1 / 19

COEN 250 Computer Forensics

COEN 250 Computer Forensics. Unix System Life Response. Creating a Response Toolkit. Toolkits depend on the OS. Often, need to compile tools from source. Many Unix versions are not compatible. Creating a Response Toolkit. Tools on the system are often Trojaned.

linore
Download Presentation

COEN 250 Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 250 Computer Forensics Unix System Life Response

  2. Creating a Response Toolkit • Toolkits depend on the OS. • Often, need to compile tools from source. • Many Unix versions are not compatible.

  3. Creating a Response Toolkit • Tools on the system are often Trojaned. • Much more than on Windows machines. • Statically link tools. • http://www.incident-response.org

  4. Store information • On local hard drive. • On remote media (floppies, USB, tape) • Record information by hand. • Use netcat or cryptcat to transfer to a forensic workstation over the net.

  5. Collecting Data before a Forensic Duplication • System date and time. • Currently logged-on users. • Time/date stamps for the entire file system. • List of currently open sockets. • Application listening on these sockets. • List of recent connections.

  6. Collecting Data before a Forensic Duplication • Create a trusted shell. • Exit X-windows or other GUI • Log on with root privileges • Mount floppy: mount /dev/fd0 /mnt/floppy • Run shell from floppy (bash) • Set path to . (dot)

  7. Collecting Data before a Forensic Duplication • Use “date” for the time. • Use “w” for current users. • Use ls recursively (R) to record access times, starting at /. • ls –alRu / > floppy/atime • ls –alRc / > floppy/ctime • ls –alR / > floppy/mtime

  8. Collecting Data before a Forensic Duplication • Use “netstat –an” to view all open ports. • Use “netstat –anp” (on Linux) to list all applications associated with open ports. • Use “lsof” (list of open files) utility as in “lsof –i –D r”

  9. Collecting Data before a Forensic Duplication • Take a snapshot of all running processes • ps –eaf on Solaris • ps –aux on FreeBSD and Linux

  10. Collecting Data before a Forensic Duplication • Take Date again • Record all steps (script, history) • Record MD5 sums to prevent challenges of changed data.

  11. Collecting Data before a Forensic Duplication • Obtain all system logs • Obtain important config files • Dump System RAM • Often in /proc/kmem or /proc/kcore • Use it for keyword searches

  12. Rootkits • Rootkits: tools to acquire and keep root access. • File Level Rootkits: Trojan • login • ps • find • who • netstat

  13. Rootkits • Trojaned login • Works as designed. • But lets one special username in. • Trojaned who • Works as designed. • But does not display the user with the special username. • Provides access and protection

  14. Rootkits • Use Tripwire to detect system file alterations. • Use trusted forensics tool to find file level rootkits.

  15. Rootkits • Kernel-Level Rootkits • Create their own kernel. • That is, let users live in a virtual reality that they created. • Loadable Kernel Modules (LKM) • Supported by Linux, Solaris, etc. • Allow to add modules to the kernel.

  16. Rootkits • Rogue LKM can intercept system commands. • Tripwire will not help, system files are still there and unchanged.

  17. Rootkits • Knark • To hide a process, send kill -31. • Knark LKM takes care of the rest. • Forensically sound tools are not circumvented, though.

  18. Sniffers • Used to capture network traffic • Payload are unencrypted login procedures • Payload are email messages • …

  19. Sniffers • Ethernet card needs to be in promiscuous mode for sniffing. • Use ifconfig –i eth0 • Look for keyword PROMISC • Use lsof to find large output files

More Related