
Coen 252 computer forensics

COEN 252 Computer Forensics

Data Analysis Techniques for Hard Drives


Data analysis techniques

Data Analysis Techniques

  • Create forensic duplicate.

  • Protect original as best evidence.

  • Review image file (with tools).

  • Report.

  • Testify.


Data analysis techniques1

Data Analysis Techniques

  • Need collaboration between forensics investigators and case workers.


Data analysis techniques2

Data Analysis Techniques

  • Sources of Evidence

    • Existing Files

    • Deleted Files

    • Logs

    • Special system files (registry, cron)

    • Email archives, printer spools

    • Administrative settings

    • Special types of files (lnk, prefetch)


Data analysis techniques3

Data Analysis Techniques

  • File restoration techniques

    • FAT, NTFS

      • By hand with a hex editor

      • Specialty tools like Norton Undelete

      • Forensics software like EnCase or FTK

      • Mount the drive on a UNIX system and use UNIX tools (Fatback)


Data analysis techniques4

Data Analysis Techniques

  • Unix system

    • With a hex editor, edit the link count in the inode; the file will then be linked into lost+found

    • Use debugfs to relink a file into lost+found on ext2


Data analysis techniques5

Data Analysis Techniques

Deleted files are overwritten if

  • Drive is wiped (e.g. part of PGP suite)

  • New files are created on the partition

  • New software is installed on the partition

  • Applications running may update the partition


Data analysis techniques6

Data Analysis Techniques

Deleted files are overwritten if

  • The partition stores the %systemroot% directory and Windows modifies it for internal housekeeping.

  • The partition contains the web browser cache.

  • The volume contains the TEMP directory.

  • The system is shut down or started up.


Data analysis techniques7

Data Analysis Techniques

Free, slack and unallocated space

  • Use a hex-editor 

  • Use a specialty tool that generates a file by appending all slack and free space

  • Use a forensics tool 

    Free: Outside of a partition.

    Slack: Allocated, but unused overhang in the last cluster of a file

    Unallocated: Not assigned to a current file.


Data analysis techniques8

Data Analysis Techniques

First Task:

  • Generate database of all files

    • Full path.

    • MAC-dates & -times.

    • Logical size of file.

    • MD5 hash (to counteract evidence deterioration).


Data analysis techniques9

Data Analysis Techniques

  • Generate database of all files

    • Use MD5 hash to exclude well-known files from investigation.
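The first task on the slides above (a database of every file with its full path, MAC times, logical size and MD5 hash, then excluding well-known files by hash) is shown here as an added example; this is not code from the course or from any forensic tool. The evidence tree and the "known good" hash set are constructed inside the script so it runs offline; in practice the hash set would come from a reference library such as the NSRL.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large evidence files do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Build the file database: full path, MAC times, logical size, MD5."""
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            records.append({
                "path": path,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "accessed": datetime.fromtimestamp(st.st_atime, timezone.utc),
                "changed": datetime.fromtimestamp(st.st_ctime, timezone.utc),
                "size": st.st_size,       # logical size, not allocated size
                "md5": md5_of_file(path),
            })
    return records


def exclude_known(records, known_hashes):
    """Drop files whose MD5 matches a known-file set (OS and application files)."""
    return [r for r in records if r["md5"] not in known_hashes]


def demo():
    """Constructed evidence tree: two 'well-known' files and one unknown one."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Windows", "System32", "kernel32.dll"), "wb") as f:
        f.write(b"MZ fake kernel32")
    with open(os.path.join(root, "Windows", "notepad.exe"), "wb") as f:
        f.write(b"MZ fake notepad")
    with open(os.path.join(root, "Documents", "excursions.txt"), "wb") as f:
        f.write(b"notes on my little excursions")
    # Constructed "known good" set: hashes of the two fake system files.
    known = {hashlib.md5(b"MZ fake kernel32").hexdigest(),
             hashlib.md5(b"MZ fake notepad").hexdigest()}
    records = inventory(root)
    remaining = exclude_known(records, known)
    return records, remaining


if __name__ == "__main__":
    _all, left = demo()
    for r in left:
        print(r["md5"], r["size"], r["modified"].isoformat(), r["path"])
```

Hashing the files once, at inventory time, also gives the "counteract evidence deterioration" property from the slide: any later change to the image shows up as a hash mismatch against this database.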


Data analysis techniques10

Data Analysis Techniques

  • Prepare drive for string searches.

    • Forensics tools do this automatically.

    • Need to deal with proprietary formats.

    • Compressed files need to be uncompressed.

    • Encrypted files need to be decrypted.


Data analysis techniques11

Data Analysis Techniques

  • Perform string searches

    • On UNIX, use grep.

    • Forensics tools preprocess forensic duplicates.


Data analysis techniques12

Data Analysis Techniques

  • Perform String Searches

    • The “How” is easier than the “What”.

    • Investigator and analyst need to work together:

      • “What are we looking for?”

      • “What information do we need?”


Data analysis techniques13

Data Analysis Techniques

Example:

The hard drive of a robbery suspect contains numerous references to his “little excursions”.

To tie the suspect to the computer, establish usage by suspect alone by:

  • Finding personal pictures (look for jpg).

  • Restore old emails.

  • Restore chat sessions.

    http://www.signonsandiego.com/news/metro/santana/20010312-9999_1n12compute.html


Data analysis techniques what to look for

Data Analysis TechniquesWhat to look for

Email

  • Primary Source of Evidence.

  • Email in transit is protected by the ECPA and other statutes.

  • Checking email after transmission is treated similarly to a search of files.


Data analysis techniques what to look for1

Data Analysis TechniquesWhat to look for

  • Print Spooler Files.

    • Typically deleted right after printing

    • Usually not overwritten

    • Not used by modern printers


Data analysis techniques what to look for2

Data Analysis TechniquesWhat to look for

  • Web Cache Evidence

    • All web browsers cache.

    • Some delete files after session closes.

  • Ex.: United States v. Tucker:

    The government introduced Internet conversations taken from Tucker's computer which showed that while he was looking for pictures he stated that he was into "young action" and would "like to start trading (3)27" and introduced a listing of Internet conversations documenting Tucker's trading of such images.

    United States Court of Appeals, Eleventh Circuit, No. 97-2767


Data analysis techniques what to look for3

Data Analysis TechniquesWhat to look for

  • Swap Files / Virtual Memory Files

    • Can be very large.

    • Use Forensics Tools like Encase

    • Alternatively: Hex Editors, Norton Disk Commander (under Windows)


Windows data analysis

Windows Data Analysis

  • Perform keyword searches.

  • Review Logs.

  • Review Registry.

  • Review swap files.

  • Review special application files:

    • Internet Cache

    • Recycle Bin

    • Printer Spool

    • Email Files


Windows data analysis text searches

Windows Data Analysis: Text Searches

  • Raw Data Level

    • BinText (Foundstone)

    • Disk Investigator (K. Soloway)

    • SectorSpyXP (McCamy, Lexun Freeware)

  • Forensics Tools

    • Encase

    • FTK

    • Mareswares


Windows data analysis text searches1

Windows Data Analysis: Text Searches


Windows data analysis logs

Windows Data AnalysisLogs

Windows NT, 2000, XP, 2003, 7 maintain log files

  • System Log

  • Application Log

  • Security Log


Windows data analysis logs1

Windows Data AnalysisLogs

Live System:

  • Use Event Viewer


Windows data analysis logs2

Windows Data AnalysisLogs

Event Log Dump

  • Use PsLogList (Sysinternals)

  • dumpel (Win2000 Resource Kit)


Windows data analysis logs3

Windows Data AnalysisLogs

From forensics duplicate

  • secevent.evt

  • appevent.evt

  • sysevent.evt


Windows data analysis logs4

Windows Data AnalysisLogs

Drawbacks

  • Default security logging is “no logging”.

  • Do not record IP addresses

  • Application log uses localized settings.

    (Forensics workstation will not interpret these.)


Windows data analysis logs5

Windows Data AnalysisLogs

Internet Information Services (IIS) has its own set of logs.

  • Uses W3C standards as a default


Windows data analysis logs6

Windows Data AnalysisLogs

  • Need to be enabled.

  • More important for incident response than for law enforcement.

  • Get HTTP status codes.


Windows data analysis logs7

Windows Data AnalysisLogs

  • Many other applications log:

    • Internal firewalls.

  • Create your own log from the timestamp of files around critical times.

    • FileList (www.forensics-intl.com) will do this for you.


Windows data analysis reviewing relevant files

Windows Data AnalysisReviewing Relevant Files

  • Recycle Bin

    • Folder Recycled in Win95/98.

    • Folder Recycler in WinNT/2000/XP.

  • Date and Time of Deletion in

    • System file INFO in Win95

    • System file INFO2 in Win98

  • Information available in Win2000, WinXP


Windows data analysis reviewing relevant files1

Windows Data AnalysisReviewing Relevant Files

  • Windows moves a deleted file into the Recycle Bin.

  • Only emptying the Recycle Bin deletes it from there.

  • Thus, files can be retrieved from deleted Recycle Bin entries.


Windows data analysis reviewing relevant files2

Windows Data AnalysisReviewing Relevant Files

  • $Logfile entry in the MFT contains the log of all file system transactions

  • Deletion of a file leaves several entries in $Logfile

  • Not unusual to find files that are no longer on the disk

  • Shows that file was used by the system


Windows data analysis reviewing relevant files3

Windows Data AnalysisReviewing Relevant Files

  • Shortcuts can contain relevant information.

  • Stored in the desktop folder.

A special agent of the Illinois Attorney General’s Office investigated a case involving child pornography. The agent located a shortcut file in the Windows/Desktop folder whose target was a screensaver program. Upon examining the screensaver program, the agent found that it caused 30 images depicting child pornography to be displayed on the computer’s monitor when the shortcut was activated. Casey, p. 153


Windows data analysis reviewing relevant files4

Windows Data AnalysisReviewing relevant files

  • Prefetch files

    • Give better performance

    • Used to collect information on what is necessary to run a program

    • Stored in Windows/prefetch

    • Various tools to parse prefetch files

    • Forensic significance:

      • Suggests that program has been executed

      • Gives last time application was run

      • Gives number of runs


Reviewing relevant files

Reviewing Relevant Files

  • Scheduled Tasks

    • Windows 2000, XP, 2003 in Windows\Tasks

    • Windows 7 Windows\System32\Tasks

      • .job files

    • Scheduled task log SchedLgU.txt in Windows\Tasks


Windows data analysis reviewing relevant files5

Windows Data AnalysisReviewing Relevant Files

  • JUMP lists

    • List of files recently opened in Windows 7

    • Appdata\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

    • First 16 characters of file name identify application

    • Uses .lnk file format

    • Gives time stamps

    • Various analyzers exist


Windows data analysis reviewing relevant files6

Windows Data AnalysisReviewing Relevant Files

  • Thumbs.db (System file)

    • Contains thumbnail pictures for the folder.

    • Not perfectly synchronized with folder.

    • Deleted images might still be available.


Windows data analysis reviewing relevant files7

Windows Data AnalysisReviewing Relevant Files

  • Temporary files

    • Files with extension tmp

    • Created by many applications

  • Emails with large attachments:

    • Attachments are probably stored as temp files. (Depends on email system.)

  • Look for file extensions .tmp .


Windows data analysis reviewing relevant files8

Windows Data AnalysisReviewing Relevant Files

  • Internet Explorer (as well as other browsers) uses a cache.

  • index.dat records the websites cached by Internet Explorer.

  • Written in a binary format.

  • Use Pasco from Foundstone to parse it.


Windows data analysis reviewing relevant files9

Windows Data AnalysisReviewing Relevant Files


Windows data analysis reviewing relevant files10

Windows Data AnalysisReviewing Relevant Files


Windows data analysis reviewing relevant files11

Windows Data AnalysisReviewing Relevant Files

  • Browser Cache

    • C:\Documents and Settings\Username\Local Settings\Temporary Internet Files

      or

    • C:\Program Files\Netscape\Users\Username\Cache


Windows data analysis reviewing relevant files12

Windows Data AnalysisReviewing Relevant Files


Windows data analysis reviewing relevant files13

Windows Data AnalysisReviewing Relevant Files

  • Cookies can be partially deciphered.

  • Use Galleta from Foundstone.


Windows data analysis reviewing relevant files14

Windows Data AnalysisReviewing Relevant Files

  • Typically, concatenate all cookies.

  • Redirect Galleta's output into an Excel file.

  • Investigate the Excel file.


Windows data analysis reviewing relevant files15

Windows Data AnalysisReviewing Relevant Files

  • Dial-up Networking

    • rasautou -s gives autodial addresses


Windows data analysis registry

Windows Data AnalysisRegistry

  • Database that stores settings and options for 32-bit Microsoft Windows operating systems

  • Contains information and setting for

    • Hardware

    • Software

    • Users

    • Preferences


Windows data analysis registry1

Windows Data AnalysisRegistry

Win95, Win98

  • USER.DAT, SYSTEM.DAT in the Windows directory

WinME

  • USER.DAT, SYSTEM.DAT, CLASSES.DAT

WinNT, 2000, XP

  • Hive files in %SystemRoot%\System32\Config


Windows data analysis registry2

Windows Data AnalysisRegistry

  • Use RegEdit to access.

  • Before experimentation, make a backup of the registry.


Windows data analysis registry3

Windows Data AnalysisRegistry

  • Hierarchical structure

  • Main branches are Hives

  • Hives contain keys.

  • Keys can contain subkeys and values


Windows data analysis registry4

Windows Data AnalysisRegistry


Windows data analysis registry5

Windows Data AnalysisRegistry

  • Six main branches

    • HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.

    • HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.


Windows data analysis registry6

Windows Data AnalysisRegistry

  • HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.

  • HKEY_USERS - This branch contains individual preferences for each user of the computer; each user is represented by a SID subkey located under the main branch.


Windows data analysis registry7

Windows Data AnalysisRegistry

  • HKEY_CURRENT_CONFIG - links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.

  • HKEY_DYN_DATA - points to the part of HKEY_LOCAL_MACHINE used by the Plug-and-Play features of Windows; this section is dynamic and changes as devices are added to and removed from the system.


Windows data analysis registry8

Windows Data AnalysisRegistry

  • Registry Editor can import and export registry settings to / from a text file.

  • Copy registry hive files from the forensic duplicate to your forensic work station.

  • Import them into regedit.

    IF YOU MESS UP THE REGISTRY, YOU NEED TO REBUILD YOUR SYSTEM.


Windows data analysis registry9

Windows Data AnalysisRegistry

In a recent investigation by the Los Angeles County Sheriff’s Computer Crime Unit, a detective investigated an employee suspected of misappropriating confidential computer information stored by his company. When the detective examined one of the workplace computers, he found remnants of a key-trapping program in the registry. During an interview, the suspect admitted to having installed, used, and deleted the key-trapping program for the purposes of obtaining user names and passwords of coworkers.


Windows data analysis registry10

Windows Data AnalysisRegistry

  • Use the registry to

    • Find installed software (such as L0phtcrack).

    • Find traces of manually deleted software.

  • Use backups of the registry to trace the installation and uninstallation of software.

  • Find data on user accounts


Windows data analysis registry11

Windows Data AnalysisRegistry

  • Use the registry to

    • obtain listing of applications that are set to run automatically

    • obtain registry entries that have been modified lately

      • Registry keys have LastWrite time

        • 64-bit value counting 100-nanosecond intervals since January 1, 1601 (UTC).

    • User accounts
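Converting a registry LastWrite time is a small calculation that is easy to get wrong by a factor of ten or by the 1601 offset, so here it is as an added example (not course material and not taken from any registry tool). The only assumption is the FILETIME definition itself: a 64-bit unsigned count of 100 ns intervals since 1601-01-01 UTC, stored little-endian in hive files.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch and the well-known offset to the Unix epoch
# (116444736000000000 intervals of 100 ns between 1601-01-01 and 1970-01-01).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000


def filetime_to_datetime(ft):
    """Convert a FILETIME integer into an aware UTC datetime.
    Resolution is truncated to microseconds (datetime cannot hold 100 ns)."""
    if ft < 0 or ft >= 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def filetime_to_unix(ft):
    """Same instant as (fractional) seconds since the Unix epoch."""
    return (ft - UNIX_EPOCH_AS_FILETIME) / 10_000_000


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (exact for microsecond-aligned values)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_from_bytes(raw, offset=0):
    """Decode the 8-byte little-endian FILETIME as it appears in a hive file."""
    (ft,) = struct.unpack_from("<Q", raw, offset)
    return ft


if __name__ == "__main__":
    # Constructed sample: the bytes of the Unix epoch as a FILETIME.
    sample = bytes.fromhex("00803ed5deb19d01")
    ft = filetime_from_bytes(sample)
    print(ft, filetime_to_datetime(ft).isoformat())
```

When comparing LastWrite times with file system timestamps from the same image, convert both to UTC first; NTFS also stores UTC, but the Event Viewer and Explorer display local time, which is a classic source of off-by-timezone mistakes in a timeline.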


Windows data analysis ms word files

Windows Data AnalysisMS Word files

  • Word documents contain a revision log.

    • Used by Richard M. Smith to investigate a press release by PM Blair.

    • Turned out that the press release was mainly a copy of a Middle East Review of International Affairs article.

  • .pdf, .html, … files generated from .doc files do not have this revision history.


Windows data analysis pdf files

Windows Data Analysis.pdf files

  • .pdf files also contain meta-data

    • Accessible in Adobe Reader


Windows data analysis unusual or hidden files

Windows Data AnalysisUnusual or Hidden Files

  • NTFS borrowed a feature from the Macintosh Hierarchical File System to store multiple data streams under one file entry: "alternate data streams".

  • This allows a file to be hidden:

  • cp nc.exe logo.jpg:nc.exe

  • Now nc.exe is hidden in a stream of logo.jpg.

  • Use SFind (Foundstone) to find streamed files.


Windows data analysis print spooler files

Windows Data Analysis Print Spooler Files

  • Print Spooler Files. (EMF under Win).

  • EMF files are deleted after printing.

    • The “Gap-Toothed Bandit”, Michael Craig Dickman, used proceeds from bank robberies to support his struggling biotech start-up.

    • Arrested after a heist in La Jolla, 1999.

    • SD RCFL found the demand notes as a deleted EMF file on his laptop.


Data analysis techniques what to look for4

Data Analysis TechniquesWhat to look for

  • Print spooling uses temporary files that

    • contain the data to be printed.

    • contain data on the print job.

  • Two methods, RAW and EMF

    • Shadow file .SHD holds information on the print job

    • In RAW mode, .SPL contains the data to be printed

    • In EMF mode, .SPL contains the file name, the method, and the list of files with print data, EMF****.TMP


Data analysis techniques what to look for5

Data Analysis TechniquesWhat to look for

Department of Consumer Affairs in Orange County, CA, arrested a suspect for selling counterfeit state license certificates and seized his computer. Although the examiners had seized some of the counterfeit certificates from victims, they were unable to locate evidence on the computer. When the examiners requested a second review from the California Department of Insurance, Fraud Division, the Computer Forensics Team identified several deleted enhanced metafiles that exactly matched the paper copies that had been seized during the investigation. The only evidence present on the drive were the enhanced metafiles. The defendant was convicted at trial. Casey, p. 163


Windows data analysis rogue processes

Windows Data AnalysisRogue Processes

To find rogue processes on a duplicate image

  • Restore the file system.

  • Run antivirus software.

  • Disable writing to the restored volume.


Windows data analysis find hidden doors

Windows Data AnalysisFind Hidden Doors

  • Schedule an event

    remote /s "cmd.exe" mysystem

  • Remote command from the NT Resource Kit

    remote /c "cmd.exe" mysystem

  • Allows connecting with a command prompt from outside the system

  • Schedule this with the at or the soon utility


Windows data analysis find hidden doors1

Windows Data AnalysisFind Hidden Doors

  • at (with no arguments) lists any jobs that have been scheduled.


Windows data analysis review last searches

Windows Data AnalysisReview last searches

  • Use AFind (foundstone) to look for the last few files accessed.

  • Look at the Find scrollbox.


Unix data analysis

UNIX Data Analysis

  • Review all pertinent logs

  • Perform keyword searches

  • Review relevant files

  • Identify unauthorized user accounts or groups

  • Identify rogue processes

  • Check for unauthorized access points

  • Analyze trust relationships

  • Check for kernel module rootkits


Unix data analysis logs

Unix Data AnalysisLogs

  • Unix maintains a variety of logs.

  • A hacker could change the logs.

  • But you need to look at them.

  • Placed in directories depending on the UNIX flavor

    • /var/log

    • /usr/adm

    • /var/adm


Unix data analysis logs1

UNIX Data AnalysisLogs

  • syslog

  • Controlled by /etc/syslog.conf

  • Uses syslogd

  • Can be used to log remotely


Unix data analysis logs2

Unix Data AnalysisLogs

  • Look at the syslog.conf

  • Three fields:

    • Facility field: subsystem that produced the log (e.g. mail)

    • Priority field: debug, info, notice, warning, err, crit, alert, emerg

    • Action field: how is the log recorded, typically name of log field (or IP address)
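To make the three syslog.conf fields concrete, here is an added parser (my example, not part of the lecture) that reads a constructed Linux-style syslog.conf, classifies each action (file, device, remote host, all users) and answers the question an examiner actually has: for a given facility and priority, which files or hosts received the message? It implements classic selector semantics (a priority selects that level and above; `facility.none` cancels an earlier wildcard on the same line) and does not handle the `=` and `!` priority modifiers some syslogd versions add.

```python
# Constructed syslog.conf excerpt; the remote host name is a placeholder.
SAMPLE_SYSLOG_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
cron.*                            /var/log/cron
*.emerg                           *
kern.crit                         @loghost.example.invalid
auth.*                            /dev/console
"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


def classify_action(action):
    """Map the action field to (kind, target)."""
    if action.startswith("@"):
        return ("remote", action[1:])          # forwarded to a syslog server
    if action == "*":
        return ("all_users", None)             # written to every logged-in terminal
    if action.startswith("|"):
        return ("pipe", action[1:])
    if action.startswith("-"):
        return ("file", action[1:])            # '-' = no fsync after each write
    if action.startswith("/dev/"):
        return ("device", action)
    return ("file", action)


def parse_syslog_conf(text):
    """Return a list of (selectors, action); selectors is a list of
    (facility, priority) pairs from the ';'-separated selector field."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                            # malformed: selector without action
        selectors = []
        for sel in parts[0].split(";"):
            facility, _, priority = sel.partition(".")
            selectors.append((facility, priority))
        rules.append((selectors, classify_action(parts[1].strip())))
    return rules


def selector_matches(selectors, facility, priority):
    """Evaluate one line's selectors left to right for a message."""
    level = PRIORITIES.index(priority)
    chosen = False
    for fac, pri in selectors:
        if fac != "*" and fac != facility:
            continue
        if pri == "none":
            chosen = False
        elif pri == "*" or PRIORITIES.index(pri) <= level:
            chosen = True
    return chosen


def destinations_for(rules, facility, priority):
    """Every action that receives a message of this facility/priority."""
    return [action for selectors, action in rules
            if selector_matches(selectors, facility, priority)]


def remote_hosts(rules):
    """Hosts holding a second copy of the logs: where to look if the local
    copy has been altered."""
    return sorted({target for _, (kind, target) in rules if kind == "remote"})


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_SYSLOG_CONF)
    print(destinations_for(rules, "kern", "crit"))
    print(remote_hosts(rules))
```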


Unix data analysis logs3

Unix Data AnalysisLogs

  • Log entries

    • In ASCII

    • Usually world-readable

    • Only writable by root


Unix data analysis logs4

Unix Data AnalysisLogs

Remote Syslog Server logs

  • Attackers with root privileges can change the logs

  • Use a remote syslog server for safety

  • Attacker can add spurious entries to the remote syslog

  • Harden remote syslog server


Unix data analysis logs5

Unix Data AnalysisLogs

TCP Wrappers

  • Host-based access control for TCP and UDP services

  • Any connection attempt is logged via syslog

    May 13 23:11:45 victim sshd[12528]: ROOT LOGIN REFUSED FROM www.scu.edu

    May 13 23:19:03 victim in.tftpd[524]: connect from 10.10.10.10


Unix data analysis logs6

Unix Data AnalysisLogs

Other network logs

  • Server specific logs, e.g. for FTP


Unix data analysis host logging

Unix Data AnalysisHost Logging

  • su command logs

    • Part of syslog

    • Stored in /var/log/messages

  • Currently logged in users

    • Stored in utmp or wtmp

    • Use w, who, finger, last to read

    • Modified by many hacker tools


Unix data analysis host logging1

Unix Data AnalysisHost Logging

Logon attempt logs

  • Recorded on most UNIX machines

  • /var/messages on Linux


Unix data analysis host logging2

Unix Data AnalysisHost Logging

cron

  • Allows users to schedule programs for future execution

  • Often used for attacks

  • Logged, typically in /var/cron/log


Unix data analysis user activity logging

Unix Data AnalysisUser Activity Logging

  • Every command by every user can be logged

  • Shells store history files for each user


Unix data analysis logging

Unix Data AnalysisLogging

  • Attacker gains root access to system

  • Deletes the .bash_history file

  • Links file to /dev/null

  • Can no longer log

  • Look for the shell log:

    [linuxbox] # ls -al
    total 52
    drwxr-x---  5 root root 4096 Dec 12 04:47 .
    drwxr-x---  5 root root 4096 Dec  8 01:27 ..
    -rw-------  1 root root  108 Dec 12 04:47 .XAuthority
    -rw-r--r--  1 root root 1198 Aug 23 04:47 .XDefaults
    lrwxrwxrwx  1 root tty     9 Dec  8 14:12 .bash_history -> /dev/null


    Unix data analysis string searches

    UNIX Data AnalysisString Searches

    grep

    • String search within a file

    • String search within a binary file

    • Recursive searches

    # grep root /etc/passwd
    root:x:0:0:root:/root:/bin/bash

    # grep PROMISC /sbin/ifconfig
    Binary file /sbin/ifconfig matches

    # grep -r -i password /


    Unix data analysis string searches1

    UNIX Data AnalysisString Searches

    find

    • Use to search for a file by name

    • E.g., find "..." (a typical hacker trick to hide a directory)

    • Found one:

    # find / -name "\.\.\." -print
    /home/hacker/MDAc/temp/.../root/...


    Unix data analysis relevant files

    UNIX Data AnalysisRelevant Files

    • Finding relevant files after an incident is an art.

    • Careful about destroying evidence by running system commands that will change times.

    • Mount evidence drive read-only or better, duplicate.


    Unix data analysis relevant files1

    UNIX Data AnalysisRelevant Files

    • Identify the time of the incident.

    • Look for files accessed, created or modified around that time.

    • Use find with the -atime, -ctime, -mtime options
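As an added example of the three steps above (this is my code, not the lecture's), the following script does in Python what `find -newer`/`-mtime` does on the command line, but for all three timestamps at once: it walks an evidence tree with `lstat` (so it neither follows symlinks nor updates access times), keeps every file whose atime, mtime or ctime falls inside a window around the incident time, and returns them as one sorted timeline. The evidence tree is constructed in `demo()`.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone


def activity_window(root, incident_time, before=timedelta(hours=1), after=timedelta(hours=1)):
    """Return sorted (timestamp, kind, path) events for every file or directory
    under root whose atime, mtime or ctime lies in
    [incident_time - before, incident_time + after]."""
    lo = (incident_time - before).timestamp()
    hi = (incident_time + after).timestamp()
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: no symlink following, no atime update
            except OSError:
                continue
            for kind, ts in (("modified", st.st_mtime),
                             ("accessed", st.st_atime),
                             ("changed", st.st_ctime)):
                if lo <= ts <= hi:
                    events.append((datetime.fromtimestamp(ts, timezone.utc), kind, path))
    events.sort()
    return events


def demo():
    """Constructed tree: one old file and one file dropped at incident time."""
    root = tempfile.mkdtemp(prefix="evidence_")
    incident = datetime.now(timezone.utc)
    old = os.path.join(root, "old_file")
    dropped = os.path.join(root, "dropped_tool")
    for p in (old, dropped):
        with open(p, "w") as f:
            f.write("x")
    # Push the old file's atime and mtime two days back. Its ctime stays "now":
    # ctime cannot be set from user space, which is exactly why it is the
    # timestamp an intruder's touch(1)-style tampering cannot fake.
    two_days_ago = (incident - timedelta(days=2)).timestamp()
    os.utime(old, (two_days_ago, two_days_ago))
    return activity_window(root, incident, timedelta(minutes=5), timedelta(minutes=5))


if __name__ == "__main__":
    for when, kind, path in demo():
        print(when.isoformat(), kind, path)
```

The same walk, run over a read-only mounted duplicate as the earlier slide advises, is safe; run against the live evidence drive it would be the "system command that changes times" the slide warns about, because even listing a directory can update its atime.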


    Unix data analysis relevant files suid programs

    UNIX Data AnalysisRelevant Files: SUID Programs

    • UNIX allows applications to set the user ID (SUID) and set the group ID (SGID).

    • Such programs run with the privileges of the owner, typically root.

    • SUID programs are the source of most privilege escalation attacks.


    Unix data analysis relevant files suid programs1

    UNIX Data AnalysisRelevant Files: SUID Programs

    • Sometimes unprivileged users need to accomplish tasks that require high privileges.

    • For example, passwd needs to access the password file in /etc/passwd

    • But users should not be given access to /etc/passwd


    Unix data analysis relevant files suid programs2

    UNIX Data AnalysisRelevant Files: SUID Programs

    • User invokes passwd

    • passwd changes its UID (with SUID)

    • passwd now runs with root UID

    • passwd can now access the password file.


    Unix data analysis relevant files suid programs3

    UNIX Data AnalysisRelevant Files: SUID Programs

    • You recognize these programs with ls -l

    • The file permissions have an s instead of an x

    • -rwsr-xr-- SUID program

    • -rwxr-sr-- SGID program


    Unix data analysis relevant files suid programs4

    UNIX Data AnalysisRelevant Files: SUID Programs

    SECURITY INCIDENT EXAMPLE

    • Superuser is logged on as root and leaves the terminal unattended.

    • Whoever sits down creates a SUID shell.

    • Anyone invoking /tmp/break-acct then gets root privileges.

    # cp /bin/sh /tmp/break-acct
    # chmod 4755 /tmp/break-acct


    Unix data analysis relevant files suid programs5

    UNIX Data AnalysisRelevant Files: SUID Programs

    Old Break-in

    • /usr/lib/preserve is used by the vi and ex editors to make an automatic backup of the file being edited when the user suddenly disconnects.

    • preserve writes file changes to a temp file in a special directory


    Unix data analysis relevant files suid programs6

    UNIX Data AnalysisRelevant Files: SUID Programs

    • preserve uses /bin/mail to send the user a notification that the file has been saved.

    • This temp file should not be accessible by world.

    • Thus, preserve needs root privileges


    Unix data analysis relevant files suid programs7

    UNIX Data AnalysisRelevant Files: SUID Programs

    • preserve was installed as SUID root.

    • preserve ran /bin/mail as root.

    • preserve executed the mail program with the system function call.

    • system uses sh to parse the string that it executes.


    Unix data analysis relevant files suid programs8

    UNIX Data AnalysisRelevant Files: SUID Programs

    Problem:

    • Shell variable IFS tells sh how to interpret the white spaces.

    • Normally sets white spaces to be space, tab, enter, etc.

    • Attacker sets white spaces to “/”


    Unix data analysis relevant files suid programs9

    UNIX Data AnalysisRelevant Files: SUID Programs

    • Attacker runs vi.

    • Attacker crashes system.

    • preserve runs.

    • system interprets /bin/mail as “bin mail”

    • Thus, it executes any program called bin with the argument mail, as root.


    Unix data analysis relevant files suid programs10

    UNIX Data AnalysisRelevant Files: SUID Programs

    • Find all SUID and SGID files with the following command:

    • find starts in /

    • Looks for files with permission bit 002000 (SGID) or 004000 (SUID) set

    • Know what to expect.

    # find / \( -perm -004000 -o -perm -002000 \) -type f -print


    Unix data analysis relevant files hidden files

    UNIX Data AnalysisRelevant Files: Hidden Files

    Hide “bad” files

    • By giving them innocuous names

    • By giving a name similar to a reasonable name “ syslog” vs. “syslog”

    • Calling a directory “…” (“.” current directory, “..” parent directory)
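The slides on the `.bash_history -> /dev/null` trick, the `...` directory, the SUID/SGID `find` and the hidden-file naming tricks all come down to one walk over the file system looking for things that should not be there. Here they are combined into a single added example (mine, not the course's, and not a replacement for a real rootkit checker): it walks a tree without following symlinks, flags dots-only and whitespace-padded names, history files linked to /dev/null, and any SUID/SGID file not on a baseline list ("know what to expect"). The evidence tree in `demo()` is constructed, with a fake `passwd` as the expected setuid binary and the slide's `/tmp/break-acct` as the unexpected one.

```python
import os
import stat
import tempfile

HISTORY_FILES = {".bash_history", ".sh_history", ".history", ".zsh_history"}


def name_findings(name):
    """Naming tricks from the slide: dots-only names beyond '.' and '..',
    leading/trailing whitespace (' syslog'), and control characters."""
    out = []
    if set(name) == {"."} and len(name) > 2:
        out.append("dots-only-name")
    if name != name.strip():
        out.append("whitespace-in-name")
    if any(c in name for c in "\n\r\t"):
        out.append("control-char-in-name")
    return out


def audit_tree(root, expected_setid=frozenset()):
    """Walk root (symlinks not followed) and return (tag, path) findings.
    expected_setid: absolute paths of SUID/SGID files that belong there."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            for tag in name_findings(name):
                findings.append((tag, path))
            if stat.S_ISLNK(st.st_mode) and name in HISTORY_FILES:
                if os.readlink(path) == "/dev/null":
                    findings.append(("history-to-devnull", path))
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                if path not in expected_setid:
                    findings.append(("unexpected-setid", path))
    return findings


def demo():
    """Constructed evidence tree exercising each check once."""
    root = tempfile.mkdtemp(prefix="evidence_")
    home = os.path.join(root, "home", "hacker")
    os.makedirs(os.path.join(home, "..."))                     # the '...' directory trick
    os.makedirs(os.path.join(root, "var", "log"))
    open(os.path.join(root, "var", "log", "syslog"), "w").close()
    open(os.path.join(root, "var", "log", " syslog"), "w").close()   # look-alike name
    os.symlink("/dev/null", os.path.join(home, ".bash_history"))   # history disabled
    legit = os.path.join(root, "usr", "bin", "passwd")
    rogue = os.path.join(root, "tmp", "break-acct")
    for p in (legit, rogue):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, 0o4755)                                   # rwsr-xr-x
    return audit_tree(root, expected_setid={legit})


if __name__ == "__main__":
    for tag, path in demo():
        print(tag, path)
```

Run this against a read-only mounted duplicate, not the live system: on a live host with a kernel-module rootkit the directory listing itself may already be lying, which is the point of the later slide on comparing internal and external views.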


    Unix data analysis relevant files configuration files

    UNIX Data AnalysisRelevant Files: Configuration Files

    • Primary target to keep access for a hacker.

    • /etc/hosts.allow and /etc/hosts.deny determine the access policy.

    • /etc/inetd.conf controls network services


    Unix data analysis relevant files configuration files1

    UNIX Data AnalysisRelevant Files: Configuration Files

    • Add an entry to inetd.conf:

    • Simple backdoor that listens on port 55000

    • Same telnet server as the one for port 23.

    • Port 55000 might not be monitored

    telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd
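The backdoor entry above is easy to miss among legitimate lines, so here is an added example (my code, not from the lecture) of checking an inetd.conf the way an examiner would: parse the seven fields, resolve the daemon behind a tcpd wrapper, map each service name to a port, and flag a daemon that is listed twice, a well-known daemon bound to a service name it does not normally use, and a root-run daemon on a high port. The inetd.conf excerpt is constructed around the slide's line, and the `SAMPLE_SERVICES` dictionary stands in for /etc/services (with the slide's assumption that `telnet2` maps to port 55000).

```python
import os

# Constructed inetd.conf; the last line is the backdoor entry from the slide.
SAMPLE_INETD_CONF = """\
# service  type    proto  wait/nowait  user    server            args
ftp      stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet   stream tcp nowait root   /usr/sbin/tcpd in.telnetd
#shell   stream tcp nowait root   /usr/sbin/tcpd in.rshd
tftp     dgram  udp wait   nobody /usr/sbin/tcpd in.tftpd /tftpboot
finger   stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
telnet2  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
"""

# Stand-in for /etc/services (constructed; telnet2 -> 55000 as on the slide).
SAMPLE_SERVICES = {"ftp": 21, "telnet": 23, "tftp": 69, "finger": 79, "telnet2": 55000}

# Service name(s) each daemon is normally bound to (assumed baseline).
EXPECTED_SERVICE_FOR_DAEMON = {
    "in.telnetd": {"telnet"}, "in.ftpd": {"ftp"},
    "in.tftpd": {"tftp"}, "in.fingerd": {"finger"},
}


def parse_inetd_conf(text):
    """Parse inetd.conf into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            continue
        entry = {"service": f[0], "socktype": f[1], "proto": f[2],
                 "wait": f[3], "user": f[4], "server": f[5], "args": f[6:]}
        # Behind a tcpd wrapper, the real daemon is the first argument.
        if entry["server"].endswith("/tcpd") and entry["args"]:
            entry["daemon"] = entry["args"][0]
        else:
            entry["daemon"] = os.path.basename(entry["server"])
        entries.append(entry)
    return entries


def audit_inetd(entries, services):
    """Return (tag, detail) findings for suspicious entries."""
    findings = []
    by_daemon = {}
    for e in entries:
        port = services.get(e["service"])
        if port is None:
            findings.append(("unknown-service-name", e["service"]))
        expected = EXPECTED_SERVICE_FOR_DAEMON.get(e["daemon"])
        if expected is not None and e["service"] not in expected:
            findings.append(("daemon-on-unexpected-service",
                             f"{e['daemon']} as {e['service']}/{port}"))
        if port is not None and port >= 1024 and e["user"] == "root":
            findings.append(("root-daemon-on-high-port", f"{e['service']}/{port}"))
        by_daemon.setdefault(e["daemon"], []).append(e["service"])
    for daemon, svcs in by_daemon.items():
        if len(svcs) > 1:
            findings.append(("daemon-listed-twice", f"{daemon}: {','.join(svcs)}"))
    return findings


if __name__ == "__main__":
    for tag, detail in audit_inetd(parse_inetd_conf(SAMPLE_INETD_CONF), SAMPLE_SERVICES):
        print(tag, detail)
```

On a real image, read the service-to-port mapping from the image's own /etc/services rather than the workstation's: an added `telnet2 55000/tcp` line there is itself part of the evidence.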


    Unix data analysis relevant files cron

    UNIX Data AnalysisRelevant Files: cron

    • cron facility used to schedule future executions of programs

    • /var/spool/cron or /usr/spool/cron stores cron jobs

    • /etc/rc.d contains a listing of programs that start when UNIX boots.

    • Check all startup scripts for trojans.


    Unix data analysis phone home

    UNIX Data AnalysisPhone Home

    • Outgoing traffic is usually not monitored.

    • Compromised system uses cron to initiate a connection to an outside system.

    • Outside system can control the compromised system.


    Unix data analysis relevant files startup

    UNIX Data AnalysisRelevant Files: Startup

    • User home directories contain startup files.

    • .login

    • .profile

    • .cshrc


    Unix data analysis relevant files tmp

    UNIX Data AnalysisRelevant Files: /tmp

    • Only world-writable file system on a typical UNIX system.

    • Hangout for nefarious tools.


    Unix data analysis user accounts

    UNIX Data AnalysisUser Accounts

    • Each user has an entry in /etc/passwd

      dvader:x:512:516:Darth Vader:/home/dvader:/bin/bash

      • User name

      • Password (shadowed)

      • User Id

      • Group Id

      • Comment field

      • Home directory

      • Default login shell


    Unix data analysis user accounts1

    UNIX Data AnalysisUser Accounts

    • /etc/group defines groups (group name, password, GID, member user names):

      root::0:root,tschwarz
      bin::2:root,bin,daemon
      sys::3:root,bin,sys,adm
      adm::4:root,adm,daemon
      uucp::5:root,uucp


    Unix data analysis user accounts2

    UNIX Data AnalysisUser Accounts

    • If suspicious of compromise, investigate user accounts and group accounts.
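As an added example of that investigation (my code, not the course's), here is a parser for the seven-field /etc/passwd and four-field /etc/group formats shown on the previous slides, followed by the checks an examiner runs first: a second UID 0 account, empty password fields, system accounts given an interactive shell, duplicate UIDs, members of privileged groups, and group members that do not exist in passwd. Both files are constructed; the `dvader` line is the one from the slide, and the `toor` and `ghost` entries are planted findings.

```python
# Constructed /etc/passwd (names and IDs invented except the slide's dvader line).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sys:x:3:3:sys:/dev:/sbin/nologin
adm:x:4:4:adm:/var/adm:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
tschwarz:x:500:500:Thomas Schwarz:/home/tschwarz:/bin/bash
dvader:x:512:516:Darth Vader:/home/dvader:/bin/bash
toor:x:0:0::/:/bin/sh
games:x:12:100:games:/usr/games:/bin/bash
"""

# Constructed /etc/group (the slide's lines plus a wheel group).
SAMPLE_GROUP = """\
root::0:root,tschwarz
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
wheel::10:root,dvader,ghost
"""

# Assumed baseline: accounts that should never have a login shell.
SYSTEM_ACCOUNTS_WITHOUT_SHELL = {"bin", "daemon", "sys", "adm", "uucp", "games"}
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/zsh", "/bin/ksh"}


def parse_passwd(text):
    """name:password:uid:gid:comment:home:shell"""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue                  # malformed line: worth a look by itself
        name, pw, uid, gid, gecos, home, shell = f
        users.append({"name": name, "password": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text):
    """name:password:gid:member,member,..."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            continue
        name, pw, gid, members = f
        groups.append({"name": name, "gid": int(gid),
                       "members": [m.strip() for m in members.split(",") if m.strip()]})
    return groups


def audit_accounts(users, groups, privileged_groups=("root", "wheel")):
    findings = []
    seen_uid = {}
    for u in users:
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
        if u["password"] == "":
            findings.append(("empty-password", u["name"]))
        if u["name"] in SYSTEM_ACCOUNTS_WITHOUT_SHELL and u["shell"] in INTERACTIVE_SHELLS:
            findings.append(("system-account-with-shell", u["name"]))
        if u["uid"] in seen_uid and u["uid"] != 0:
            findings.append(("duplicate-uid", u["name"]))
        seen_uid.setdefault(u["uid"], u["name"])
    known = {u["name"] for u in users}
    for g in groups:
        for m in g["members"]:
            if g["name"] in privileged_groups and m != "root":
                findings.append(("privileged-group-member", f"{m}@{g['name']}"))
            if m not in known:
                findings.append(("unknown-group-member", f"{m}@{g['name']}"))
    return findings


if __name__ == "__main__":
    for tag, detail in audit_accounts(parse_passwd(SAMPLE_PASSWD), parse_group(SAMPLE_GROUP)):
        print(tag, detail)
```

Compare the result against a known-good copy of the same files (from backups or a sibling host) rather than trusting the baseline sets in the script; which accounts are "system" accounts differs between UNIX flavours.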


    Unix data analysis checking for unauthorized access points

    UNIX Data AnalysisChecking for Unauthorized Access Points

    • Investigate all network services for potential access points.

      • X server

      • FTP

      • Telnet

      • DNS

      • Sendmail

      • finger

      • SNMP

      • IMAP

      • POP

      • HTTP

      • HTTPS


    Unix data analysis analyzing trust relationships

    UNIX Data AnalysisAnalyzing Trust Relationships

    • If machine A trusts machine B, then anyone on machine B can access services on machine A.

    • Don’t set up trust relationships.

      • They allow an attacker to escalate privileges to other machines

    • Check files such as /etc/hosts.equiv or .rhosts


    Unix data analysis analyzing trust relationships1

    UNIX Data AnalysisAnalyzing Trust Relationships

    • Network topology routes data through other computers.

    • Sniffing (esp. for passwords).

    • Even possible in a switched environment: arpredirect in dsniff


    Unix data analysis loadable kernel modules

    UNIX Data AnalysisLoadable Kernel Modules

    • LKMs can be dynamically loaded with root-level access.

    • Used to let a hacker maintain access.

    • Adore, Knark, Itf


    Unix data analysis loadable kernel modules1

    UNIX Data AnalysisLoadable Kernel Modules

    • The system utilities used to detect them may themselves be trojaned.

    • Look for discrepancies between internal and external scans.

    • Detection tools are available.

