Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National Chung Cheng University

Outline Preface Obtaining Volatile Data Prior to Forensic Duplication Performing an In-Depth, Live Response /proc File System Information Networking Security and Assurance Lab National Chung Cheng University

Preface Many Unix versions are not backward or forward compatible Four storage options  Local hard drive  Remote media such as floppy disks, USB drives, or tape drives  Hand  Forensic workstation over the network Best time  All are not online

The minimum information System date and time A list of the users who are currently logged on Time/Date stamps for the entire file system A list of currently running processes A list of currently open sockets The applications listening on open sockets A list of the systems that have current or recent connections to the system Information Networking Security and Assurance Lab National Chung Cheng University

Follow these steps Execute a trusted shell Record the system time and date Determine who is logged on to the system Record modification, creation, and access times of all files Determine open ports List applications associated with open ports Determine the running processes List current and recent connections Record the system time Record the steps taken Record cryptographic checksums

Executing a trusted shell Avoid to log-in with X-window Set-up your PATH equal to dot (.) Information Networking Security and Assurance Lab National Chung Cheng University

Recording the system Time and Date This is command Information Networking Security and Assurance Lab National Chung Cheng University

Who? command control terminal ttyn: logon at the console ptsn: over the network The local starting time of the connection The time used by all processes attached to that console The processor time used by the current process under the WHAT column Information Networking Security and Assurance Lab National Chung Cheng University

Recording file Modification, Access, and Inode Change Times Access time (atime) Modification time (mtime) Inode change time (ctime) Information Networking Security and Assurance Lab National Chung Cheng University

Access Time $man ls

Inode Cahnge Time Inode change time $man ls

Modification Time Modification time

Determine which Ports are Open Command

Applications associated with Open Ports Command You must be root!!!! PID/Program name

Applications associated with Open Ports In some other Unix-Like OS List all running processes and the file descriptors they have open

Determine the Running Processes Command Indicate when a process began

Recording the Steps Taken Command The file that log the keystrokes you type and output!! Another command: history Information Networking Security and Assurance Lab National Chung Cheng University

The files you want to collect The log files The configuration file The other relevant file Information Networking Security and Assurance Lab National Chung Cheng University

Loadable Kernel Module Rootkits Rootkits  Collections of commonly trojaned system processes and scripts that automate many of the actions attackers want to do!!! LKMs are programs that can be dynamically linked into the kernel after the system has booted up Information Networking Security and Assurance Lab National Chung Cheng University

Loadable Kernel Module Rootkits Rogue LKMs can lie about the results LKM rootkits  knark  adore  heroin When the LKM is installed, the attacker simply sends a signal 31 (kill -31) to the process she wants to hide

The important logs you must collect!! Binary log files  The utmp file, accessed with the w utility  The wtmp file, accessed with the last suility  The lastlog file, accessed with the lastlog utility  Process accounting logs, accessed with the lastcomm utility Information Networking Security and Assurance Lab National Chung Cheng University

The important logs you must collect!! ASCII text log files  Web access logs  Xferlog (ftp log)  History log Information Networking Security and Assurance Lab National Chung Cheng University

The important configuration files you want to collect!! /etc/passwd /etc/shadow /etc/group /etc/hosts /etc/hosts.equic ~/.rhosts /etc/hosts.allow and /etc/hosts.deny /etc/syslog.conf /etc/rc crontab files /etc/inetd.conf and /etc/xinetd.conf

Discovering illicit sniffers on Unix Systems Most Dangerous  More widespread than a single system  Have root-level access Information Networking Security and Assurance Lab National Chung Cheng University

Discovering illicit sniffers on Unix Systems No sniffers Sniffers on your system

What? Pseudo-file system  An interface to kernel data structure Each process has a subdirectory in /proc that corresponds to it’s PID Information Networking Security and Assurance Lab National Chung Cheng University

Example Start a executed file PID Go into the subdirectory The command you executed

The fd subdirectories Standard Input Standard Output Standard Error The file descriptor opened The file descriptor that socket opened Another socket example!!

Dump System Ram Two files your should collect  /proc/kmem  /proc/kcore Information Networking Security and Assurance Lab National Chung Cheng University

A tech you can use!!!!! The command line is changed at runtime! Two parameter  argc An integer representing in the argv[] array  argv An array of string values that represent the command-line argument Information Networking Security and Assurance Lab National Chung Cheng University

Example tcpdump –x –v –n  argv[0] = tcpdump  argv[1] = -x  argv[2] = -v  argv[3] = -n strcpy(argv[0], “xterm”) Information Networking Security and Assurance Lab National Chung Cheng University

Example 2 The two parameter! Information Networking Security and Assurance Lab National Chung Cheng University

Example 2 The tech you want to learn!! Information Networking Security and Assurance Lab National Chung Cheng University

Example 2 Succeed ^_^ Information Networking Security and Assurance Lab National Chung Cheng University

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

Similar presentations

Presentation on theme: "Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

Similar presentations

Presentation on theme: "Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National."— Presentation transcript:

Similar presentations

About project

Feedback