
1 Jai, 2004. Incident Response & Computer Forensics, Chapter 6: Live Data Collection from Unix Systems. Information Networking Security and Assurance Lab, National Chung Cheng University

2 Outline
- Preface
- Obtaining Volatile Data Prior to Forensic Duplication
- Performing an In-Depth, Live Response
- /proc File System

3 Outline (next section: Preface)

4 Preface. Many Unix versions are not backward or forward compatible, so the trusted tool binaries you bring must be built for the exact version under investigation. Four storage options for the data you collect:
- the local hard drive (worst choice: it overwrites evidence on the disk you intend to duplicate)
- remote media such as floppy disks, USB drives, or tape drives
- by hand (writing the output down)
- a forensic workstation over the network
Best time to collect: when all users are not online.

5 Outline (next section: Obtaining Volatile Data Prior to Forensic Duplication)

6 The minimum information to collect:
- system date and time
- a list of the users who are currently logged on
- time/date stamps for the entire file system
- a list of currently running processes
- a list of currently open sockets
- the applications listening on open sockets
- a list of the systems that have current or recent connections to the system

7 Follow these steps:
1. Execute a trusted shell
2. Record the system time and date
3. Determine who is logged on to the system
4. Record modification, inode-change (often mislabeled "creation") and access times of all files
5. Determine open ports
6. List applications associated with open ports
7. Determine the running processes
8. List current and recent connections
9. Record the system time again, so the collection window is bracketed
10. Record the steps taken
11. Record cryptographic checksums of every file you produced

8 Executing a trusted shell. Avoid logging in through X Window; use a text console. Start the trusted shell from your toolkit by its full path, then set PATH equal to dot (.) so that only the trusted binaries in the current directory (the mounted response media) are executed, never the possibly trojaned copies in /bin or /usr/bin. Note that a kernel-level rootkit can still feed false results to a trusted binary; the trusted toolkit only defends against trojaned user-space programs.

9 Recording the system time and date. The command is date; record the time zone as well and compare the result against a trusted reference clock, so that timestamps collected later can be corrected for clock skew.

10 Who is logged on? The w command. Its columns:
- TTY, the control terminal: ttyN means a logon at the console, ptsN means a logon over the network (pseudo-terminal)
- LOGIN@, the local starting time of the connection
- JCPU, the time used by all processes attached to that terminal
- PCPU, the processor time used by the current process, the one named under the WHAT column

11 Recording file modification, access, and inode change times:
- access time (atime)
- modification time (mtime)
- inode change time (ctime)

12 Access time: ls -alu (with -l, the -u flag shows and sorts by atime; see man ls)

13 Inode change time: ls -alc (with -l, the -c flag shows and sorts by ctime; see man ls)

14 Modification time: ls -al (the timestamp shown by default is mtime). Add -R to walk the entire file system. Listing a directory updates that directory's own atime, so record the atime listing first and before any other tool touches the file system.

15 Determine which ports are open. Command: netstat -an (all sockets, numeric addresses, no DNS lookups that would themselves create network traffic).

16 Applications associated with open ports. Command: netstat -anp, which adds the PID/Program name column. You must be root, otherwise the owner of sockets belonging to other users is not shown.

17 Applications associated with open ports, on other Unix-like OSes whose netstat has no -p option: use lsof, which lists all running processes and the file descriptors they have open, including sockets (lsof -i restricts the listing to network files).

18 Determine the running processes. Command: ps (ps -aux on Linux and BSD, ps -ef on System V). The START/STIME column indicates when a process began, which lets you spot processes started around the time of the incident.

19 Recording the steps taken. Command: script, which writes every keystroke you type and all output to a file (named typescript by default). Another command: history, the shell's command history, but it records only the commands, not their output.
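The steps on slides 7 through 19 as one script, added here as an example and not code from the slides or the book. It assumes a directory of trusted, statically linked binaries (TOOLS, e.g. a mounted response CD; the names live_collect, run_tool and step are hypothetical), writes one evidence file per step to OUTDIR, and records timestamps under ROOT (default /). Instead of setting PATH to dot it calls "$TOOLS/<name>" explicitly; if a trusted copy is missing it falls back to the system binary and logs that fact, so the reader of the evidence knows which outputs came from untrusted tools.

```shell
#!/bin/sh
# Added example: minimal live-response collector for steps 1-11.
# run_tool NAME ARGS...: prefer the trusted copy in $TOOLS, fall back with a warning.
run_tool() {
    name=$1; shift
    if [ -x "$TOOLS/$name" ]; then
        "$TOOLS/$name" "$@"
    elif command -v "$name" >/dev/null 2>&1; then
        echo "WARNING: no trusted $name in $TOOLS, using system $name" >&2
        command "$name" "$@"
    else
        echo "WARNING: $name not available at all" >&2
        return 127
    fi
}

# step FILE NAME ARGS...: run one collection step, stdout to OUTDIR/FILE,
# warnings and failures to OUTDIR/00_errors.log (never aborts the run).
step() {
    file=$1; shift
    run_tool "$@" >"$OUTDIR/$file" 2>>"$OUTDIR/00_errors.log" \
        || echo "step failed: $*" >>"$OUTDIR/00_errors.log"
}

# live_collect TOOLS OUTDIR [ROOT]: OUTDIR should be remote media, not the
# suspect disk; ROOT lets you restrict the timestamp walk (default /).
live_collect() {
    TOOLS=$1; OUTDIR=$2; ROOT=${3:-/}
    mkdir -p "$OUTDIR" || return 1
    : >"$OUTDIR/00_errors.log"
    step 01_date_start.txt date                      # step 2: open the window
    step 02_w.txt          w                         # step 3: who is logged on
    step 03_ls_atime.txt   ls -alRu "$ROOT"          # step 4: atime first, since
    step 04_ls_mtime.txt   ls -alR  "$ROOT"          #   listing a directory
    step 05_ls_ctime.txt   ls -alRc "$ROOT"          #   updates its own atime
    step 06_netstat.txt    netstat -anp              # steps 5-6: sockets + owners (root)
    step 07_lsof.txt       lsof -n -P                # step 6 where netstat lacks -p
    step 08_ps.txt         ps -eo pid,ppid,user,lstart,args   # step 7: with start time
    step 09_last.txt       last -a                   # step 8: recent logins/hosts
    step 10_date_end.txt   date                      # step 9: close the window
    # step 11: checksum every evidence file; cksum (POSIX) is the fallback
    ( cd "$OUTDIR" && { run_tool sha256sum ./*.txt || run_tool cksum ./*.txt; } ) \
        >"$OUTDIR/checksums.sha256" 2>>"$OUTDIR/00_errors.log"
}
# Usage: live_collect /mnt/cdrom/bin /mnt/usb/case-001
```

Step 10 is covered by running the whole thing under script (script -c 'live_collect ...' /mnt/usb/case-001/typescript). To send the results to a forensic workstation instead of writing to media, pipe a tar of OUTDIR into netcat (tar cf - -C OUTDIR . | nc WORKSTATION PORT) with a listener on the workstation; the exact nc listener flags differ between the GNU and BSD versions.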

20 Outline (next section: Performing an In-Depth, Live Response)

21 The files you want to collect:
- the log files
- the configuration files
- any other relevant file (anything referenced by the events under investigation)

22 Loadable Kernel Module Rootkits. Rootkits are collections of commonly trojaned system programs and scripts that automate many of the actions attackers want to perform. LKMs are programs that can be dynamically linked into the kernel after the system has booted; a rootkit delivered as an LKM therefore subverts the kernel itself rather than individual binaries.

23 Loadable Kernel Module Rootkits. Rogue LKMs can lie about the results returned to user space (process lists, directory listings, network connections), so even the trusted binaries from your toolkit see falsified data. LKM rootkits: knark, adore, heroin. When the LKM is installed, the attacker simply sends signal 31 (kill -31) to the process she wants to hide. Cross-check results obtained through different paths (for example /proc against ps, and the host's own view of its connections against a view from the network) and treat disagreement as a finding.

24 The important logs you must collect! Binary log files:
- the utmp file, accessed with the w utility
- the wtmp file, accessed with the last utility
- the lastlog file, accessed with the lastlog utility
- process accounting logs, accessed with the lastcomm utility

25 The important logs you must collect! ASCII text log files:
- web access logs
- xferlog (the ftp log)
- history log (each user's shell history file, e.g. ~/.bash_history)

26 The important configuration files you want to collect:
- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/hosts
- /etc/hosts.equiv
- ~/.rhosts
- /etc/hosts.allow and /etc/hosts.deny
- /etc/syslog.conf
- /etc/rc (the startup scripts)
- crontab files
- /etc/inetd.conf and /etc/xinetd.conf

27 Discovering illicit sniffers on Unix systems. A sniffer is among the most dangerous findings: its impact is more widespread than a single system, because credentials for other hosts pass through the compromised one, and running it requires root-level access, so the attacker already has full control of the host.

28 Discovering illicit sniffers on Unix systems: no sniffers versus sniffers on your system (interface listings from a clean and a compromised host). An interface that is capturing all traffic is in promiscuous mode and shows PROMISC in its flags (ifconfig or ip link). A kernel-level rootkit can hide the flag, so also look for the capture process itself, its open raw socket, and the file it writes to.
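Three Linux-side sniffer checks that do not depend on grepping ifconfig, added here as an example (not from the slides or the book; the function names are hypothetical). The "ip -d link" output carries a per-interface promiscuity counter that libpcap raises when it captures; /proc/net/packet lists every AF_PACKET raw socket with its inode (protocol 0003 is ETH_P_ALL, "everything"); and /proc/<pid>/fd maps that inode back to the owning process. The two sample texts are constructed to look like real output so the parsers can be checked offline; a kernel rootkit can falsify all three views, so a disagreement between them, or with a capture seen on the wire, is itself a finding.

```shell
#!/bin/sh
# Added example: sniffer indicators on a live Linux host.

# parse_promiscuity: stdin = output of "ip -d -o link" (one interface per
# line); prints "IFACE COUNT" for each interface whose promiscuity counter > 0.
parse_promiscuity() {
    awk '{
        name = $2; sub(/:$/, "", name)
        for (i = 1; i < NF; i++)
            if ($i == "promiscuity" && $(i + 1) + 0 > 0) print name, $(i + 1)
    }'
}

# parse_packet_sockets: stdin = /proc/net/packet; prints "INODE PROTO IFINDEX"
# per packet socket, skipping the header line (ifindex 0 = bound to any).
parse_packet_sockets() {
    awk 'NR > 1 && NF >= 9 { print $9, $4, $5 }'
}

# socket_owner INODE: prints "PID FD" for every process holding that socket.
socket_owner() {
    for link in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$link" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${link#/proc/}; pid=${pid%%/*}
        echo "$pid ${link##*/}"
    done
}

# sniffer_report: run all three checks against the live system.
sniffer_report() {
    echo "== interfaces with promiscuity > 0"
    ip -d -o link 2>/dev/null | parse_promiscuity
    echo "== AF_PACKET sockets (inode proto ifindex) and their owners"
    [ -r /proc/net/packet ] || return 1
    parse_packet_sockets </proc/net/packet | while read -r inode proto ifidx; do
        echo "$inode $proto $ifidx"
        socket_owner "$inode" | sed 's/^/    pid fd: /'
    done
}

# Constructed samples (not captured from a real host) in the shape of the real
# output: lo is clean, eth0 has a capture running on it.
IP_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65535'
PACKET_SAMPLE='sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8881040d6000 3      3    0003   2     1 0      0      12345 '
```

Run sniffer_report as root on the suspect host (with the trusted ip, awk and sed copies); a packet socket whose owner is a process with an innocuous name is exactly the case the argv[0] trick later in these slides is meant to produce. The kernel also logs "device eth0 entered promiscuous mode" to the kernel ring buffer, which dmesg will show unless it has wrapped or been cleared.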

29 Outline (next section: /proc File System)

30 What is /proc? A pseudo-file system: an interface to kernel data structures rather than files on disk. Each process has a subdirectory in /proc that corresponds to its PID.

31 Example. Start an executable, note its PID, and go into the subdirectory /proc/<PID>: the cmdline file holds the command you executed, and the exe link points to the binary that is actually running.

32 The fd subdirectory. Entries 0, 1 and 2 are standard input, standard output and standard error; every further entry is a file descriptor the process has opened. A descriptor on a socket appears as a socket:[inode] link, whose inode can be matched against /proc/net/tcp, /proc/net/udp or /proc/net/packet to find the port or capture socket behind it. Another socket example follows on the slide.

33 Dump system RAM. Two files you should collect: /proc/kmem and /proc/kcore. On Linux the kernel memory device is actually /dev/kmem (it has been removed from recent kernels), and /proc/kcore is an ELF image of physical memory whose reported size reflects the kernel address space rather than the installed RAM, so copy it with a tool that tolerates that and expect a large output.

34 A technique you can use (and that attackers use against you): the command line can be changed at runtime! main() receives two parameters:
- argc, an integer giving the number of entries in the argv[] array
- argv, an array of strings that represent the command-line arguments

35 Example. tcpdump -x -v -n gives argv[0] = tcpdump, argv[1] = -x, argv[2] = -v, argv[3] = -n. After strcpy(argv[0], "xterm") the process shows up as xterm in ps and in /proc/<PID>/cmdline, because the kernel reads the argv strings from the process's own memory; /proc/<PID>/exe still points to the real tcpdump binary, which is why the exe link is the value to trust. (The replacement name must fit in the original argv[0] buffer; a longer one overwrites argv[1].)

36 Example 2 (screenshots): the two parameters argc and argv of a small program that overwrites its own argv[0].

37 Example 2: the technique you want to learn, the strcpy into argv[0].

38 Example 2: it succeeds ^_^, ps now shows the new name.
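The cross-check the argv[0] trick on slides 34 through 38 calls for, and the /proc walk from slides 30 through 32, as an added example (not code from the slides or the book; Linux-only, function names hypothetical). A process can rewrite what it reports in argv, but not what the kernel records in /proc/<PID>/exe and /proc/<PID>/fd, so the two are compared. The script below does not itself rename a process; a renamed one can be produced for testing with bash's exec -a, which sets argv[0] exactly as the strcpy does.

```shell
#!/bin/sh
# Added example: compare a process's self-reported name with the kernel's view.

# proc_exe PID: canonical path of the running binary, "(deleted)" suffix stripped.
proc_exe() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || return 2
    echo "${exe% (deleted)}"
}

# proc_argv0 PID: first NUL-separated entry of /proc/PID/cmdline.
proc_argv0() {
    tr '\0' '\n' <"/proc/$1/cmdline" 2>/dev/null | sed 1q
}

# proc_cmdline_matches_exe PID: 0 if argv[0] resolves to the same file as exe,
# 1 if they disagree (tcpdump calling itself xterm), 2 if /proc is unreadable.
# Login shells report argv[0] as "-bash" and will show as a mismatch; expected.
proc_cmdline_matches_exe() {
    exe=$(proc_exe "$1") || return 2
    argv0=$(proc_argv0 "$1")
    [ -n "$argv0" ] || return 2
    case $argv0 in
        */*) claimed=$(readlink -f "$argv0" 2>/dev/null) ;;
        *)   claimed=$(command -v "$argv0" 2>/dev/null) \
                 && claimed=$(readlink -f "$claimed" 2>/dev/null) ;;
    esac
    [ -n "$claimed" ] && [ "$claimed" = "$exe" ]
}

# proc_fds PID: "FD -> TARGET" for every open descriptor (sockets appear as
# socket:[inode], which /proc/net/* maps back to a port or packet socket).
proc_fds() {
    for link in "/proc/$1"/fd/*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        echo "${link##*/} -> $(readlink "$link" 2>/dev/null)"
    done
}

# hidden_pids: PIDs present in /proc but missing from ps. This catches a
# trojaned ps binary; an LKM that hooks the /proc readdir (knark, adore) hides
# from both views, which is why those need memory or offline analysis.
# Short-lived processes can appear once; re-run and keep the stable ones.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || return 2
    seen=$(ps -e -o pid= | tr -d ' ')
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        printf '%s\n' "$seen" | grep -qx "$p" || echo "$p"
    done
}

# proc_report PID: verdict line followed by the descriptor table.
proc_report() {
    rc=0; proc_cmdline_matches_exe "$1" || rc=$?
    case $rc in
        0) v=consistent ;;
        1) v="MISMATCH argv0=$(proc_argv0 "$1") exe=$(proc_exe "$1")" ;;
        *) v=unreadable ;;
    esac
    echo "pid $1: $v"
    if [ "$rc" -ne 2 ]; then proc_fds "$1"; fi
}
```

To see the mismatch case, run ( exec -a xterm sleep 300 ) & in bash and then proc_report $!: cmdline says xterm, exe says sleep. Run it as root over every directory in /proc/[0-9]* on the suspect host and read the MISMATCH lines first; the fd table under a mismatching process usually shows the capture socket or output file that the renamed name was meant to hide.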

