1 / 38

Incident Response & Computer Forensics

INSA. Information Networking Security and Assurance Lab National Chung Cheng University. Incident Response & Computer Forensics. Chapter 6 Live Data Collection from Unix Systems. INSA. Information Networking Security and Assurance Lab National Chung Cheng University. Outline. Preface

qabil
Download Presentation

Incident Response & Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. INSA Information Networking Security and Assurance Lab National Chung Cheng University Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Jai, 2004

  2. INSA Information Networking Security and Assurance Lab National Chung Cheng University Outline • Preface • Obtaining Volatile Data Prior to Forensic Duplication • Performing an In-Depth, Live Response • /proc File System

  3. INSA Information Networking Security and Assurance Lab National Chung Cheng University Outline • Preface • Obtaining Volatile Data Prior to Forensic Duplication • Performing an In-Depth, Live Response • /proc File System

  4. Preface • Many Unix versions are not backward or forward compatible • Four storage options • Local hard drive • Remote media such as floppy disks, USB drives, or tape drives • Hand • Forensic workstation over the network • Best time • All are not online

  5. INSA Information Networking Security and Assurance Lab National Chung Cheng University Outline • Preface • Obtaining Volatile Data Prior to Forensic Duplication • Performing an In-Depth, Live Response • /proc File System

  6. INSA Information Networking Security and Assurance Lab National Chung Cheng University The minimum information • System date and time • A list of the users who are currently logged on • Time/Date stamps for the entire file system • A list of currently running processes • A list of currently open sockets • The applications listening on open sockets • A list of the systems that have current or recent connections to the system

  7. Follow these steps • Execute a trusted shell • Record the system time and date • Determine who is logged on to the system • Record modification, creation, and access times of all files • Determine open ports • List applications associated with open ports • Determine the running processes • List current and recent connections • Record the system time • Record the steps taken • Record cryptographic checksums

  8. INSA Information Networking Security and Assurance Lab National Chung Cheng University Executing a trusted shell • Avoid to log-in with X-window • Set-up your PATH equal to dot (.)

  9. INSA Information Networking Security and Assurance Lab National Chung Cheng University Recording the system Time and Date This is command

  10. INSA Information Networking Security and Assurance Lab National Chung Cheng University Who? The local starting time of the connection command The time used by all processes attached to that console control terminal ttyn: logon at the console ptsn: over the network The processor time used by the current process under the WHAT column

  11. INSA Information Networking Security and Assurance Lab National Chung Cheng University Recording file Modification, Access, and Inode Change Times • Access time (atime) • Modification time (mtime) • Inode change time (ctime)

  12. Access Time Access Time $man ls

  13. Inode Cahnge Time Inode change time $man ls

  14. Modification Time Modification time

  15. Determine which Ports are Open Command

  16. Applications associated with Open Ports You must be root!!!! Command PID/Program name

  17. Applications associated with Open Ports In some other Unix-Like OS List all running processes and the file descriptors they have open

  18. Determine the Running Processes Command Indicate when a process began

  19. INSA Information Networking Security and Assurance Lab National Chung Cheng University Recording the Steps Taken The file that log the keystrokes you type and output!! Command Another command: history

  20. INSA Information Networking Security and Assurance Lab National Chung Cheng University Outline • Preface • Obtaining Volatile Data Prior to Forensic Duplication • Performing an In-Depth, Live Response • /proc File System

  21. INSA Information Networking Security and Assurance Lab National Chung Cheng University The files you want to collect • The log files • The configuration file • The other relevant file

  22. INSA Information Networking Security and Assurance Lab National Chung Cheng University Loadable Kernel Module Rootkits • Rootkits • Collections of commonly trojaned system processes and scripts that automate many of the actions attackers want to do!!! • LKMs are programs that can be dynamically linked into the kernel after the system has booted up

  23. Loadable Kernel Module Rootkits • Rogue LKMs can lie about the results • LKM rootkits • knark • adore • heroin • When the LKM is installed, the attacker simply sends a signal 31 (kill -31) to the process she wants to hide

  24. INSA Information Networking Security and Assurance Lab National Chung Cheng University The important logs you must collect!! • Binary log files • The utmp file, accessed with the w utility • The wtmp file, accessed with the last suility • The lastlog file, accessed with the lastlog utility • Process accounting logs, accessed with the lastcomm utility

  25. INSA Information Networking Security and Assurance Lab National Chung Cheng University The important logs you must collect!! • ASCII text log files • Web access logs • Xferlog (ftp log) • History log

  26. The important configuration files you want to collect!! • /etc/passwd • /etc/shadow • /etc/group • /etc/hosts • /etc/hosts.equic • ~/.rhosts • /etc/hosts.allow and /etc/hosts.deny • /etc/syslog.conf • /etc/rc • crontab files • /etc/inetd.conf and /etc/xinetd.conf

  27. INSA Information Networking Security and Assurance Lab National Chung Cheng University Discovering illicit sniffers on Unix Systems • Most Dangerous • More widespread than a single system • Have root-level access

  28. Discovering illicit sniffers on Unix Systems No sniffers Sniffers on your system

  29. INSA Information Networking Security and Assurance Lab National Chung Cheng University Outline • Preface • Obtaining Volatile Data Prior to Forensic Duplication • Performing an In-Depth, Live Response • /proc File System

  30. INSA Information Networking Security and Assurance Lab National Chung Cheng University What? • Pseudo-file system • An interface to kernel data structure • Each process has a subdirectory in /proc that corresponds to it’s PID

  31. Example Start a executed file PID Go into the subdirectory The command you executed

  32. The fd subdirectories Standard Input Standard Output Standard Error The file descriptor opened Another socket example!! The file descriptor that socket opened

  33. INSA Information Networking Security and Assurance Lab National Chung Cheng University Dump System Ram • Two files your should collect • /proc/kmem • /proc/kcore

  34. INSA Information Networking Security and Assurance Lab National Chung Cheng University A tech you can use!!!!! • The command line is changed at runtime! • Two parameter • argc • An integer representing in the argv[] array • argv • An array of string values that represent the command-line argument

  35. INSA Information Networking Security and Assurance Lab National Chung Cheng University Example • tcpdump –x –v –n • argv[0] = tcpdump • argv[1] = -x • argv[2] = -v • argv[3] = -n • strcpy(argv[0], “xterm”)

  36. INSA Information Networking Security and Assurance Lab National Chung Cheng University Example 2 The two parameter!

  37. INSA Information Networking Security and Assurance Lab National Chung Cheng University Example 2 The tech you want to learn!!

  38. INSA Information Networking Security and Assurance Lab National Chung Cheng University Example 2 Succeed ^_^

More Related