COEN 250 Computer Forensics: Unix System Live Response

Creating a Response Toolkit
Toolkits depend on the OS.
Often, tools need to be compiled from source.
Many Unix versions are not compatible with each other.

Creating a Response Toolkit
Tools on the compromised system are often Trojaned, much more so than on Windows machines.
Statically link the tools, so they do not depend on shared libraries of the (possibly Trojaned) system.
http://www.incident-response.org

Store information
On the local hard drive.
On remote media (floppies, USB, tape).
Record information by hand.
Use netcat or cryptcat to transfer it to a forensic workstation over the network.

Collecting Data before a Forensic Duplication
System date and time.
Currently logged-on users.
Time/date stamps for the entire file system.
List of currently open sockets.
Applications listening on these sockets.
List of recent connections.

Collecting Data before a Forensic Duplication: Create a trusted shell
Exit X-windows or any other GUI.
Log on with root privileges.
Mount the floppy: mount /dev/fd0 /mnt/floppy
Run the shell from the floppy (bash).
Set the path to . (dot), so that only the trusted tools on the floppy are found.

Collecting Data before a Forensic Duplication
Use "date" for the time.
Use "w" for current users.
Use ls recursively (-R) to record access, change and modification times, starting at /:
ls -alRu / > floppy/atime
ls -alRc / > floppy/ctime
ls -alR / > floppy/mtime

Collecting Data before a Forensic Duplication: Alternative
find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"

Collecting Data before a Forensic Duplication: Find open TCP / UDP ports
Goal: find open backdoors.
Use "netstat -an" to view all open ports.
Use "netstat -anp" (on Linux) to list all applications associated with open ports.
Check the normal use of open ports: www.portsdb.org (currently down), http://logs.sofaware.com/resolveport/?portnumber=80&protocol=TCP
Use the "lsof" (list open files) utility, as in "lsof -i -D r".

Collecting Data before a Forensic Duplication
Take a snapshot of all running processes:
ps -eaf on Solaris
ps -aux on FreeBSD and Linux

Collecting Data before a Forensic Duplication: Open Files
lsof

Collecting Data before a Forensic Duplication: Internal Routing Table
netstat -rn
Goal: find evidence of a man-in-the-middle attack.

Collecting Data before a Forensic Duplication: Loaded Kernel Modules
Loadable kernel modules used to be the standard way to install a rootkit.
Use the lsmod command.
Warning: Knark and other loadable kernel module rootkits will subvert this program.

Collecting Data before a Forensic Duplication: Mounted File Systems
df command
Example: mounted NFS shares can be used by an intruder to transfer data.

Collecting Data before a Forensic Duplication: System version and patch level
uname -a

Collecting Data before a Forensic Duplication: Obtain all system logs
/var/run/utmp: log of the currently logged-on users. Warning: tools like "zap2" (http://www.packetstormsecurity.com/) delete these entries.
/var/log/wtmp: history of logins.
Syslog logs: their locations are listed in syslog.conf.

Collecting Data before a Forensic Duplication: User accounts
Look for evidence of backdoors in the password files (/etc/passwd).
For suspicious users, check the user's history files.

Collecting Data before a Forensic Duplication
Obtain important config files.
Dump system RAM: often available via /proc/kmem or /proc/kcore. Use it for keyword searches.

Collecting Data before a Forensic Duplication: Suspicious files
Assume the attacker runs a binary such as datapipe and then deletes it.
As long as the process runs, its binary is still kept in the /proc file system; /proc does not exist on the hard drive.
To collect the binary image of process pid 1234: change into /proc/1234 and copy exe to the forensics workstation using cat and netcat.
The fd directory contains all open files for a particular process.

Collecting Data before a Forensic Duplication
Take the date again.
Record all steps (script, history).
Record MD5 sums to prevent challenges that the data was changed.
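The collection steps above as one POSIX shell script, written here as an added example and not taken from the slides or the course. It assumes a mounted toolkit directory (TRUSTED), that "nc" is netcat, and a placeholder workstation host and port; the single find pass replaces the three ls -alR runs.

```shell
#!/bin/sh
# Added example (not from the slides): collect the volatile data in the order the
# slides give, using a statically linked toolkit and hashing every output file so
# that later claims of altered data can be answered.
# Assumptions: TRUSTED is the mounted toolkit (floppy/USB), "nc" is netcat, and
# the workstation host/port are placeholders supplied by the caller.
TRUSTED="${TRUSTED:-/mnt/floppy/bin}"

# run_trusted TOOL ARGS...: run TOOL from the toolkit; fall back to the system
# copy only if the toolkit lacks it, and say so, since that copy may be Trojaned.
run_trusted() {
    tool="$1"; shift
    if [ -x "$TRUSTED/$tool" ]; then
        "$TRUSTED/$tool" "$@"
    else
        echo "WARNING: $tool not in toolkit, using system copy" >&2
        command "$tool" "$@"
    fi
}

# collect_volatile OUTDIR [ROOT]: one file per artefact, then MD5SUMS. ROOT
# (default /) is the tree whose MAC times are recorded; -xdev stays on one file
# system, so repeat for each mount listed by df.
collect_volatile() {
    out="$1"; root="${2:-/}"
    mkdir -p "$out"
    run_trusted date         > "$out/date-start"
    run_trusted w            > "$out/users"       2>/dev/null || true
    # one find pass replaces the three ls -alR runs (atime, ctime, mtime)
    run_trusted find "$root" -xdev \
        -printf '%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n' > "$out/mactimes" 2>/dev/null || true
    run_trusted netstat -anp > "$out/netstat-anp" 2>/dev/null || true
    run_trusted lsof -i -D r > "$out/lsof-i"      2>/dev/null || true
    run_trusted ps aux       > "$out/ps"          2>/dev/null || true
    run_trusted netstat -rn  > "$out/routes"      2>/dev/null || true
    run_trusted lsmod        > "$out/lsmod"       2>/dev/null || true
    run_trusted df           > "$out/df"          2>/dev/null || true
    run_trusted uname -a     > "$out/uname"       2>/dev/null || true
    run_trusted date         > "$out/date-end"
    for f in "$out"/*; do                 # hash everything except the hash file
        if [ "$f" != "$out/MD5SUMS" ]; then run_trusted md5sum "$f"; fi
    done > "$out/MD5SUMS"
}

# verify_hashes OUTDIR: succeed only if every collected file still matches.
verify_hashes() { run_trusted md5sum -c "$1/MD5SUMS" >/dev/null 2>&1; }

# ship OUTDIR HOST PORT: stream the evidence to a netcat listener on the
# workstation (there: nc -l -p PORT > evidence.tar). Not invoked here.
ship() { tar cf - -C "$1" . | nc "$2" "$3"; }
```

Run as root from the trusted shell, e.g. collect_volatile /mnt/floppy/case01, then ship /mnt/floppy/case01 WORKSTATION PORT; run verify_hashes later to answer any challenge that the collected data changed.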

Rootkits   Rootkits: tools to acquire and keep root access.

File Level Rootkits: Trojan      login ps find who netstat

Rootkits    Trojaned login  Works as designed.

 But lets one special username in.

Trojaned who   Works as designed.

But does not display the user with the special username.

Provides access and protection

Rootkits   Use Tripwire to detect system file alterations.

Use trusted forensics tool to find file level rootkits.

Rootkits   Kernel-Level Rootkits   Create their own kernel.

That is, let users live in a virtual reality that they created.

Loadable Kernel Modules (LKM)   Supported by Linux, Solaris, etc.

Allow to add modules to the kernel.

Rootkits   Rogue LKM can intercept system commands.

Tripwire will not help, system files are still there and unchanged.

Rootkits  Knark    To hide a process, send kill -31.

Knark LKM takes care of the rest.

Forensically sound tools are not circumvented, though.

Rootkits  Detection   Look for inconsistencies in the data Example:  lsof output contains file /tmp/.kde

  find does not list /tmp/.kde

Discrepancy is strong hint at existence of a rootkit set to hide /tmp/.kde
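The lsof-versus-find cross-check above, automated as an added example (not code from the slides). It assumes the lsof side was captured with "lsof -F n" (field output: one "p<pid>" line per process followed by "n<path>" lines for its open files) and the find side with a plain "find / -print"; the sample data is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the slides): automate the lsof-versus-find cross-check.
# LSOF is the output of "lsof -F n" (one "p<pid>" line per process followed by
# "n<path>" lines for its open files); FIND is a plain "find / -print" listing.
# Both must come from the trusted toolkit, or the rootkit filters them as well.

# hidden_candidates LSOF FIND: print "<pid><TAB><path>" for every file a process
# holds open that the directory walk never reported.
hidden_candidates() {
    awk -v FIND="$2" '
        BEGIN { while ((getline line < FIND) > 0) seen[line] = 1 }
        /^p/   { pid = substr($0, 2) }           # new process record
        /^n\// { path = substr($0, 2)            # open file with absolute path
                 if (!(path in seen)) print pid "\t" path }
    ' "$1"
}

# write_samples DIR: constructed sample output, not captured from a real system.
# pid 1234 holds /tmp/.kde/.x open, but find never saw anything under /tmp/.kde.
write_samples() {
    cat > "$1/lsof.txt" <<'EOF'
p1234
cbash
f3
n/tmp/.kde/.x
f5
nTCP *:80 (LISTEN)
p42
csyslogd
f7
n/var/log/wtmp
EOF
    cat > "$1/find.txt" <<'EOF'
/tmp
/var
/var/log
/var/log/wtmp
EOF
}

# demo: run the check on the samples and print the suspicious entries
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    hidden_candidates "$dir/lsof.txt" "$dir/find.txt"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the samples, the only line printed is pid 1234 with /tmp/.kde/.x; on a live system, feed it the two listings collected with the trusted tools.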

Sniffers     Used to capture network traffic Payload are unencrypted login procedures Payload are email messages …

Sniffers     Ethernet card needs to be in promiscuous mode for sniffing.

Use ifconfig –i eth0 Look for keyword PROMISC Use lsof to find large output files