Date posted: 21-Dec-2015
Jai, 2004
Incident Response & Computer Forensics
Chapter 6
Live Data Collection from Unix Systems
Information Networking Security and Assurance LabNational Chung Cheng University
Outline
Preface
Obtaining Volatile Data Prior to Forensic Duplication
Performing an In-Depth, Live Response
/proc File System
Preface
Many Unix versions are not backward or forward compatible
Four storage options for the collected data:
Local hard drive
Remote media such as floppy disks, USB drives, or tape drives
Record the data by hand
Forensic workstation over the network
Best time: when all are not online
The minimum information
System date and time
A list of the users who are currently logged on
Time/date stamps for the entire file system
A list of currently running processes
A list of currently open sockets
The applications listening on open sockets
A list of the systems that have current or recent connections to the system
Follow these steps
Execute a trusted shell
Record the system time and date
Determine who is logged on to the system
Record modification, creation, and access times of all files
Determine open ports
List applications associated with open ports
Determine the running processes
List current and recent connections
Record the system time
Record the steps taken
Record cryptographic checksums
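The step sequence above, as an added example that is not from the book or the slides: a minimal collector that runs each step from a trusted toolkit directory, stores every output in a case directory, logs the step with a timestamp and exit status, and finishes by checksumming the outputs. The toolkit path ($2) and the filesystem root to walk ($3) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the book): live-response collector in the chapter's
# step order. Assumes $2 is a directory of trusted binaries (e.g. a mounted
# response CD) and $3 is the filesystem root to walk; both are made up here.

collect_volatile() {
    out="$1"; toolkit="${2:-/mnt/cdrom/bin}"; root="${3:-/}"
    mkdir -p "$out" || return 1
    PATH="$toolkit:$PATH"; export PATH       # trusted tools first (book: PATH=.)
    log="$out/steps.log"; : > "$log"
    step() {   # step NAME CMD ARGS...: run CMD if present, save output, log it
        name="$1"; shift; rc=0
        if command -v "$1" >/dev/null 2>&1; then
            "$@" > "$out/$name.txt" 2>&1 || rc=$?
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $name: $* (exit $rc)" >> "$log"
        else
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $name: SKIPPED, $1 not in PATH" >> "$log"
        fi
    }
    step 01_date_start  date                 # system time and date
    step 02_who         who                  # who is logged on
    step 03_w           w                    # ... and what they are doing
    step 04_mtime       ls -alR "$root"      # modification times
    step 05_atime       ls -alRu "$root"     # access times
    step 06_ctime       ls -alRc "$root"     # inode change times
    step 07_sockets     netstat -an          # open ports, current connections
    step 08_socket_apps lsof -i              # applications on those ports
    step 09_processes   ps -eaf              # running processes
    step 10_recent      last -a              # recent logins (wtmp)
    step 11_date_end    date                 # time again, bounds the collection
    # cryptographic checksums of everything collected; cksum is the fallback
    hasher=cksum
    for h in sha256sum md5sum; do
        command -v "$h" >/dev/null 2>&1 && { hasher="$h"; break; }
    done
    (cd "$out" && "$hasher" *.txt) > "$out/checksums.txt"
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) checksums: $hasher" >> "$log"
    return 0
}
```

Tools missing from the toolkit are logged as skipped rather than silently substituted from the suspect system's PATH, which keeps the steps.log an honest record of what actually ran.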
Executing a trusted shell
Avoid logging in through X Window
Set your PATH equal to dot (.)
Recording the system time and date
The command is shown on the slide.
Who is logged on? The command output shows:
Control terminal: ttyn means a logon at the console; ptsn means a logon over the network
The local starting time of the connection
The time used by all processes attached to that console
The processor time used by the current process, under the WHAT column
Recording file modification, access, and inode change times
Access time (atime)
Modification time (mtime)
Inode change time (ctime)
Applications associated with open ports
In some other Unix-like OSes:
List all running processes and the file descriptors they have open
Recording the steps taken
Command: writes a file that logs the keystrokes you type and their output!!
Another command: history
The files you want to collect
The log files
The configuration files
The other relevant files
Loadable Kernel Module Rootkits
Rootkits: collections of commonly trojaned system processes and scripts that automate many of the actions attackers want to do!!!
LKMs are programs that can be dynamically linked into the kernel after the system has booted up
Loadable Kernel Module Rootkits
Rogue LKMs can lie about the results
LKM rootkits: knark, adore, heroin
When the LKM is installed, the attacker simply sends signal 31 (kill -31) to the process she wants to hide
The important logs you must collect!! Binary log files
The utmp file, accessed with the w utility
The wtmp file, accessed with the last utility
The lastlog file, accessed with the lastlog utility
Process accounting logs, accessed with the lastcomm utility
The important logs you must collect!! ASCII text log files
Web access logs
Xferlog (ftp log)
History log
The important configuration files you want to collect!!
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/hosts.equiv
~/.rhosts
/etc/hosts.allow and /etc/hosts.deny
/etc/syslog.conf
/etc/rc
crontab files
/etc/inetd.conf and /etc/xinetd.conf
Discovering illicit sniffers on Unix systems
Most dangerous:
More widespread than a single system
Have root-level access
What is /proc?
Pseudo-file system
An interface to kernel data structures
Each process has a subdirectory in /proc that corresponds to its PID
The fd subdirectories
0: standard input
1: standard output
2: standard error
The file descriptors that have been opened
The file descriptor that opened a socket
Another socket example!!
Dump system RAM
Two files you should collect: /proc/kmem and /proc/kcore
A technique you can use!!!!!
The command line is changed at runtime! Two parameters:
argc: an integer giving the number of entries in the argv[] array
argv: an array of string values that represent the command-line arguments
Example
tcpdump -x -v -n
argv[0] = tcpdump
argv[1] = -x
argv[2] = -v
argv[3] = -n
strcpy(argv[0], "xterm")
Example 2
The two parameters!
The technique you want to learn!!