Embed Size (px)
Citation preview
1
Unix/Linux Forensics
2
Simple Linux Commands
• date – display the date• ls – list the files in the current directory• more – display files one screen at a time• cat – display the contents of a file• wc – displays lines, words, and characters• cp, mv, rm, pwd, mkdir, cd, rmdir, chmod, • head – show the first few lines of a file• file – determine a file type• tail – show the last few lines of a file• cal – display calendar• kill – terminate a running command• lpr – send a job to the printer• grep – searches a file for a specific pattern• chmod – change file permissions• fdisk• mount, cat /etc/fstab• last• ….
3
Basic Concepts
• shell• shell scripts• background and foreground
– &– Ctrl-Z, bg, fg, jobs
• Environment variables– env
• passwd
4
The Linux Filesystem Layout
• The basic layout of the filesystem starts with the root directory.–root directory : this is the base of the file system's tree structure. –/bin : binary files for the OS–/dev : the device files–/etc : system configuration files –/sbin: system administrative binaries–/home : conventional location for users’ home directories. –lost+found : storage for recovered files
5
Commonly used command/concepts
• mount/umount• ls: different options• ln• df• tree• chmod, chown, chgrp• find• tar• gzip• dd• stat
6
Commonly used command/concepts
• cksum– checksum and count the bytes in a file
• sum– checksum and count the blocks in a file
• diff– Provide a list of each line that differs
• strings
7
Commonly used command/concepts
• Every file is managed by a data structure called an inode– File location and size– Owner, permission, – Time of creation, time of last access, time of last
modification– stat
• SUID root– Set user ID
8
Ext2 Inode
http://www.tldp.org/LDP/tlk/fs/filesystem.html
9
Network Information System
/etc/nsswitch.confyppasswd
10
Shared System Files
11
Four basic steps
• Collect• Preserve• Analyze• Present (report)
12
Investigating A Unix Host
• Filesystem integrity-checking program– Tripwire: http://sourceforge.net/projects/tripwire/
• TCT– Examining hacked Unix systems– http://www.porcupine.org/forensics/tct.html
• netcat
13
Order of Volatility
• The more volatile the data is, the more difficult it is to capture, and the less time you have to do it.
• The descending order:– CPU storage– System storage– Kernel Tables– Fixed media– Removable media– Paper printouts
• Table 11-4
14
TCT (1)
• TCT – The Coroner’s Toolkit– http://www.porcupine.org/forensics/
• Mostly perl but some C as well• A STATIC tool!
– e.g. changes to filesystem during analysis will NOT be noticed by TCT
– You MUST isolate the system under investigation
15
TCT (2)
• Four major parts:– grave-robber: captures forensics data– The C-tools (ils, icat, pcat, file, etc)
• pcat – low-level memory utilities: copy process memory– pcat PID
• file: determine file type• icat: copies files by inode number• ils: list inode info (usually removed files)
– lazarus• Lazarus: create structure from unstructured data
– mactime• Report on times of files
16
The C-tools (ils, icat, pcat, file, etc)
• pcat – gathers process memory from live system
• ils – gathers inode information– ./ils /dev/sda6
• icat – copy files using inode information to standard out– ./icat /dev/sda6 1405802 (you can use stat to obtain
the inode number)• file – determine file system type
17
lazarus
• Lazarus – classify raw information for analyzing (brings back info from the dead) – Unallocated datablocks with no referent inode
18
mactime
• Three times on ext f/sys:– Modification time– Access time– Change time
• collects information on all three times for specific files– ./mactime -d /root/download/tct-1.16/bin -y
9/29/2006
19
Be nice to your MAC times
• MAC times are sensitive (to changes within the system)
• Running a single command may change last Access time of a file
• Should grab MACtime info before running any further commands on system.
• You’ll use this info to create a timeline of activity.
20
Sleuth kit
• Expands TCT data • Provides low- and high-level access to Xnix
and Windows f/systems.
21
The Sleuth KitFile system tools
• File System Category• Content Category
– dls –f ext –e –l sda6.img» a: the data unit is allocated» f: the data unit is unallocated
– dcat –f ext sda6.img 23456» View the contents of any data unit
• Metadata category» Include data that describe a file: for example, temporal
information, the addresses of the data units, the size of the file.
» istat –f ext sda6.img 163199 - to get the specific metadata entry
» ils –f ext –e sda6.img - list the details of several metadata structures
» icat –f ext sda6.ima 31 - View the contents of the file based on metadata address instead of its file name
22
The Sleuth Kit
• File Name Category» Includes the data that associates a name with a metadata entry» fls: list file names in a given directory» ffind: list which file name corresponds to a given metadata
address• Application Category
» A file system journal records updates to the file system so thatthe file system can be recovered more quickly after a crash
» jls – list the contents of the journal and show which file system blocks are saved in the journal blocks
• Multiple category» mactime: takes temporal data from fls and ils to produce a
timeline of file activity
23
The Sleuth Kit
– Searching tools• sigfind – find binary signature in a file
– Disk tools• disk_stat
– Volume system tools
24
Autopsy
• Developed to automate the investigation process when TSK is being used
• http://www.sleuthkit.org/autopsy/
25
Capture Filesystem• Imaging utilities
– Wipe out analysis drive• dd if=/dev/zero of=/dev/fd0
– One more example• nc –l –p 10001 > syspect.hdb5.image.1of3&• nc –l –p 10002 > syspect.hdb5.image.2of3&• nc –l –p 10003 > syspect.hdb5.image.3of3&
• dd if =/dev/hdb5 count 2000000 bs=1024 | nc 192.168.0.4 10001 –w 3
• dd if =/dev/hdb5 skip 2000000 count 2000000 bs=1024 | nc192.168.0.4 10002 –w 3
• dd if =/dev/hdb5 skip 4000000 count 2000000 bs=1024 | nc192.168.0.4 10003 –w 3
• cat suspect.image1.10f3 >> suspect.hdb5.image• cat suspect.image2.2of3 >> suspect.hdb5.image• cat suspect.image3.3of3 >> suspect.hdb5.image
26
md5
• Create the hash value of collected data and record it– md5 from tct: md5 /dev/sda6– Verify the image file on the collection host
27
Accessing Captured Filesystems for Examination
• Copy the image into a partition that is the same size as the image (partition cleaned using dd)
• Another approach– mkdir /mnt/suspecthost– mount –t ext2 –o ro, loop=/dev/loop0
suspect.hdb5.image /mnt/suspecthost– Treat it like any other filesystem
28
logs
• /etc/syslog.conf
29
logs
30
logs
• /var/log/secure– authpriv.*
• HTTP– /var/log/httpd/*: grep passwd /var/log/httpd/*
31
Examine Account Information
32
Trust Relationship Configuration Files
33
Invisible Files and Directories
• Find invisible files and directories– find . –type d –name “.*” –print0 | cat –a
• Search SUID root executables– find / -user root –perm -4000 –print0 | xargs -0 ls
-l• Search SGID programs
– find / -perm -2000 –print0 | xargs -0 ls -l
34
Signs of Intrusion in /tmp
35
Verifying crontab and at jobs
36
Signs that an Executable File Deserves a Closer Look
37
Shell and Application History
• sh– .sh_history
• csh– .history
• ksh– .sh_history
• bash– .bash_history
• tcsh– .history
38
Signs of Hostile Processes
39
Levels of System Compromise
40
RootKit
• http://www.securityfocus.com/infocus/1811• Increase privileges• Hide activities
– To manipulate the environment and hide evidence
• Gather information– To extend attacks
• One example– Loadable kernel modules (LKM)– http://www.s0ftpj.org/docs/lkm.htm
41
RootKit Content
42
RootKit Content
43
RootKit Content
44
RootKit Content
45
RootKit Content
46
RootKit Content
47
RootKit Content
48
KSTAT Utility
•Kstat –s: display the system call table
49
Detecting Trojan LKMs on Live System
• Detecting trojan LKMs on a live system– Complicated– These tools intercept system calls.
• Port 2222 is open – default Adore LKM port
50
Miscellaneous
• To determine listing applications associated with open ports– netstat –anp
• To determine whether a sniffer is running on a system (promiscuous mode)– ifconfig eth0
• /proc– fd subdirectory: all the files a process has opened– cmdfile: the command-line argument
51
Miscellaneous
• lsof (list open files)– Lists processes with all their open files, network
ports, current directories, and other file system-related information
– An open file can be a regular file, a directory, a library, a stream, or a network socket.
– Example:• For root user: lsof –p PID_of_SSHD• lsof –i: show all processes with active network ports
52
Miscellaneous• ltrace
– Library call monitoring programs– ltrace date > /dev/null
• Show fragment of a library-call trace of the date command
• strace– System call monitoring– strace date > /dev/null
• sysctl– Read/Write access to kernel configuration parameters and
other data– sysctl -a
53
Prepare Analysis Machines
• Boot into Knoppix-STD (or your favorite Linux OS with all the right tools)
• http://en.wikipedia.org/wiki/Knoppix_STD
54
A Summary of the Steps in a Unix Investigation
• Review all pertinent logs• Perform keyword searches• Review relevant files• Identify unauthorized user accounts or groups• Identify rogue processes• Check for unauthorized access points• Analyze trust relationships• Check for kernel module rootkits
55
Compromising a Unix Host
56
Typical Attack Host Exploits
57
Attack Steps• Target Identification• Intelligence Gathering
– Password sniffing and guessing– Compromise network service
• Initial Compromise• Privilege Escalation
– Gain root access• Reconnaissance
– Attackers perform their own forensic examination– Look for security programs– Analyze system and user activities
• Covering the Tracks– System that is owned
• Gain administrative access, clean the tracks, and prepare a returned path
