COEN 250 Computer Forensics: Unix System Live Response


Page 1: COEN 250 Computer Forensics
Unix System Live Response

Page 2: Creating a Response Toolkit

Toolkits depend on the OS.
Often you need to compile the tools from source, since many Unix versions are not compatible with one another.

Page 3: Creating a Response Toolkit

Tools on the compromised system are often Trojaned, much more so than on Windows machines.
Statically link your tools so they do not depend on libraries of the suspect system.
http://www.incident-response.org

Page 4: Store information

On the local hard drive.
On remote media (floppies, USB, tape).
Record information by hand.
Use netcat or cryptcat to transfer it to a forensic workstation over the network.

Page 5: Collecting Data before a Forensic Duplication

System date and time.
Currently logged-on users.
Time/date stamps for the entire file system.
List of currently open sockets.
Applications listening on these sockets.
List of recent connections.

Page 6: Collecting Data before a Forensic Duplication

Create a trusted shell:
Exit X-Windows or any other GUI.
Log on with root privileges.
Mount the floppy: mount /dev/fd0 /mnt/floppy
Run the shell from the floppy (bash).
Set the path to . (dot) so that commands are taken from the current directory, i.e. from the floppy.

Page 7: Collecting Data before a Forensic Duplication

Use "date" for the time.
Use "w" for the current users.
Use ls recursively (-R) to record access, change and modification times, starting at /:
ls -alRu / > floppy/atime
ls -alRc / > floppy/ctime
ls -alR / > floppy/mtime

Page 8: Collecting Data before a Forensic Duplication

Alternative: a single find invocation records all three timestamps per object, one line each:
find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
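The find form above wrapped in a small collection script, as an added example that is not part of the slides: one pass records all three timestamps per object, and the listing is hashed so that later changes to the record can be shown. GNU find and md5sum are assumed; the tree walked in the demonstration is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): one find pass records all three
# timestamps per object and the listing is hashed against later tampering.

# collect_times ROOT OUTDIR
#   Writes one ';'-separated line per object under ROOT to OUTDIR/times.txt:
#   mode, atime date/time, mtime date/time, ctime date/time, uid, gid, size, path.
#   GNU find is assumed (-printf is a GNU extension).
collect_times() {
    root="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    find "$root" -printf '%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n' \
        > "$outdir/times.txt" || return 1
    # MD5 of the listing, stored next to it
    ( cd "$outdir" && md5sum times.txt > times.md5 )
}

# verify_times OUTDIR: succeeds only if times.txt still matches its recorded MD5
verify_times() {
    ( cd "$1" && md5sum -c times.md5 >/dev/null 2>&1 )
}

# fields_ok FILE: succeeds if every line has the 11 expected fields
# (a path containing ';' would break this simple check)
fields_ok() {
    awk -F';' 'BEGIN { bad = 0 } NF != 11 { bad = 1 } END { exit bad }' "$1"
}

# record_count FILE: number of objects recorded
record_count() {
    wc -l < "$1" | tr -d ' '
}

# Demonstration on a constructed tree (not real evidence): expect 4 records
demo_collect() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/etc"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/tree/etc/passwd"
    printf 'note\n' > "$work/tree/note.txt"
    collect_times "$work/tree" "$work/out"
    verify_times "$work/out" && fields_ok "$work/out/times.txt" && \
        record_count "$work/out/times.txt"
    rm -rf "$work"
}
demo_collect
```

Collect the timestamps first: every read of a directory, including by find or ls, updates access times.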

Page 9: Collecting Data before a Forensic Duplication: Find open TCP/UDP ports

Goal: find open backdoors.
Use "netstat -an" to view all open ports.
Use "netstat -anp" (on Linux) to list the applications associated with the open ports.
Check the normal use of open ports: www.portsdb.org (currently down), http://logs.sofaware.com/resolveport/?portnumber=80&protocol=TCP
Use the "lsof" (list open files) utility, as in "lsof -i -D r".

Page 10: Collecting Data before a Forensic Duplication

Take a snapshot of all running processes:
ps -eaf on Solaris
ps -aux on FreeBSD and Linux

Page 11: Collecting Data before a Forensic Duplication

Open files: lsof

Page 12: Collecting Data before a Forensic Duplication

Internal routing table: netstat -rn
Goal: evidence of a man-in-the-middle attack.

Page 13: Collecting Data before a Forensic Duplication

Loaded kernel modules: this used to be the standard way to install a rootkit.
Use the lsmod command.
Warning: Knark and other loadable kernel module rootkits will subvert this program.

Page 14: Collecting Data before a Forensic Duplication

Mounted file systems: df command.
Example: mounted NFS shares can be used by an intruder to transfer data.

Page 15: Collecting Data before a Forensic Duplication

System version and patch level: uname -a

Page 16: Collecting Data before a Forensic Duplication

Obtain all system logs.
/var/run/utmp contains the currently logged-on users. Warning: tools like "zap2" delete these entries (http://www.packetstormsecurity.com/).
/var/log/wtmp: history of logins.
Syslog: the logs are configured in syslog.conf.

Page 17: Collecting Data before a Forensic Duplication

User accounts: look for evidence of backdoors in the password file /etc/passwd.
For suspicious users, check their history files.

Page 18: Collecting Data before a Forensic Duplication

Obtain important config files.
Dump system RAM: often in /proc/kmem or /proc/kcore. Use it for keyword searches.

Page 19: Collecting Data before a Forensic Duplication: Suspicious files

Assume the attacker runs a binary such as datapipe and then deletes it.
The binary image is kept in the /proc file system; /proc does not exist on the hard drive.
To collect the binary image of process pid 1234: change into /proc/1234 and copy exe to the forensics workstation using cat and netcat.
The fd directory contains all open files of a particular process.
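The recovery step above, as an added example that is not from the slides: a copy of sleep stands in for the deleted attacker binary, its image is read back from /proc/<pid>/exe and hashed. Linux /proc and a temp directory that allows execution are assumed; the netcat transfer is left out so the script runs locally.

```shell
#!/bin/sh
# Added example (not from the slides): pull a process's executable image
# out of /proc after the file was unlinked, as in the datapipe scenario.

# recover_exe PID OUTFILE
#   Copies /proc/PID/exe to OUTFILE and prints the MD5 of the copy.
#   Works even when the on-disk binary has been deleted, because the
#   exe link still refers to the in-use inode. Linux /proc is assumed.
recover_exe() {
    pid="$1"; out="$2"
    [ -r "/proc/$pid/exe" ] || { echo "cannot read /proc/$pid/exe" >&2; return 1; }
    readlink "/proc/$pid/exe" >&2     # shows "... (deleted)" once the file is gone
    cat "/proc/$pid/exe" > "$out" || return 1
    md5sum "$out" | cut -d' ' -f1
}

# demo_deleted_binary: a copy of "sleep" stands in for the attacker's
# binary; it is started, deleted from disk, then recovered from /proc.
# Prints "match" if the recovered image hashes the same as the original.
demo_deleted_binary() {
    work=$(mktemp -d)
    orig=$(command -v sleep)
    cp -L "$orig" "$work/sleep"             # same name so a busybox applet still works
    "$work/sleep" 60 &
    pid=$!
    # wait until the child has exec'd the copy before unlinking it
    n=0
    until [ "$(readlink "/proc/$pid/exe" 2>/dev/null)" = "$work/sleep" ] || [ "$n" -ge 50 ]; do
        sleep 0.1; n=$((n + 1))
    done
    rm -f "$work/sleep"                      # gone from disk, process lives on
    recovered=$(recover_exe "$pid" "$work/recovered.bin" 2>/dev/null) || recovered=none
    expected=$(md5sum "$orig" | cut -d' ' -f1)
    kill "$pid" 2>/dev/null || true
    rm -rf "$work"
    [ "$recovered" = "$expected" ] && echo match || echo mismatch
}
demo_deleted_binary
```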

Page 20: Collecting Data before a Forensic Duplication

Take the date again.
Record all steps (script, history).
Record MD5 sums to prevent challenges that the data was changed.

Page 21: Rootkits

Rootkits: tools to acquire and keep root access.
File-level rootkits: Trojaned login, ps, find, who, netstat.

Page 22: Rootkits

Trojaned login: works as designed, but lets one special username in.
Trojaned who: works as designed, but does not display the user with the special username.
Together they provide access and protection.

Page 23: Rootkits

Use Tripwire to detect system file alterations.
Use trusted forensic tools to find file-level rootkits.

Page 24: Rootkits

Kernel-level rootkits create their own kernel; that is, they let users live in a virtual reality that the rootkit created.
Loadable Kernel Modules (LKM): supported by Linux, Solaris, etc.; they allow modules to be added to the running kernel.

Page 25: Rootkits

A rogue LKM can intercept system commands.
Tripwire will not help: the system files are still there and unchanged.

Page 26: Rootkits

Knark: to hide a process, send it kill -31; the Knark LKM takes care of the rest.
Forensically sound tools are not circumvented, though.

Page 27: Rootkits

Detection: look for inconsistencies in the data.
Example: the lsof output contains the file /tmp/.kde, but find does not list /tmp/.kde.
The discrepancy is a strong hint at a rootkit set to hide /tmp/.kde.
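The lsof-versus-find cross-check as an added example that is not from the slides: paths that a process holds open but that the file system walk never listed are reported. The lsof and find listings are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the slides): cross-check a saved lsof listing
# against a saved "find /" listing; files that processes hold open but
# that the file system walk never showed are candidates for hidden objects.

# hidden_paths LSOF_FILE FIND_FILE
#   Prints, one per line, every absolute path in lsof's NAME column that
#   is missing from the find listing. lsof marks unlinked files with a
#   trailing "(deleted)", which is stripped so the path still compares.
hidden_paths() {
    tmp=$(mktemp -d)
    awk 'NR > 1 { p = ($NF == "(deleted)") ? $(NF-1) : $NF
                  if (p ~ /^\//) print p }' "$1" | LC_ALL=C sort -u > "$tmp/open"
    LC_ALL=C sort -u "$2" > "$tmp/seen"
    LC_ALL=C comm -23 "$tmp/open" "$tmp/seen"
    rm -rf "$tmp"
}

# write_samples DIR: constructed listings (not real captures) in DIR
write_samples() {
    cat > "$1/lsof.txt" <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root  cwd    DIR    8,1     4096    2 /
sshd      812 root    3u  IPv4   5566      0t0  TCP *:22 (LISTEN)
httpd    1411 www     4w   REG    8,1    65536  733 /var/log/httpd/access_log
sh       2231 root    3r   REG    8,1     2048  911 /tmp/.kde/.sniff
datapipe 2240 root   txt   REG    8,1    12288  901 /var/tmp/datapipe (deleted)
EOF
    cat > "$1/find.txt" <<'EOF'
/
/tmp
/var
/var/log
/var/log/httpd
/var/log/httpd/access_log
/var/tmp
EOF
}

demo_hidden() {
    d=$(mktemp -d)
    write_samples "$d"
    hidden_paths "$d/lsof.txt" "$d/find.txt"   # expect the two paths find never saw
    rm -rf "$d"
}
demo_hidden
```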

Page 28: Sniffers

Used to capture network traffic.
Payloads of interest: unencrypted login procedures, email messages, …

Page 29: Sniffers

The Ethernet card needs to be in promiscuous mode for sniffing.
Use ifconfig eth0 and look for the keyword PROMISC.
Use lsof to find large output files.