
Lecture 17: UNIX Forensics



  1. Lecture 17: UNIX Forensics 6/30/2003 CSCE 590 Summer 2003

  2. Shutdown Command
  • BSD-ish shutdown
    • shutdown -r now
    • shutdown -h 16:30
    • shutdown -r +5 "Please save your files"
  • System V
    • shutdown -i6 -g0 -y "Please save your files" (reboot)
    • shutdown -i0 -g60 -y (halt in one minute)
  • reboot
  • halt
  • Forensic caveat: a clean shutdown runs the rc shutdown scripts, writes to logs and alters timestamps, and destroys volatile state (running processes, open network connections, contents of memory); capture live state first if it matters to the case

  3. NFS
  • Network File System
  • Allows you to mount disk space from a remote machine
  • NFS server:
    • /etc/exports - which directories are exported, and to which hosts
    • exportfs - (re)loads the export list
    • /etc/rmtab - remote mounted filesystems table: which clients have mounted which exports (kept by mountd; Linux stores it as /var/lib/nfs/rmtab)
  • NFS client:
    • /etc/fstab - filesystems to mount at boot, including remote NFS mounts
    • mount
    • /etc/mtab - mounted filesystems table (what is currently mounted)

  4. hosts File
  • /etc/hosts
  • Can be used as a supplement to DNS
  • Mappings of IP addresses to names that may not be in DNS
  • Usually consulted before DNS (hosts: files dns in /etc/nsswitch.conf), so an added or altered entry silently redirects a name
  • May indicate other machines that were targeted if the intruder found the hosts file
  • Example:
      127.0.0.1 localhost.localdomain localhost
      129.252.131.42 forensicrig.cse.sc.edu forensicrig

  5. resolv.conf
  • /etc/resolv.conf
  • List of domains to search when resolving machine names
  • List of DNS servers to use to resolve names (a changed nameserver line redirects every lookup the host makes)
  • Example:
      search cse.sc.edu
      nameserver 129.252.131.9
      nameserver 129.252.21.12
      nameserver 129.252.21.13

  6. Mail aliases File
  • /etc/aliases
  • /etc/mail/aliases
  • Maps a local address to one or more recipients, so mail for that address is redirected (sendmail reads the compiled aliases.db, built from this file with newaliases; compare the two if both are present)
  • Example:
      postmaster: root,wright
      abuse: postmaster
      trouble: postmaster
      security: wright,ronni,ken
      codered: ronni,wright,ken,johnf@gwm.sc.edu,
          mcgowanb@gwm.sc.edu,kaiser@psc.sc.edu,
          kirk@engr.sc.edu,gallaghd@gwm.sc.edu

  7. RC Files
  • Configuration files that are run when a user logs in or a shell is started
  • Can contain commands, set environment variables
  • A common persistence spot: look for added commands, PATH changes, or aliases that replace system commands
  • Per-user:
    • .login
    • .profile
    • .bashrc
    • .cshrc
    • .tcshrc
  • System-wide:
    • /etc/bashrc
    • /etc/csh.cshrc
    • /etc/csh.login

  8. Cron files
  • Where to look: /etc/crontab, /etc/cron.d/, and the per-user crontabs under /var/spool/cron/ (/var/spool/cron/crontabs on Solaris and Debian)
  • Example:
      10 3 * * 0,4 /etc/cron.d/logchecker
      58 23 * * * /usr/lib/newsyslog
      0 5 * * * /usr/lib/newweblog
      3 0 * * 1 /usr/lib/newsyslog.weekly
      # Run Statistics Collection
      */5 * * * * /data/nmis/bin/nmis.pl
  • Fields and allowed values:
    • minute 0-59
    • hour 0-23
    • day of month 1-31
    • month 1-12 (or names)
    • day of week 0-7 (0 or 7 is Sun, or names)
  • A field may be a list (0,4), a range (1-5), or a step (*/5); the sixth field to end of line is the command
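As an added example (not part of the lecture), a small Python crontab parser that expands the five schedule fields exactly as described above and then flags the entries an examiner would look at first. The sample crontab repeats the slide's lines plus one constructed entry of the kind an intruder leaves behind; the flagging heuristics (scratch directory, hidden path component, every-minute schedule, discarded output) are this example's own, not a rule from the lecture.

```python
import re

# Constructed sample: the lecture's crontab example, plus a MAILTO assignment and one
# intruder-style entry (assumed for illustration, not from the slide).
SAMPLE_CRONTAB = """\
10 3 * * 0,4 /etc/cron.d/logchecker
58 23 * * * /usr/lib/newsyslog
0 5 * * * /usr/lib/newweblog
3 0 * * 1 /usr/lib/newsyslog.weekly
# Run Statistics Collection
*/5 * * * * /data/nmis/bin/nmis.pl
MAILTO=root
* * * * * /tmp/.X11-unix/.x >/dev/null 2>&1
"""

MONTHS = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}

# (field name, low, high, name table) in crontab column order
FIELDS = [("minute", 0, 59, {}), ("hour", 0, 23, {}), ("day of month", 1, 31, {}),
          ("month", 1, 12, MONTHS), ("day of week", 0, 7, DAYS)]


def expand_field(spec, lo, hi, names):
    """Expand one crontab field ('*/5', '0,4', '1-5', 'mon-fri') into the set of
    integer values it matches.  Day-of-week 7 is folded onto 0 (both are Sunday)."""
    def to_int(tok):
        tok = tok.lower()
        return names[tok] if tok in names else int(tok)

    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_s = part.split("/", 1)
            step = int(step_s)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = to_int(a), to_int(b)
        else:
            start = end = to_int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError("bad field %r" % spec)
        values.update(range(start, end + 1, step))
    if hi == 7 and 7 in values:          # only the day-of-week field has hi == 7
        values.discard(7)
        values.add(0)
    return values


def parse_crontab(text):
    """Parse crontab text into [{'schedule': {field: set}, 'command': str, 'raw': str}].
    Comments, blank lines and VAR=value assignments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 5)      # five schedule fields, rest is the command
        if len(parts) < 6:
            raise ValueError("malformed crontab line: %r" % raw)
        schedule = {name: expand_field(spec, lo, hi, names)
                    for spec, (name, lo, hi, names) in zip(parts[:5], FIELDS)}
        entries.append({"schedule": schedule, "command": parts[5], "raw": raw})
    return entries


SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def flag_entry(entry):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    s = entry["schedule"]
    if len(s["minute"]) == 60 and len(s["hour"]) == 24:
        reasons.append("runs every minute")
    prog = entry["command"].split()[0]
    if prog.startswith(SCRATCH_DIRS):
        reasons.append("program lives in a world-writable scratch directory")
    if any(seg.startswith(".") for seg in prog.split("/") if seg):
        reasons.append("hidden path component")
    if "/dev/null" in entry["command"]:
        reasons.append("output discarded")
    return reasons


if __name__ == "__main__":
    for e in parse_crontab(SAMPLE_CRONTAB):
        print(e["raw"], "->", flag_entry(e) or "ok")
```

Run it against the contents of /etc/crontab or a file from /var/spool/cron to get the same per-line verdicts; the schedule sets are also what you need to answer "could this job have fired between the last good backup and the first sign of compromise".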

  9. Printing - LPRng
  • lpr, lpd, lpq, lprm, lpc
  • /var/spool/lpd/printer_name - spool directories
  • Default printer name is lp
  • /etc/printcap
  • /etc/lpd.perms
  • Inside a printer's spool directory:
    • printer - lock file for queue control
    • control.printer - queue control
    • active.printer - active job
    • log.printer - log file

  10. Spool Files
  • dfA<Job_Number><Source> - data file: what is to be printed
  • cfA<Job_Number><Source> - control file: control info about the job
  • hfA<Job_Number> - header file: info about the print job

  11. Spool Directory

  12. Print Job Control Files

  13. sysctl.conf
  • Kernel sysctl configuration file (/etc/sysctl.conf)
  • Configuration options applied to the kernel at boot; sysctl -a shows the values currently in effect, which may differ from the file
  • Example:
      # Controls IP packet forwarding
      net.ipv4.ip_forward = 0
      # Controls source route verification
      net.ipv4.conf.default.rp_filter = 1
      # whether core dumps append the PID to core filename
      kernel.core_uses_pid = 1
  • Forwarding enabled on a host that is not a router, or reverse-path filtering turned off, is worth explaining

  14. Pluggable Authentication Modules (PAM)
  • Can individually configure how different applications will do authentication
  • Standalone authentication modules for different methods of authenticating
  • Modules are 'stackable'
  • /etc/pam.conf or the /etc/pam.d directory (one file per service)
  • Dynamically change authentication methods

  15. PAM
  • Separates authentication into 4 management groups; each line of a stack names the group, a control flag (required, requisite, sufficient, optional) and a module
  • account: account verification tasks (expired password? login allowed at this time?)
  • auth: authentication tasks - is the user who they claim to be
  • password: password management/changing
  • session: maintenance tasks around the session, audit trails/logs, mounting the user's home directory
  • A backdoored stack often shows as a 'sufficient' line that always succeeds placed before the real check, or a module loaded from an unusual path
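Added example, not from the lecture: a Python audit of a pam.d-style service file that parses each line into group, control flag, module and arguments, then reports the lines that weaken or bypass authentication. The sample stack is constructed (it imitates an sshd service file with two backdoor-style lines added), the list of standard module directories is an assumption for typical Linux layouts, and the single-file /etc/pam.conf format, which carries an extra service column, is not handled.

```python
import re

# Assumption: where a normal Linux install keeps PAM modules.  Anything loaded by
# absolute path from elsewhere is suspect.
STANDARD_MODULE_DIRS = ("/lib/security/", "/lib64/security/",
                        "/usr/lib/security/", "/lib/x86_64-linux-gnu/security/")

# Constructed /etc/pam.d-style stack: a plausible sshd file with two lines of the
# kind a backdoor adds (the 'sufficient pam_permit.so' line and the module under /tmp).
SAMPLE_PAM_STACK = """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_permit.so
auth       required     pam_unix.so nullok try_first_pass
auth       [default=die] pam_deny.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_limits.so
session    optional     /tmp/.pam/pam_keyinit.so force revoke
session    required     pam_unix.so
"""

# type  control  module [args]; control may be a bracketed [value=action ...] form
LINE_RE = re.compile(r"^-?(?P<type>auth|account|password|session)\s+"
                     r"(?P<control>\[[^\]]*\]|\S+)\s+"
                     r"(?P<module>\S+)(?:\s+(?P<args>.*))?$")


def parse_pam_stack(text):
    """Parse a pam.d service file into a list of entries with their line numbers."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line or line.startswith("@include"):   # Debian-style include directive
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("line %d: unparsable PAM entry: %r" % (lineno, raw))
        entries.append({"lineno": lineno, "type": m.group("type"),
                        "control": m.group("control"), "module": m.group("module"),
                        "args": (m.group("args") or "").split()})
    return entries


def audit_pam_stack(entries):
    """Return (lineno, severity, reason) findings for lines worth a closer look."""
    findings = []
    for e in entries:
        if e["control"] in ("include", "substack"):
            continue                              # module field names another stack
        mod = e["module"]
        base = mod.rsplit("/", 1)[-1]
        if e["type"] in ("auth", "account") and base == "pam_permit.so":
            # 'sufficient' pam_permit before the real check lets anyone in
            sev = "BYPASS" if e["control"] == "sufficient" else "REVIEW"
            findings.append((e["lineno"], sev,
                             "pam_permit.so in the %s stack" % e["type"]))
        if mod.startswith("/") and not mod.startswith(STANDARD_MODULE_DIRS):
            findings.append((e["lineno"], "BYPASS",
                             "module loaded from non-standard path %s" % mod))
        if e["type"] == "auth" and base == "pam_unix.so" and "nullok" in e["args"]:
            findings.append((e["lineno"], "WEAK",
                             "pam_unix.so nullok: empty passwords accepted"))
    return findings


if __name__ == "__main__":
    for lineno, sev, reason in audit_pam_stack(parse_pam_stack(SAMPLE_PAM_STACK)):
        print("line %2d %-6s %s" % (lineno, sev, reason))
```

Order matters in a PAM stack, which is why the finding carries the line number: a pam_permit.so that is 'required' at the very end of a Debian common-auth file is normal, while the same module marked 'sufficient' ahead of pam_unix.so is a login backdoor. Compare the flagged module's hash and mtime against the package database before drawing conclusions.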

  16. Recovering Deleted UNIX Files with Sleuthkit
  • Very similar to Windows NTFS file recovery
  • fls -f linux-ext3 -r -d -m / /dev/hda2 | more   (recursively list deleted directory entries in mactime "body" format)
  • ils -f linux-ext3 -r -m /dev/hda2 | more   (list removed/unallocated inodes)
  • icat -f linux-ext3 /dev/hda2 212018 > locale.alias   (dump the content of inode 212018)
  • more locale.alias
  • On ext2/ext3 icat takes the bare inode number; on NTFS the address needs the attribute suffix (e.g. 212018-128-4, where 128 is the $DATA attribute type) to get the file data
  • Caveats: later Sleuthkit releases name the filesystem type ext3 rather than linux-ext3 (-f ext3). Also, ext3 zeroes the block pointers in the inode when a file is deleted, so icat on a deleted ext3 inode often yields nothing and the unallocated blocks must be carved instead; ext2 keeps the pointers
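An added example, not from the lecture: Python that parses fls -m "body" output, separates deleted entries whose inode is still intact from those whose inode has already been reused, generates the icat commands to pull the intact ones, and orders all timestamps into a mactime-style timeline. The body lines are constructed, and the 11-field layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) with " (deleted)" / " (deleted-realloc)" name markers is the Sleuthkit 3.x format, assumed here; the 2003-era release used by the lecture printed a different body layout.

```python
import datetime

# Constructed fls -m style "body" output in the TSK 3.x layout (assumed):
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# " (deleted)" marks an unallocated entry; " (deleted-realloc)" means the inode has
# since been reallocated, so icat would most likely return another file's content.
SAMPLE_BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|1891|1056960000|1056950000|1056950000|0
0|/usr/share/locale/locale.alias (deleted)|212018|r/rrw-r--r--|0|0|2601|1056945000|1056940000|1056958000|0
0|/tmp/.x/rootkit.tgz (deleted-realloc)|9001|r/rrw-------|0|0|48212|1056957000|1056957000|1056957500|0
0|/home/wright/.bash_history|4321|r/rrw-------|500|500|812|1056959000|1056959000|1056959000|0
"""


def parse_body(text):
    """Parse body-format lines into dicts, splitting the deleted markers off the name."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("|")
        if len(fields) != 11:
            raise ValueError("expected 11 fields: %r" % raw)
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        deleted = realloc = False
        if name.endswith(" (deleted-realloc)"):
            name, deleted, realloc = name[:-len(" (deleted-realloc)")], True, True
        elif name.endswith(" (deleted)"):
            name, deleted = name[:-len(" (deleted)")], True
        records.append({
            "name": name, "inode": inode, "mode": mode,
            "uid": int(uid), "gid": int(gid), "size": int(size),
            "atime": int(atime), "mtime": int(mtime), "ctime": int(ctime),
            "crtime": int(crtime), "deleted": deleted, "realloc": realloc,
        })
    return records


def recoverable(records):
    """Deleted entries whose inode has not been reused: the icat candidates."""
    return [r for r in records if r["deleted"] and not r["realloc"]]


def icat_commands(records, image, fstype="ext3", outdir="recovered"):
    """Build one icat invocation per recoverable inode.  An NTFS inode address
    already carries its attribute suffix (e.g. 212018-128-4) in the inode field,
    so it is passed through unchanged."""
    cmds = []
    for r in recoverable(records):
        out = "%s/%s_%s" % (outdir, r["inode"], r["name"].rsplit("/", 1)[-1])
        cmds.append("icat -f %s %s %s > %s" % (fstype, image, r["inode"], out))
    return cmds


def timeline(records, since=0):
    """Sorted (time, m/a/c/b, inode, name) events, like mactime output; zero
    timestamps (e.g. crtime on ext3) are skipped."""
    events = []
    for r in records:
        for key, tag in (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")):
            if r[key] > 0 and r[key] >= since:
                events.append((r[key], tag, r["inode"], r["name"]))
    return sorted(events)


if __name__ == "__main__":
    recs = parse_body(SAMPLE_BODY)
    for cmd in icat_commands(recs, "/dev/hda2"):
        print(cmd)
    for ts, tag, inode, name in timeline(recs):
        when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
        print(when.strftime("%Y-%m-%d %H:%M:%S"), tag, inode, name)
```

The realloc split is the point: a "(deleted-realloc)" name tells you the directory entry survived but the inode now belongs to a live file, so the ctime of that inode dates the reuse, not the deletion, and the original content has to come from carving rather than icat.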

  17. Advanced Sleuthkit Sorter
  • Configuration files live in /usr/local/sleuthkit/share/sorter:
    • default.sort
    • freebsd.sort
    • images.sort
    • linux.sort
    • openbsd.sort
    • solaris.sort
    • windows.sort
  • With nothing specified on the command line, sorter loads default.sort plus the OS-specific file that matches the filesystem type given with -f (with "-f ntfs" you also get windows.sort)
  • Add your own config file on top of the defaults with "-c config_file.sort"

  18. Custom Sorter Configuration Files
  • Example: /usr/local/sleuthkit/share/sorter/images.sort
  • The "-C" option means use only this config file
  • Combine -C with -s and -U, and sorter will recover and index only the file types defined in your custom configuration file; it indexes the rest of the files as unknown, but does not recover them
  • If you use these options, sorter makes a number of .sorterxxx files in the base of the output directory that need to be deleted when sorter is finished. They take a LOT of room. Do an "ls -la" to see them

  19. Sorter Configuration Files
  • Format of a category line:
    • category CATEGORY_NAME FILE_REG_EXP
  • category is the keyword
  • CATEGORY_NAME is the name of the category you want matching files sorted into
  • Anything that doesn't match a category gets placed in the 'unknown' category
  • ignore is a special category that drops files completely, not even 'unknown'
  • FILE_REG_EXP is a regular expression that will match the output of the file command if it were run on a file of this type

  20. Sorter Configuration Files
  • Format of an extension line:
    • ext EXTENSION_LIST FILE_REG_EXP
  • ext is the keyword
  • EXTENSION_LIST is a comma-separated list of file extensions for that file type
  • If the file command's output for a file matches an ext line but the file's actual extension is not in EXTENSION_LIST, the file is flagged as an extension mismatch (a renamed file, e.g. a JPEG called notes.txt)
  • Place it under the category line it belongs to, to make that category more specific
  • FILE_REG_EXP is a regular expression that will match the output of the file command if it were run on a file of this type

  21. Sorter Configuration Files
  • Example 1:
      category images image data
      ext jpg,jpeg,jpe JPEG image data
      ext gif GIF image data
  • Example 2:
      category mail data
      ext dbx data
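To make the category and extension rules from the last three slides concrete, here is an added Python example (not Sleuthkit's own code) that reads a sorter-style configuration, classifies files from their `file` output, and reports extension mismatches. The configuration repeats Example 1 with an added archives category and an ignore rule, the (path, file output) pairs are constructed in place of a walk over an image, and case-insensitive regex matching is an assumption about sorter's behaviour.

```python
import re
from collections import defaultdict

# Constructed sorter-style config: the slide's Example 1, plus an archives category
# and an 'ignore' rule for zero-length files.
SAMPLE_CONFIG = """\
# images.sort-style rules
category images     image data
ext      jpg,jpeg,jpe JPEG image data
ext      gif         GIF image data
category archives   (Zip|gzip) compressed
ext      zip         Zip archive data
ext      gz,tgz      gzip compressed
category ignore     ^empty$
"""

# Constructed (path, output of `file`) pairs standing in for a walk over the image.
SAMPLE_FILES = [
    ("/home/wright/photo1.jpg", "JPEG image data, JFIF standard 1.01"),
    ("/home/wright/notes.txt", "JPEG image data, JFIF standard 1.01"),   # renamed picture
    ("/home/wright/README", "ASCII text"),
    ("/tmp/.x/update.gif", "gzip compressed data, from Unix"),           # renamed tarball
    ("/var/tmp/zero", "empty"),
]


def parse_sorter_config(text):
    """Return the rules in file order: ('category', name, regex) or ('ext', [exts], regex)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)       # keyword, argument, rest of line is the regex
        if len(parts) != 3 or parts[0] not in ("category", "ext"):
            raise ValueError("bad sorter rule: %r" % raw)
        kw, arg, pattern = parts
        rx = re.compile(pattern, re.IGNORECASE)   # assumption: case-insensitive match
        if kw == "category":
            rules.append(("category", arg, rx))
        else:
            rules.append(("ext", [e.lower() for e in arg.split(",")], rx))
    return rules


def classify(rules, path, file_output):
    """Return (category, extension_mismatch).  The first matching category wins,
    'ignore' returns None, no match is 'unknown'.  A mismatch is raised when the
    file output matches an ext line whose list does not contain the real extension."""
    category = "unknown"
    for kind, arg, rx in rules:
        if kind == "category" and rx.search(file_output):
            category = arg
            break
    if category == "ignore":
        return None, False
    name = path.rsplit("/", 1)[-1].lstrip(".")     # .bashrc has no extension
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    mismatch = False
    for kind, exts, rx in rules:
        if kind == "ext" and rx.search(file_output):
            mismatch = ext not in exts
            break
    return category, mismatch


def sort_files(rules, files):
    """Group paths by category, as sorter's output directories would, and list mismatches."""
    buckets = defaultdict(list)
    mismatches = []
    for path, out in files:
        cat, bad = classify(rules, path, out)
        if cat is None:
            continue
        buckets[cat].append(path)
        if bad:
            mismatches.append(path)
    return dict(buckets), mismatches


if __name__ == "__main__":
    buckets, mismatches = sort_files(parse_sorter_config(SAMPLE_CONFIG), SAMPLE_FILES)
    for cat, paths in sorted(buckets.items()):
        print(cat, paths)
    print("extension mismatches:", mismatches)
```

The two mismatches are the cases that matter in an investigation: the picture hidden under a .txt name and, more seriously, the gzip archive parked in /tmp/.x under a .gif name. Note that the ext check is driven by the file output, not the name, so a file whose type has no ext rule at all (README here) is never flagged.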

  22. References
  • http://www.sleuthkit.org/informer/sleuthkit-informer-43.html
  • http://www.sleuthkit.org/informer/sleuthkit-informer-4.html
  • http://www.sleuthkit.org/informer/sleuthkit-informer-5.html
