
Unix/Linux Forensics

1
Simple Linux Commands
• date – display the date
• ls – list the files in the current directory
• more – display files one screen at a time
• cat – display the contents of a file
• wc – count lines, words, and characters
• cp, mv, rm, pwd, mkdir, cd, rmdir, chmod
• head – show the first few lines of a file
• file – determine a file type
• tail – show the last few lines of a file
• cal – display calendar
• kill – terminate a running command
• lpr – send a job to the printer
• grep – searches a file for a specific pattern
• chmod – change file permissions
• fdisk
• mount, cat /etc/fstab
• last
• ….
2
Basic Concepts
• shell
• shell scripts
• background and foreground
– &
– Ctrl-Z, bg, fg, jobs
• Environment variables
– env
• passwd
3
The Linux Filesystem Layout
• The basic layout of the filesystem starts with the root directory.
– root directory : this is the base of the file system's tree structure.
– /bin : binary files for the OS
– /dev : the device files
– /etc : system configuration files
– /sbin : system administrative binaries
– /home : conventional location for users' home directories.
– /lost+found : storage for recovered files
4
Commonly used command/concepts
• mount/umount
• ls: different options
• ln
• df
• tree
• chmod, chown, chgrp
• find
• tar
• gzip
• dd
• stat
5
Commonly used command/concepts
• cksum
– checksum and count the bytes in a file
• sum
– checksum and count the blocks in a file
• diff
– Provide a list of each line that differs
• strings

6
Commonly used command/concepts
• Every file is managed by a data structure
called an inode
– File location and size
– Owner, permissions
– Time of creation, time of last access, time of last
modification
– stat
• SUID root
– Set user ID

7
Ext2 Inode

8
http://www.tldp.org/LDP/tlk/fs/filesystem.html
Network Information System

/etc/nsswitch.conf
yppasswd
9
Shared System Files

10
Four basic steps
• Collect
• Preserve
• Analyze
• Present (report)

11
Investigating A Unix Host
• Filesystem integrity-checking program
– Tripwire: http://sourceforge.net/projects/tripwire/
• TCT
– Examining hacked Unix systems
– http://www.porcupine.org/forensics/tct.html
• netcat

12
Order of Volatility
• The more volatile the data is, the more difficult it is to
capture, and the less time you have to do it.
• The descending order:
– CPU storage
– System storage
– Kernel Tables
– Fixed media
– Removable media
– Paper printouts
• Table 11-4

13
TCT (1)
• TCT – The Coroner’s Toolkit
– http://www.porcupine.org/forensics/
• Mostly perl but some C as well
• A STATIC tool!
– e.g. changes to filesystem during analysis will
NOT be noticed by TCT
– You MUST isolate the system under investigation

14
TCT (2)
• Four major parts:
– grave-robber: captures forensics data
– The C-tools (ils, icat, pcat, file, etc)
• pcat – low-level memory utilities: copy process memory
– pcat PID
• file: determine file type
• icat: copies files by inode number
• ils: list inode info (usually removed files)
– lazarus
• Lazarus: create structure from unstructured data
– mactime
• Report on times of files

15
The C-tools
(ils, icat, pcat, file, etc)
• pcat – gathers process memory from live
system
• ils – gathers inode information
– ./ils /dev/sda6
• icat – copy files using inode information to
standard out
– ./icat /dev/sda6 1405802 (you can use stat to obtain
the inode number)
• file – determine file type
16
lazarus
• Lazarus – classify raw information for
analyzing (brings back info from the dead)
– Unallocated datablocks with no referent inode

17
mactime
• Three times on ext f/sys:
– Modification time
– Access time
– Change time
• collects information on all three times for
specific files
– ./mactime -d /root/download/tct-1.16/bin -y 9/29/2006

18
Be nice to your MAC times
• MAC times are sensitive (to changes within the
system)
• Running a single command may change last Access
time of a file
• Should grab MACtime info before running any
further commands on system.
• You’ll use this info to create a timeline of activity.

19
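An added example, not from the original slides, of the advice above: snapshot every file's three timestamps into a TSK-style body file before anything else runs, turn it into a timeline, and show that a single read can move the access time. It assumes GNU stat, date and touch; the directory, file names and the 0 in the md5 column are constructed.

```shell
#!/bin/sh
# Added example, not part of the original slides: record atime/mtime/ctime of
# every file under a directory BEFORE any other command touches it, in the
# body-file layout TSK's mactime reads (md5|name|inode|mode|uid|gid|size|
# atime|mtime|ctime|crtime), then sort the records into a timeline.
# Assumes GNU stat/date/touch; the md5 column is left as 0 (constructed).
set -eu

snapshot_mactimes() {           # $1 = directory, $2 = body file to write
    find "$1" -type f -print0 \
        | xargs -0 stat --format '0|%n|%i|%A|%u|%g|%s|%X|%Y|%Z|%W' > "$2"
}

# One timeline line per timestamp: "<epoch> <m|a|c> <path>", oldest first.
timeline() {                    # $1 = body file
    awk -F'|' '{ print $9, "m", $2; print $8, "a", $2; print $10, "c", $2 }' "$1" \
        | sort -s -n -k1,1
}

# The slide's warning in action: reading a file may move its atime. Prints
# "atime changed" or "atime unchanged" (the latter on noatime mounts).
read_then_compare_atime() {     # $1 = file
    before=$(stat --format %X "$1")
    cat "$1" > /dev/null
    after=$(stat --format %X "$1")
    [ "$before" = "$after" ] && echo "atime unchanged" || echo "atime changed"
}

# Constructed fixture: two files back-dated to the date used on the slide.
build_fixture() {               # prints the fixture directory
    d=$(mktemp -d)
    echo one > "$d/first";  touch -d '2006-09-29 10:00' "$d/first"
    echo two > "$d/second"; touch -d '2006-09-29 11:00' "$d/second"
    echo "$d"
}
```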
Sleuth kit
• Expands TCT data
• Provides low- and high-level access to Unix-like and Windows file systems.

20
The Sleuth Kit
File system tools
• File System Category
• Content Category
– dls -f ext -e -l sda6.img
» a: the data unit is allocated
» f: the data unit is unallocated
– dcat -f ext sda6.img 23456
» View the contents of any data unit
• Metadata category
» Includes the data that describe a file: for example, temporal information, the addresses of the data units, the size of the file.
» istat -f ext sda6.img 163199 – get the specific metadata entry
» ils -f ext -e sda6.img – list the details of several metadata structures
» icat -f ext sda6.img 31 – view the contents of the file based on its metadata address instead of its file name
21
The Sleuth Kit
• File Name Category
» Includes the data that associates a name with a metadata entry
» fls: list file names in a given directory
» ffind: list which file name corresponds to a given metadata
address
• Application Category
» A file system journal records updates to the file system so that
the file system can be recovered more quickly after a crash
» jls – list the contents of the journal and show which file system
blocks are saved in the journal blocks
• Multiple category
» mactime: takes temporal data from fls and ils to produce a
timeline of file activity
22
The Sleuth Kit
– Searching tools
• sigfind – find binary signature in a file
– Disk tools
• disk_stat
– Volume system tools

23
Autopsy
• Developed to automate the investigation
process when TSK is being used
• http://www.sleuthkit.org/autopsy/

24
Capture Filesystem
• Imaging utilities
– Wipe out analysis drive
• dd if=/dev/zero of=/dev/fd0
– One more example: on the collection host, listen on one port per chunk
• nc -l -p 10001 > suspect.hdb5.image.1of3 &
• nc -l -p 10002 > suspect.hdb5.image.2of3 &
• nc -l -p 10003 > suspect.hdb5.image.3of3 &
– On the suspect host, send the partition in three chunks of 2,000,000 blocks (bs=1024); each chunk's skip equals the blocks already sent
• dd if=/dev/hdb5 count=2000000 bs=1024 | nc 192.168.0.4 10001 -w 3
• dd if=/dev/hdb5 skip=2000000 count=2000000 bs=1024 | nc 192.168.0.4 10002 -w 3
• dd if=/dev/hdb5 skip=4000000 count=2000000 bs=1024 | nc 192.168.0.4 10003 -w 3
– Reassemble the chunks, in order, on the collection host
• cat suspect.hdb5.image.1of3 >> suspect.hdb5.image
• cat suspect.hdb5.image.2of3 >> suspect.hdb5.image
• cat suspect.hdb5.image.3of3 >> suspect.hdb5.image
25
md5
• Create the hash value of collected data and
record it
– md5 from tct: md5 /dev/sda6
– Verify the image file on the collection host

26
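An added example, not from the original slides, that replays the chunked dd imaging and the hash check above against a constructed file instead of /dev/hdb5 and the network, so the skip/count arithmetic and the reassembly order can be verified offline; md5sum stands in for TCT's md5 tool and the paths are made up.

```shell
#!/bin/sh
# Added example, not part of the original slides: chunked dd imaging and the
# hash check, run locally against a constructed "device" file. In the real
# procedure each dd output is piped to "nc host port" and the chunks land on
# the collection host; here they are written to files in a temp directory.
set -eu

BS=1024                         # block size used on the slides
CHUNK=4                         # blocks per chunk (the slides use 2000000)
WORK=$(mktemp -d)
DEV="$WORK/device"              # constructed stand-in for /dev/hdb5

make_device() {                 # three chunks' worth of random blocks
    dd if=/dev/urandom of="$DEV" bs=$BS count=$((3 * CHUNK)) 2>/dev/null
}

# Chunk n (1-based): skip (n-1)*CHUNK blocks, copy CHUNK blocks. Each chunk's
# skip must equal the sum of the counts of the chunks before it.
image_chunk() {                 # $1 = chunk number 1..3
    dd if="$DEV" bs=$BS skip=$(( ($1 - 1) * CHUNK )) count=$CHUNK 2>/dev/null \
        > "$WORK/image.${1}of3"
}

hash_of() { md5sum < "$1" | cut -d' ' -f1; }

# Concatenate the chunks in the order given, then compare with the source hash,
# which is the "verify the image on the collection host" step of the slide.
reassemble() {                  # $@ = chunk numbers in the order to append
    : > "$WORK/image"
    for n in "$@"; do cat "$WORK/image.${n}of3" >> "$WORK/image"; done
    if [ "$(hash_of "$DEV")" = "$(hash_of "$WORK/image")" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

run_demo() {                    # correct order, then a wrong order
    make_device
    image_chunk 1; image_chunk 2; image_chunk 3
    echo "$(reassemble 1 2 3) $(reassemble 1 3 2)"
}
```

Appending the chunks out of order produces a file of the right size whose hash does not match, which is why the hash, not the byte count, is the acceptance check.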
Accessing Captured Filesystems for
Examination
• Copy the image into a partition that is the same
size as the image (partition cleaned using dd)
• Another approach
– mkdir /mnt/suspecthost
– mount -t ext2 -o ro,loop=/dev/loop0 suspect.hdb5.image /mnt/suspecthost
– Treat it like any other filesystem

27
logs

• /etc/syslog.conf
28
logs

29
logs
• /var/log/secure
– authpriv.*
• HTTP
– /var/log/httpd/*: grep passwd /var/log/httpd/*

30
Examine Account Information

31
Trust Relationship Configuration Files

32
Invisible Files and Directories
• Find invisible files and directories
– find . -type d -name ".*" -print0 | cat -A
• Search SUID root executables
– find / -user root -perm -4000 -print0 | xargs -0 ls -l
• Search SGID programs
– find / -perm -2000 -print0 | xargs -0 ls -l

33
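An added example, not from the original slides: the three searches above run over a constructed directory tree with known contents, so the expected matches are certain. Adding -type f to the slide's predicates is an assumption made here, and the file names are made up.

```shell
#!/bin/sh
# Added example, not part of the original slides: the SUID/SGID and hidden-
# directory searches from the slide, run against a constructed directory tree.
# -print0 | xargs -0 is kept because file names may contain spaces or newlines;
# -type f is added so setgid directories (common on shared dirs) do not count.
set -eu

ROOT=$(mktemp -d)

build_fixture() {               # constructed tree with one match of each kind
    mkdir -p "$ROOT/bin" "$ROOT/.hidden"
    : > "$ROOT/bin/suid_tool";  chmod 4755 "$ROOT/bin/suid_tool"
    : > "$ROOT/bin/sgid tool";  chmod 2755 "$ROOT/bin/sgid tool"   # space in name
    : > "$ROOT/bin/plain";      chmod 0755 "$ROOT/bin/plain"       # must not match
    : > "$ROOT/.hidden/.secret"
}

# Count NUL separators, i.e. matches, without tripping over odd names.
count0() { tr -dc '\000' | wc -c | tr -d ' '; }

count_suid()        { find "$ROOT" -type f -perm -4000 -print0 | count0; }
count_sgid()        { find "$ROOT" -type f -perm -2000 -print0 | count0; }
count_hidden_dirs() { find "$ROOT" -type d -name '.*' -print0 | count0; }

# The slide's listing form: long listing of every SUID or SGID file. On a
# real system the search root is / and "-user root" narrows SUID to root.
list_setid() {
    find "$ROOT" -type f \( -perm -4000 -o -perm -2000 \) -print0 | xargs -0 ls -l
}
```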
Signs of Intrusion in /tmp

34
Verifying crontab and at jobs

35
Signs that an Executable File Deserves
a Closer Look

36
Shell and Application History
• sh
– .sh_history
• csh
– .history
• ksh
– .sh_history
• bash
– .bash_history
• tcsh
– .history
37
Signs of Hostile Processes

38
Levels of System Compromise

39
RootKit
• http://www.securityfocus.com/infocus/1811
• Increase privileges
• Hide activities
– To manipulate the environment and hide evidence
• Gather information
– To extend attacks
• One example
– Loadable kernel modules (LKM)
– http://www.s0ftpj.org/docs/lkm.htm

40
RootKit Content

41
KSTAT Utility
• kstat -s: display the system call table
48
Detecting Trojan LKMs on Live System

• Detecting trojan LKMs on a live system
– Complicated: these rootkits intercept system calls, so tools run on the live system can be fed false results
• Port 2222 is open – default Adore LKM port
49
Miscellaneous
• To determine the listening applications associated with open ports
– netstat -anp
• To determine whether a sniffer is running on a system (promiscuous mode)
– ifconfig eth0
• /proc
– fd subdirectory: all the files a process has opened
– cmdline: the command-line arguments
50
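An added example, not from the original slides, that reads the two /proc entries named above for a given PID; the socket-inode function is an extension of the slide, linking fd/ entries to the inode column of /proc/net/tcp.

```shell
#!/bin/sh
# Added example, not part of the original slides: read the per-process /proc
# entries the slide names. cmdline is NUL-separated, so it must be re-joined
# before it is readable; fd/ holds symlinks whose targets name the process's
# open files, and sockets show up there as "socket:[inode]".
set -eu

proc_cmdline() {                # $1 = PID -> argv joined with spaces
    tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
}

proc_open_files() {             # $1 = PID -> one "fd -> target" line per fd
    for fd in "/proc/$1/fd"/*; do
        # an fd can close between the glob and the readlink; show '?' then
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd" || echo '?')"
    done
}

# Socket inodes are the join key into /proc/net/tcp and /proc/net/udp
# (their "inode" column): this is how "which PID owns this port" is
# answered on a box where netstat -p or lsof -i cannot be trusted.
proc_socket_inodes() {          # $1 = PID -> socket inode numbers, one per line
    proc_open_files "$1" | sed -n 's/.*socket:\[\([0-9]*\)\]$/\1/p'
}
```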
Miscellaneous
• lsof (list open files)
– Lists processes with all their open files, network
ports, current directories, and other file system-
related information
– An open file can be a regular file, a directory, a
library, a stream, or a network socket.
– Example:
• For the root user: lsof -p PID_of_SSHD
• lsof -i: show all processes with active network ports

51
Miscellaneous
• ltrace
– Library call monitoring program
– ltrace date > /dev/null
• Shows a fragment of the library-call trace of the date command
• strace
– System call monitoring program
– strace date > /dev/null
• sysctl
– Read/Write access to kernel configuration parameters and
other data
– sysctl -a
52
Prepare Analysis Machines
• Boot into Knoppix-STD (or your favorite
Linux OS with all the right tools)
• http://en.wikipedia.org/wiki/Knoppix_STD

53
A Summary of the Steps in a Unix Investigation
• Review all pertinent logs
• Perform keyword searches
• Review relevant files
• Identify unauthorized user accounts or groups
• Identify rogue processes
• Check for unauthorized access points
• Analyze trust relationships
• Check for kernel module rootkits

54
Compromising a Unix Host

55
Typical Attack Host Exploits

56
Attack Steps
• Target Identification
• Intelligence Gathering
– Password sniffing and guessing
– Compromise network service
• Initial Compromise
• Privilege Escalation
– Gain root access
• Reconnaissance
– Attackers perform their own forensic examination
– Look for security programs
– Analyze system and user activities
• Covering the Tracks
– The system is owned
• Gain administrative access, clean the tracks, and prepare a return path
57
