Unix/Linux Forensics Simple Linux Commands - PDF document

SLIDE 1

Unix/Linux Forensics

SLIDE 2

Simple Linux Commands

  • date – display the date
  • ls – list the files in the current directory
  • more – display files one screen at a time
  • cat – display the contents of a file
  • wc – count lines, words, and bytes (characters with -m)
  • cp, mv, rm, pwd, mkdir, cd, rmdir
  • head – show the first few lines of a file
  • file – determine a file type
  • tail – show the last few lines of a file
  • cal – display a calendar
  • kill – terminate a running process
  • lpr – send a job to the printer
  • grep – search a file for a specific pattern
  • chmod – change file permissions
  • fdisk – list and edit partition tables (fdisk -l)
  • mount, cat /etc/fstab – currently mounted filesystems and the configured mounts
  • last – login history from /var/log/wtmp
  • ….
SLIDE 3

Basic Concepts

  • shell
  • shell scripts
  • background and foreground

– & (start in the background), Ctrl-Z (suspend), bg, fg, jobs

  • Environment variables

– env

  • passwd
SLIDE 4

The Linux Filesystem Layout

  • The basic layout of the filesystem starts with the root directory.

– / : the root directory, the base of the file system's tree structure
– /bin : essential binaries for the OS
– /dev : the device files
– /etc : system configuration files
– /sbin : system administrative binaries
– /home : conventional location for users' home directories
– /lost+found : orphaned files and directories recovered by fsck (one per filesystem)

SLIDE 5

Commonly used command/concepts

  • mount/umount
  • ls: different options
  • ln
  • df
  • tree
  • chmod, chown, chgrp
  • find
  • tar
  • gzip
  • dd
  • stat
SLIDE 6

Commonly used command/concepts

  • cksum

– CRC checksum and byte count of a file

  • sum

– checksum and block count of a file

  • diff

– list each line that differs between two files

  • strings

– print the printable character sequences found in a binary file
SLIDE 7

Commonly used command/concepts

  • Every file is managed by a data structure called an inode

– File location (block addresses) and size
– Owner, permissions
– Time of last status change (ctime), time of last access (atime), time of last modification (mtime); ext2/ext3 keep no creation time (ext4 adds crtime)
– stat displays these fields

  • SUID root

– Set user ID: the program runs with the privileges of the file's owner (root) rather than of the user who started it

SLIDE 8

Ext2 Inode

http://www.tldp.org/LDP/tlk/fs/filesystem.html

SLIDE 9

Network Information System

– /etc/nsswitch.conf: which sources (files, NIS, DNS) are consulted for each database, and in which order
– yppasswd: change a user's NIS password

SLIDE 10

Shared System Files

SLIDE 11

Four basic steps

  • Collect
  • Preserve
  • Analyze
  • Present (report)
SLIDE 12

Investigating A Unix Host

  • Filesystem integrity-checking program

– Tripwire: http://sourceforge.net/projects/tripwire/

  • TCT

– Examining hacked Unix systems
– http://www.porcupine.org/forensics/tct.html

  • netcat
SLIDE 13

Order of Volatility

  • The more volatile the data is, the more difficult it is to capture, and the less time you have to do it.
  • The descending order (most volatile first):

– CPU storage (registers, cache)
– System storage (main memory)
– Kernel tables (process table, routing table, ARP cache)
– Fixed media
– Removable media
– Paper printouts

  • Table 11-4
SLIDE 14

TCT (1)

  • TCT – The Coroner's Toolkit

– http://www.porcupine.org/forensics/

  • Mostly perl but some C as well
  • A STATIC tool!

– e.g. changes to the filesystem during analysis will NOT be noticed by TCT
– You MUST isolate the system under investigation

SLIDE 15

TCT (2)

  • Four major parts:

– grave-robber: captures forensic data
– The C-tools (ils, icat, pcat, file, etc.)

  • pcat – low-level memory utility: copy process memory (pcat PID)
  • file: determine file type
  • icat: copies files by inode number
  • ils: list inode info (usually removed files)

– lazarus: create structure from unstructured data
– mactime: report on file times
SLIDE 16

The C-tools (ils, icat, pcat, file, etc)

  • pcat – gathers process memory from a live system

  • ils – gathers inode information

– ./ils /dev/sda6

  • icat – copies a file to standard output by inode number

– ./icat /dev/sda6 1405802 (use stat on a still-linked file, or the ils listing, to obtain the inode number)

  • file – determine file type (TCT ships its own copy of file)
SLIDE 17

lazarus

  • Lazarus – classify raw information for

analyzing (brings back info from the dead)

– Unallocated datablocks with no referent inode

SLIDE 18

mactime

  • Three times on ext file systems:

– Modification time (mtime)
– Access time (atime)
– Change time (ctime: last change to the inode, not creation)

  • collects information on all three times for specific files

– ./mactime -d /root/download/tct-1.16/bin -y 9/29/2006

SLIDE 19

Be nice to your MAC times

  • MAC times are sensitive (to changes within the system)
  • Running a single command may change the last access time of a file
  • Grab MAC time info before running any further commands on the system.
  • You'll use this info to create a timeline of activity.
SLIDE 20

Sleuth kit

  • Expands TCT data
  • Provides low- and high-level access to Unix and Windows file systems.

SLIDE 21

The Sleuth Kit

File system tools

  • File System Category
  • Content Category

– dls -f ext -e -l sda6.img
  » lists every data unit with its allocation status: a = allocated, f = unallocated
– dcat -f ext sda6.img 23456
  » view the contents of any data unit
– (TSK 3.0 renamed dls, dcat and dstat to blkls, blkcat and blkstat; current versions take -f ext2, ext3 or ext4)

  • Metadata category

» Includes the data that describe a file: for example, temporal information, the addresses of the data units, the size of the file
» istat -f ext sda6.img 163199 – display one specific metadata entry
» ils -f ext -e sda6.img – list the details of every metadata structure
» icat -f ext sda6.img 31 – view the contents of a file by its metadata address instead of its file name

SLIDE 22

The Sleuth Kit

  • File Name Category

» Includes the data that associates a name with a metadata entry
» fls: list file names in a given directory
» ffind: find which file name corresponds to a given metadata address

  • Application Category

» A file system journal records updates to the file system so that the file system can be recovered more quickly after a crash
» jls – list the contents of the journal and show which file system blocks are saved in the journal blocks

  • Multiple category

» mactime: takes temporal data from fls and ils to produce a timeline of file activity
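The timeline that slides 18, 19 and 22 describe, built without mactime: this is an added example, not code from the deck or from TCT/TSK. It walks a directory with GNU find's -printf, emits one row per distinct timestamp per file, and marks which of m, a and c fall at that instant, the way mactime's output does for ext2/ext3 (no birth time, so three columns). It assumes GNU findutils, a POSIX awk and sort, and that DIR is the read-only mounted image or a tree copied off the suspect host. Reading a directory updates that directory's atime, so run it once, first, and save the output.

```shell
# mac_timeline DIR : print "epoch flags path" sorted by time. flags is
# three characters, m/a/c where the file's mtime/atime/ctime equals that
# epoch and "." otherwise. Paths containing a tab would break the
# tab-separated intermediate format (a known limitation of this example).
mac_timeline() {
    find "$1" -printf '%T@\tm\t%p\n%A@\ta\t%p\n%C@\tc\t%p\n' |
    awk -F'\t' '
        # key = timestamp + path; remember which of m/a/c hit that key
        { k = $1 "\t" $3; seen[k] = 1; f[k, $2] = 1 }
        END {
            for (k in seen) {
                split(k, p, "\t")
                printf "%s %s%s%s %s\n", p[1],
                    (f[k, "m"] ? "m" : "."),
                    (f[k, "a"] ? "a" : "."),
                    (f[k, "c"] ? "c" : "."), p[2]
            }
        }' | sort -k1,1n
}

# mac_since DIR EPOCH : only the rows at or after EPOCH, i.e. the
# counterpart of mactime's time1 argument (the deck's 9/29/2006)
mac_since() {
    mac_timeline "$1" | awk -v t="$2" '$1 >= t'
}
```

A row reading "..c" with no matching "m" row is the signature of a file whose timestamps were set back with touch (or a utime() call) after the fact: the inode's ctime cannot be set from user space, so it keeps the real time of the tampering.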

SLIDE 23

The Sleuth Kit

– Searching tools

  • sigfind – find a binary signature in a file

– Disk tools

  • disk_stat

– Volume system tools (e.g. mmls, which lists the partition layout of an image)

SLIDE 24

Autopsy

  • Developed to automate the investigation

process when TSK is being used

  • http://www.sleuthkit.org/autopsy/
SLIDE 25

Capture Filesystem

  • Imaging utilities

– Wipe the analysis drive first

  • dd if=/dev/zero of=/dev/fd0

– One more example: image /dev/hdb5 in three pieces over the network. The listeners run on the collection host (192.168.0.4), the dd pipelines on the suspect host; skip= and count= are in bs units. Run dd and nc from trusted static binaries (a response CD), not from the suspect host's own /bin. nc -l -p is traditional-netcat syntax; OpenBSD nc takes nc -l 10001.

  • nc -l -p 10001 > suspect.hdb5.image.1of3 &
  • nc -l -p 10002 > suspect.hdb5.image.2of3 &
  • nc -l -p 10003 > suspect.hdb5.image.3of3 &
  • dd if=/dev/hdb5 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10001
  • dd if=/dev/hdb5 skip=2000000 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10002
  • dd if=/dev/hdb5 skip=4000000 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10003

– Reassemble on the collection host, in order:

  • cat suspect.hdb5.image.1of3 >> suspect.hdb5.image
  • cat suspect.hdb5.image.2of3 >> suspect.hdb5.image
  • cat suspect.hdb5.image.3of3 >> suspect.hdb5.image
SLIDE 26

md5

  • Create the hash value of the collected data and record it

– md5 from TCT: md5 /dev/sda6 (hash the source device on the suspect host)
– Verify the image file on the collection host: its hash must equal the hash of the device; record both in the case notes
– MD5 is no longer collision-resistant; record a SHA-256 alongside it
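The capture of slide 25 and the verification of slide 26 done locally, in a form that can be checked end to end. This is an added example, not code from the deck: it images a device or file in fixed-size chunks with dd (skip= and count= in bs units, exactly as in the deck's lines), reassembles the chunks with cat in order, and proves the result matches the source by hash. It assumes a GNU or BSD dd, sha256sum (or shasum), and util-linux blockdev when the source is a block device; the prefix and chunk sizes are illustrative, and the deck's 2000000-block chunks would be CHUNK_BLOCKS=2000000 here.

```shell
# image_chunks SRC PREFIX CHUNK_BLOCKS BS
# writes PREFIX.1ofN ... PREFIX.NofN and prints N
image_chunks() {
    src=$1; out=$2; cnt=$3; bs=$4
    if [ -b "$src" ]; then
        total=$(blockdev --getsize64 "$src")   # st_size is 0 for a device
    else
        total=$(( $(wc -c < "$src") ))
    fi
    n=$(( (total + cnt * bs - 1) / (cnt * bs) ))   # ceiling division
    i=1
    while [ "$i" -le "$n" ]; do
        dd if="$src" of="$out.${i}of${n}" bs="$bs" \
           skip=$(( (i - 1) * cnt )) count="$cnt" 2>/dev/null
        i=$(( i + 1 ))
    done
    echo "$n"
}

# reassemble PREFIX N DEST : concatenate chunks 1..N, as the deck's cat >> lines do
reassemble() {
    out=$1; n=$2; dest=$3
    : > "$dest"
    i=1
    while [ "$i" -le "$n" ]; do
        cat "$out.${i}of${n}" >> "$dest"
        i=$(( i + 1 ))
    done
}

# hash_of FILE : SHA-256 hex digest (the deck uses md5; record both if MD5 is required)
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# verify_image SRC DEST : succeed only when source and image hash the same
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}
```

On a real capture, hash_of is run against the device on the suspect host before imaging and against the reassembled image on the collection host; the last chunk being short is expected (it holds whatever remains of the device), and a short chunk anywhere else means a dropped nc connection.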

SLIDE 27

Accessing Captured Filesystems for Examination

  • Copy the image into a partition that is the same size as the image (partition cleaned using dd)

  • Another approach

– mkdir /mnt/suspecthost
– mount -t ext2 -o ro,loop=/dev/loop0 suspect.hdb5.image /mnt/suspecthost
  (no space after the comma; for ext3/ext4 images add noload so the journal is not replayed on mount, and noexec so nothing in the image can be executed)
– Treat it like any other filesystem

SLIDE 28

logs

  • /etc/syslog.conf
SLIDE 29

logs

SLIDE 30

logs

  • /var/log/secure

– authpriv.* (the syslog selector that routes authentication messages there; Debian-derived systems use /var/log/auth.log)

  • HTTP

– /var/log/httpd/*: grep passwd /var/log/httpd/* (requests that tried to fetch /etc/passwd, a common sign of a path-traversal or CGI attack)
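The grep of the slide, widened into a small triage over Apache/Nginx combined-format access logs: an added example, not from the deck. It pulls the requests that reach for passwd or use ../ traversal (raw and URL-encoded), then counts them per client address so the noisiest source is examined first. The log lines in the test are constructed for the example; the pattern list is a starting point, not a complete attack signature set.

```shell
# suspicious_requests LOGFILE... : print the matching log lines
suspicious_requests() {
    grep -iE 'passwd|\.\./|%2e%2e(%2f|/)' "$@"
}

# offenders LOGFILE... : "count ip" per client, most active first
# (in the combined log format the client address is the first field)
offenders() {
    suspicious_requests "$@" |
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# hits LOGFILE... : number of suspicious requests across the given logs
hits() {
    suspicious_requests "$@" | wc -l | tr -d ' '
}
```

A 200 on a traversal request (as opposed to a 403 or 404) is the line to chase: it means the server actually returned something for the path.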

SLIDE 31

Examine Account Information

SLIDE 32

Trust Relationship Configuration Files

SLIDE 33

Invisible Files and Directories

  • Find invisible files and directories (names starting with ".", or containing spaces or control characters, e.g. ". " or "..^M")

– find . -type d -name ".*" -print0 | cat -A

  • Search SUID root executables

– find / -user root -perm -4000 -print0 | xargs -0 ls -l

  • Search SGID programs

– find / -perm -2000 -print0 | xargs -0 ls -l
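The three find commands of the slide wrapped so their output can be checked: an added example, not from the deck. Names an intruder hides (a leading dot, embedded whitespace, control characters) are printed through cat -vet so the odd bytes and the line end are visible (cat -A is GNU's synonym), and set-uid or set-gid files are listed with owner and mode. It assumes a POSIX find; ROOT is the mounted image or / on a live system. -exec ... {} + replaces the slide's xargs -0 because GNU xargs runs ls -l on the current directory when find produces nothing.

```shell
# hidden_names ROOT : paths whose final component starts with "." or
# contains a space or a control character, one per line, with
# non-printing bytes shown as ^X / M-X and "$" marking the line end
hidden_names() {
    find "$1" ! -path "$1" \
        \( -name '.*' -o -name '* *' -o -name '*[[:cntrl:]]*' \) -print |
    cat -vet
}

# suid_sgid_files ROOT : set-uid or set-gid regular files as ls -l shows
# them; -xdev stays on one filesystem so /proc and other mounts are skipped
suid_sgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} +
}

# unexpected_suid ROOT BASELINE : set-uid/set-gid paths not in BASELINE,
# a file of known-good paths (one per line) taken from a clean install
unexpected_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    sort | comm -23 - "$2"
}
```

The baseline comparison is what makes the SUID search useful on a large system: the interesting entries are the ones the distribution did not install, not the dozens it did.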

SLIDE 34

Signs of Intrusion in /tmp

SLIDE 35

Verifying crontab and at jobs

SLIDE 36

Signs that an Executable File Deserves a Closer Look

SLIDE 37

Shell and Application History

  • sh

– .sh_history

  • csh

– .history

  • ksh

– .sh_history

  • bash

– .bash_history

  • tcsh

– .history

  • A history file that is missing, empty, or a symlink to /dev/null (check with ls -l) is itself a finding; an intruder can also unset HISTFILE for the session so nothing is written at all

SLIDE 38

Signs of Hostile Processes

SLIDE 39

Levels of System Compromise

SLIDE 40

RootKit

  • http://www.securityfocus.com/infocus/1811
  • Increase privileges
  • Hide activities

– To manipulate the environment and hide evidence

  • Gather information

– To extend attacks

  • One example

– Loadable kernel modules (LKM)
– http://www.s0ftpj.org/docs/lkm.htm

SLIDE 41

RootKit Content

SLIDE 42

RootKit Content

SLIDE 43

RootKit Content

SLIDE 44

RootKit Content

SLIDE 45

RootKit Content

SLIDE 46

RootKit Content

SLIDE 47

RootKit Content

SLIDE 48

KSTAT Utility

  • kstat -s: display the system call table (an entry whose address differs from the one in System.map points at a hooked system call)
SLIDE 49

Detecting Trojan LKMs on Live System

  • Detecting trojan LKMs on a live system

– Complicated
– These tools intercept system calls, so the output of ls, ps and netstat on the live system cannot be trusted

  • Port 2222 is open – default Adore LKM port
SLIDE 50

Miscellaneous

  • To determine the listening applications associated with open ports

– netstat -anp (ss -anp on current systems)

  • To determine whether a sniffer is running on a system (promiscuous mode)

– ifconfig eth0 (look for the PROMISC flag; ip link show eth0 on current systems)

  • /proc

– fd subdirectory: all the files a process has opened (/proc/PID/fd)
– cmdline: the command line the process was started with (/proc/PID/cmdline)

SLIDE 51

Miscellaneous

  • lsof (list open files)

– Lists processes with all their open files, network ports, current directories, and other file-system-related information
– An open file can be a regular file, a directory, a library, a stream, or a network socket.
– Example:

  • For the root user: lsof -p PID_of_SSHD
  • lsof -i: show all processes with active network ports
SLIDE 52

Miscellaneous

  • ltrace

– Library call monitoring program
– ltrace date > /dev/null

  • Shows a library-call trace of the date command
  • strace

– System call monitoring
– strace date > /dev/null

  • sysctl

– Read/write access to kernel configuration parameters and other data
– sysctl -a

SLIDE 53

Prepare Analysis Machines

  • Boot into Knoppix-STD (or your favorite

Linux OS with all the right tools)

  • http://en.wikipedia.org/wiki/Knoppix_STD
SLIDE 54

A Summary of the Steps in a Unix Investigation

  • Review all pertinent logs
  • Perform keyword searches
  • Review relevant files
  • Identify unauthorized user accounts or groups
  • Identify rogue processes
  • Check for unauthorized access points
  • Analyze trust relationships
  • Check for kernel module rootkits
SLIDE 55

Compromising a Unix Host

SLIDE 56

Typical Attack Host Exploits

SLIDE 57

Attack Steps

  • Target Identification
  • Intelligence Gathering

– Password sniffing and guessing
– Compromise a network service

  • Initial Compromise
  • Privilege Escalation

– Gain root access

  • Reconnaissance

– Attackers perform their own forensic examination
– Look for security programs
– Analyze system and user activities

  • Covering the Tracks

– System that is owned

  • Gain administrative access, clean the tracks, and prepare a return path