Unit 2 2

The document outlines the process of live data collection from Unix systems, emphasizing the importance of creating a response toolkit and obtaining volatile data before forensic duplication. It details the types of data to collect, methods for executing trusted shells, and the significance of monitoring file deletion and system logs. Additionally, it discusses the risks of rootkits and the processes of sniffing and spoofing in network security.

Uploaded by enuguprasanna23

Live Data Collection from Unix Systems
Topics
• Creating a Response Toolkit
• Storing Obtained Information
• Obtaining Volatile Data Prior to Forensic Duplication
• Data to Collect
• Unix File Deletion
• Executing a Trusted Shell
• Gathering Info
Introduction
• Unix allows the deletion of a program after it executes.
• Many Unix variants are neither backwards nor forwards compatible.
Creating a Response Toolkit
• Many Unix distributions require their own unique toolkit.
• Prior to an incident, create response toolkits.
• Only use trusted commands.
Storing Information Obtained During the Initial Response
• Options include:
  • Local hard drive
  • Remote media
  • Record information by hand
• For digital transport, use netcat or cryptcat.
Best Time
• After selecting how you will retrieve data from the target system, you must consider the optimum time to respond.
• Volatile data refers to the information stored in a system's temporary storage areas, like the RAM or physical memory, and in active processes or services.
Obtaining Volatile Data Prior to Forensic Duplication
• Volatile data includes:
  • Currently open sockets
  • Running processes
  • Contents of system RAM
  • Location of unlinked files
• Unlinked files are files marked for deletion when the processes that access them terminate.
Data to Collect
• System date and time
• Users currently logged on
• Time/date stamps for the entire file system
• Currently running processes
• Currently open sockets
• Applications listening on open sockets
• Systems that have current or recent system connections
Sample Data Collection Process
• Execute a trusted shell
• Record system time and date
• Determine who is logged on
• Record modification, creation, and access times of all files
• Determine open ports
• List applications associated with open ports
• Determine running processes
• List current and recent connections
• Record the system time
• Record the steps taken
• Record cryptographic checksums
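The process above as one script, written as an added example (it is not from the slides): it runs the steps in the slide's order, puts the trusted toolkit first on PATH, logs every step with a timestamp, and checksums the output last. The toolkit path (/mnt/floppy/bin), the output directory and the optional FS_ROOT argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a minimal initial-response script that
# performs the "Sample Data Collection Process" in the slide's order.
# Assumptions (hypothetical paths): the trusted toolkit is mounted at
# TOOLKIT_DIR and OUT_DIR is on the response media (or a directory that is
# later shipped over netcat/cryptcat). FS_ROOT defaults to / and exists only
# so the script can be exercised against a small tree.
# Usage: collect_volatile OUT_DIR [TOOLKIT_DIR] [FS_ROOT]

collect_volatile() {
    out="$1"; toolkit="${2:-/mnt/floppy/bin}"; root="${3:-/}"
    mkdir -p "$out" || return 1
    # Trusted binaries first so every command below resolves to the toolkit,
    # not to a possibly trojaned copy on the victim's own PATH.
    PATH="$toolkit:$PATH"; export PATH
    log="$out/steps.log"
    step() {   # record every step taken, with a UTC timestamp
        printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
    }
    step "started by $(id -un) on $(uname -n); toolkit=$toolkit"
    date > "$out/date_start.txt";                          step "system date/time"
    { who || echo "who: unavailable"; } > "$out/who.txt" 2>&1; step "logged-on users"
    # Access, inode-change and modification times of the whole tree (the
    # slides redirect these to the floppy; here they go to $out).
    ls -alRu "$root" > "$out/atime" 2>/dev/null || true;   step "access times"
    ls -alRc "$root" > "$out/ctime" 2>/dev/null || true;   step "inode change times"
    ls -alR  "$root" > "$out/mtime" 2>/dev/null || true;   step "modification times"
    if command -v netstat >/dev/null 2>&1; then
        netstat -an  > "$out/netstat_an.txt"  2>&1 || true; step "open ports"
        netstat -anp > "$out/netstat_anp.txt" 2>&1 || true; step "processes on ports"
    else
        step "WARNING netstat not found: open ports NOT recorded"
    fi
    if command -v ps >/dev/null 2>&1; then
        ps -ef > "$out/ps.txt" 2>&1 || true;               step "running processes"
    else
        step "WARNING ps not found: processes NOT recorded"
    fi
    date > "$out/date_end.txt";                            step "system date/time (end)"
    # Checksums last, so they cover every file written above (sha256sum, or
    # POSIX cksum where it is missing); the list excludes itself.
    sum=$(command -v sha256sum || command -v cksum)
    (cd "$out" && for f in *; do
        [ "$f" = checksums.txt ] || "$sum" "$f"; done) > "$out/checksums.txt"
    step "checksums recorded with $sum"
}
```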
Unix File Deletion
• Unix tracks a file's link count.
  • A positive integer represents the number of processes currently using the file.
• When the link count equals zero, no process is using or needs the file, so it will be deleted.
• When an attacker deletes his rogue program:
  • the program on the hard drive is removed from the directory chain,
  • the link count is decremented by one, and
  • the file's deletion time is set.
• Note: the link count does not equal zero until the process terminates.
Executing a Trusted Shell
Two Unix modes:
1. Console mode
2. X Windows (GUI)
• Exit X Windows before you initiate the response.
• Log on locally at the victim console to avoid generating network traffic.
• Be sure to log on with root-level privileges.
• Mount a trusted device, e.g. for a floppy:
mount /dev/fd0 /mnt/floppy
Gathering Info
• Record system date and time: the date command
• Determine who is logged on: the who command
Gather File Info
• Record file modification, access, and inode change times. For example:
ls -alRu / > /floppy/atime
ls -alRc / > /floppy/ctime
ls -alR / > /floppy/mtime
Ports and Processes
• Ports: netstat -an
• Processes bound to ports: netstat -anp
• Note, the average Unix system has many more processes running than a Windows system.
• Processes: the ps command
Checksums
• Record checksums of all recorded files.
• Consider scripting the initial response.
Live Response In Depth
• Use dd, cat, netcat, and des, or cryptcat, to obtain log files, configuration files, and any other relevant files.
• Rootkits are freely available.
• The most advanced rootkits are loadable kernel modules (LKMs).
• The Unix kernel is a single program.
• LKMs are programs that can be dynamically linked into the kernel after the system has booted up.
• Rogue LKMs installed by attackers can intercept system commands such as netstat, ifconfig, ps, and ls and create false results.
• They can also hide files and/or processes, as well as create back doors.
Obtaining the System Logs During Live Response
• Most Unix flavors keep their log files in /var/adm or /var/log subdirectories.
• Log files can be obtained with a combination of netcat, cryptcat, dd, and des.
• Interesting logs:
  • utmp
  • wtmp
  • lastlog
  • Process accounting logs
  • /etc/syslog.conf
Sample Configuration Files
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/hosts.equiv
Discovering Illicit Sniffers
• A sniffer can increase an attack's severity.
• It also indicates that the attacker had root privileges.
• Hackers use sniffer software to capture, decode, and analyze packets of data sent over a network using TCP/IP or other protocols.
What is sniffing and spoofing?
• Sniffing is the process of intercepting and collecting network traffic as it passes over a digital network.
• Spoofing is the act of disguising a communication from an unknown source as being trustworthy. Using a packet analyzing (sniffing) or spoofing tool, an attacker intercepts network traffic.
Reviewing the /proc File System
• On many Unix distros, the /proc file system is a pseudo-file system used as an interface to kernel data structures.
• By changing into /proc, you are really accessing kernel data structures rather than a conventional directory.
• Each process has a subdirectory in /proc that corresponds to its PID.
The exe Link in the /proc File System
• The exe link allows investigators to recover deleted files as long as they are still running.
• By examining the fd (file descriptor) subdirectory, you can identify all of the files a process has open.
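The exe and fd links above, together with the unlinked-but-still-open files described under Unix File Deletion, as an added example that is not from the slides: it lists every open object of a process whose directory entry is gone and copies its contents out through the /proc link. The function names, the Linux " (deleted)" suffix convention and the output naming are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: use the /proc/<pid>/exe and
# /proc/<pid>/fd links to find files that were unlinked (removed from the
# directory chain) while a process still holds them, and copy the data out
# before that process exits and the inode is finally freed. Function and
# argument names are this example's own.
# Usage: list_deleted_open PID ; recover_deleted_open PID OUT_DIR

# Print "<link> <target>" for exe and each fd whose target was unlinked.
# On Linux the kernel marks such link targets with a " (deleted)" suffix.
list_deleted_open() {
    pid="$1"
    [ -d "/proc/$pid" ] || return 1
    for link in "/proc/$pid/exe" "/proc/$pid/fd"/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s %s\n' "$link" "$target" ;;
        esac
    done
}

# Copy every unlinked-but-open object of PID into OUT_DIR. The /proc link
# still resolves to the live inode, so reading through it recovers the bytes.
recover_deleted_open() {
    pid="$1"; out="$2"
    mkdir -p "$out" || return 1
    list_deleted_open "$pid" | while read -r link target; do
        orig=${target% (deleted)}                              # original path
        tag=$(printf '%s' "${link#/proc/$pid/}" | tr '/' '_')  # e.g. fd_3, exe
        dest="$out/${tag}_$(printf '%s' "$orig" | tr '/' '_')"
        if cat "$link" > "$dest" 2>/dev/null; then
            printf 'recovered %s -> %s\n' "$target" "$dest"
        else
            printf 'failed to read %s\n' "$link" >&2
        fi
    done
}
```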
Dumping System RAM
• Traditionally a challenging process.
• Usually transfer the /proc/kmem file from the target system.
• The file contains the contents of system RAM in a non-contiguous arrangement.
Thank you
