COEN 250 Computer Forensics Unix System Live Response

Creating a Response Toolkit
- Toolkits depend on the OS.
- Often you need to compile tools from source.
- Many Unix versions are not compatible with one another.

Creating a Response Toolkit
- Tools on the (compromised) system are often trojaned, much more so than on Windows machines.
- Statically link your tools, so they do not depend on the suspect system's shared libraries.

Store information
- On the local hard drive.
- On remote media (floppies, USB, tape).
- Record information by hand.
- Use netcat or cryptcat to transfer it to a forensic workstation over the network.

Collecting Data before a Forensic Duplication
- System date and time.
- Currently logged-on users.
- Time/date stamps for the entire file system.
- List of currently open sockets.
- Applications listening on these sockets.
- List of recent connections.

Collecting Data before a Forensic Duplication
Create a trusted shell:
- Exit X Windows or any other GUI.
- Log on with root privileges.
- Mount the floppy: mount /dev/fd0 /mnt/floppy
- Run the shell (bash) from the floppy.
- Set PATH to . (dot), so only the trusted tools in the current directory are run.

Collecting Data before a Forensic Duplication
- Use "date" for the time.
- Use "w" for current users.
- Use ls recursively (-R) to record access, change and modification times, starting at /:
  ls -alRu / > floppy/atime
  ls -alRc / > floppy/ctime
  ls -alR / > floppy/mtime

Collecting Data before a Forensic Duplication
- Use "netstat -an" to view all open ports.
- Use "netstat -anp" (on Linux) to list the applications associated with open ports.
- Use the "lsof" (list open files) utility, as in "lsof -i -D r".

Collecting Data before a Forensic Duplication
- Take a snapshot of all running processes:
  ps -eaf on Solaris
  ps -aux on FreeBSD and Linux

Collecting Data before a Forensic Duplication
- Take the date again.
- Record all steps (script, history).
- Record MD5 sums to prevent later challenges that the data was changed.

Collecting Data before a Forensic Duplication
- Obtain all system logs.
- Obtain important configuration files.
- Dump system RAM, often from /proc/kmem or /proc/kcore, and use it for keyword searches.
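The collection steps on the preceding slides, gathered into one script as an added example (this is not code from the lecture). It assumes a directory of trusted, statically linked tools passed as the third argument, an evidence directory passed as the second, and takes the tree root as the first argument so it can be exercised on a small directory rather than /; all three paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the lecture: the collection steps from the
# preceding slides gathered into one script. Assumptions (placeholders, not from
# the slides): trusted statically linked tools are in the directory passed as
# $3, evidence goes to the directory passed as $2, and the tree root is $1 so
# the script can be exercised on a small directory instead of /.

collect_live_data() {
    root="$1"        # tree to walk; / on a real response
    out="$2"         # evidence directory (removable media, or a netcat-fed mount)
    tools="${3:-}"   # optional directory holding trusted, statically linked binaries

    mkdir -p "$out" || return 1
    # Trusted tools first, so nothing on the suspect host is executed by name.
    if [ -n "$tools" ]; then PATH="$tools:$PATH"; export PATH; fi

    date > "$out/date.start"                    # system time: first thing recorded
    w > "$out/users" 2>/dev/null || true        # currently logged-on users
    # Three passes: access time (-u), inode change time (-c), modification time.
    ls -alRu "$root" > "$out/atime" 2>/dev/null || true
    ls -alRc "$root" > "$out/ctime" 2>/dev/null || true
    ls -alR  "$root" > "$out/mtime" 2>/dev/null || true
    # Open sockets with owning processes: netstat -anp on Linux, lsof -i elsewhere.
    { netstat -anp 2>/dev/null || lsof -i 2>/dev/null || true; } > "$out/sockets"
    # Process snapshot; the option spelling differs between Solaris and BSD/Linux.
    ps -eaf > "$out/ps" 2>/dev/null || ps aux > "$out/ps" 2>/dev/null || true
    date > "$out/date.end"                      # system time again: last thing recorded

    # Hash every artefact so later alteration can be detected or ruled out.
    ( cd "$out" && md5sum date.start users atime ctime mtime sockets ps date.end > MD5SUMS )
}

# Re-check the recorded hashes; returns 0 only if no artefact has changed since collection.
verify_evidence() {
    ( cd "$1" && md5sum --status -c MD5SUMS )
}
```

Run the whole session under script (as the slides recommend) so the commands typed are recorded alongside their output, and keep MD5SUMS with the evidence: verify_evidence re-hashes the set and fails if anything was altered after collection. To stream to a forensic workstation instead of writing to local media, pipe each command's output to netcat or cryptcat rather than redirecting it to a file.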

Rootkits
- Rootkits: tools to acquire and keep root access.
- File-level rootkits: trojaned versions of login, ps, find, who, netstat.

Rootkits
- Trojaned login: works as designed, but lets one special username in.
- Trojaned who: works as designed, but does not display the user with the special username.
- Together they provide access and protection.

Rootkits
- Use Tripwire to detect alterations of system files.
- Use trusted forensic tools to find file-level rootkits.

Rootkits
- Kernel-level rootkits create their own kernel; that is, they let users live in a virtual reality that the rootkit created.
- Loadable Kernel Modules (LKM): supported by Linux, Solaris, etc.; they allow modules to be added to the running kernel.

Rootkits
- A rogue LKM can intercept system calls.
- Tripwire will not help: the system files are still there and unchanged.

Rootkits
- Knark: to hide a process, send it kill -31; the Knark LKM takes care of the rest.
- Forensically sound tools are not circumvented, though.
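Two defender-side checks that follow from the rootkit slides, written as an added example (not the lecture's own code): a Tripwire-style hash baseline for the file-level case, and, for the kernel-level case where the files are unchanged, a cross-view comparison of the PIDs under /proc against the PIDs ps reports. Directory and file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the lecture: two defender-side checks suggested by
# the rootkit slides. (1) A Tripwire-style hash baseline of system binaries
# catches file-level rootkits (trojaned login, ps, who, netstat ...). (2) For a
# kernel-level rootkit the files are unchanged, so instead compare two views of
# the same fact: PIDs present under /proc but missing from ps output. File
# names and directories used here are placeholders for the example.

# Hash every regular file under $1 into baseline file $2 (give an absolute path).
# Take the baseline from a known-good state, ideally before any incident.
make_baseline() {
    find "$1" -type f -exec md5sum {} + | sort > "$2"
}

# Re-hash the files named in baseline $1. Prints changed or missing files and
# returns non-zero if any differ, 0 if everything still matches.
check_baseline() {
    md5sum --quiet -c "$1"
}

# Cross-view check. $1: PIDs taken from /proc, $2: PIDs reported by ps (either
# may be space- or newline-separated). Prints PIDs only /proc knows about; a
# process hidden from ps by a kernel module (as Knark does after kill -31)
# shows up here.
hidden_pids() {
    ps_set=" $(printf '%s' "$2" | tr '\n' ' ') "
    for pid in $1; do
        case "$ps_set" in
            *" $pid "*) ;;            # reported by ps as well: consistent
            *) echo "$pid" ;;         # seen in /proc only: hidden, or exited meanwhile
        esac
    done
}

# Gather the two views on a live Linux host. Short-lived processes can appear in
# one view and not the other, so treat a hit as something to re-check, not proof.
live_cross_view() {
    proc_pids=$(ls /proc | grep '^[0-9][0-9]*$')
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    hidden_pids "$proc_pids" "$ps_pids"
}
```

The baseline only has value if it was taken with trusted tools from a known-good state, which is why the slides pair Tripwire with a trusted toolkit. The cross-view check catches a module that filters ps but leaves /proc alone; a module that also hooks directory listing of /proc defeats it, and at that point only an independent view (a trusted forensic tool, or offline analysis of the duplicate) remains.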

Sniffers
- Used to capture network traffic.
- Payload: unencrypted login procedures.
- Payload: messages …

Sniffers
- The Ethernet card needs to be in promiscuous mode for sniffing.
- Use ifconfig eth0 and look for the keyword PROMISC.
- Use lsof to find large output files.
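The two sniffer indicators on the slide, a promiscuous-mode interface and a large open output file, as checks that parse command output; this is an added example, not code from the lecture. The parsers take text, so the constructed sample output embedded below (not captured from a real host) exercises them offline; the live_* wrappers feed them real ip, ifconfig and lsof output.

```shell
#!/bin/sh
# Added example, not part of the lecture: the two sniffer indicators from the
# slide, a promiscuous-mode interface and a large output file, as checks that
# parse command output. The parsers take text so they can be run on the
# constructed samples below; the live_* wrappers feed them real command output.

# Constructed sample output (not captured from a real host) in the three
# formats the parser understands: new-style ifconfig, old-style ifconfig, ip link.
SAMPLE_IFCONFIG_NEW='eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 10.0.0.5  netmask 255.255.255.0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0'
SAMPLE_IFCONFIG_OLD='eth1      Link encap:Ethernet  HWaddr 00:0c:29:ab:cd:ef
          inet addr:10.0.0.6  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1'
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'
# lsof -s style listing (SIZE/OFF holds the file size for regular files).
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE   SIZE/OFF    NODE NAME
sshd      1201 root  txt    REG  253,0     921504 1049089 /usr/sbin/sshd
bash      2210 root  cwd    DIR  253,0       4096       2 /
pcapd     2345 root    3w   REG  253,0  734003200  131091 /var/tmp/.out
pcapd     2345 root    4u  pack  45123        0t0     ALL type=SOCK_RAW'

# Print the names of interfaces whose flags include PROMISC. A block starts at
# column 0 with the interface name (ifconfig) or with "N: name:" (ip link);
# the flags may be on that same line or on an indented continuation line.
promisc_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9_.:-]+[: ]/ {
            iface = $1
            if (iface ~ /^[0-9]+:$/) iface = $2   # "2: eth0:" form from ip link
            sub(/:$/, "", iface)
        }
        /PROMISC/ { print iface }'
}

# Linux also exposes the flag word in /sys/class/net/<if>/flags (hex);
# IFF_PROMISC is bit 0x100. Returns 0 if the given value has that bit set.
is_promisc_flags() {
    [ $(( $1 & 256 )) -ne 0 ]
}

# From lsof output, print "PID COMMAND SIZE NAME" for regular files larger than
# $2 bytes. NAME is the first token only, so paths with spaces are truncated.
large_open_files() {
    printf '%s\n' "$1" | awk -v min="$2" '
        NR > 1 && $5 == "REG" && $7 ~ /^[0-9]+$/ && $7 + 0 > min { print $2, $1, $7, $9 }'
}

# Live wrappers for a Linux host; each prefers the newer tool and falls back.
live_promisc_ifaces() {
    promisc_ifaces "$(ip link 2>/dev/null || ifconfig -a 2>/dev/null)"
}
live_large_open_files() {
    large_open_files "$(lsof -s 2>/dev/null)" "${1:-104857600}"   # default 100 MB
}
```

Both checks rely on the tools of the suspect host unless run from the trusted toolkit, so use the statically linked ip/ifconfig and lsof from the response media. On Linux the kernel also logs "device eth0 entered promiscuous mode" when the flag is set, so the kernel log is a second place to look when the live interface state has already been reset.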