COEN 250 Computer Forensics: Unix System Live Response

Creating a Response Toolkit
- Toolkits depend on the OS.
- Often, tools need to be compiled from source.
- Many Unix versions are not compatible with one another.

Creating a Response Toolkit
- Tools on the compromised system are often Trojaned, much more so than on Windows machines.
- Statically link the toolkit's binaries, so they do not depend on (possibly Trojaned) shared libraries on the system.

Store information
- On the local hard drive.
- On remote media (floppies, USB, tape).
- Record information by hand.
- Use netcat or cryptcat to transfer it to a forensic workstation over the network.

Collecting Data before a Forensic Duplication
- System date and time.
- Currently logged-on users.
- Time/date stamps for the entire file system.
- List of currently open sockets.
- Applications listening on these sockets.
- List of recent connections.

Collecting Data before a Forensic Duplication
- Create a trusted shell:
  - Exit X Windows or any other GUI.
  - Log on with root privileges.
  - Mount the floppy: mount /dev/fd0 /mnt/floppy
  - Run the shell from the floppy (bash).
  - Set PATH to . (dot), so that only the toolkit's binaries are found.

Collecting Data before a Forensic Duplication
- Use "date" for the time.
- Use "w" for the current users.
- Use ls recursively (-R) to record access (-u), change (-c) and modification (default) times, starting at /:
  ls -alRu / > floppy/atime
  ls -alRc / > floppy/ctime
  ls -alR / > floppy/mtime

Collecting Data before a Forensic Duplication
- Alternative: a single find pass that prints mode, access, modification and change times, owner, group, size and path for every file:
  find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"

Collecting Data before a Forensic Duplication
- Find open TCP / UDP ports. Goal: find open backdoors.
  - Use "netstat -an" to view all open ports.
  - Use "netstat -anp" (on Linux) to list the applications associated with the open ports.
  - Check the open ports against a reference of normal port usage (the link on the original slide was marked as currently down).
  - Use the "lsof" (list open files) utility, as in "lsof -i -D r".
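The open-port check described above, as an added example that is not from the slides: it compares constructed "netstat -anp" output against a constructed baseline of the ports this host is expected to serve and reports every other listener together with its PID/program.

```shell
#!/bin/sh
# Flag listening sockets that are not on a baseline of expected services.
# Added example; the netstat -anp output and the baseline are constructed.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1234/datapipe
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1402/sshd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           655/syslogd'

# Ports this host is documented to serve (constructed baseline)
BASELINE_PORTS='tcp/22 tcp/25 udp/514'

# Print "proto/port pid/program" for every listener missing from the baseline.
# On a live system: unexpected_listeners "$(netstat -anp 2>/dev/null)" "$BASELINE_PORTS"
unexpected_listeners() {
    netstat_out=$1; baseline=$2
    printf '%s\n' "$netstat_out" | awk -v base="$baseline" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        # strip everything up to the last colon, so IPv6 forms like :::22 also work
        function port(addr) { sub(/.*:/, "", addr); return addr }
        # TCP listeners carry a State column; UDP lines have none, so the
        # PID/Program field is one column further left
        $1 == "tcp" && $6 == "LISTEN" { key = "tcp/" port($4); prog = $7 }
        $1 == "udp"                   { key = "udp/" port($4); prog = $6 }
        key != "" && !(key in ok)     { print key, prog }
        { key = "" }'
}
```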

Collecting Data before a Forensic Duplication
- Take a snapshot of all running processes:
  - ps -eaf on Solaris
  - ps -aux on FreeBSD and Linux

Collecting Data before a Forensic Duplication
- Open files: lsof

Collecting Data before a Forensic Duplication
- Internal routing table: netstat -rn
- Goal: evidence of a man-in-the-middle attack (altered routes).

Collecting Data before a Forensic Duplication
- Loaded kernel modules
  - Used to be the standard way to install a rootkit.
  - Use the lsmod command.
  - Warning: Knark and other loadable kernel module rootkits will subvert this program.

Collecting Data before a Forensic Duplication
- Mounted file systems: df command
- Example: mounted NFS shares can be used by an intruder to transfer data.

Collecting Data before a Forensic Duplication
- System version and patch level: uname -a

Collecting Data before a Forensic Duplication
- Obtain all system logs:
  - /var/run/utmp contains the currently logged-on users. Warning: tools like "zap2" delete these entries.
  - /var/log/wtmp holds the history of logins.
  - Syslog: the log file locations are configured in syslog.conf.

Collecting Data before a Forensic Duplication
- User accounts
  - Look for evidence of backdoors in the password file (/etc/passwd).
  - For suspicious users, check their shell history files.

Collecting Data before a Forensic Duplication
- Obtain important config files.
- Dump system RAM, often via /dev/kmem or /proc/kcore; use the dump for keyword searches.

Collecting Data before a Forensic Duplication
- Suspicious files
  - Assume the attacker runs a binary such as datapipe and then deletes it.
  - The binary image is still reachable through the /proc file system; /proc does not exist on the hard drive, so a disk duplication will not capture it.
  - To collect the binary image of process PID 1234: change into /proc/1234 and copy "exe" to the forensic workstation using cat and netcat.
  - The fd directory contains all open files of that process.

Collecting Data before a Forensic Duplication
- Take the date again.
- Record all steps (script, shell history).
- Record MD5 sums to prevent later challenges that the data was changed.
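The two slides above, collecting a deleted binary through /proc and hashing what is collected, in runnable form. This is an added example, not from the course slides; it assumes a Linux /proc, and uses a copy of sleep named datapipe as a constructed stand-in for the attacker's binary.

```shell
#!/bin/sh
# Recover the image of a process whose binary was deleted after launch, from
# /proc/<pid>/exe, and hash it at collection time. Added example (Linux /proc);
# "datapipe" is the slides' stand-in name for the attacker's tool.

collect_proc_exe() {
    pid=$1; out=$2
    # After deletion the link reads "... (deleted)", but the open inode is still readable
    readlink "/proc/$pid/exe" >/dev/null || return 1
    # Read the exe link itself, never the (possibly gone) path on disk
    cat "/proc/$pid/exe" > "$out" || return 1
    # Hash immediately, so the copy can later be tied to what was collected
    md5sum "$out" | cut -d' ' -f1
}
# To ship the image off the host instead (netcat, as the slides describe; flags vary by version):
#   workstation:   nc -l -p 4444 > pid1234.exe
#   suspect host:  cat /proc/1234/exe | nc WORKSTATION 4444    (then compare md5sum on both ends)

# Demo of the slides' scenario: run a binary, delete it, recover it from /proc.
# Prints "match" when the recovered image hashes the same as the original file.
demo_deleted_binary() {
    work=$(mktemp -d)
    cp "$(command -v sleep)" "$work/datapipe"
    orig=$(md5sum "$work/datapipe" | cut -d' ' -f1)
    "$work/datapipe" 60 &             # child of this shell; its pid is in $!
    pid=$!
    rm "$work/datapipe"               # on-disk file gone, process still running
    got=$(collect_proc_exe "$pid" "$work/recovered")
    kill "$pid" 2>/dev/null || true
    rm -rf "$work"
    [ "$orig" = "$got" ] && echo match || echo mismatch
}
```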

Rootkits
- Rootkits: tools to acquire and keep root access.
- File-level rootkits: Trojaned versions of login, ps, find, who, netstat.

Rootkits
- Trojaned login: works as designed, but lets one special username in.
- Trojaned who: works as designed, but does not display the user with the special username.
- Together they provide access and protection.

Rootkits
- Use Tripwire to detect system file alterations.
- Use trusted forensic tools to find file-level rootkits.

Rootkits
- Kernel-level rootkits create their own kernel; that is, they let users live in a virtual reality the rootkit created.
- Loadable Kernel Modules (LKM): supported by Linux, Solaris, etc.; allow modules to be added to the running kernel.

Rootkits
- A rogue LKM can intercept system calls, and with them what every command sees.
- Tripwire will not help: the system files are still there and unchanged.

Rootkits
- Knark
  - To hide a process, send it kill -31; the Knark LKM takes care of the rest.
  - Forensically sound tools are not circumvented, though.

Rootkits
- Detection: look for inconsistencies in the data.
- Example:
  - lsof output contains the file /tmp/.kde
  - find does not list /tmp/.kde
  - The discrepancy is a strong hint that a rootkit set to hide /tmp/.kde is present.
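The lsof-versus-find cross-check described above, as an added example that is not from the slides: both captures are constructed, and in a real response the lsof output would come from the trusted, statically linked toolkit while the find listing comes from the suspect system.

```shell
#!/bin/sh
# Cross-check open files reported by a trusted lsof against a directory walk:
# a regular file a process holds open that find does not list is the slides'
# rootkit hint. Added example; both captures below are constructed.

SAMPLE_LSOF='COMMAND   PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root txt REG  8,1    786440 2210 /usr/sbin/sshd
sshd      812 root  3u IPv4  9123      0t0  TCP *:22 (LISTEN)
datapipe 1234 root txt REG  8,1     16384 9901 /tmp/.kde/datapipe (deleted)
datapipe 1234 root  3w REG  8,1      2048 9912 /tmp/.kde/out.log
bash     4242 root cwd DIR  8,1      4096    2 /'

# Constructed output of: find / -xdev -type f   (run on the suspect system)
SAMPLE_FIND='/usr/sbin/sshd
/tmp/test.txt
/bin/bash'

# Print regular files that lsof sees but the find listing lacks.
hidden_open_files() {
    lsof_out=$1; find_out=$2
    tmp=$(mktemp -d)
    # Keep regular files only (TYPE is column 5). A "(deleted)" entry is
    # legitimately absent from disk and is a separate finding: recover it
    # through /proc/<pid>/exe rather than reporting it here.
    printf '%s\n' "$lsof_out" |
        awk 'NR > 1 && $5 == "REG" && $NF != "(deleted)" { print $NF }' |
        sort -u > "$tmp/lsof"
    printf '%s\n' "$find_out" | sort -u > "$tmp/find"
    comm -23 "$tmp/lsof" "$tmp/find"      # lines only in the lsof set
    rm -rf "$tmp"
}
```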

Sniffers
- Used to capture network traffic.
- Payloads of interest: unencrypted login procedures, messages, ...

Sniffers
- The Ethernet card needs to be in promiscuous mode for sniffing.
  - Use ifconfig eth0 and look for the keyword PROMISC.
  - Use lsof to find large output files.