230 likes | 366 Views
Lecture 3: Initial Assessment. 6/4/2003 CSCE 590 Summer 2003. Collect the Most Volatile Evidence First. Memory Swap space or page file Network status and connections Processes running Storage media Removable media. Preparation. Assemble toolkits Clean your media
E N D
Lecture 3: Initial Assessment 6/4/2003 CSCE 590 Summer 2003
Collect the Most Volatile Evidence First • Memory • Swap space or page file • Network status and connections • Processes running • Storage media • Removable media
Preparation • Assemble toolkits • Clean your media • Before imaging evidence media to your media • # dd if=/dev/zero of={device} • Clean floppy: # dd if=/dev/zero of=/dev/fd0 bs=1024 # dcfldd if=/dev/zero of=/dev/fd0 bs=1024 \> hashwindow=1024 hashlog=a:\hashlog.txt
dd and dcfldd • Low level command • Copies bit for bit • Does not ‘know’ data structure of data • Can copy: • Single file • Piece of a file • Partition • Logical or physical disks • From stdin and stdout • dcfldd – dd with integrated MD5 hashing
dd and dcfldd Usage • Typical arguments: • if=device input file or device • of=device output file or device • bs=# block size, amount of data transferred in one I/O operation (important on tape) • dcfldd • hashlog=a:\hashfile.txt • hashwindow=1024 hash every 1024 bytes
Mystery Tape Block Sizes • # dd if=device bs=128k of=/tmp/tapetest \ > count=1 • Read data, using block size of 128k until it hits the first record gap • If 128k isn’t big enough, you get an error • Else, size of /tmp/tapetest = block size of tape • What kind of tape? tar, cpio, dump? • # file /tmp/tapetest
Splitting an Image up • Copy 600 One Megabyte blocks per image • # dd if=device of=media.slice1.img bs=102400 count=600 • # dd if=device of=media.slice2.img bs=102400 count=600 skip=601 • # dd if=device of=media.slice3.img bs=102400 count=600 skip=1201 • # dd if=device of=media.slice3.img bs=102400 count=600 skip=1801
Typical UNIX Devices • /dev/fd0 (floppy) • /dev/st0 (tape) • /dev/hda first IDE hard drive • /dev/hdb second IDE hard drive • /dev/sda first SCSI hard drive • /dev/sdb second SCSI hard drive
Network dd • No local clean media on victim machine, can’t reboot yet • netcat (nc) and dd (may want encryption too) • Forensic rig with cleaned media: • # nc –l –p 31337 | dd of=(local clean media) • Victim system: • # dd if=(local physical disk) | nc –w 3 \> forensic.rig.net 31337 • nc host port (send to host on port) • -w 3 (wait 3 milliseconds between packets) • -l (listen mode, send mode is default) • -p port (listen on port, use with listen mode)
Date and Time • Windows • Date • Time • Unix • w • date
System Configuration Information • Windows: • psinfo • at • ‘net’ commands: • accounts, file, session, share, start, use, user, view • Unix • df –k • uname –a • ifconfig –a • uptime
Current Users • Windows • psloggedon • Unix • w • who
Network Status and Connections • Windows • arp –a IP to physical addr • netstat –anpr open sockets • fport socket processes • nbtstat systems connected • Unix • arp –a IP to physical addr • netstat -anpr open sockets • lsof -i socket processes • Netstat systems connected
Running Processes • Windows • procinterrogate –list • pslist –x check other options too • UNIX • ps –wwwaux • ps –ef • lsof • kstat –P find LKM hidden processes • LKM = dynamically Loadable Kernel Modules like device drivers) • kstat –s finds clues of LKM rootkits • /proc kernel data structures for processes
Swap Space or Page File • When there isn’t enough memory, chunks of processes will be paged out to disk • Older systems, entire processes are swapped out to disk • Windows: • copy c:\pagefile.sys d: • copy c:\win386.swp d: win9x • Unix: • Can get it when imaging whole drive
Memory • Windows: • Don’t use book’s method • Modified dd at: • http://users.erols.com/gmgarner/forensics/ • # dd if=\\.\PhysicalMemory conv=noerror \> | nc forensic.rig.net 31337 • Or use pmdump • Unix • # dd if=/dev/mem | nc forensic.rig.net 31337 • # dd if=/dev/kmem | nc forensic.rig.net 31337 • # dd if=/dev/kcore | nc forensic.rig.net 31337
Storage Media • Imaging to work on copies • Use MD5 hashes • Write blockers • Software • Hardware • busTRACE: http://www.bustrace.com/ for live imaging
Removable Media • Make to sure to flush pending writes (sync) to removable media before removing • Can be imaged like storage media
Physical Collection Issues • Don’t overlook fingerprints on keyboard and mouse to place person at keyboard • Evidence exposed to hazardous material, chemical weapons, toxic waste • Have it evaluated and approved by HAZMAT experts • Organic chemicals, biological matter, fingerprint, or other forensic tests: • Fingerprinting process (cyanoacrylate) will severely damage electronic media • Scraping can physically damage media (floppy)
Wet Media • Soaked or immersed electronic media: • Keep it immersed in distilled water • Drying in uncontrolled conditions can lead to deposits • photograph any paper labels on magnetic media before immersion in distilled water • Tape or floppy just a little wet • seal in plastic bag, don't immerse • Paper, cellulose based media, printouts: • freeze or freeze dry if wet
Wet Media • Flood damage • Immerse and flush with clean water • Salt water: • Place in container or plastic bag with enough ocean water to keep it immersed • Immerse and flush it in distilled water ASAP • Immersion may cause biological evidence to deteriorate • Separate samples before immersion if they are plentiful or it is easy • Be aware and make judgment calls
Tape: Physical Issues • Age, disuse, poor storage conditions • Layers can become sticky and stick together or to the read head • Static buildup increases read error rates • Unrolling untreated tape can cause oxide layer to be torn from substrate • Collect all pieces, can help with splices • Ship to lab to be processed and reconditioned
Reading for Lectures 2-5: • Mandia/Prosise: Chapters 2-5, 9 • Casey: Chapter 2 (in Reading Room) • Homework 1: Due Monday, June 9, 2003