1 / 23

Lecture 3: Initial Assessment

Lecture 3: Initial Assessment. 6/4/2003 CSCE 590 Summer 2003. Collect the Most Volatile Evidence First. Memory Swap space or page file Network status and connections Processes running Storage media Removable media. Preparation. Assemble toolkits Clean your media

cutler
Download Presentation

Lecture 3: Initial Assessment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 3: Initial Assessment 6/4/2003 CSCE 590 Summer 2003

  2. Collect the Most Volatile Evidence First • Memory • Swap space or page file • Network status and connections • Processes running • Storage media • Removable media

  3. Preparation • Assemble toolkits • Clean your media • Before imaging evidence media to your media • # dd if=/dev/zero of={device} • Clean floppy: # dd if=/dev/zero of=/dev/fd0 bs=1024 # dcfldd if=/dev/zero of=/dev/fd0 bs=1024 \> hashwindow=1024 hashlog=a:\hashlog.txt

  4. dd and dcfldd • Low level command • Copies bit for bit • Does not ‘know’ data structure of data • Can copy: • Single file • Piece of a file • Partition • Logical or physical disks • From stdin and stdout • dcfldd – dd with integrated MD5 hashing

  5. dd and dcfldd Usage • Typical arguments: • if=device input file or device • of=device output file or device • bs=# block size, amount of data transferred in one I/O operation (important on tape) • dcfldd • hashlog=a:\hashfile.txt • hashwindow=1024 hash every 1024 bytes

  6. Mystery Tape Block Sizes • # dd if=device bs=128k of=/tmp/tapetest \ > count=1 • Read data, using block size of 128k until it hits the first record gap • If 128k isn’t big enough, you get an error • Else, size of /tmp/tapetest = block size of tape • What kind of tape? tar, cpio, dump? • # file /tmp/tapetest

  7. Splitting an Image up • Copy 600 One Megabyte blocks per image • # dd if=device of=media.slice1.img bs=102400 count=600 • # dd if=device of=media.slice2.img bs=102400 count=600 skip=601 • # dd if=device of=media.slice3.img bs=102400 count=600 skip=1201 • # dd if=device of=media.slice3.img bs=102400 count=600 skip=1801

  8. Typical UNIX Devices • /dev/fd0 (floppy) • /dev/st0 (tape) • /dev/hda first IDE hard drive • /dev/hdb second IDE hard drive • /dev/sda first SCSI hard drive • /dev/sdb second SCSI hard drive

  9. Network dd • No local clean media on victim machine, can’t reboot yet • netcat (nc) and dd (may want encryption too) • Forensic rig with cleaned media: • # nc –l –p 31337 | dd of=(local clean media) • Victim system: • # dd if=(local physical disk) | nc –w 3 \> forensic.rig.net 31337 • nc host port (send to host on port) • -w 3 (wait 3 milliseconds between packets) • -l (listen mode, send mode is default) • -p port (listen on port, use with listen mode)

  10. Date and Time • Windows • Date • Time • Unix • w • date

  11. System Configuration Information • Windows: • psinfo • at • ‘net’ commands: • accounts, file, session, share, start, use, user, view • Unix • df –k • uname –a • ifconfig –a • uptime

  12. Current Users • Windows • psloggedon • Unix • w • who

  13. Network Status and Connections • Windows • arp –a IP to physical addr • netstat –anpr open sockets • fport socket processes • nbtstat systems connected • Unix • arp –a IP to physical addr • netstat -anpr open sockets • lsof -i socket processes • Netstat systems connected

  14. Running Processes • Windows • procinterrogate –list • pslist –x check other options too • UNIX • ps –wwwaux • ps –ef • lsof • kstat –P find LKM hidden processes • LKM = dynamically Loadable Kernel Modules like device drivers) • kstat –s finds clues of LKM rootkits • /proc kernel data structures for processes

  15. Swap Space or Page File • When there isn’t enough memory, chunks of processes will be paged out to disk • Older systems, entire processes are swapped out to disk • Windows: • copy c:\pagefile.sys d: • copy c:\win386.swp d: win9x • Unix: • Can get it when imaging whole drive

  16. Memory • Windows: • Don’t use book’s method • Modified dd at: • http://users.erols.com/gmgarner/forensics/ • # dd if=\\.\PhysicalMemory conv=noerror \> | nc forensic.rig.net 31337 • Or use pmdump • Unix • # dd if=/dev/mem | nc forensic.rig.net 31337 • # dd if=/dev/kmem | nc forensic.rig.net 31337 • # dd if=/dev/kcore | nc forensic.rig.net 31337

  17. Storage Media • Imaging to work on copies • Use MD5 hashes • Write blockers • Software • Hardware • busTRACE: http://www.bustrace.com/ for live imaging

  18. Removable Media • Make to sure to flush pending writes (sync) to removable media before removing • Can be imaged like storage media

  19. Physical Collection Issues • Don’t overlook fingerprints on keyboard and mouse to place person at keyboard • Evidence exposed to hazardous material, chemical weapons, toxic waste • Have it evaluated and approved by HAZMAT experts • Organic chemicals, biological matter, fingerprint, or other forensic tests: • Fingerprinting process (cyanoacrylate) will severely damage electronic media • Scraping can physically damage media (floppy)

  20. Wet Media • Soaked or immersed electronic media: • Keep it immersed in distilled water • Drying in uncontrolled conditions can lead to deposits • photograph any paper labels on magnetic media before immersion in distilled water • Tape or floppy just a little wet • seal in plastic bag, don't immerse • Paper, cellulose based media, printouts: • freeze or freeze dry if wet

  21. Wet Media • Flood damage • Immerse and flush with clean water • Salt water: • Place in container or plastic bag with enough ocean water to keep it immersed • Immerse and flush it in distilled water ASAP • Immersion may cause biological evidence to deteriorate • Separate samples before immersion if they are plentiful or it is easy • Be aware and make judgment calls

  22. Tape: Physical Issues • Age, disuse, poor storage conditions • Layers can become sticky and stick together or to the read head • Static buildup increases read error rates • Unrolling untreated tape can cause oxide layer to be torn from substrate • Collect all pieces, can help with splices • Ship to lab to be processed and reconditioned

  23. Reading for Lectures 2-5: • Mandia/Prosise: Chapters 2-5, 9 • Casey: Chapter 2 (in Reading Room) • Homework 1: Due Monday, June 9, 2003

More Related