Transcript SUproject

Incident Response and
Forensic Course Disk Image
Cataloging Project
Concepts and Deliverables
Major Goals
• Guide implementation of several GenII
“Honeywalls” (honeynets)
• Capture images of compromised systems
• Enter these (and “clean” images) into a database
for retrieval or comparison
• Implement a client/server in FIRE for loading
these images onto systems over the network
• Implement some integrity checking functions in
FIRE to simplify analysis
Honeynet Research Alliance
• “Pacific Northwest Honeynet Project” (?)
• Open to UW, SU, ISU (etc?) students
• Related to this project, but only as much as
it benefits the project
• More hands/eyes to install, monitor, test…
• Network diversity
• Honeypot diversity
• Increased chances of “interesting” activity
Honeynets
• Locations: UW, SU, ISU networks
• Using new GenII “Honeywall CD-ROM”
• Intel PC with three NICs
• >20GB hard drive
• 512MB RAM
• Honeypots will be Windows 2000, Linux
• One or more honeypots per honeynet
• Start independent, then centralize logs later
Honeypots
• Preparation
• Entire drive written with zeros (no residue)
• Partitions as small as possible (minimize footprint in
database and network transfer time)
• 2 - 3 partitions on each drive
• Operating System “live” partition
• Image copy of OS (not mounted)
• Swap partition (if OS requires one)
• MD5 hash both OS partitions before going “live”
(to verify integrity)
• MD5 hash all blocks (to find changes faster)
• [Automate using database & client/server]
Database
• Index on useful attributes
• OS type (e.g., Windows, Linux)
• OS version (e.g., Win2k, RH7.2)
• Services enabled
• Partitions used
• Partition sizes
• MD5/SHA1 hashes of partitions
• MD5/SHA1 hashes of blocks on OS partition
• Status (e.g., Clean, Compromised)
• Etc…
Front end
• Runs on custom FIRE CD
• User interface to database
• Client/server to manage bits on disk
• Upload bits on disk to database
• Hash partitions/blocks, gather attributes, etc.
• Choose image, prep drive, load
• Choose image, compare with bits on disk (detect
changes since install)
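The per-partition and per-block hashing described under “Honeypots” (hash both OS partitions before going live, hash all blocks to find changes faster) and the front end’s “compare with bits on disk” function, as an added example in Python. This is not code from the SU project, the FIRE CD or the Honeynet Project; the 512-byte block size, the manifest layout and the two sample images are assumptions constructed for the example. It defaults to SHA-256 rather than the MD5/SHA1 named on the slides, because collisions for both are practical today and a planted block that keeps its MD5 would go undetected; the algorithm name is recorded in the manifest so older records stay readable.

```python
"""Block-level integrity manifest for a honeypot partition image.

Added example, not code from the SU project or the FIRE CD.  The block
size, manifest layout and sample images are assumptions; the slides fix
none of them.
"""
import hashlib
import json

BLOCK_SIZE = 512  # assumption: one disk sector per hash; the deck names no size


def hash_blocks(image: bytes, block_size: int = BLOCK_SIZE, algo: str = "sha256"):
    """Return the digest of the whole image plus one digest per block."""
    whole = hashlib.new(algo)
    per_block = []
    for off in range(0, len(image), block_size):
        chunk = image[off:off + block_size]
        whole.update(chunk)
        per_block.append(hashlib.new(algo, chunk).hexdigest())
    return whole.hexdigest(), per_block


def make_manifest(name: str, image: bytes, os_type: str, os_version: str,
                  block_size: int = BLOCK_SIZE, algo: str = "sha256") -> dict:
    """Build the record that the image database would store for one partition."""
    whole, per_block = hash_blocks(image, block_size, algo)
    return {
        "name": name,
        "os_type": os_type,
        "os_version": os_version,
        "size": len(image),
        "block_size": block_size,
        "algo": algo,
        "partition_hash": whole,
        "block_hashes": per_block,
        "status": "clean",
    }


def verify_partition(manifest: dict, image: bytes) -> bool:
    """Whole-partition check: did the bits land on disk intact?"""
    whole, _ = hash_blocks(image, manifest["block_size"], manifest["algo"])
    return len(image) == manifest["size"] and whole == manifest["partition_hash"]


def changed_blocks(manifest: dict, image: bytes) -> list:
    """Return (offset, stored_hash, current_hash) for every block that differs.

    A block present on only one side (image grew or shrank) is reported with
    None for the missing hash, so a truncated or extended partition is never
    silently treated as unchanged.
    """
    bs, algo = manifest["block_size"], manifest["algo"]
    _, current = hash_blocks(image, bs, algo)
    stored = manifest["block_hashes"]
    diffs = []
    for i in range(max(len(stored), len(current))):
        old = stored[i] if i < len(stored) else None
        new = current[i] if i < len(current) else None
        if old != new:
            diffs.append((i * bs, old, new))
    return diffs


# Constructed sample data (not a real honeypot image): a 16-block "clean"
# OS partition and a copy with two blocks altered, the kind of change a
# replaced binary or a rootkit install would leave behind.
def _pattern(n_blocks: int) -> bytes:
    return b"".join(bytes([i]) * BLOCK_SIZE for i in range(n_blocks))


SAMPLE_CLEAN = _pattern(16)
_tampered = bytearray(SAMPLE_CLEAN)
_tampered[3 * BLOCK_SIZE:3 * BLOCK_SIZE + 8] = b"/bin/ls\x00"  # constructed overwrite
_tampered[9 * BLOCK_SIZE + 100] ^= 0xFF                        # single-byte flip
SAMPLE_COMPROMISED = bytes(_tampered)


if __name__ == "__main__":
    manifest = make_manifest("rh72-web-honeypot", SAMPLE_CLEAN, "Linux", "RH7.2")
    print(json.dumps({k: v for k, v in manifest.items() if k != "block_hashes"}, indent=2))
    print("clean copy verifies:", verify_partition(manifest, SAMPLE_CLEAN))
    print("compromised copy verifies:", verify_partition(manifest, SAMPLE_COMPROMISED))
    for off, old, new in changed_blocks(manifest, SAMPLE_COMPROMISED):
        print(f"changed block at offset {off:#x}: {(old or '-')[:12]} -> {(new or '-')[:12]}")
```

In the lab, `verify_partition` is the check to run right after the bits are loaded from the database (a transfer error or a wrong image fails here before any analysis starts), and `changed_blocks` is the “detect changes since install” step: it hands the student a list of offsets to look at rather than a whole drive. Because the manifest carries the block size, the same comparison works on the raw device (`open("/dev/sda1", "rb").read()` on the FIRE CD) as on a stored image file.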
Use in Forensic Course Lab
• Student boots lab system using custom
FIRE CD
• Chooses which compromised system to
analyze
• Bits loaded to disk, verified
• Student performs analysis, answers specific
questions (which are compared with
analysis in database)
• Repeat…
Use by Honeynet Alliance group
• Do once for each unique honeypot
• Zero drive
• Install/configure OS and services
• Reboot w/custom FIRE CD
• Hash partitions/blocks while loading into database
• From then on…
• Boot w/ custom FIRE CD
• Choose honeypot to clone
• Go get coffee/tea/Jolt while honeypot is cloned
Resources
• “The Use of Honeynets to Detect Exploited Systems
Across Large Enterprise Networks”
http://www.tracking-hackers.com/papers/gatechhoneynet.pdf
• http://project.honeynet.org/alliance/
• http://staff.washington.edu/dittrich/pnw-honeynet/reading/