Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 250 Computer Forensics Unix System Life Response.

Published byEdwin Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "COEN 250 Computer Forensics Unix System Life Response."— Presentation transcript:

1 COEN 250 Computer Forensics Unix System Life Response

2 Creating a Response Toolkit Toolkits depend on the OS. Often, need to compile tools from source. Many Unix versions are not compatible.

3 Creating a Response Toolkit Tools on the system are often Trojaned. Much more than on Windows machines. Statically link tools. http://www.incident-response.org

4 Store information On local hard drive. On remote media (floppies, USB, tape) Record information by hand. Use netcat or cryptcat to transfer to a forensic workstation over the net.

5 Collecting Data before a Forensic Duplication System date and time. Currently logged-on users. Time/date stamps for the entire file system. List of currently open sockets. Application listening on these sockets. List of recent connections.

6 Collecting Data before a Forensic Duplication Create a trusted shell. Exit X-windows or other GUI Log on with root privileges Mount floppy: mount /dev/fd0 /mnt/floppy Run shell from floppy (bash) Set path to. (dot)

7 Collecting Data before a Forensic Duplication Use “date” for the time. Use “w” for current users. Use ls recursively (R) to record access times, starting at /. ls –alRu / > floppy/atime ls –alRc / > floppy/ctime ls –alR / > floppy/mtime

8 Collecting Data before a Forensic Duplication Use “netstat –an” to view all open ports. Use “netstat –anp” (on Linux) to list all applications associated with open ports. Use “lsof” (list of open files) utility as in “lsof –i –D r”

9 Collecting Data before a Forensic Duplication Take a snapshot of all running processes ps –eaf on Solaris ps –aux on FreeBSD and Linux

10 Collecting Data before a Forensic Duplication Take Date again Record all steps (script, history) Record MD5 sums to prevent challenges of changed data.

11 Collecting Data before a Forensic Duplication Obtain all system logs Obtain important config files Dump System RAM Often in /proc/kmem or /proc/kcore Use it for keyword searches

12 Rootkits Rootkits: tools to acquire and keep root access. File Level Rootkits: Trojan login ps find who netstat

13 Rootkits Trojaned login Works as designed. But lets one special username in. Trojaned who Works as designed. But does not display the user with the special username. Provides access and protection

14 Rootkits Use Tripwire to detect system file alterations. Use trusted forensics tool to find file level rootkits.

15 Rootkits Kernel-Level Rootkits Create their own kernel. That is, let users live in a virtual reality that they created. Loadable Kernel Modules (LKM) Supported by Linux, Solaris, etc. Allow to add modules to the kernel.

16 Rootkits Rogue LKM can intercept system commands. Tripwire will not help, system files are still there and unchanged.

17 Rootkits Knark To hide a process, send kill -31. Knark LKM takes care of the rest. Forensically sound tools are not circumvented, though.

18 Sniffers Used to capture network traffic Payload are unencrypted login procedures Payload are email messages …

19 Sniffers Ethernet card needs to be in promiscuous mode for sniffing. Use ifconfig –i eth0 Look for keyword PROMISC Use lsof to find large output files

Download ppt "COEN 250 Computer Forensics Unix System Life Response."

Similar presentations

COEN 250 Computer Forensics Unix System Life Response.

COEN 250 Computer Forensics Unix System Life Response.
Backdoors A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access on the attacker’s own terms.

Backdoors A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access on the attacker’s own terms.
2-UNIX L IVE R ESPONSE John P. Abraham Professor University of Texas Pan American.

2-UNIX L IVE R ESPONSE John P. Abraham Professor University of Texas Pan American.
Some history PDP versions BSD/Version 7 split VAX virtual memory implementations End of line 4.4 BSD System V merges Modern versions OSF/1, Solaris, HPUX.

Some history PDP versions BSD/Version 7 split VAX virtual memory implementations End of line 4.4 BSD System V merges Modern versions OSF/1, Solaris, HPUX.
16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli.

16/03/2009Igor Neri - Sicurezza Informatica1/34 Rootkit: Analysis, Detection and Protection Igor Neri Sicurezza Informatica – Prof. Bistarelli.
KULIAH III THREAT AND ATTACK (2) Aswin Suharsono KOM 15008 Keamanan Jaringan 2012/2013 KOM 15008 Keamanan Jaringan 2012/2013.

KULIAH III THREAT AND ATTACK (2) Aswin Suharsono KOM Keamanan Jaringan 2012/2013 KOM Keamanan Jaringan 2012/2013.
WARNING ! The system is either busy or has been unstable. You can wait and See if it becomes available again, or you can restart your computer. *

WARNING ! The system is either busy or has been unstable. You can wait and See if it becomes available again, or you can restart your computer. *
COEN 252 Computer Forensics Remote Sniffer Detection.

COEN 252 Computer Forensics Remote Sniffer Detection.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
CIS 240 Introduction to UNIX Instructor: Sue Sampson.

CIS 240 Introduction to UNIX Instructor: Sue Sampson.
電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓.

電腦攻擊與防禦 The Attack and Defense of Computers Dr. 許 富 皓.
A Guide to Unix Using Linux Fourth Edition

A Guide to Unix Using Linux Fourth Edition
Jai, 2004 Incident Response & Computer Forensics Chapter 5 Live Data Collection from Windows System Information Networking Security and Assurance Lab National.

Jai, 2004 Incident Response & Computer Forensics Chapter 5 Live Data Collection from Windows System Information Networking Security and Assurance Lab National.
Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.
Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Windows System.

Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Windows System.
Information Networking Security and Assurance Lab National Chung Cheng University Investigating Unix System.

Information Networking Security and Assurance Lab National Chung Cheng University Investigating Unix System.
Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.

Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.
LECTURE 14 Operating Systems and Utility Programs

LECTURE 14 Operating Systems and Utility Programs

Similar presentations

Ads by Google