Linux
Topics
• Unix File System
• Stat system call
• Deleting files
• Processes and /proc
• Argv, environment
• Logs
Unix File System
A File System in Unix
Inode Information on Files
Original Unix File system Disk Block Pointers
The stat system call
Command Line Arguments in C
Accessing the Environment
Use of the stat call
Multiple links
• The system call link(path1, path2)
• Creates a new link, path2, to the existing file path1
• It does not create a new inode
• It creates a new directory entry and uses the same inode number
• It increments the nlink field in the inode
• Symbolic Links
• The link is itself a small file whose contents are the path to the target file
• Symbolic vs Hard links
• The system call unlink(path) is used to delete files
Deleting a file
• The system call unlink(path)
• Does not really delete the file (at least not immediately)
• The directory entry is removed (subject to permissions)
• It checks the nlink field in the inode corresponding to the file and decrements it
• Then, if it is non-zero, that’s all – the file just has one less link
• If it is zero and no currently running process has it open, the file is deleted.
• The inode is put on the free inode list
• The disk blocks are put on the freespace list
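The following C program is an added example (not part of the slides) that replays the link/unlink sequence from the “Multiple links” and “Deleting a file” slides and uses the stat system call (lstat) to watch the nlink field and inode numbers change. The scratch paths under /tmp and the sample file content are assumptions of the example. It also shows the last bullet above in action: once nlink reaches zero the name is gone, but a process that still holds the file open can still read every byte until it closes the descriptor.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical scratch paths used by this example (an assumption, not from the slides). */
#define ORIG "/tmp/linkdemo_orig"
#define HARD "/tmp/linkdemo_hard"
#define SYM  "/tmp/linkdemo_sym"

/* nlink field of the inode behind path (lstat so a symlink reports itself), -1 on error. */
long nlink_of(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (long)st.st_nlink : -1;
}

/* Inode number behind path (again without following symlinks), -1 on error. */
long inode_of(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (long)st.st_ino : -1;
}

/* Replays the link/unlink sequence from the slides and records what stat() reports.
 * Returns 0 on success or the number of the step that failed. Observations go in out[]:
 *   out[0] nlink right after creating ORIG            (expect 1)
 *   out[1] nlink after link(ORIG, HARD)               (expect 2: same inode, one more name)
 *   out[2] 1 if ORIG and HARD share an inode number
 *   out[3] 1 if the symlink SYM has its own inode     (it is a separate file holding a path)
 *   out[4] nlink after unlink(ORIG)                   (expect 1: data still reachable via HARD)
 *   out[5] bytes still readable via the open fd after unlink(HARD) drops nlink to 0
 *   out[6] 1 if HARD no longer exists as a name
 */
int link_demo(long out[7]) {
    const char data[] = "evidence\n";              /* constructed sample content */
    unlink(ORIG); unlink(HARD); unlink(SYM);       /* clear leftovers from a previous run */

    int fd = open(ORIG, O_CREAT | O_RDWR | O_TRUNC, 0600);
    if (fd < 0) return 1;
    if (write(fd, data, sizeof data - 1) != (ssize_t)(sizeof data - 1)) return 2;
    out[0] = nlink_of(ORIG);

    if (link(ORIG, HARD) != 0) return 3;           /* new directory entry, same inode */
    out[1] = nlink_of(HARD);
    out[2] = inode_of(ORIG) == inode_of(HARD);

    if (symlink(ORIG, SYM) != 0) return 4;         /* new inode whose content is the path */
    out[3] = inode_of(SYM) != inode_of(ORIG);

    if (unlink(ORIG) != 0) return 5;               /* removes one name, decrements nlink */
    out[4] = nlink_of(HARD);

    if (unlink(HARD) != 0) return 6;               /* nlink hits 0, but fd keeps the inode alive */
    char buf[64];
    if (lseek(fd, 0, SEEK_SET) < 0) return 7;
    out[5] = read(fd, buf, sizeof buf);
    out[6] = access(HARD, F_OK) != 0;

    close(fd);                                     /* last reference: inode and blocks freed now */
    unlink(SYM);                                   /* SYM was dangling after ORIG went away */
    return 0;
}

int main(void) {
    long o[7];
    int rc = link_demo(o);
    printf("rc=%d nlink: create=%ld link=%ld unlink=%ld; same inode=%ld; symlink own inode=%ld; "
           "readable after last unlink=%ld bytes; name gone=%ld\n",
           rc, o[0], o[1], o[4], o[2], o[3], o[5], o[6]);
    return rc;
}
```

The forensic point is the last two observations: a file whose every name has been unlinked is not on disk “for free” until the last open descriptor closes, which is why a live system should be examined (process list, open files) before it is powered down.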
File System Check(fsck)
• When a file system is mounted, a “file system dirty” bit is set.
• This is to ensure the consistency of the kernel’s in-memory data structures and those stored on disk.
• Power down gracefully and ungracefully
• shutdown is run to close everything down gracefully
• When the system is brought back up it will run fsck to check the file system (if the dirty bit is set).
• Some versions of fsck will save orphaned files in lost+found
Tools
• ls
• find
• ps
• dd
• netstat
• strings
• netcat
• bash
• vi
• ifconfig
Trusted tools
• One of the first things a hacker would do is replace these tools with special ones to hide the presence of the hacker’s files/processes
• Build a CD of trusted tools
• Executing a trusted shell
Who is logged on and what are they doing?
• who, w
• ps -aef
/proc file system
• Pseudo file system that provides an interface to kernel data structures
• Example on erdos or forensicrig
• ps -aux | grep /root/ir/lo
• But what if the hacker has removed his code “deleted the object file”?
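The program below is an added example (not from the slides) answering that question with the /proc file system. It creates a scratch file (path and contents are assumptions of the example), unlinks it while keeping it open, then reads /proc/self/fd/N: Linux reports the original path with “ (deleted)” appended, and opening that /proc entry yields a fresh descriptor on the still-live inode, so the data can be copied out. The same idea applies to /proc/PID/exe when a running process’s object file has been removed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical scratch path (an assumption of this example). */
#define SCRATCH "/tmp/procdemo_unlinked"

/* Create a file, write sample data, unlink it while keeping it open, then show what
 * /proc still knows about it. Fills:
 *   target    - what /proc/self/fd/N points at (Linux appends " (deleted)")
 *   recovered - the file contents re-read by opening the /proc path
 * Returns 0 on success, or the number of the step that failed. */
int proc_recover_demo(char *target, size_t tlen, char *recovered, size_t rlen) {
    const char sample[] = "sample data\n";        /* constructed content */
    int fd = open(SCRATCH, O_CREAT | O_RDWR | O_TRUNC, 0600);
    if (fd < 0) return 1;
    if (write(fd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) { close(fd); return 2; }
    if (unlink(SCRATCH) != 0) { close(fd); return 3; }   /* name gone, inode still live */

    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(procpath, target, tlen - 1);   /* kernel-maintained pseudo symlink */
    if (n < 0) { close(fd); return 4; }
    target[n] = '\0';

    /* Opening the /proc entry gives a new descriptor on the same inode, no name required. */
    int fd2 = open(procpath, O_RDONLY);
    if (fd2 < 0) { close(fd); return 5; }
    n = read(fd2, recovered, rlen - 1);
    close(fd2);
    close(fd);                                    /* last reference dropped: blocks freed now */
    if (n < 0) return 6;
    recovered[n] = '\0';
    return 0;
}

int main(void) {
    char target[256], recovered[64];
    int rc = proc_recover_demo(target, sizeof target, recovered, sizeof recovered);
    printf("rc=%d  fd link -> %s\n  recovered: %s", rc, target, recovered);
    return rc;
}
```

In practice the examiner reads another process’s entries (/proc/PID/exe, /proc/PID/fd/*, /proc/PID/maps) with the trusted tools from the CD, and copies the deleted binary out with cp or dd before the process exits and the inode is freed.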
Digital Evidence on UNIX Systems
• UNIX Evidence Acquisition Boot Disc
• File Systems
• Overview of Digital Evidence Processing Tools
• Data Recovery
• Log Files
• File System
• Internet Traces
UNIX Evidence Acquisition Boot Disc
• Linux systems provide an excellent platform for forensic examination with tools
• Notably, an evidence acquisition boot disk with Linux for Intel-based systems can be used to boot and access a Windows computer.
• For instance, Helix is a bootable Linux CD-ROM that can be used to acquire evidence from Intel-based systems.
File Systems
• Linux commonly uses Reiser, ext2, and ext3 (Extended File Systems 2 and 3), which have similar structures.
• Directories are simpler than their Windows counterparts, containing only a list of filenames and their associated inode (index node) numbers; the inode contains all information about the file apart from its name.
• Each block group contains duplicates of critical file system components, that is, the superblock and group descriptors, to facilitate recovery if the primary copy is damaged.
• The superblock contains information about the file system such as block size, number of blocks per block group, the last time the file system was mounted, the last time it was written to, and the sector of the root directory’s inode.
• Group descriptors for all of the block groups are duplicated in each block group in case of file system corruption. If the inode table itself is damaged, it becomes more difficult to reconstruct the files in that block group.
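As an added example (not from the slides or any tool they mention), the C code below decodes the superblock fields listed above from a 1024-byte ext2 superblock image, using the ext2 on-disk layout: magic 0xEF53 at offset 56, s_log_block_size at 24, blocks per group at 32, last mount and last write times at 44 and 48, and the state word at 58. The state word is where the “file system dirty” bit of the fsck slide lives: a clean unmount sets EXT2_VALID_FS and mounting clears it. It also computes where the backup superblock copy of a given block group sits, which is what you reach for when the primary is damaged. The sample superblock is constructed in code, not taken from a real disk.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT2_SB_OFFSET   1024u      /* primary superblock lives at byte 1024 of the partition */
#define EXT2_SB_SIZE     1024u
#define EXT2_SUPER_MAGIC 0xEF53u
#define EXT2_VALID_FS    0x0001u    /* set by a clean unmount, cleared while mounted: the "dirty bit" */
#define EXT2_ERROR_FS    0x0002u    /* kernel recorded errors */

struct ext2_sb_info {
    uint32_t inodes_count, blocks_count, first_data_block;
    uint32_t block_size, blocks_per_group, inodes_per_group;
    uint32_t mtime, wtime;          /* last mount / last write, seconds since the Unix epoch */
    uint16_t mnt_count, state;
    int needs_fsck;                 /* 1 when VALID_FS is clear or ERROR_FS is set */
};

/* Little-endian helpers: on-disk ext2 fields are little-endian regardless of host byte order. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void put32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8); }

/* Decode the fields the slides mention from a 1024-byte superblock image.
 * Returns 0 on success, -1 if the magic number does not match. */
int parse_ext2_sb(const unsigned char *sb, struct ext2_sb_info *o) {
    if (le16(sb + 56) != EXT2_SUPER_MAGIC) return -1;
    o->inodes_count     = le32(sb + 0);
    o->blocks_count     = le32(sb + 4);
    o->first_data_block = le32(sb + 20);
    o->block_size       = 1024u << le32(sb + 24);   /* s_log_block_size */
    o->blocks_per_group = le32(sb + 32);
    o->inodes_per_group = le32(sb + 40);
    o->mtime            = le32(sb + 44);
    o->wtime            = le32(sb + 48);
    o->mnt_count        = le16(sb + 52);
    o->state            = le16(sb + 58);
    o->needs_fsck       = !(o->state & EXT2_VALID_FS) || (o->state & EXT2_ERROR_FS);
    return 0;
}

/* Byte offset of the superblock copy kept in block group `group`, from the primary's geometry.
 * Group 0's copy is the primary itself at byte 1024; later groups start at block
 * first_data_block + group * blocks_per_group and carry the copy in their first block. */
uint64_t backup_sb_offset(const struct ext2_sb_info *o, uint32_t group) {
    if (group == 0) return EXT2_SB_OFFSET;
    return ((uint64_t)o->first_data_block + (uint64_t)group * o->blocks_per_group) * o->block_size;
}

/* Constructed sample (not an image of any real disk): 1 GiB of 4 KiB blocks.
 * `clean` selects whether the image looks like it was unmounted properly. */
void build_sample_sb(unsigned char *sb, int clean) {
    memset(sb, 0, EXT2_SB_SIZE);
    put32(sb + 0,  65536);        /* s_inodes_count */
    put32(sb + 4,  262144);       /* s_blocks_count: 262144 * 4096 = 1 GiB */
    put32(sb + 20, 0);            /* s_first_data_block: 0 for block sizes above 1 KiB */
    put32(sb + 24, 2);            /* s_log_block_size: 1024 << 2 = 4096 */
    put32(sb + 32, 32768);        /* s_blocks_per_group */
    put32(sb + 40, 8192);         /* s_inodes_per_group */
    put32(sb + 44, 1700000000u);  /* s_mtime, last mount */
    put32(sb + 48, 1700003600u);  /* s_wtime, last write, one hour later */
    put16(sb + 52, 7);            /* s_mnt_count */
    put16(sb + 56, EXT2_SUPER_MAGIC);
    put16(sb + 58, clean ? EXT2_VALID_FS : 0);
}

int main(void) {
    unsigned char sb[EXT2_SB_SIZE];
    struct ext2_sb_info info;
    build_sample_sb(sb, 0);                         /* pretend the box lost power while mounted */
    if (parse_ext2_sb(sb, &info) != 0) return 1;
    printf("block size %u, %u blocks/group, mounted %u times, last write %u\n",
           info.block_size, info.blocks_per_group, info.mnt_count, info.wtime);
    printf("needs fsck: %s; group 1 superblock copy at byte %llu\n",
           info.needs_fsck ? "yes" : "no", (unsigned long long)backup_sb_offset(&info, 1));
    return 0;
}
```

On a real image read the 1024 bytes at offset 1024 of the partition (dd with bs=1024 skip=1 count=1) and feed them to parse_ext2_sb. One caveat on the “duplicated in each block group” statement: file systems created with the sparse_super feature, which mke2fs enables by default, keep copies only in groups 0, 1 and powers of 3, 5 and 7, so check those groups first when the primary is gone.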
Overview of Digital Evidence Processing Tools
• Linux contains many useful utilities that are designed to work together—the
output of one tool can be fed into another tool easily.
• This ability to pipe output from one program into another creates great flexibility.
• Linux supports many file system types and can be used to examine media from UNIX, Windows, Macintosh, and other systems.
• Linux is open source, creating a large technical support base and allowing digital
evidence examiners to verify and augment its operation.
• The grep command on Linux provides keyword search capability. Once a system with useful evidence has been identified, a full bitstream copy can be made.
• When dealing with hard drives that have multiple partitions, it is advisable to
make a bitstream copy so original drive is preserved.
Data Recovery
• UNIX does not have file slack space. When UNIX creates a new file, it writes the
remainder of the block with zeros and sets them as unallocated.
• Some tools, such as testdisk and gpart, are available for recovering deleted partitions on UNIX and Windows systems.
• There are only a few tools, such as tarfix, fixcpio, tarx, and tar-aids, for repairing damaged files on UNIX.
• UNIX-Based Tools
• The usual approach to recovering deleted files on UNIX systems is to search for inodes and recover the associated data.
• Once the inode number of a deleted file is known, the contents of the file can be accessed using icat.
• The SMART tool also uses this approach to recover deleted files.
Windows-Based Tools
Forensic Toolkit (FTK) recovers deleted files and folders from ext2 file systems into an area called “[orphan].” The tool uses inode numbers to reference recovered items and provides convenient representations of recovered files, such as the deleted TAR file.
File Carving with UNIX
Foremost can be instructed to search for any type of file by adding the appropriate header and footer information to its configuration file, “foremost.conf.” Another approach to recovering data is implemented in Lazarus from TCT.
Lazarus automatically classifies digital data in the following way:
1. Read a chunk of data (default 1k).
2. Determine if the chunk is text or binary data:
a. If text, attempt to classify it on the basis of its contents (e.g., html).
b. If binary, attempt to classify it using the UNIX file command.
3. If the chunk was successfully classified, compare it with the previous chunk:
a. If they are of the same class, assume they are in the same file.
b. If they are not of the same class, assume they are in different files.
4. If the chunk was not successfully classified, compare it with the previous chunk:
a. If they are of the same type (binary or text), assume they are in the same file.
b. If they are of different types (binary or text), assume they are in different files.
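The C code below is an added example (not Lazarus itself or any TCT code) that implements the four rules above over a raw buffer in 1k chunks. The text-versus-binary threshold, the small set of content classes (html, script, elf, gzip, png) standing in for the file(1) call, and the sample “disk” built in build_sample_image are all assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 1024   /* Lazarus default chunk size from the slides */

enum kind { KIND_TEXT, KIND_BINARY };

/* Step 2: a chunk is text when (nearly) every byte is printable or whitespace.
 * The 95% threshold is an assumption of this example, not Lazarus' exact rule. */
static enum kind chunk_kind(const unsigned char *p, size_t n) {
    size_t printable = 0;
    for (size_t i = 0; i < n; i++)
        if (isprint(p[i]) || isspace(p[i])) printable++;
    return (n > 0 && printable * 100 / n >= 95) ? KIND_TEXT : KIND_BINARY;
}

/* Case-insensitive substring test on a bounded buffer (no reliance on NUL termination). */
static int contains_nocase(const unsigned char *p, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower(p[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == m) return 1;
    }
    return 0;
}

/* Steps 2a/2b: classify by content. Text gets a label from its markup; binary gets one from a
 * few magic numbers standing in for the file(1) call. NULL means "could not classify". */
static const char *chunk_class(const unsigned char *p, size_t n, enum kind k) {
    if (k == KIND_TEXT) {
        if (contains_nocase(p, n, "<html")) return "html";
        if (n >= 2 && p[0] == '#' && p[1] == '!') return "script";
        return NULL;
    }
    if (n >= 4 && memcmp(p, "\x7f" "ELF", 4) == 0) return "elf";
    if (n >= 2 && p[0] == 0x1f && p[1] == 0x8b) return "gzip";
    if (n >= 4 && memcmp(p, "\x89PNG", 4) == 0) return "png";
    return NULL;
}

/* Steps 1-4 over a raw buffer: walk it in CHUNK-sized pieces and decide at each piece whether a
 * new file starts. Offsets of file starts go in starts[] (at most max); returns how many were found. */
size_t lazarus_segment(const unsigned char *buf, size_t len, size_t *starts, size_t max) {
    size_t nfiles = 0;
    int have_prev = 0;
    enum kind prev_kind = KIND_TEXT;
    const char *prev_class = NULL;

    for (size_t off = 0; off < len; off += CHUNK) {
        size_t n = (len - off < CHUNK) ? len - off : CHUNK;
        enum kind k = chunk_kind(buf + off, n);
        const char *cls = chunk_class(buf + off, n, k);
        int new_file;

        if (!have_prev)
            new_file = 1;                                   /* first chunk always opens a file */
        else if (cls)                                       /* step 3: classified, compare classes */
            new_file = !(prev_class && strcmp(cls, prev_class) == 0);
        else                                                /* step 4: unclassified, compare text/binary */
            new_file = (k != prev_kind);

        if (new_file && nfiles < max) starts[nfiles++] = off;
        prev_kind = k; prev_class = cls; have_prev = 1;
    }
    return nfiles;
}

/* Constructed sample "disk" (not real evidence): five chunks laid out as
 *   0: html text   1: plain text continuation   2: ELF header + zeros   3: zeros   4: plain text */
size_t build_sample_image(unsigned char *buf) {
    const char html[] = "<html><body>sample page</body></html>";
    const char note[] = "Dear colleague, the report is attached.";
    memset(buf, 'a', 5 * CHUNK);
    memcpy(buf, html, sizeof html - 1);
    memset(buf + 2 * CHUNK, 0, 2 * CHUNK);
    memcpy(buf + 2 * CHUNK, "\x7f" "ELF", 4);
    memcpy(buf + 4 * CHUNK, note, sizeof note - 1);
    return 5 * CHUNK;
}

int main(void) {
    unsigned char img[5 * CHUNK];
    size_t starts[8];
    size_t len = build_sample_image(img);
    size_t n = lazarus_segment(img, len, starts, 8);
    for (size_t i = 0; i < n; i++) printf("file %zu starts at offset %zu\n", i, starts[i]);
    return 0;
}
```

Chunk 1 has no recognisable markup, so it is unclassified text and rule 4a keeps it with the html chunk before it; chunk 3 is unclassified binary and stays with the ELF chunk; chunk 4 switches type and opens a third file. That is the whole heuristic, and also its weakness: two consecutive plain-text files are merged, which is why Lazarus output still needs a human pass.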
Dealing with Password Protection and Encryption
A group of UNIX systems working together, called a “Beowulf cluster,” can be used to attempt to break weak encryption, but this approach is rarely effective against strong encryption like PGP.
On a UNIX system, it may be possible to bypass the logon password by booting into single user mode; in such cases, tools are used.
Log Files
• Logons and logoffs, or any event on a UNIX computer for that matter, can create
entries in one or more system log files.
• Additionally, servers running on UNIX machines may have logs that can be useful for reconstructing events.
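An added example (not part of the slides) of pulling logon events out of such a log: the C code parses classic syslog-format lines, picks out the OpenSSH “Accepted … for USER from HOST” and “Failed … for USER from HOST” messages, and flags a successful logon from a host that had just produced several failures. The sample lines and the hostname erdos are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 16

/* Constructed sample lines in classic syslog format (not from any real system). */
const char *SAMPLE_LOG[] = {
    "Mar  3 09:12:01 erdos sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Mar  3 09:15:44 erdos sshd[2290]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Mar  3 09:15:47 erdos sshd[2290]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Mar  3 09:15:50 erdos sshd[2290]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Mar  3 09:16:02 erdos sshd[2301]: Accepted password for root from 198.51.100.7 port 40120 ssh2",
    "Mar  3 09:20:13 erdos CRON[2350]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 09:31:09 erdos sshd[2400]: pam_unix(sshd:session): session closed for user alice",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

struct login_event {
    const char *result;   /* "Accepted" or "Failed" */
    char user[32];
    char host[64];
};

/* Parse one syslog line. Returns 1 and fills ev when it is an sshd Accepted/Failed
 * message, 0 for anything else (other daemons, session open/close lines, ...). */
int parse_sshd_line(const char *line, struct login_event *ev) {
    const char *p = strstr(line, "sshd[");
    if (!p || !(p = strstr(p, "]: "))) return 0;
    p += 3;                                   /* start of the message text */
    if (strncmp(p, "Accepted ", 9) == 0)      ev->result = "Accepted";
    else if (strncmp(p, "Failed ", 7) == 0)   ev->result = "Failed";
    else return 0;
    const char *f  = strstr(p, " for ");
    const char *fr = f ? strstr(f, " from ") : NULL;
    if (!f || !fr) return 0;
    if (sscanf(f + 5, "%31s", ev->user) != 1) return 0;   /* bounded reads: log data is untrusted */
    if (sscanf(fr + 6, "%63s", ev->host) != 1) return 0;
    return 1;
}

/* Walk the lines in order, tracking consecutive failures per source host. An Accepted
 * line from a host with at least `threshold` failures immediately before it is counted
 * as suspicious. Returns the number of suspicious logons. */
int flag_suspicious_logins(const char **lines, size_t n, int threshold) {
    char hosts[MAX_HOSTS][64];
    int fails[MAX_HOSTS];
    int nh = 0, flagged = 0;

    for (size_t i = 0; i < n; i++) {
        struct login_event ev;
        if (!parse_sshd_line(lines[i], &ev)) continue;
        int h = -1;
        for (int j = 0; j < nh; j++)
            if (strcmp(hosts[j], ev.host) == 0) { h = j; break; }
        if (h < 0) {
            if (nh == MAX_HOSTS) continue;    /* table full: skip rather than overflow */
            h = nh++;
            strcpy(hosts[h], ev.host);
            fails[h] = 0;
        }
        if (strcmp(ev.result, "Failed") == 0) {
            fails[h]++;
        } else {
            if (fails[h] >= threshold) flagged++;
            fails[h] = 0;                     /* a success resets the run for that host */
        }
    }
    return flagged;
}

int main(void) {
    int hits = flag_suspicious_logins(SAMPLE_LOG, SAMPLE_LOG_LEN, 3);
    printf("suspicious logons after repeated failures: %d\n", hits);
    return 0;
}
```

The parser only trusts the fixed parts of the message format and bounds every copy, because the user and host fields come from the remote side and a log file on a compromised host may have been edited; compare the result with the wtmp/btmp records from who and last before drawing conclusions.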
File System Traces
• Applications can leave traces on disk either directly in temporary files or
indirectly through swap space.
• UNIX systems have a “/proc” file system with information relating to processes running in memory that can be useful for gaining a more complete picture of what was occurring on a system.
• When a file is added to or moved out of a directory, the inode change time of the
directory listing (“.”), as well as the last modified and accessed times, is updated.
Internet Traces
• UNIX was specifically designed with networking in mind and has many
applications for accessing the Internet.
Web Browsing
• One of the most common Web browsers on UNIX systems is Mozilla Firefox.
• Details such as the date and time a particular Web site was accessed are stored in other tables in the places.sqlite database.
• On versions of UNIX that use the Netscape browser, a history of Web sites that were accessed is stored in a Berkeley DB file called “history.dat,” and information about cache files is stored in a Berkeley DB file called “index.db.”
• On UNIX systems that receive e-mail, incoming messages are held in “/var/spool/mail” in separate files for each user account until a user accesses them.
• Outgoing messages are stored temporarily in “/var/spool/mqueue/mail” but are generally deleted after they are sent. Incoming and outgoing messages may also be stored in files under the home directories of each user.
• UNIX generally stores e-mail in text files, making it easier to process.
Network Traces
• As with Windows, individual applications like ncftp retain logs when used to
transfer files from remote computers and SSH can store a list of public keys for
each host that was accessed in files named “known_hosts.”
• UNIX computers can be configured to send logs to remote systems in /etc/syslog.conf
• Additionally, the /etc/printcap file is used to send print jobs to remote systems