Jai, 2004

Incident Response & Computer Forensics

Chapter 6

Live Data Collection from Unix Systems

Information Networking Security and Assurance Lab, National Chung Cheng University

Page 2: Incident Response & Computer Forensics

Outline

- Preface
- Obtaining Volatile Data Prior to Forensic Duplication
- Performing an In-Depth, Live Response
- /proc File System

Page 3: Incident Response & Computer Forensics

Outline (current section: Preface)

Page 4: Incident Response & Computer Forensics

Preface

Many Unix versions are not backward or forward compatible.

Four storage options:
- Local hard drive
- Remote media such as floppy disks, USB drives, or tape drives
- Record by hand
- Forensic workstation over the network

Best time: all are not online

Page 5: Incident Response & Computer Forensics

Outline (current section: Obtaining Volatile Data Prior to Forensic Duplication)

Page 6: Incident Response & Computer Forensics

The minimum information

- System date and time
- A list of the users who are currently logged on
- Time/date stamps for the entire file system
- A list of currently running processes
- A list of currently open sockets
- The applications listening on open sockets
- A list of the systems that have current or recent connections to the system

Page 7: Incident Response & Computer Forensics

Follow these steps:
1. Execute a trusted shell
2. Record the system time and date
3. Determine who is logged on to the system
4. Record modification, creation, and access times of all files
5. Determine open ports
6. List applications associated with open ports
7. Determine the running processes
8. List current and recent connections
9. Record the system time
10. Record the steps taken
11. Record cryptographic checksums
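The eleven steps above as one collector script, added here as an example and not taken from the slides or the book. It assumes a trusted toolkit directory (the hypothetical /mnt/cdrom/bin) and an output directory on the response media; the tool names follow the later slides (date, w, netstat, lsof, ps, last).

```sh
#!/bin/sh
# Added example, not from the slides: a minimal live-response collector that
# follows the eleven steps above. PATH is restricted to a trusted toolkit
# directory (the hypothetical /mnt/cdrom/bin), each result goes to its own
# file on the response media, and a SHA-256 manifest closes the run (step 11).
# Run it under `script` so keystrokes and output are captured too (step 10).

# step NAME CMD... : run one command with the trusted tools, log the UTC time,
# the command and its exit status; never abort, a missing tool is just noted.
step() {
    name=$1; shift
    printf '### %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$OUT/steps.log"
    if "$@" > "$OUT/$name.txt" 2>> "$OUT/steps.log"; then rc=0; else rc=$?; fi
    printf 'exit=%s\n' "$rc" >> "$OUT/steps.log"
}

# sha FILES... : sha256sum where available (GNU), shasum elsewhere (BSD/macOS)
sha() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# collect OUTDIR TRUSTED_BIN [ROOT] : OUTDIR must not be on the suspect disk,
# writing there would alter the evidence you are about to duplicate.
collect() {
    OUT=$1; root=${3:-/}
    mkdir -p "$OUT" || return 1
    PATH=$2; export PATH                             # step 1: trusted tools only
    step date-start     date                         # step 2
    step logged-on      w                            # step 3
    step mac-times      find "$root" -xdev -printf '%p mtime=%T@ atime=%A@ ctime=%C@\n'  # step 4 (GNU find)
    step open-ports     netstat -an                  # step 5
    step port-apps      netstat -anp                 # step 6, Linux, needs root
    step port-apps-lsof lsof -i                      # step 6 on other Unix-likes
    step processes      ps -eaf                      # step 7, STIME = start time
    step connections    last -a                      # step 8
    step date-end       date                         # step 9
    (cd "$OUT" && sha ./*.txt steps.log > manifest.sha256)   # step 11
}

# verify OUTDIR : on the forensic workstation, confirm the copies are intact.
verify() {
    (cd "$1" && sha -c manifest.sha256 > /dev/null 2>&1)
}
```

Typical use on the suspect host is `collect /mnt/usb/ir-$(hostname) /mnt/cdrom/bin`; steps.log records which tools were missing or failed, and verify exits non-zero if any collected file was altered afterwards.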

Page 8: Incident Response & Computer Forensics

Executing a trusted shell

Avoid logging in through X Window. Set your PATH equal to dot (.), so that only the trusted tools in the current directory are executed.

Page 9: Incident Response & Computer Forensics

Recording the system time and date

Command: date (screenshot)

Page 10: Incident Response & Computer Forensics

Who is logged on? The w command

- Control terminal: ttyN is a logon at the console; ptsN is a logon over the network
- The local starting time of the connection
- The time used by all processes attached to that console
- The processor time used by the current process, the one shown under the WHAT column

Page 11: Incident Response & Computer Forensics

Recording file modification, access, and inode change times

- Access time (atime)
- Modification time (mtime)
- Inode change time (ctime)

Page 12: Incident Response & Computer Forensics

Access time (atime)

$ man ls (screenshot)

Page 13: Incident Response & Computer Forensics

Inode change time (ctime)

$ man ls (screenshot)

Page 14: Incident Response & Computer Forensics

Modification time (mtime) (screenshot)

Page 15: Incident Response & Computer Forensics

Determine which ports are open

Command: netstat -an (screenshot)

Page 16: Incident Response & Computer Forensics

Applications associated with open ports

Command: netstat -anp (screenshot)

You must be root!!!!

The PID/Program name column shows the process behind each port

Page 17: Incident Response & Computer Forensics

Applications associated with Open Ports

In some other Unix-like OSes: lsof

Lists all running processes and the file descriptors they have open

Page 18: Incident Response & Computer Forensics

Determine the running processes

Command: ps (screenshot)

The output indicates when each process began

Page 19: Incident Response & Computer Forensics

Recording the steps taken

Command: script. It creates a file that logs the keystrokes you type and their output!!

Another command: history

Page 20: Incident Response & Computer Forensics

Outline (current section: Performing an In-Depth, Live Response)

Page 21: Incident Response & Computer Forensics

The files you want to collect

- The log files
- The configuration files
- The other relevant files

Page 22: Incident Response & Computer Forensics

Loadable Kernel Module Rootkits

Rootkits: collections of commonly trojaned system processes and scripts that automate many of the actions attackers want to do!!!

LKMs are programs that can be dynamically linked into the kernel after the system has booted up

Page 23: Incident Response & Computer Forensics

Loadable Kernel Module Rootkits

Rogue LKMs can lie about the results.

LKM rootkits: knark, adore, heroin

When the LKM is installed, the attacker simply sends signal 31 (kill -31) to the process she wants to hide

Page 24: Incident Response & Computer Forensics

The important logs you must collect!! Binary log files

- The utmp file, accessed with the w utility
- The wtmp file, accessed with the last utility
- The lastlog file, accessed with the lastlog utility
- Process accounting logs, accessed with the lastcomm utility

Page 25: Incident Response & Computer Forensics

The important logs you must collect!! ASCII text log files

- Web access logs
- xferlog (ftp log)
- History log

Page 26: Incident Response & Computer Forensics

The important configuration files you want to collect!!

- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/hosts
- /etc/hosts.equiv
- ~/.rhosts
- /etc/hosts.allow and /etc/hosts.deny
- /etc/syslog.conf
- /etc/rc
- crontab files
- /etc/inetd.conf and /etc/xinetd.conf

Page 27: Incident Response & Computer Forensics

Discovering illicit sniffers on Unix systems

Most dangerous:
- More widespread than a single system
- Have root-level access

Page 28: Incident Response & Computer Forensics

Discovering illicit sniffers on Unix systems

No sniffers (screenshot)

Sniffers on your system (screenshot)

Page 29: Incident Response & Computer Forensics

Outline (current section: /proc File System)

Page 30: Incident Response & Computer Forensics

What is /proc?

A pseudo-file system: an interface to kernel data structures.

Each process has a subdirectory in /proc that corresponds to its PID

Page 31: Incident Response & Computer Forensics

Example

Start an executable file (screenshot)

Note its PID

Go into the /proc subdirectory for that PID

The command you executed

Page 32: Incident Response & Computer Forensics

The fd subdirectory

- 0: standard input
- 1: standard output
- 2: standard error
- Further entries: the file descriptors the process has opened
- A file descriptor opened on a socket

Another socket example!! (screenshot)
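The /proc walk on the last three slides, together with the process hiding described on the LKM rootkit slides, as an added shell example that is not from the slides: /proc is read directly as a second source of truth for the process table, and a suspect PID is described through its cmdline, exe link and fd entries.

```sh
#!/bin/sh
# Added example, not from the slides: use /proc as an independent view of the
# process table. A process hidden from ps by an LKM rootkit may still have its
# /proc/<PID> directory, so compare the two lists, then inspect the suspect
# PID's cmdline, exe link and open file descriptors (sockets included).

# pids_from_proc : every numeric entry under /proc, one per line
pids_from_proc() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# hidden_pids : PIDs present in /proc but absent from `ps -e`.
# A process can exit between the two snapshots, so a PID is reported only if
# it is still in /proc and still absent from ps on a second look.
hidden_pids() {
    snap=$(ps -e -o pid= | tr -d ' ')
    for pid in $(pids_from_proc); do
        printf '%s\n' "$snap" | grep -qx "$pid" && continue
        [ -d "/proc/$pid" ] || continue                          # it just exited
        ps -e -o pid= | tr -d ' ' | grep -qx "$pid" && continue  # second look
        echo "$pid"
    done
}

# describe_pid PID : the command line (NUL-separated in /proc), the executable
# behind it, and each fd with its target, as on the slides' fd walk:
# 0/1/2 are stdin/stdout/stderr, "socket:[inode]" marks an open socket.
describe_pid() {
    pid=$1
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    printf 'exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    for fd in /proc/"$pid"/fd/*; do
        printf 'fd %s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)"
    done
}
```

Run hidden_pids as root, since /proc/<PID>/exe and fd of other users' processes are otherwise unreadable; a non-empty result deserves a describe_pid before any further action on the host.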

Page 33: Incident Response & Computer Forensics

Dump system RAM

Two files you should collect: /proc/kmem and /proc/kcore

Page 34: Incident Response & Computer Forensics

A technique you can use!!!!

The command line is changed at runtime! Two parameters:

- argc: an integer representing the number of entries in the argv[] array
- argv: an array of string values that represent the command-line arguments

Page 35: Incident Response & Computer Forensics

Example

tcpdump -x -v -n
argv[0] = tcpdump
argv[1] = -x
argv[2] = -v
argv[3] = -n

strcpy(argv[0], "xterm")

Page 36: Incident Response & Computer Forensics

Example 2

The two parameters! (screenshot)

Page 37: Incident Response & Computer Forensics

Example 2

The technique you want to learn!! (screenshot)

Page 38: Incident Response & Computer Forensics

Example 2

Succeed ^_^ (screenshot)
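Example 2 shows the argv[0] rewrite succeeding. As an added shell example that is not from the slides, the following check takes the responder's side: overwriting argv[0] changes what ps and /proc/<PID>/cmdline report, but not the /proc/<PID>/exe link, which the kernel resolves from the binary actually running, so the two can be compared. The sample inputs in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the slides: detect a process whose argv[0] was
# rewritten (tcpdump posing as "xterm") by comparing the name it claims in
# /proc/<PID>/cmdline with the executable behind /proc/<PID>/exe.

# argv0_consistent ARGV0 EXE_PATH : returns 0 when the claimed program name
# matches the basename of the executable, 1 otherwise. Login shells prefix
# argv[0] with "-" (-bash), which is stripped before comparing.
argv0_consistent() {
    claimed=${1##*/}                 # "/usr/bin/xterm" -> xterm
    claimed=${claimed#-}             # "-bash" -> bash
    actual=${2##*/}
    [ "$claimed" = "$actual" ]
}

# scan_argv0 : print "PID claimed actual" for every process whose argv[0]
# does not match its exe. Run as root, otherwise only your own processes are
# readable. Interpreters reached through symlinks (sh -> dash) and binaries
# whose exe ends in " (deleted)" are legitimate mismatches that need review.
scan_argv0() {
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue    # kernel thread or no access
        argv0=$(tr '\0' '\n' < "$dir/cmdline" 2>/dev/null | head -n 1)
        [ -n "$argv0" ] || continue
        argv0_consistent "$argv0" "$exe" || echo "$pid $argv0 $exe"
    done
}
```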