1 / 29

CSCD 496 Computer Forensics

Lecture 10 More Unix for Forensics Winter 2010. CSCD 496 Computer Forensics. Introduction. Last time looked at file systems in Unix/Linux systems Files, file systems, partitions Today Native Unix commands useful for forensics investigations Examine places for evidence – Unix/Linux.

kort
Download Presentation

CSCD 496 Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 10 More Unix for Forensics Winter 2010 CSCD 496Computer Forensics

  2. Introduction • Last time looked at file systems in Unix/Linux systems • Files, file systems, partitions • Today • Native Unix commands useful for forensics investigations • Examine places for evidence – Unix/Linux

  3. Where to look for files • Where would you look for user information in Linux/Unix?

  4. Where to look for files • Where would you find user files Linux/Unix? /etc/passwd • User Id, encrypted password or *, • User Number, Group number, User's Name, Login Shell • If password = * ? /etc/shadow Shadow password file, has actual encrypted passwords /home/[user id] • User directory, similar to Windows

  5. More Linux Files • /etc/hosts • DNS entries • /etc/syslog.conf • Shows location of log files • Other Places • /tmp – temporary files – cleaned out at boot • /var – spool files, log files, other transient files

  6. More Linux Files • Temporary Internet Files - Mozilla /usr/[user id]/.mozilla/4y0d767z.default/Cache • Temporary Internet Files/Mail – Opera /usr/[user_id]/.opera/cache4 /usr/[user_id]/.opera/mail • Linux has a Trash folder • Where is it? /usr/[user id]/.local/share/.Trash • Book has table • Nice table Table 8-4, Chapter 8, shows system file differences Unix/Linux

  7. Unix Internals • Bash shell • Allows users to keep history of commands used • Users can edit commands and re-run them • History command • File is in: /home/[user id]/.bash_history • Special environment variables • Set by default from config files in /etc or from user’s home directory .bashrc and .bash_profile • User’s environment provides clues to activities • Type: env and see all environment variables

  8. Unix Shells User: ctaylor $ env HISTFILESIZE = 1000 TERM=ansi PATH=/usr/local/bin:/bin:/usrX11R6;/home/ctaylor/bin SHELL=/bin/bash PS1 = \$ BASH_ENV = /home/ctaylor/.bashrc . . . History size – number of commands saved in history file PS1 – default prompt

  9. Unix Shells • History of commands • Only saved when shell is exited • Otherwise, stays in memory until maximum is reached • Written to .bash_history • If system is powered down without being shut down properly – history of running process is lost • Useful for seeing last commands done on computer

  10. Unix Partitions • Hard drive often has more than 1 file system, each in its own partition • All OS’s have something like fdisk that lets you look at partitions and file systems $ /sbin/fdisk /dev/hda Device Boot Start End Blocks Id System /dev/hda1 * 1 9 18112+ 83 Linux /dev/hda2 10 789 1572480 5 Extended /dev/hda5 10 756 1505920+ 83 Linux /dev/hda6 757 789 66496+ 82 Linux swap

  11. Sfdisk command Linux $sudo sfdisk -l /dev/sda Disk /dev/sda: 9729 cylinders, 255 heads, 63 sectors/track Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0 Device Boot Start End #cyls #blocks Id System /dev/sda1 * 0+ 9352 9353- 75127941 83 Linux /dev/sda2 9353 9728 376 3020220 f W95 Ext'd (LBA)‏ /dev/sda3 0 - 0 0 0 Empty /dev/sda4 0 - 0 0 0 Empty /dev/sda5 9353+ 9728 376- 3020188+ 82 Linux swap / Solaris start: (c,h,s) expected (1023,254,63) found (0,1,1)‏ end: (c,h,s) expected (1023,254,63) found (375,254,63)‏

  12. Mounted File System • Mount • Concept in Unix or mounting a file system • What does mount command do? • Loads inode list into the kernel • Can even mount DOS and NT file systems • Mounting non-Unix file systems • Not complete functionality of normal Unix file system • Can still examine them using Unix tools • Can mount Windows filesystem read only • Example of this later in lecture ...

  13. Mounted File Systems • Run command mount $mount /dev/hda5 on / type ext2 (rw)‏ None on /proc type proc (rw)‏ /dev/hda1 on /boot type ext2 (rw)‏ None on /dev/pts type devpts (rw, gid=5, mode=620)‏ /dev/hdc on /mnt/cdrom type iso9660 (ro,nosuid, nodev)‏

  14. Mounted File System • /etc/fstab command • fstab stands for file systems table file is commonly found on Unix and Unix-like systems and is part of the system configuration • fstab file typically lists all used disks and disk partitions • Shows how they are to be used or otherwise integrated into the overall system's file system

  15. fstab Not all of them are mounted Also to see if a network file system is normally mounted $cat /etc/fstab name mount point type mounted at boot dump fsck run? /dev/hda5 / ext2 defaults 1 1 /dev/hda1 /boot ext2 defaults 1 2 /dev/cdrom /mnt/cdrom iso9660 noauto, owner, ro 0 0 /dev/fd0 /mnt/floppy ext2 noauto, owner 0 0 none /proc proc defaults 0 0 none /dev/pts devpts gid=5, mode=620 0 0 matrix:/mnt/tmp /mnt/matrix/tmp nfs defaults 0 0

  16. Other Unix Commands • Script command • Use it for keeping a record of analysis steps • Can record date and system name $script filename $date $uname -a Do your analysis $date When you are at end of analysis ^D to end the script

  17. Other Unix Commands • File command • Tries to figure out what kind of file • Tries 3 ways • 1. file system test • Runs the stat command to see if file is special device or other identified file type • 2. Looks at static file types, executables magic numbers • Looks at /usr/share/file/magic (Linux)‏ • 3. Looks at language definitions, ASCII, Unicode

  18. Other Commands • Helpful in Forensics work • Help you ID foreign object code • If doing analysis on different platform than one that created file system, file command can help ID binaries as native or not to suspect file systems • File Command • Example: $file /bin/bash /bin/bash: ELF 32 bit LSB executable Intel 80386, version 1, dynamically linked (uses shared libs), stripped

  19. Other Commands • Lots more text manipulation tools • Sort, head, tail, uniq, pr, cat –v , cut, paste • Can go to any system and type: man command • to access information about that command $ Cat –v • Will display non-printable characters • Useful to see file names with embedded control characters $ ls –l | cat –v • Displays file names with non-printable characters

  20. Unix Programming Environment • Stat File – Prints inode info $stat myfile.c • File timestamps • Important for logging activities on a system ... • Most things in Unix written in C • Most projects use make utility • Make is based on time of last file access • Touch command • Updates time - can force programs to be compiled $touch myfile.c Changes access and modify time to now

  21. Unix Programming Environment • Touch • Can also use touch to change time file was last modified (doesn’t alter the change time)‏ $touch –t 199912250001.15 myutility.c $stat myutility.c ….. Access: Sat Dec 25 00:01:15 1999 Modify: Sat Dec 25 00:01:15 1999 Change: Fri Apr 28 01:40:42 2000 Sets access and modify to Dec. 25, 1999 at 1:15 Casually looking at file, assume it was modified last in 1999 The change date can actually be different so it is not conclusive that the file was backdated What is the change time of a file?

  22. Ctime • This is often referred to as a file's change time • Its the inode change time • Time when file's meta-information last changed • One common example of this is when the permissions of a file change • Changing permissions doesn't access file, so atime doesn't change • Nor does it modify the file, so the mtime doesn't change • Yet, something about the file itself has changed, and this must be noted somewhere • Another operation that modifies a file's ctime without affecting the others is renaming • In any case, it is not possible, in normal operations, for a user to change the ctime field to a user-specified value Nice reference for file MAC time changes http://www.securityfocus.com/infocus/1738

  23. dd copy tool • dd is the most commonly recommended copy tool • Normally used to copy entire file systems or drive • Can copy large amounts of data between devices • Example: $dd if = /dev/fd0 > floppy.image $dd if = floppy.image of = /dev/fd0

  24. dd copy tool • Notes • Can use cat command and cp also • But, advantage of dd • Can copy data using a specified block size • dd reports how many blocks it copied • Can use it to first wipe your analysis drive to insure no previous data still resides that could corrupt your evidence $ dd if=/dev/zero of=/dev/fd0 2>/home/smith/test/wipedrive • Look at it with disk editor to confirm a string of zeros was written

  25. More Tools and Techniques • File System Analysis – Loopback • Image files of both Unix or other file systems can be mounted like real file systems • First create a directory mount point • Next, mount it read-only using loopback device • Loopback device different than network loopback concept

  26. More Tools and Techniques File System Analysis Continued ... $mkdir /mnt/suspecthost $mount –t ext2 -o ro,loop=/dev/loop0 suspect.image.hda1 /mnt/suspecthost etc2 file system, ro = readonly, Or image from a DOS filesystem $mount –t dos -o ro,loop=/dev/loop0 suspect.image.dos /mnt/suspecthost • Can treat it like any other file system • cd into it, copy from it, use find within it and other commands • Example next time using this concept ...

  27. Summary • Need to know about Unix and Linux file systems and system utilities • Not just for current systems or systems you use • Past systems, unfamiliar systems are also important to know about • Unix is heavily used in the Server world • Chances are one will be compromised • Good to know basic tools that exist on the machine

  28. Resources File system references http://heather.cs.ucdavis.edu/~matloff/unix.html Linux knowledge base and tutorial http://www.linux-tutorial.info/ Law Enforcement and Forensic Examiner’s Guide to Linux ftp://ftp.hq.nasa.gov/pub/ig/ccd/linuxintro/

  29. Finish • New Assignment !!! • No Lab this week • Take-home Midterm Wed – Lab part of test • Go through a case study using Unix tools • dd and others • Text – Chapter 8

More Related