
Bone Collection The Art of Computer Forensics Suraj V. Shankar Yukthi Systems (P) Ltd.


Presentation Transcript


  1. Bone Collection The Art of Computer Forensics Suraj V. Shankar Yukthi Systems (P) Ltd. surajvshankar@yahoo.com

  2. Computer forensics ...
     • Who
       • System administrators
       • A relative neophyte in Linux forensic security
     • Why
       • Security threats are rampant
       • Computer break-ins have expensive business and legal repercussions
       • To be able to create the right defenses for the future
       • To help identify attack patterns and possibly the attackers
     • What
       • Tools available
       • Recommended techniques

  3. Life-cycle of an incident

  4. OOV (Order Of Volatility), RFC 3227
     • Registers & caches
     • Network information
     • Temporary FS
     • Remote logging and monitoring data
     • Physical configuration
     • Archival media

  5. Heisenberg's Principle of System Analysis
     • The more exactly we measure the state of a machine, the more we disturb the machine, and its state becomes that much less certain.
     • As the system cannot be frozen in time (apmd/VMware/User-mode Linux?), the credibility of the investigation hinges on the ability to collect as much information as possible in a short period of time, and then to ensure the integrity of the information that is collected.
     • The real Principle of Uncertainty, by Werner Heisenberg, says that the exact location of a quantum particle cannot be measured unless the velocity of the particle is disturbed, after which the measured value is no longer the exact position of the particle.

  6. Case study ...
     • The victim: the compromised host, got_root
     • The hunter: the host used for data collection, try_me
       • Freshly installed machine
       • Hardened/firewalled machine
       • Has device entries in /etc/fstab, not volume labels
       • Does not run an antivirus
     Preliminaries ...
     • Photograph the console
     • Take notes, preferably using an out-of-band device; notebook, pen?

  7. Stages in the Incident Analysis Phase
     • Live system analysis: the real challenge
       • Is it recommended?
       • What are the tools available (on Linux)?
       • Order of collection
     • Corpse analysis
       • F/OSS tools available?
       • Mention of acclaimed closed-source alternatives

  8. Preliminaries to a Live system analysis
     • Data stuffing (the listener on the collection host is started first; all binaries on got_root come from the trusted CD-ROM):
         try_me$ nc -p 6666 -l > file
         got_root# /mnt/cdrom/bin/cat data | /mnt/cdrom/usr/bin/nc -w 3 try_meIP 6666
     • Do have a bash ...
         got_root# /mnt/cdrom/bin/bash

  9. Magic SysRq key enabled kernel?
     • echo "1" > /proc/sys/kernel/sysrq
     • And then ...
     • ALT + SysRq + m
       • Will dump current memory info to your console.
     • ALT + SysRq + t
       • Will dump a list of current tasks and their information to your console.
     • ALT + SysRq + i
       • Sends a SIGKILL to all processes, except for init.
     • ALT + SysRq + 0 to ALT + SysRq + 9
       • Sets the console log level

  10. Output from a SysRq-ed process dump
        cupsd         S C03BA280    64 17946      1          2357 (NOTLB)
        Call Trace:   [<c012d99d>] schedule_timeout [kernel] 0x5d (0xf27f3eec))
                      [<c012d930>] process_timeout [kernel] 0x0 (0xf27f3f0c))
                      [<c020571c>] sock_poll [kernel] 0x2c (0xf27f3f10))
                      [<c016576d>] do_select [kernel] 0x12d (0xf27f3f24))
                      [<c0165c0e>] sys_select [kernel] 0x34e (0xf27f3f60))
                      [<c01098cf>] system_call [kernel] 0x33 (0xf27f3fc0))
        pickup        S C03B9880  2148 26844    898           906 (NOTLB)
        Call Trace:   [<c012d99d>] schedule_timeout [kernel] 0x5d (0xc4a2beec))
                      [<c012d930>] process_timeout [kernel] 0x0 (0xc4a2bf0c))
                      [<c020571c>] sock_poll [kernel] 0x2c (0xc4a2bf10))
                      [<c016576d>] do_select [kernel] 0x12d (0xc4a2bf24))
                      [<c0165c0e>] sys_select [kernel] 0x34e (0xc4a2bf60))
                      [<c01098cf>] system_call [kernel] 0x33 (0xc4a2bfc0))

  11. Output from a SysRq-ed memory dump
        Mem-info:
        Free pages:       34884kB (  1048kB HighMem)
        Zone:DMA freepages:  12460kB min:   4224kB low:   4352kB high:   4480kB
        Zone:Normal freepages:  21376kB min:   3064kB low:  16124kB high:  23164kB
        Zone:HighMem freepages:   1048kB min:   1008kB low:   2016kB high:   3024kB
        Free pages:       34884kB (  1048kB HighMem)
        ( Active: 92606/4256, inactive_laundry: 117751, inactive_clean: 1738, free: 8721 )
        5*4kB 5*8kB 3*16kB 4*32kB 3*64kB 2*128kB 2*256kB 2*512kB 2*1024kB 4*2048kB = 12460kB)
        562*4kB 275*8kB 26*16kB 2*32kB 3*64kB 5*128kB 1*256kB 2*512kB 2*1024kB 6*2048kB = 21376kB)
        10*4kB 0*8kB 1*16kB 1*32kB 1*64kB 1*128kB 1*256kB 1*512kB 0*1024kB 0*2048kB = 1048kB)
        Swap cache: add 0, delete 0, find 0/0, race 0+0
        Free swap:       2048248kB
        261744 pages of RAM
        32368 pages of HIGHMEM
        4550 reserved pages
        75127 pages shared
        0 pages swap cached

  12. /bin/mount – Pandora's machine!
     • Files accessed by mount
       • You can avoid writing to /etc/mtab by using the -n switch (Mariusz Burdach, March 22, 2004)
     • If /bin/mount has been turned into a "deadman switch" there isn't much that can be done.
     • You would have to agitate the system a bit more if
       • The system needs you to log in
       • There already is a mounted CD-ROM in the drive, etc.

  13. Network data collection ...
     • MAC address cache table
         arp -an
     • Kernel route cache table
         route -Cn
     • Current and pending connections, and open TCP/UDP ports
         netstat -an

  14. Volatile memory collection ...
     • Physical memory
       • Collect /proc/kcore
       • Collect /dev/mem
       • memget & mempeek, from http://dag.wieers.com/packages/memget/
     Process identification ...
     • ps -auxeww
     • Also, wherever possible (read as: when collection does not further affect the volatility of the data) collect the same information using as many trusted commands as possible, e.g.
         ls -d /proc/[0-9]*

  15. /proc – It only lives once ...
     • A few other proc values that would be useful if nc'ed across:
       • procget & procsave

  16. LiSt Open Files - lsof
     • Compile lsof with the symbol HASSECURITY defined: dialects/linux/machine.h
     • lsof -lnPRg +Lwc 0 -Tqs 2>&1
       • l : Inhibits the conversion of UIDs to login names
       • n : Inhibits the conversion of IP addresses to hostnames
       • P : Inhibits the conversion of port numbers to port names
       • R : Enables Parent Process IDentification number
       • g : Enables Process Group IDentification number
       • L : Enables link counts (not available for sockets, most FIFOs & pipes)
       • w : Enables warning messages
       • c : Max. number of initial characters of the name of the UNIX command associated with a process (default is 9)
       • T : Controls the reporting of some TCP/TPI (Transport Provider Interface) information, also reported by netstat
         • q -> Queue length
         • s -> State

  17. lsof showing a deleted file ...
        COMMAND    PID  USER   FD   TYPE DEVICE     SIZE    NODE NAME
        myscript 31498 suraj  cwd   DIR    3,5     8192   32769 /home/suraj
        myscript 31498 suraj  rtd   DIR    3,2     4096       2 /
        myscript 31498 suraj  txt   REG    3,2   605504  336080 /bin/bash
        myscript 31498 suraj  mem   REG    3,2   107716  512116 /lib/ld-2.3.2.so
        myscript 31498 suraj  mem   REG    3,2  1575400  608049 /lib/tls/libc-2.3.2.so
        ...
        myscript 31498 suraj  mem   REG    3,2    13016  512062 /lib/libtermcap.so.2.0.8
        myscript 31498 suraj  mem   REG    3,3 33513072 1335662 /usr/lib/locale/locale-archive
        myscript 31498 suraj  mem   REG    3,3    21436  847213 /usr/lib/gconv/gconv-modules.cache
        myscript 31498 suraj    0u  CHR  136,0                2 /dev/pts/0
        ...
        myscript 31498 suraj    9u  CHR  136,0                2 /dev/pts/0
        myscript 31498 suraj  255r  REG    3,5       49   33852 /home/suraj/myscript (deleted)
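A deleted file that a process still holds open, as in the listing above, remains readable through that process's /proc entry until the process exits. As an added example (not from the presentation), the Python below parses `lsof -n -P` output like slide 17's and reports, for every "(deleted)" entry, the /proc path an investigator can copy it from; the sample listing is constructed from the slide and the helper names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on slide 17 (lsof -n -P output with header;
# the SIZE column is blank for character devices).
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE DEVICE     SIZE    NODE NAME
myscript 31498 suraj  cwd   DIR    3,5     8192   32769 /home/suraj
myscript 31498 suraj  rtd   DIR    3,2     4096       2 /
myscript 31498 suraj  txt   REG    3,2   605504  336080 /bin/bash
myscript 31498 suraj  mem   REG    3,2   107716  512116 /lib/ld-2.3.2.so
myscript 31498 suraj    0u  CHR  136,0                2 /dev/pts/0
myscript 31498 suraj  255r  REG    3,5       49   33852 /home/suraj/myscript (deleted)
"""

# SIZE is optional, so it is matched by a non-greedy optional group before NODE.
LSOF_LINE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+"
    r"(?P<type>\S+)\s+(?P<device>\S+)\s+(?:(?P<size>\d+)\s+)?(?P<node>\d+)\s+(?P<name>.*)$"
)

@dataclass
class DeletedOpenFile:
    command: str
    pid: int
    fd: str
    path: str
    recover_from: Optional[str]  # /proc entry that still references the inode

def recovery_path(pid: int, fd: str) -> Optional[str]:
    """Map an lsof FD column value to the /proc entry a copy can be taken from."""
    if fd == "txt":                      # deleted executable that is still running
        return f"/proc/{pid}/exe"
    digits = fd.rstrip("rwu")            # "255r" -> "255" (access mode letter stripped)
    if digits.isdigit():
        return f"/proc/{pid}/fd/{digits}"
    return None                          # cwd/rtd/mem: no single descriptor to copy

def deleted_open_files(lsof_output: str) -> List[DeletedOpenFile]:
    found = []
    for line in lsof_output.splitlines():
        m = LSOF_LINE.match(line)        # header line fails because PID is not numeric
        if not m or not m.group("name").endswith("(deleted)"):
            continue
        path = m.group("name")[: -len("(deleted)")].rstrip()
        pid = int(m.group("pid"))
        found.append(DeletedOpenFile(m.group("command"), pid, m.group("fd"),
                                     path, recovery_path(pid, m.group("fd"))))
    return found

if __name__ == "__main__":
    for f in deleted_open_files(SAMPLE_LSOF):
        print(f"{f.command}[{f.pid}] fd={f.fd} {f.path} -> copy from {f.recover_from}")
```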

  18. Moot point - LKMs
     • How far can you go...
       • Detect, pull the plug; move to corpse analysis mode
       • This is where live system analysis crumbles
     • Kernel symbols: the exported functions & variables, registered when a module is loaded
         cat /proc/ksyms
       • Not available for 2.6 kernels, as EXPORT_SYMBOLs are distributed to the places that define them; this is to avoid centralization
     • How real?
       • Adore / Adore-ng
       • Knark
       • rkit

  19. Hunting down LKMs ...
     • hunter.o is an LKM that uses brute force to find hidden modules. To hide modules, the unidirectional chain is modified and modules are added to the end of the singly linked chain.
     • Force insmod on hunter.o, compiled without MODVERSIONS:
         got_root# /mnt/cdrom/usr/local/sbin/insmod -f /mnt/cdrom/hunter.o
     • Collect /proc/showmodules and /var/log/messages (the two cats are grouped so that both outputs, not just the second, go through nc):
         try_me# nc -l -p 6666 > moduleListUsingHunter.o
         got_root# ( /mnt/cdrom/bin/cat /proc/showmodules && /mnt/cdrom/bin/cat /var/log/messages ) | /mnt/cdrom/nc try_meIP 6666
         try_me# md5sum moduleListUsingHunter.o > moduleListUsingHunter.o.md5
     • We could use other tools like kstat or kern_check, but unfortunately all of them use the /boot/System.map file

  20. Corpse analysis ...
     • script(1)
     • U.S. DoD* Computer Forensic Lab's Disk Dump, dcfldd (http://sourceforge.net/projects/dcfldd/). Download from http://prdownloads.sourceforge.net/biatchux/dcfldd-1.0.tar.gz?download
       * DoD – Department of Defense
     • utmpdump /mnt/compromised/var/run/utmp
       • utmpdump is a part of the SysVinit package
     • last -f /mnt/compromised/var/log/wtmp
     • lastcomm -f /mnt/compromised/var/account/pacct
       • Process accounting is available only if the psacct package is installed
     Continued ...

  21. Corpse analysis ... Continued
     • less /mnt/compromised/var/log/messages for signs of a network sniffer (interfaces logging a switch over to promiscuous mode)
     • cat /mnt/compromised/$home/.ssh/known_hosts for unidentified connects
     • Bring up the image in a secure environment and run auditing tools on it
       • Example: SATAN

  22. The Coroner's Toolkit and The Sleuth Kit
     • Using mac-robber to archive the MAC times of the files in the compromised machine
         mactime -d /mnt/readOnlyCompromised/ -g /mnt/readOnlyETC/group -p /readOnlyETC/passwd -R -n "Mon Nov 29 17:30:30 PDT 2004"-"Tue Nov 28 17:30:40 PDT 2004"
     • Example output:
         class|host|start_time
         body|slack|1099081636
         md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|st_atime|st_mtime|st_ctime|st_blksize|st_blocks
         000|/tct_data|5635|640885|16877|drwxr-xr-x|4|0|0|41518|4096|1099080490|1098529623|1098529623|4096|8
         000|/tct_data/blocks/1...txt|5635|545655|33188|-rw-r--r--|1|0|0|41612|16384|1098537352|1098528995|1098528995|4096|32
         000|/opt/kde/bin/fileshareset|5635|131959|35309|-rwsr-xr-x|1|0|0|0|10073|1098531772|1024503841|1053621519|4096|24
         000|/opt/kde/bin/kdesud|5635|131989|34285|-rwxr-Sr-x|1|0|99|0|43844|1053621519|1063596704|1053621523|4096|88
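To show what mactime builds from body rows like the ones above, here is an added example in Python (my own code, not part of the presentation, TCT or The Sleuth Kit): it expands each 16-field body row into one event per distinct timestamp with mactime-style m/a/c flags, sorts them into a timeline, and applies an optional start..end window like the -n option. The sample rows are taken from slide 22 (the elided "1...txt" row is left out); the function names are mine.

```python
import time
from dataclasses import dataclass
from typing import List, Optional

# Rows from slide 22 in TCT body format:
# md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|
# st_atime|st_mtime|st_ctime|st_blksize|st_blocks  (header rows have fewer fields)
SAMPLE_BODY = """\
class|host|start_time
body|slack|1099081636
000|/tct_data|5635|640885|16877|drwxr-xr-x|4|0|0|41518|4096|1099080490|1098529623|1098529623|4096|8
000|/opt/kde/bin/fileshareset|5635|131959|35309|-rwsr-xr-x|1|0|0|0|10073|1098531772|1024503841|1053621519|4096|24
000|/opt/kde/bin/kdesud|5635|131989|34285|-rwxr-Sr-x|1|0|99|0|43844|1053621519|1063596704|1053621523|4096|88
"""

@dataclass(frozen=True)
class Event:
    when: int     # epoch seconds
    flags: str    # "m.c" style: which of mtime/atime/ctime equal `when`
    perms: str
    uid: int
    gid: int
    size: int
    path: str

def parse_body(text: str) -> List[List[str]]:
    """Keep only real body rows: 16 '|'-separated fields with a numeric st_atime."""
    return [f for f in (line.split("|") for line in text.splitlines())
            if len(f) == 16 and f[11].isdigit()]

def timeline(text: str, start: Optional[int] = None, end: Optional[int] = None) -> List[Event]:
    events = []
    for f in parse_body(text):
        path, perms, uid, gid, size = f[1], f[5], int(f[7]), int(f[8]), int(f[10])
        atime, mtime, ctime = int(f[11]), int(f[12]), int(f[13])
        for when in sorted({atime, mtime, ctime}):       # one event per distinct time
            if (start is not None and when < start) or (end is not None and when > end):
                continue
            flags = ("m" if when == mtime else ".") + ("a" if when == atime else ".") \
                + ("c" if when == ctime else ".")
            events.append(Event(when, flags, perms, uid, gid, size, path))
    return sorted(events, key=lambda e: (e.when, e.path))

def format_event(e: Event) -> str:
    stamp = time.strftime("%a %b %d %Y %H:%M:%S", time.gmtime(e.when))  # UTC
    return f"{stamp} {e.size:>8} {e.flags} {e.perms} {e.uid} {e.gid} {e.path}"

if __name__ == "__main__":
    for e in timeline(SAMPLE_BODY, start=1098529623, end=1099080490):
        print(format_event(e))
```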

  23. Lazarus
     • You'll need at least *220%* of the free disk space of the file system that the file was lost in. The 220% is needed by:
       • 100% = The unallocated blocks that you'll be recovering
       • 120% = Roughly the space lazarus will consume. It'll be at least 100% + some additional space.
     • Andreas Dilger:
       • In order to ensure that ext3 can safely resume an unlink after a crash, it actually zeros out the block pointers in the inode, whereas ext2 just marks these blocks as unused in the block bitmaps, marks the inode as 'deleted' and leaves the block pointers alone

  24. Stephen C. Tweedie's ext3...

  25. A few useful links ...
     • http://www.securityfocus.com/infocus/1769
     • http://www.securityfocus.com/infocus/1773
     • http://www.awprofessional.com/articles/printerfriendly.asp?p=169105
     • http://groups.yahoo.com/group/linux_forensics
     • http://www.phrack.org/phrack/61/p61-0x03_Linenoise.txt
     • http://www.porcupine.org/forensics/
     • http://www.fish.com/security/
     Thank You!