Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems
Information Networking Security and Assurance Lab National Chung Cheng University 2 Outline Preface Obtaining Volatile Data Prior to Forensic Duplication Performing an In-Depth, Live Response /proc File System
Information Networking Security and Assurance Lab National Chung Cheng University 3 Outline Preface Obtaining Volatile Data Prior to Forensic Duplication Performing an In-Depth, Live Response /proc File System
Information Networking Security and Assurance Lab National Chung Cheng University 4 Preface Many Unix versions are not backward or forward compatible Four storage options Local hard drive Remote media such as floppy disks, USB drives, or tape drives Hand Forensic workstation over the network Best time All are not online
Information Networking Security and Assurance Lab National Chung Cheng University 5 Outline Preface Obtaining Volatile Data Prior to Forensic Duplication Performing an In-Depth, Live Response /proc File System
Information Networking Security and Assurance Lab National Chung Cheng University 6 The minimum information System date and time A list of the users who are currently logged on Time/Date stamps for the entire file system A list of currently running processes A list of currently open sockets The applications listening on open sockets A list of the systems that have current or recent connections to the system
Information Networking Security and Assurance Lab National Chung Cheng University 7 Follow these steps Execute a trusted shell Record the system time and date Determine who is logged on to the system Record modification, creation, and access times of all files Determine open ports List applications associated with open ports Determine the running processes List current and recent connections Record the system time Record the steps taken Record cryptographic checksums
Information Networking Security and Assurance Lab National Chung Cheng University 8 Executing a trusted shell Avoid to log-in with X-window Set-up your PATH equal to dot (.)
Information Networking Security and Assurance Lab National Chung Cheng University 9 Recording the system Time and Date This is command
Information Networking Security and Assurance Lab National Chung Cheng University 10 Who? command control terminal ttyn: logon at the console ptsn: over the network The local starting time of the connection The time used by all processes attached to that console The processor time used by the current process under the WHAT column
Information Networking Security and Assurance Lab National Chung Cheng University 11 Recording file Modification, Access, and Inode Change Times Access time (atime) Modification time (mtime) Inode change time (ctime)
Information Networking Security and Assurance Lab National Chung Cheng University 12 Access Time $man ls
Information Networking Security and Assurance Lab National Chung Cheng University 13 Inode Change Time Inode change time $man ls
Information Networking Security and Assurance Lab National Chung Cheng University 14 Modification Time Modification time
Information Networking Security and Assurance Lab National Chung Cheng University 15 Determine which Ports are Open Command
Information Networking Security and Assurance Lab National Chung Cheng University 16 Applications associated with Open Ports Command You must be root!!!! PID/Program name
Information Networking Security and Assurance Lab National Chung Cheng University 17 Applications associated with Open Ports In some other Unix-Like OS List all running processes and the file descriptors they have open
Information Networking Security and Assurance Lab National Chung Cheng University 18 Determine the Running Processes Command Indicate when a process began
Information Networking Security and Assurance Lab National Chung Cheng University 19 Recording the Steps Taken Command The file that log the keystrokes you type and output!! Another command: history
Information Networking Security and Assurance Lab National Chung Cheng University 20 Outline Preface Obtaining Volatile Data Prior to Forensic Duplication Performing an In-Depth, Live Response /proc File System
Information Networking Security and Assurance Lab National Chung Cheng University 21 The files you want to collect The log files The configuration file The other relevant file
Information Networking Security and Assurance Lab National Chung Cheng University 22 Loadable Kernel Module Rootkits Rootkits Collections of commonly trojaned system processes and scripts that automate many of the actions attackers want to do!!! LKMs are programs that can be dynamically linked into the kernel after the system has booted up
Information Networking Security and Assurance Lab National Chung Cheng University 23 Loadable Kernel Module Rootkits Rogue LKMs can lie about the results LKM rootkits knark adore heroin When the LKM is installed, the attacker simply sends a signal 31 (kill -31) to the process she wants to hide
Information Networking Security and Assurance Lab National Chung Cheng University 24 The important logs you must collect!! Binary log files The utmp file, accessed with the w utility The wtmp file, accessed with the last suility The lastlog file, accessed with the lastlog utility Process accounting logs, accessed with the lastcomm utility
Information Networking Security and Assurance Lab National Chung Cheng University 25 The important logs you must collect!! ASCII text log files Web access logs Xferlog (ftp log) History log
Information Networking Security and Assurance Lab National Chung Cheng University 26 The important configuration files you want to collect!! /etc/passwd /etc/shadow /etc/group /etc/hosts /etc/hosts.equic ~/.rhosts /etc/hosts.allow and /etc/hosts.deny /etc/syslog.conf /etc/rc crontab files /etc/inetd.conf and /etc/xinetd.conf
Information Networking Security and Assurance Lab National Chung Cheng University 27 Discovering illicit sniffers on Unix Systems Most Dangerous More widespread than a single system Have root-level access
Information Networking Security and Assurance Lab National Chung Cheng University 28 Discovering illicit sniffers on Unix Systems No sniffers Sniffers on your system
Information Networking Security and Assurance Lab National Chung Cheng University 29 Outline Preface Obtaining Volatile Data Prior to Forensic Duplication Performing an In-Depth, Live Response /proc File System
Information Networking Security and Assurance Lab National Chung Cheng University 30 What? Pseudo-file system An interface to kernel data structure Each process has a subdirectory in /proc that corresponds to it’s PID
Information Networking Security and Assurance Lab National Chung Cheng University 31 Example Start a executed file PID Go into the subdirectory The command you executed
Information Networking Security and Assurance Lab National Chung Cheng University 32 The fd subdirectories Standard Input Standard Output Standard Error The file descriptor opened The file descriptor that socket opened Another socket example!!
Information Networking Security and Assurance Lab National Chung Cheng University 33 Dump System Ram Two files your should collect /proc/kmem /proc/kcore
Information Networking Security and Assurance Lab National Chung Cheng University 34 A tech you can use!!!!! The command line is changed at runtime! Two parameter argc An integer representing in the argv[] array argv An array of string values that represent the command-line argument
Information Networking Security and Assurance Lab National Chung Cheng University 35 Example tcpdump –x –v –n argv[0] = tcpdump argv[1] = -x argv[2] = -v argv[3] = -n strcpy(argv[0], “xterm”)
Information Networking Security and Assurance Lab National Chung Cheng University 36 Example 2 The two parameter!
Information Networking Security and Assurance Lab National Chung Cheng University 37 Example 2 The tech you want to learn!!
Information Networking Security and Assurance Lab National Chung Cheng University 38 Example 2 Succeed ^_^