Presentation is loading. Please wait.

Presentation is loading. Please wait.

NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Coroner’s Toolkit: An Introduction Victor Hazlewood

Published byMadlyn Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Coroner’s Toolkit: An Introduction Victor Hazlewood"— Presentation transcript:

1 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Coroner’s Toolkit: An Introduction Victor Hazlewood victor@sdsc.edu San Diego Supercomputer Center HTCIA Meeting September 10, 2001

2 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER TCT Tutorial Goal Goal of this lecture and tutorial is to expose you to the Coroner’s Toolkit (TCT) Not trying to make you an expert! Will explain where to get it what it can do Will give some quick demonstrations Opportunity for you to try a few TCT tools

3 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER TCT Overview TCT is a collection of programs written by Dan Farmer and Wietse Venema for performing a post-mortem analysis of UNIX after a break-in or suspected break-in Available at http://www.porcupine.org/forensics/ http://www.porcupine.org/forensics/ Requires C compiler and Perl 5.004 or later Not a point and click tool so the novice or intermediate UNIX user will need to spend some time getting to know TCT

4 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER TCT Overview A good collection of DDJ articles about the uses of TCT can be found at http://www.porcupine.org/forensics/column.html http://www.porcupine.org/forensics/column.html Tested on the following Solaris 2.4, 2.5.1, 2.6, 7.0, 8 FreeBSD 2.2.1, 3.4, 4.0 RedHat 5.2, 6.1 BSD/OS 2.1, 4.1 OpenBSD 2.5 SunOS 4.1.3_U1, 4.1.4

5 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Short Lab Install TCT into /tmp Download from http://www.porcupine.org/forensics/ ftp://www.porcupine.org/forensics/ http://www.porcupine.org/forensics/ gunzip it % gunzip tct-1.07.tar.gz Untar the file % tar xvf tct-1.07.tar Change directory to tct-1.07 Perform a make % make

6 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER TCT – Tool Overview mactimes - report on times of files ils - list inode info (usually removed files) icat - copies files by inode number unrm - copies unallocated data blocks lazarus - create structure from unstructured data file - determine file type pcat - copy process memory grave-robber - captures forensic data

7 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER mactime mactime is shorthand reference to the three time attributes - mtime, atime, and ctime atime - time of last access mtime - time of last modification ctime - time of last status change of inode dtime - time of deletion (Linux only) Examples # mactime -d /var/adm -y 1/1/1970 # mactime –R -d /var/log -y 1/1/1970 # mactime –R –d / -y 7/1/2001

8 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER mactime Examples # mactime -d /var/adm -y 1/1/1970 # mactime –R -d /var/log -y 1/1/1970 # mactime –R –d / -y 7/1/2001

9 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Mactime Most Useful Options -d dir list a specific dir on running system -h put output in HTML format -y list output with year first -t output in machine format (Epoch time) -u user in HTML output put this user in a diff color -R recursively go through subdirectories See What are MACtimes article mactime demonstration

10 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER ils ils lists inode information of removed files. Can be used to identify deleted files for possible attempt to undelete with icat. Specify a device file which contains a file system. Example ils /dev/hdb1 ils demonstration

11 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER icat icat copies files by inode number from a device which contains a file system. Can be used to recover a deleted file (when intact) Example icat /dev/hdb1 17 icat demonstration

12 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER unrm unrm – copies unallocated data blocks Used to copy unallocated blocks to an output file in order to be processed by lazarus. WARNING! This can take a lot of disk space Example # unrm /dev/hdb1 > /tmp/unrm.of.hdb1 Demonstration, if possible

13 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER lazarus lazarus – attempts to make sense out of raw data blocks Use to process the output from unrm. WARNING! This can take a lot of disk space. Saves blocks into files that lazarus thinks are associated in blocks directory Output controlled by lazarus.cf file Example # lazarus /tmp/unrm.of.hdb1 # lazarus –h /tmp/unrm.of.hdb1

14 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER lazarus Typical output looks something like atttttccccccpppptttttattcccppptttt otherwise output is in html files (-h option) See lazarus man page for translation of characters lazarus demonstration, if possible

15 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER file File – determine file type Similar to UNIX System V file command, but may generate better indication of file type

16 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER pcat Pcat – copies process memory using ptrace or /proc file system. This is used to try to understand what a program is (doing), especially when the executable file has been deleted. (See Strangers in the Night article) Modern UNIX systems have a /proc filesystem that makes process information available in a convenient manner, including the executable file, current directory, and process memory.

17 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER pcat Process attributes available in /proc executable/proc/pid/exe memory/proc/pid/mem memory map/proc/pid/maps

18 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER grave-robber grave-robber captures system forensic data Runs many of TCT tools under the covers Three types of options general options where output goes, verbosity, etc micro options finer control over what data is collected macro options puts micro data collection into logical groups

19 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER grave-robber Can take a loooong time to run Leaving this as a exercise for the student

20 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Other Tools You May Need The following tools you should have on a CDROM toolkit because on a suspected compromised machine you can’t trust the local versions lsof – list open files netstat, ifconfig – network info ls, df, ps – files, file systems, process info od – dump file into octal, hex, etc. Don’t forget to use UNIX accounting tools if you can for more audit trails

21 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Try These Exercises Use mactime to find all mac time information about all files in /var/log recursively Use ils to discover all the deleted files on one device on your system Make a copy of /usr/sbin/tcpdump Use ls –li to determine the inode # of the copy Delete your tcpdump copy Use icat to recover your deleted copy Build a tar file. Repeat above exercise with this tar file

22 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Try These Exercises If there is a SMALL partition on your system then create a file called needle.in.a.haystack on another partition. Copy needle.in.a haystack to the small partition. Sync your file systems Delete the needle.in.a.haystack from your small partition Use unrm to copy the unallocated blocks Use lazarus to profile the unallocated blocks can you find your needle.in.a.haystack?

23 NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER My slides Slides http://www.sdsc.edu/~victor -> Coroners Toolkit presentation

Download ppt "NATIONAL PARTNERSHIP FOR ADVANCED COMPUTATIONAL INFRASTRUCTURE SAN DIEGO SUPERCOMPUTER CENTER Coroner’s Toolkit: An Introduction Victor Hazlewood"

Similar presentations

Va-scanCopyright 2002, Marchany Unit 8 – Solaris File Systems Randy Marchany VA Tech Computing Center.

Va-scanCopyright 2002, Marchany Unit 8 – Solaris File Systems Randy Marchany VA Tech Computing Center.
COEN 250 Computer Forensics Unix System Life Response.

COEN 250 Computer Forensics Unix System Life Response.
Learning Unix/Linux Bioinformatics Orientation 2008 Eric Bishop.

Learning Unix/Linux Bioinformatics Orientation 2008 Eric Bishop.
OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.

OPEN SOURCE TOOLS Dr. Abraham Professor UTPA. Open Source Freely redistributable Provides access to source code End user may modify source code.
Operating-System Structures

Operating-System Structures
PacNOG 6: Nadi, Fiji Using Commands in Linux Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Using Commands in Linux Hervey Allen Network Startup Resource Center.
ATS Programming Short Course I INTRODUCTORY CONCEPTS Tuesday, Jan. 27 th, 2009 Essential Unix Commands.

ATS Programming Short Course I INTRODUCTORY CONCEPTS Tuesday, Jan. 27 th, 2009 Essential Unix Commands.
Introducing the Command Line CMSC 121 Introduction to UNIX Much of the material in these slides was taken from Dan Hood’s CMSC 121 Lecture Notes.

Introducing the Command Line CMSC 121 Introduction to UNIX Much of the material in these slides was taken from Dan Hood’s CMSC 121 Lecture Notes.
Tcpdump Tutorial EE122 Fall 2006 Dilip Antony Joseph, Vern Paxson, Sukun Kim.

Tcpdump Tutorial EE122 Fall 2006 Dilip Antony Joseph, Vern Paxson, Sukun Kim.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Basic Unix Dr Tim Cutts Team Leader Systems Support Group Infrastructure Management Team.

Basic Unix Dr Tim Cutts Team Leader Systems Support Group Infrastructure Management Team.
Standard Operating and Maintenance Procedures

Standard Operating and Maintenance Procedures
A Mini UNIX Tutorial. What’s UNIX?  An operating system run on many servers/workstations  Invented by AT&T Bell Labs in late 60’s  Currently there.

A Mini UNIX Tutorial. What’s UNIX?  An operating system run on many servers/workstations  Invented by AT&T Bell Labs in late 60’s  Currently there.
CS 141 Labs are mandatory. Attendance will be taken in each lab. Make account on moodle. Projects will be submitted via moodle.

CS 141 Labs are mandatory. Attendance will be taken in each lab. Make account on moodle. Projects will be submitted via moodle.
File System and Directory Structure in Linux. What is File System In a computer, a file system is the way in which files are named and where they are.

File System and Directory Structure in Linux. What is File System In a computer, a file system is the way in which files are named and where they are.
Using the “CLI” Unix / Linux Preparation Course May 25 Djibouti.

Using the “CLI” Unix / Linux Preparation Course May 25 Djibouti.
Introduction to UNIX/Linux Exercises Dan Stanzione.

Introduction to UNIX/Linux Exercises Dan Stanzione.
CprE 288 – Quick intro for compiling C in Linux

CprE 288 – Quick intro for compiling C in Linux
1 Chapter One A First Program Using C#. 2 Objectives Learn about programming tasks Learn object-oriented programming concepts Learn about the C# programming.

1 Chapter One A First Program Using C#. 2 Objectives Learn about programming tasks Learn object-oriented programming concepts Learn about the C# programming.
Guide To UNIX Using Linux Fourth Edition

Guide To UNIX Using Linux Fourth Edition

Similar presentations

Ads by Google