Slide 1: Lecture 15: UNIX Forensics
6/25/2003, CSCE 590 Summer 2003
Slide 2: Collecting Volatile Data
– Trusted toolkit: the book recommends renaming the trusted tools (e.g. tls, tnetstat) to avoid accidents
– Same considerations as before: it is a tradeoff
– Unplugging from the network causes many UNIX systems to start writing error messages to the log and the console
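A minimal wrapper for the trusted-toolkit idea above, added here as an example (it is not code from the lecture or the book). It assumes the toolkit is mounted read-only at $TK and that its tools carry a "t" prefix (tw, tps, tlsof, tmd5sum) as the slide suggests; $TK, $LOG and the tool names are assumptions.

```shell
# Added example, not from the lecture: run live-response commands only from a
# trusted toolkit and hash everything collected. Assumptions: the toolkit is
# mounted read-only at $TK and its tools carry a "t" prefix (tw, tps, tlsof,
# tmd5sum ...) as the slide suggests.

TK="${TK:-/mnt/cdrom/tools}"                  # trusted toolkit (read-only media)
LOG="${LOG:-/evidence/live-response.log}"     # on your evidence media, not the suspect disk

# run_trusted <tool> [args...]
# Executes $TK/<tool> with an empty PATH, so a trojaned binary on the suspect
# system can never be picked up by accident. Returns 2 if the trusted copy is
# missing instead of silently falling back to the system's own copy.
run_trusted() {
    tool="$1"; shift
    if [ ! -x "$TK/$tool" ]; then
        printf 'ERROR: %s is not in trusted toolkit %s; not using PATH\n' \
            "$tool" "$TK" >&2
        return 2
    fi
    PATH="" LC_ALL=C "$TK/$tool" "$@"
}

# collect <tool> [args...]
# Runs a trusted tool, prints its output (redirect it to an evidence file) and
# appends "<command> md5=<hash>" to $LOG, hashing with the toolkit's tmd5sum so
# the record does not depend on the suspect system's md5sum either.
collect() {
    out="$(run_trusted "$@")" || return $?
    printf '%s\n' "$out"
    sum="$(printf '%s\n' "$out" | run_trusted tmd5sum)" || return $?
    printf '%s md5=%s\n' "$*" "${sum%% *}" >> "$LOG"
}

# Typical opening sequence of a live response with this wrapper (least
# persistent data first, each result to its own evidence file):
#   collect tw          > /evidence/w.txt
#   collect tps -eaf    > /evidence/ps.txt
#   collect tlsof -D r  > /evidence/lsof.txt
```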
Slide 3: w – what
Find out who is logged in and what they're doing.
– USER field: username logged in
– TTY field: control terminal assigned to the session
  – ttyn (n an integer >= 0): console logon
  – ptsn or ttypn may signify a network connection
– FROM field: where they've logged in from (a hyphen means at the console)
– LOGIN@ field: local starting time of the connection
Slide 4: w – what (continued)
– IDLE field: length of time since the last process was run
– JCPU field: total time used by all processes connected to that terminal
– PCPU field: processor time used by the process listed in the WHAT column
– WHAT field: process currently running on that terminal
Slide 5: Running Processes
– ps -eaf (System V)
– ps -wwwaux (BSD)
– Either works on Linux and newer operating systems
– Note the START field: when a process started
– If the COMMAND field of a process contains bizarre characters, it may indicate the presence of a buffer overflow attack
– Bizarre characters or strangely formatted fields may also indicate a trojaned copy of ps that isn't compiled quite right for your OS
Slide 6: lsof
List of every open file used by a process. On UNIX an open file can be:
– Regular file
– Directory
– Block special file (disk drive)
– Character special file (tty terminal)
– A library
– A stream
– Network file (Internet socket, NFS file or UNIX domain socket)
Slide 7: lsof
– No options gives the full list of all open files and sockets
– +d dirname: search for all open files and directories directly within dirname (does not recurse or follow symbolic links)
– +D dirname: as above, plus recursion
– -i: all open Internet files and connections, an alternative to netstat
– -D r: tells lsof not to create a cache file (creating one would be a system change during live response)
Slide 8: lsof Output
– COMMAND: command that was run
– PID: process ID listed from /proc
– USER: user associated with the process
– FD: either the file descriptor of the file (followed by r, w or u for the mode, plus some other possible codes) or:
  – cwd: current working directory of the process
  – ltx: shared library text (code and data)
  – Mxx: hex memory-mapped type number xx
  – mem: memory-mapped file
  – pd: parent directory
  – rtd: root directory
  – txt: program text (code and data)
Slide 9: lsof Output (continued)
– TYPE: type of node associated with the file
– DEVICE: device numbers for character special, block special, regular, directory, or NFS files
– SIZE: size of the file or file offset in bytes
– NODE: inode number of the file
– NAME: name of the mount point or file system on which the file resides
Slide 10: Loadable Kernel Modules
– Instead of trojaning executables like ps, rootkits (collections of trojaned system utilities) may actually use LKMs to hide their tracks
– Insidious for live response:
  – The UNIX kernel is a single program
  – LKMs can be dynamically linked into the kernel after it is booted
  – These change the way the operating system works
  – Use the kernel to hide your tracks: it lies to your trusted tools, which have to use system calls to interface with the kernel. This is the point where the kernel can lie to you
– Examples: knark, adore, heroin
Slide 11: kstat LKM Detector
Checks memory (/dev/kmem) for info about the host, including LKMs. Options:
– -P: display all processes
– -p pid: display the process with process id pid
– -M: display the kernel's LKM linked list
– -m addr: display info about the module at addr
– -s: display info about the system call table
Slide 12: Finding knark with kstat
– kstat -s reports, for example:
  sys_fork 0xc284652c WARNING! Should be at 0xc0108c88
– LKM rootkits typically change the system call table, which generates these warnings
– Older kstat used the System.map file; the expected addresses are now compiled in
– Use the warnings as a signature of particular rootkits
– knark changes 7 system calls: sys_fork, sys_read, sys_execve, sys_kill, sys_ioctl, sys_settimeofday, sys_clone
Slide 13: Other LKM Rootkits
– adore:
  – 7 calls as well
  – sys_fork, sys_kill, sys_clone, sys_write, sys_close, sys_mkdir, sys_getdents
– rkit:
  – Only changes one system call
  – sys_setuid
Slide 14: kstat -P
– Shows all running processes, including those hidden by LKM rootkits
– Compare against the output of ps and lsof to see if anything is missing compared to the output of kstat -P
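The comparison the slide describes, as an added example (not code from the lecture): a cross-view check that lists PIDs the kernel-side view knows about but ps does not. The layout assumed for the kstat -P listing (one process per line, PID in the first column) is an assumption, as is the sample data; the same comparison works with any other kernel-level view, for example a directory listing of /proc.

```shell
# Added example, not from the lecture: a cross-view check for processes hidden
# from ps. The kernel-side list is what kstat -P gives on a live system (its
# exact layout is assumed here: one process per line, PID in the first column);
# the user-side list is ps -eaf, ps -wwwaux or lsof output, all of which carry
# the PID in the second column. A PID seen by the kernel but not by ps is what
# an LKM rootkit's hidden process looks like.

# pids_from_userland: PID column (2nd field) of ps -eaf, ps -wwwaux or lsof
# output on stdin; the header line is skipped because its field is not numeric.
pids_from_userland() {
    awk '$2 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# pids_from_kernel_view: first column of the kernel-side listing on stdin.
pids_from_kernel_view() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u
}

# hidden_pids <kernel_pid_file> <userland_pid_file>
# Prints PIDs present only in the kernel view. Both inputs are already in
# sort -u order (lexical), which is what comm requires.
hidden_pids() {
    comm -23 "$1" "$2"
}

# Constructed sample data: PID 31337 is visible to the kernel but not to ps.
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 init
root       412     1  0 09:00 ?        00:00:00 syslogd
root       539     1  0 09:01 ?        00:00:00 sshd'
KSTAT_SAMPLE='PID    PPID   UID   NAME
1      0      0     init
412    1      0     syslogd
539    1      0     sshd
31337  1      0     sniffer'

# hidden_pid_demo: runs the comparison over the sample data (prints 31337).
# On a real system, short-lived processes that exit between the two snapshots
# show up as false positives, so take the snapshots back to back and re-check
# any PID that is reported.
hidden_pid_demo() {
    k="$(mktemp)"; u="$(mktemp)"
    printf '%s\n' "$KSTAT_SAMPLE" | pids_from_kernel_view > "$k"
    printf '%s\n' "$PS_SAMPLE" | pids_from_userland > "$u"
    hidden_pids "$k" "$u"
    rm -f "$k" "$u"
}
```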
Slide 15: Other LKM Rootkit Detectors
– chkrootkit
  – Does regular rootkits as well
  – Excellent reference links on the web site: http://www.chkrootkit.org/
– rkscan
  – http://www.hsc.fr/ressources/outils/rkscan/index.html.en
– Carbonite
  – An LKM itself that does an lsof/ps at the kernel level. "Freezes" the status of every process in Linux's task_struct
  – http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/carbonite.htm
– http://packetstormsecurity.nl/docs/hack/LKM_HACKING.html
Slide 16: Finding Sniffers
– Use ifconfig to collect information about the network interface configuration
– Also look for interfaces in promiscuous mode (sniffing)
  – Usually interfaces only pay attention to packets addressed to them or to the broadcast address
  – PROMISC tells the interface to pay attention to all packets going by on the wire
  – Some systems (Solaris) do not set the promiscuous flag
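Picking the PROMISC flag out of saved ifconfig output, as an added example (not code from the lecture). The interface names, addresses and sample listing are constructed.

```shell
# Added example, not from the lecture: report interfaces whose flags show
# PROMISC in saved ifconfig output. Handles both the classic net-tools layout
# (interface name at column 1, flags on an indented line) and the newer
# "eth0: flags=...<UP,...,PROMISC,...>" layout, where the flags sit on the
# name line itself. On a live system: ifconfig -a | promisc_ifaces

promisc_ifaces() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }        # start of a block
        /PROMISC/ && iface != "" { print iface; iface = "" }  # report once
    '
}

# Constructed sample in the classic layout: eth0 is sniffing, lo is not.
IFCONFIG_SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:50:56:C0:00:08
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:12345 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# promisc_demo: prints "eth0" for the sample above. Remember the slide's
# caveat: some systems (Solaris) never set the flag, and a kernel-level rootkit
# can hide it, so an empty result is only weak evidence that no sniffer is running.
promisc_demo() {
    printf '%s\n' "$IFCONFIG_SAMPLE" | promisc_ifaces
}
```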
Slide 17: MAC Times
Collect those time stamps using ls:
– ls -alRu (atime, access times)
– ls -alRc (ctime, change times)
– ls -alR (mtime, modification times)
Could also use our sleuth tools.
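The three ls runs above collected in one pass as a sortable timeline, as an added example (not code from the lecture). It assumes GNU or BusyBox stat -c; the sample file and its timestamps are constructed.

```shell
# Added example, not from the lecture: collect atime, mtime and ctime for every
# file under a directory in one pass and emit one sortable timeline, the same
# information ls -alRu, ls -alRc and ls -alR give across three runs. Assumes
# GNU or BusyBox stat -c (BSD stat uses different flags). Run it before anything
# else touches the file system: listing a directory updates that directory's
# atime, and reading a file would update the file's.

# mac_timeline <dir>
# Prints "<epoch> <a|m|c> <path>" per timestamp, oldest first, so the three
# kinds of events interleave into one chronology. Paths may contain spaces.
mac_timeline() {
    find "$1" -type f -exec stat -c '%X %Y %Z %n' {} + |
    awk '{
        path = $0; sub(/^[0-9]+ [0-9]+ [0-9]+ /, "", path)
        print $1, "a", path   # last access (ls -u)
        print $2, "m", path   # last data modification (ls default)
        print $3, "c", path   # last inode change (ls -c); not settable with touch
    }' | sort -n -k1,1
}

# mac_demo: builds a constructed sample file whose atime (09:00) precedes its
# mtime (10:00) on the date of this lecture; ctime is the time the demo runs,
# so the timeline for that file reads a, m, c. Prints the three lines.
mac_demo() {
    d="$(mktemp -d)"
    printf 'sample\n' > "$d/evidence file"
    touch -a -t 200306250900.00 "$d/evidence file"
    touch -m -t 200306251000.00 "$d/evidence file"
    mac_timeline "$d"
    rm -rf "$d"
}
```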
Slide 18: System Logs
– Can be volatile if the system is going to remain up
– If you are going to shut it down for imaging, these might be able to wait
– Check /var/log or /var/adm
– Logs of interest (platform dependent):
  – utmp (the w utility reads its info from here)
  – wtmp (the last utility reads from here)
  – lastlog (lastlog utility)
  – Process accounting logs (lastcomm utility)
  – messages
  – Web logs, history files, ftp xferlog
  – Syslogs (see /etc/syslog.conf for locations)
Slide 19: Configuration Files
You may want to collect these during initial response:
– /etc/passwd
– /etc/shadow
– /etc/groups
– /etc/hosts
– /etc/hosts.equiv
– /etc/ssh_known_hosts and /etc/ssh_known_hosts2
– ~/.rhosts and ~/.shosts
– ~/.ssh/known_hosts and ~/.ssh/known_hosts2
Slide 20: Configuration Files (continued)
More configuration files:
– /etc/hosts.allow
– /etc/hosts.deny
– /etc/syslog.conf
– /etc/rc*
– /etc/inetd.conf
– crontab files in /var/spool/cron (and anacron)
– iptables, ipchains rules
– It might be good to grab all of /etc
Slide 21: Other System Configuration
– df -k
– uname -a
– uptime
– date
– who
– arp -a
– md5sums
Slide 22: Memory
Grab memory:
– # dd if=/proc/kmem | nc forensic.rig.net 31337
– # dd if=/proc/kcore | nc forensic.rig.net 31337
– # dd if=/dev/mem | nc forensic.rig.net 31337
– # dd if=/dev/kmem | nc forensic.rig.net 31337
– # dd if=/dev/kcore | nc forensic.rig.net 31337
Also might check for crash dumps and core dumps.