Live Data Collection from Unix Systems
Information Networking Security and Assurance Lab, National Chung Cheng University


1 Live Data Collection from Unix Systems (title slide)

2 Outline
- Preface
- Obtaining Volatile Data Prior to Forensic Duplication
- Performing an In-Depth, Live Response
- /proc File System

3 Outline (section divider; the slides that follow cover the Preface)

4 Preface
- Many Unix versions are not backward or forward compatible: the trusted response toolkit must be built for the exact version and architecture of the victim system, so keep one toolkit per platform you support.
- Four storage options for what you collect:
  - Local hard drive (least desirable: every write overwrites unallocated space that may still hold evidence)
  - Removable media such as floppy disks, USB drives, or tape drives
  - By hand (notes, screen output written down)
  - Forensic workstation over the network (for example, piping command output through netcat)
- Best time: when all are not online

5 Outline (section divider: Obtaining Volatile Data Prior to Forensic Duplication)

6 The minimum information to collect
- System date and time
- A list of the users who are currently logged on
- Time/date stamps for the entire file system
- A list of currently running processes
- A list of currently open sockets
- The applications listening on open sockets
- A list of the systems that have current or recent connections to the system

7 Follow these steps
1. Execute a trusted shell
2. Record the system time and date
3. Determine who is logged on to the system
4. Record modification, access, and inode change (ctime) times of all files (traditional Unix file systems keep no creation time)
5. Determine open ports
6. List applications associated with open ports
7. Determine the running processes
8. List current and recent connections
9. Record the system time again (the two readings bound the collection window)
10. Record the steps taken
11. Record cryptographic checksums of everything collected

8 Executing a trusted shell
- Avoid logging in through X Windows: a graphical login starts many programs and touches many files on the compromised system, any of which may be trojaned; use the console or a plain terminal session
- Set your PATH to dot (.) with the trusted toolkit as the current directory, so that only the statically linked binaries you brought are executed; an absolute path to the mounted toolkit (for example PATH=/mnt/cdrom/bin) is safer than dot, whose meaning changes every time you cd

9 Recording the system time and date
- Command: date (the slide shows its output; run it at the start and again at the end of the collection)
- Also note the time from a trusted source, so that the clock skew of the victim system can be corrected in the timeline

10 Who is logged on?
- Command: w
- TTY column: the controlling terminal. ttyN means a logon at the console; pts/N means a logon over the network (or a terminal window)
- LOGIN@: the local starting time of the connection
- JCPU: the CPU time used by all processes attached to that terminal
- PCPU: the CPU time used by the current process, the one named in the WHAT column

11 Recording file modification, access, and inode change times
- Access time (atime): last read of the file's contents
- Modification time (mtime): last write to the file's contents
- Inode change time (ctime): last change to the inode (owner, mode, link count, or contents); unlike atime and mtime it cannot be set with touch

12 Access time
- Listed with ls -lu (the slide shows the corresponding entry from man ls)

13 Inode change time
- Listed with ls -lc (the slide shows the corresponding entry from man ls)

14 Modification time
- Listed by default with ls -l
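The three timestamps in practice, as an added example that is not part of the slides. It assumes GNU coreutils (stat -c) with a fallback to BSD stat -f, and works on a throwaway directory; the back-dated file is constructed by the script itself to show why ctime is the column a responder trusts.

```shell
# Added example (not from the slides): demonstrate atime/mtime/ctime and
# why ctime exposes a back-dated file. Assumes GNU coreutils stat -c, with
# a fallback to BSD stat -f; runs on a throwaway directory.

atime_of() { stat -c %X "$1" 2>/dev/null || stat -f %a "$1"; }
mtime_of() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }
ctime_of() { stat -c %Z "$1" 2>/dev/null || stat -f %c "$1"; }

# Simulated timestomp: an intruder drops a file and back-dates it with
# touch -t, which rewrites atime and mtime. touch cannot set ctime, so the
# inode change time still records when the back-dating itself happened.
timestomp_demo() {
    f=$1
    printf 'payload\n' > "$f"
    touch -t 200001010000 "$f"            # atime and mtime now read 1 Jan 2000
    m=$(mtime_of "$f"); c=$(ctime_of "$f")
    if [ $((c - m)) -gt 86400 ]; then echo SUSPICIOUS; else echo OK; fi
}

# One line per file: atime|mtime|ctime|path, the three columns the slides
# collect with ls -lu, ls -l and ls -lc respectively (epoch seconds here).
timestamp_listing() {
    find "$1" -xdev -type f | while IFS= read -r p; do
        printf '%s|%s|%s|%s\n' "$(atime_of "$p")" "$(mtime_of "$p")" "$(ctime_of "$p")" "$p"
    done
}

# Stand-alone use: sh this_file.sh /path/to/walk
if [ -n "${1:-}" ]; then timestamp_listing "$1"; fi
```

A ctime that is far later than mtime on a system binary or a file in /tmp is exactly the signature that `ls -lc` is collected to reveal; the only ways an intruder can forge ctime are to change the system clock or to write the inode directly with root privileges.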

15 Determine which ports are open
- Command: netstat -an (the slide shows its output). -a lists listening as well as established sockets; -n prints numeric addresses instead of resolving names, which also avoids DNS queries that an attacker watching the wire would notice

16 Applications associated with open ports
- Command: netstat -anp
- You must be root: the PID/Program name column is only filled in for sockets owned by processes you are allowed to inspect, so as an ordinary user most entries show a dash

17 Applications associated with open ports
- On other Unix-like systems, whose netstat has no -p option, use lsof, which lists all running processes and the file descriptors they have open; lsof -i restricts the listing to network sockets

18 Determine the running processes
- Command: ps aux (or ps -ef). The START column indicates when a process began; ps -eo pid,lstart,args prints the full start timestamp instead of the abbreviated one

19 Recording the steps taken
- Command: script. It logs to a file (named typescript by default) the keystrokes you type and the output they produce; start it first, and give it a path on your own media (script /mnt/usb/case.log) so the log is not written to the victim's disk
- Another command: history, which lists the commands the shell ran in this session
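The whole procedure of slides 7 to 19 as one collector script, added here as an example that is not part of the slides. It assumes the trusted toolkit is mounted at the hypothetical path in $TRUSTED, that the output directory is on removable media or a network mount, and that it runs as root; the LR_ROOT variable is an added knob so the timestamp walk can be rehearsed on a small tree instead of /.

```shell
# Added example (not from the slides): a volatile-data collector that
# follows the step order on slide 7. Assumptions: the trusted toolkit is
# mounted at $TRUSTED (hypothetical default /mnt/cdrom/bin), the output
# directory $1 is on removable media or a network mount, and it runs as
# root. LR_ROOT (default /) limits the timestamp walk, for rehearsal.

lr_hash() {   # sha256 of one file, GNU or BSD userland
    sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"
}

# Run one command if its binary exists, prefix the output with a UTC
# timestamp and the exact command line, and never abort the collection
# because one tool fails (its exit status is recorded instead).
lr_run() {
    out=$1; shift
    {
        echo "# $(date -u +%Y-%m-%dT%H:%M:%SZ) $*"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" || echo "# exit status $?"
        else
            echo "# not available on this system"
        fi
    } > "$out" 2>&1
}

lr_collect() {
    outdir=$1; root=${LR_ROOT:-/}
    mkdir -p "$outdir"
    PATH=${TRUSTED:-/mnt/cdrom/bin}:$PATH; export PATH   # trusted binaries first
    lr_run "$outdir/01-date-start.txt"  date
    lr_run "$outdir/02-who.txt"         w
    lr_run "$outdir/03-atime.txt"       ls -alRu "$root"
    lr_run "$outdir/04-ctime.txt"       ls -alRc "$root"
    lr_run "$outdir/05-mtime.txt"       ls -alR  "$root"
    lr_run "$outdir/06-ports.txt"       netstat -an
    lr_run "$outdir/07-port-apps.txt"   netstat -anp
    lr_run "$outdir/08-lsof.txt"        lsof -n -P
    lr_run "$outdir/09-ps.txt"          ps -eo pid,ppid,user,lstart,args
    lr_run "$outdir/10-connections.txt" last -a
    lr_run "$outdir/11-date-end.txt"    date
    # checksums last, so the manifest covers every file written above
    ( cd "$outdir" && for f in *.txt; do lr_hash "$f"; done ) > "$outdir/manifest.sha256"
    echo "$outdir/manifest.sha256"
}
```

Run it under `script` so the session log covers the collection itself, and verify the manifest later with `sha256sum -c manifest.sha256` on the forensic workstation; the two date files bracket the window during which the volatile state was observed.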

20 Outline (section divider: Performing an In-Depth, Live Response)

21 The files you want to collect
- The log files
- The configuration files
- Other relevant files

22 Loadable Kernel Module rootkits
- Rootkits: collections of commonly trojaned system programs and scripts that automate many of the actions attackers want to take (hide processes, files and connections, keep a backdoor open, clean logs)
- LKMs are programs that can be dynamically linked into the kernel after the system has booted; a rootkit loaded as an LKM runs in kernel space and can alter what every user-space tool, trusted or not, gets to see

23 Loadable Kernel Module rootkits
- Rogue LKMs can lie about the results of ps, ls, netstat and the rest, because they hook the system calls those tools rely on; bringing your own binaries does not help against them
- LKM rootkits: knark, adore, heroin
- Once the LKM is installed, the attacker simply sends signal 31 (kill -31) to the process she wants to hide (the knark convention; adore is driven through its own control program instead)

24 The important logs you must collect
- Binary log files:
  - The utmp file, accessed with the w utility
  - The wtmp file, accessed with the last utility
  - The lastlog file, accessed with the lastlog utility
  - Process accounting logs, accessed with the lastcomm utility

25 The important logs you must collect
- ASCII text log files:
  - Web access logs
  - xferlog (the ftp transfer log)
  - Shell history files (for example ~/.bash_history)

26 The important configuration files you want to collect
- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/hosts
- /etc/hosts.equiv and ~/.rhosts (trust relationships for the r-commands)
- /etc/hosts.allow and /etc/hosts.deny (TCP wrappers)
- /etc/syslog.conf
- /etc/rc* startup scripts
- crontab files (/etc/crontab and the per-user files under /var/spool/cron)
- /etc/inetd.conf and /etc/xinetd.conf
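A collector for the files named on slides 24 to 26, added here as an example that is not part of the slides. It copies each file with its timestamps and mode preserved, records which ones were absent, and hashes every copy; the ROOT variable is an added knob that lets the same function run against a mounted image or a rehearsal tree instead of the live root.

```shell
# Added example (not from the slides): copy the log and configuration
# files named on slides 24-26 to the output directory $1, preserving
# timestamps and modes, and hash every copy. ROOT (default /) lets the
# same function be pointed at a mounted image or a rehearsal tree.
# Prints the number of files captured.

collect_files() {
    out=$1; root=${ROOT:-/}
    mkdir -p "$out/files"
    : > "$out/missing.txt"
    for f in etc/passwd etc/shadow etc/group etc/hosts etc/hosts.equiv \
             etc/hosts.allow etc/hosts.deny etc/syslog.conf etc/crontab \
             etc/inetd.conf etc/xinetd.conf \
             var/run/utmp var/log/wtmp var/log/lastlog var/log/xferlog; do
        if [ -e "$root/$f" ]; then
            mkdir -p "$out/files/$(dirname "$f")"
            cp -p "$root/$f" "$out/files/$f"       # -p keeps atime, mtime and mode
        else
            echo "$f" >> "$out/missing.txt"
        fi
    done
    # per-user files: trust relationships and shell history
    for h in "$root"/root "$root"/home/*; do
        [ -d "$h" ] || continue
        rel=${h#"$root"}; rel=${rel#/}
        for f in .rhosts .bash_history .history .sh_history; do
            if [ -e "$h/$f" ]; then
                mkdir -p "$out/files/$rel"
                cp -p "$h/$f" "$out/files/$rel/$f"
            fi
        done
    done
    # directories such as /etc/rc*.d and /var/spool/cron need cp -pr; omitted here
    ( cd "$out/files" && find . -type f | sort | while IFS= read -r p; do
          sha256sum "$p" 2>/dev/null || shasum -a 256 "$p"
      done ) > "$out/manifest.sha256"
    grep -c . "$out/manifest.sha256"
}

# Render the binary logs with the utility the slides name, on the live
# system (last reads wtmp, lastlog reads lastlog, lastcomm reads the
# process-accounting file); the raw files copied above stay the evidence.
render_binary_logs() {
    out=$1
    for c in "last -a" "lastlog" "lastcomm"; do
        n=${c%% *}
        if command -v "$n" >/dev/null 2>&1; then
            $c > "$out/$n.txt" 2>&1 || echo "# exit status $?" >> "$out/$n.txt"
        else
            echo "# $n not available on this system" > "$out/$n.txt"
        fi
    done
}
```

Keep the raw utmp/wtmp/lastlog copies as well as the rendered text: a rootkit's log cleaner zeroes entries in place, and the holes are only visible in the binary file.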

27 Discovering illicit sniffers on Unix systems
- Among the most dangerous findings, because a sniffer:
  - affects more than the single system it runs on (it captures credentials for every host whose traffic crosses the same wire)
  - implies the intruder has root-level access (putting an interface into promiscuous mode requires it)

28 Discovering illicit sniffers on Unix systems
- The slide compares ifconfig output for an interface without a sniffer and with one: the PROMISC flag in the interface's flag list is what a sniffer sets (on Linux, ip link shows the same flag)
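A promiscuous-mode check that reads two independent witnesses, added here as an example that is not part of the slides: the textual flag list printed by `ip link` (the `ip` equivalent of the ifconfig output on the slide) and the raw flags word in /sys/class/net/<iface>/flags, where IFF_PROMISC is bit 0x100. The `ip link` text embedded in the script is constructed for the demonstration, not captured from a real host. Linux only.

```shell
# Added example (not from the slides): flag interfaces in promiscuous
# mode, the state a sniffer puts the NIC into. Two independent sources
# are checked so that a trojaned ifconfig or ip binary is not the only
# witness: the textual flag list of `ip link`, and the raw flags word in
# /sys/class/net/<iface>/flags, where IFF_PROMISC is bit 0x100. Linux.

# Constructed `ip link` output for the demo (not captured from a real host).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: veth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 0a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff'

# yes/no from a flags word such as 0x1103 (hex, as /sys reports it)
is_promisc() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Read `ip link` text on stdin; print the names whose <...> list has PROMISC.
ip_link_promisc_ifaces() {
    awk -F': ' '/^[0-9]+: / {
        name = $2; sub(/@.*/, "", name)          # veth0@if7 -> veth0
        if ($0 ~ /<[^>]*PROMISC[^>]*>/) print name
    }'
}

# Live check through sysfs: "iface flags yes|no" per interface.
sysfs_promisc_report() {
    for d in /sys/class/net/*; do
        [ -r "$d/flags" ] || continue
        flags=$(cat "$d/flags")
        echo "$(basename "$d") $flags $(is_promisc "$flags")"
    done
    return 0
}

# Stand-alone use: the constructed sample, then the real interfaces
printf '%s\n' "$SAMPLE_IP_LINK" | ip_link_promisc_ifaces
sysfs_promisc_report
```

If the two witnesses disagree, the user-space tool is the one to distrust; if both are clean on a host you still suspect, remember that adore-class LKMs hide the flag from every reader, which is why a sniffer is ultimately confirmed from the network side (ARP-based promiscuity probes, or the capture file found through /proc/<pid>/fd).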

29 Outline (section divider: /proc File System)

30 What is /proc?
- A pseudo-file system: an interface to kernel data structures, not files on disk
- Each process has a subdirectory in /proc named after its PID

31 Example
- Start an executable and note its PID
- Go into the subdirectory /proc/<PID>
- The exe link points to the binary that was executed and cmdline holds the command line you typed

32 The fd subdirectory
- /proc/<PID>/fd holds one symbolic link per open file descriptor
- 0: standard input; 1: standard output; 2: standard error
- Higher numbers: the files the process has opened
- An open socket appears as socket:[inode]; the inode number can be matched against /proc/net/tcp and /proc/net/udp (the slide shows a second socket example)

33 Dump system RAM
- Two files you should collect:
  - /dev/kmem (the slide writes /proc/kmem; the kernel memory device lives in /dev, and modern Linux kernels no longer provide it)
  - /proc/kcore (an ELF core image of physical memory, readable only by root; its apparent size reflects the kernel address space, not installed RAM, so read it with a tool that understands ELF rather than a plain dd)

34 A technique you should know about
- The command line is changed at runtime
- main() receives two parameters:
  - argc: an integer giving the number of entries in the argv[] array
  - argv: an array of strings holding the command-line arguments, argv[0] being the program name

35 Example
- tcpdump -x -v -n
  - argv[0] = tcpdump
  - argv[1] = -x
  - argv[2] = -v
  - argv[3] = -n
- strcpy(argv[0], "xterm"): the process now reports itself as xterm, so the sniffer hides from a casual ps listing (on Linux, /proc/<PID>/cmdline is rewritten too, but /proc/<PID>/exe still links to the real binary)

36 Example 2: the two parameters (the slide shows the C source)

37 Example 2: the technique you want to learn (the slide shows the argv[0] overwrite)

38 Example 2: succeeded (the slide shows the process listing under the disguised name)
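The argv[0] trick of slides 34 to 38 and the /proc inspection of slides 31 and 32 in one script, added here as an example that is not part of the slides. bash's `exec -a NAME` replaces argv[0] the same way `strcpy(argv[0], "xterm")` does, so a disguised `sleep` stands in for the disguised sniffer, and fd 3 on a throwaway file stands in for its capture file. The names and the file path are the script's own; Linux only.

```shell
# Added example (not from the slides): reproduce the argv[0] trick from
# slide 35 without writing C (bash's `exec -a NAME` replaces argv[0],
# exactly what strcpy(argv[0], "xterm") does) and then read the /proc
# entries from slides 31-32 for the disguised process. Linux only.

# Start a sleep disguised as xterm, with fd 3 open on the file named in $1
# (standing in for a sniffer's capture file), and print its pid once the
# exec has happened. stdout/stderr are detached so the caller can capture
# the pid with $(...) without waiting for the sleep to finish.
start_disguised() {
    bash -c 'exec 3>"$1"; exec -a xterm sleep 60' _ "$1" </dev/null >/dev/null 2>&1 &
    pid=$!
    for i in 1 2 3 4 5 6 7 8 9 10; do             # wait for the exec (bash -c keeps the same pid)
        [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = sleep ] && break
        sleep 0.2
    done
    echo "$pid"
}

# The views a responder compares for one pid.
proc_cmdline() { tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'; }   # what ps prints (process-writable)
proc_comm()    { cat "/proc/$1/comm"; }                               # kernel's name, from the exec'd path
proc_exe()     { readlink "/proc/$1/exe"; }                           # the binary actually mapped
proc_fd()      { readlink "/proc/$1/fd/$2"; }                         # file, or socket:[inode], behind an fd

# cmdline names one program and exe points at another: argv[0] was rewritten.
spoof_check() {
    argv0=$(proc_cmdline "$1" | cut -d' ' -f1)
    exe=$(basename "$(proc_exe "$1")")
    if [ "$(basename "$argv0")" != "$exe" ]; then
        echo "SPOOFED argv0=$argv0 exe=$exe"
    else
        echo "consistent $exe"
    fi
}

# Stand-alone use: disguise, inspect, clean up
if [ -n "${1:-}" ]; then
    p=$(start_disguised "$1")
    echo "cmdline: $(proc_cmdline "$p")"; echo "comm: $(proc_comm "$p")"
    echo "exe: $(proc_exe "$p")"; echo "fd 3: $(proc_fd "$p" 3)"
    spoof_check "$p"; kill "$p"
fi
```

comm can also be rewritten by the process (prctl PR_SET_NAME or a write to /proc/self/comm), so of the three names only exe is beyond a user-space intruder's reach; a kernel-level rootkit can of course falsify all of them, which is the point slides 22 and 23 make.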

