COEN 250 Computer Forensics
Unix System Live Response
Creating a Response Toolkit
• Toolkits depend on the OS.
• Often, need to compile tools from source.
• Many Unix versions are not compatible.
Creating a Response Toolkit
• Tools on the system are often Trojaned.
  • Much more than on Windows machines.
• Statically link tools.
• http://www.incident-response.org
Store information
• On local hard drive.
• On remote media (floppies, USB, tape).
• Record information by hand.
• Use netcat or cryptcat to transfer to a forensic workstation over the net.
Collecting Data before a Forensic Duplication
• System date and time.
• Currently logged-on users.
• Time/date stamps for the entire file system.
• List of currently open sockets.
• Applications listening on these sockets.
• List of recent connections.
Collecting Data before a Forensic Duplication
• Create a trusted shell.
  • Exit X-windows or other GUI.
  • Log on with root privileges.
  • Mount floppy: mount /dev/fd0 /mnt/floppy
  • Run shell from floppy (bash).
  • Set path to . (dot).
Collecting Data before a Forensic Duplication
• Use "date" for the time.
• Use "w" for current users.
• Use ls recursively (-R) to record access, change and modification times, starting at /.
  • ls -alRu / > floppy/atime
  • ls -alRc / > floppy/ctime
  • ls -alR / > floppy/mtime
Collecting Data before a Forensic Duplication
• Use "netstat -an" to view all open ports.
• Use "netstat -anp" (on Linux) to list all applications associated with open ports.
• Use the "lsof" (list open files) utility, as in "lsof -i -D r".
Collecting Data before a Forensic Duplication
• Take a snapshot of all running processes.
  • ps -eaf on Solaris
  • ps -aux on FreeBSD and Linux
Collecting Data before a Forensic Duplication
• Take date again.
• Record all steps (script, history).
• Record MD5 sums to prevent challenges of changed data.
Collecting Data before a Forensic Duplication
• Obtain all system logs.
• Obtain important config files.
• Dump System RAM.
  • Often in /proc/kmem or /proc/kcore.
  • Use it for keyword searches.
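The collection steps above, written out as one POSIX shell function (an added example, not from the course slides). It assumes a trusted toolkit directory of statically linked binaries (for instance the mounted floppy), points PATH at that directory alone, records every step with a timestamp, and ends with an MD5 manifest of everything it gathered; a tool absent from the toolkit is logged as MISSING rather than run from the suspect system.

```shell
#!/bin/sh
# live_collect: volatile-data collection in the order the slides give (date,
# users, timestamp listings, sockets, processes, date again), then MD5 sums of
# everything gathered. PATH is pointed at the trusted toolkit only, so a tool
# missing from it is logged as MISSING instead of being run from the suspect box.
# Assumption: <toolkit_dir> holds statically linked copies (e.g. /mnt/floppy/bin).
#   usage: live_collect <toolkit_dir> <output_dir> [fs_root]
live_collect() (
    toolkit="$1"; out="$2"; root="${3:-/}"
    mkdir -p "$out" || exit 1
    [ -x "$toolkit/date" ] || { echo "no trusted date in $toolkit" >&2; exit 1; }
    PATH="$toolkit"; export PATH           # only the toolkit from here on
    steps="$out/steps.log"; : > "$steps"   # our own "script/history" record

    # step <output_name> <tool> [args...]: run one trusted tool, log it, keep its output
    step() {
        name="$1"; tool="$2"; shift 2
        if [ -x "$toolkit/$tool" ]; then
            printf '%s | %s | %s %s\n' "$(date)" "$name" "$tool" "$*" >> "$steps"
            "$toolkit/$tool" "$@" > "$out/$name" 2>> "$steps"
        else
            printf 'MISSING | %s | %s not in toolkit\n' "$name" "$tool" >> "$steps"
        fi
    }

    step date_start    date
    step users         w
    step atime         ls -alRu "$root"     # access times
    step ctime         ls -alRc "$root"     # inode change times
    step mtime         ls -alR  "$root"     # modification times
    step sockets       netstat -an
    step socket_owners netstat -anp         # Linux only
    step open_files    lsof -i -D r
    step processes     ps -eaf              # ps -aux on FreeBSD/Linux per the slides
    step date_end      date

    # Hash every collected file (the glob expands before the manifest is created,
    # so use a fresh output directory); copy the manifest off the box, e.g. via netcat.
    ( cd "$out" && md5sum * > md5sums.txt ) 2>> "$steps"
    [ -s "$out/md5sums.txt" ]
)
```

Run it as root from the trusted shell, e.g. `live_collect /mnt/floppy/bin /mnt/floppy/out`; the third argument exists only to limit the timestamp listings when testing on a small tree.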
Rootkits
• Rootkits: tools to acquire and keep root access.
• File Level Rootkits: Trojaned
  • login
  • ps
  • find
  • who
  • netstat
Rootkits
• Trojaned login
  • Works as designed.
  • But lets one special username in.
• Trojaned who
  • Works as designed.
  • But does not display the user with the special username.
• Provides access and protection.
Rootkits
• Use Tripwire to detect system file alterations.
• Use trusted forensics tools to find file level rootkits.
Rootkits
• Kernel-Level Rootkits
  • Create their own kernel.
  • That is, let users live in a virtual reality that they created.
• Loadable Kernel Modules (LKM)
  • Supported by Linux, Solaris, etc.
  • Allow modules to be added to the running kernel.
Rootkits
• A rogue LKM can intercept system calls.
• Tripwire will not help: the system files are still there and unchanged.
Rootkits
• Knark
  • To hide a process, send kill -31.
  • The Knark LKM takes care of the rest.
  • Forensically sound tools are not circumvented, though.
Sniffers
• Used to capture network traffic.
  • Payloads are unencrypted login procedures.
  • Payloads are email messages.
  • …
Sniffers
• The Ethernet card needs to be in promiscuous mode for sniffing.
  • Use ifconfig -i eth0
  • Look for the keyword PROMISC.
• Use lsof to find large output files.