Transcript Forensics

CSC 382: Computer Security
Forensics
CSC 382: Computer Security
Slide #1
Computer Forensics
1.
2.
3.
4.
5.
6.
7.
8.
Forensic Toolkit
Live Data Collection
Forensic Duplication
Network Data Collection
Evidence Handling
Disk Data Analysis
UNIX Forensics
Network Data Analysis
CSC 382: Computer Security
Slide #2
Forensic Toolkit
Forensic investigation required trusted set of tools to
collect and analyze data.
Hardware/Media:
– CD-ROM containing tools.
– USB drive or floppy for saving collected data.
– Laptop for network data collection and/or saving larger
quantities of data.
– Secure data analysis workstation
• Hard drive space for analyzing drive images.
• Drive bays and controllers for analyzing multiple
types of hard disks.
CSC 382: Computer Security
Slide #3
Forensic Toolkit Software
bash: known good copy of shell (cmd.exe for Win)
dd: create bit level images of disks
find and ls: examine directory listings
ifconfig: network configuration (ipconfig for Win)
lsmod: list loaded kernel modules (modinfo for Sun)
lsof: list open files (and network connections)
md5sum: generate/validate file checksums
netcat or cryptcat: save collected data via network
netstat: collect status of network connections
ps: collect process data (pslist for Win)
script: records terminal session
strace: system call tracer (truss for Sun)
strings: list text strings in binaries
vim: edit and/or
view binary/text files
CSC 382: Computer Security
Slide #4
Forensic Toolkit Software
Live CD toolkits
– FIRE: Forensic & Incident Response Environment
– Helix Forensics CD: Contains Sleuthkit.
Specialized Forensics Tools
– Sleuthkit (http://www.sleuthkit.org/)
• Includes Autoposy Forensic Browser.
– The Coroner’s Toolkit
• http://www.porcupine.org/forensics/tct.html
– Encase
• Commercial MS Windows toolkit.
CSC 382: Computer Security
Slide #5
Live Data Collection
• In-memory system state is volatile and must be
collected before system is shutdown.
• These types of data will be lost on shutdown:
–
–
–
–
Running processes.
Open network connections.
Deleted binaries whose programs are still executing.
Deleted files in use by a running program.
• Caveat: Even using tools from CD-ROM will
modify system state, both memory (perhaps
including swap) and disk files.
CSC 382: Computer Security
Slide #6
Saving Live Data
• Floppy drive
– small but ubiquitous.
• USB drive
– larger but not on older systems.
• Network storage
– Use netcat listener on remote host.
• nc –l –p 2222 >output
– Pipe to netcat on machine you’re investigating:
• /mnt/cdrom/bin/date | /mnt/cdrom/bin/nc –w
3 destIP 2222
– Use cryptcat or pipe through DES for security.
CSC 382: Computer Security
Slide #7
Live Data Procedure
1. Mount forensic toolkit media
•
mount –n /mnt/cdrom
2. Start trusted shell
•
•
/mnt/cdrom/bin/bash
export PATH=/mnt/cdrom/bin
3. Record current date
•
date
4. ARP and route cache tables
•
•
arp –an
route -Cn
CSC 382: Computer Security
Slide #8
Live Data Procedure
5. Logged-in users
•
w
6. File-modification times
•
•
•
atime: ls –alRu /
ctime: ls –clRu /
mtime: ls –alR
7. Open network connections/sniffers
•
•
ifconfig -a
netstat –anp
8. Physical memory image
•
dd if=/proc/kcore | nc remoteIP port
CSC 382: Computer Security
Slide #9
Live Data Procedure
9. Kernel modules and symbols
•
•
cat /proc/modules
cat /proc/ksyms
•
For detecting hidden kernel modules,
•
•
insmod –f /mnt/cdrom/hunter.o
cat /proc/showmodules
10. Process list
•
ps aux
•
Memory image of suspicious processes:
•
•
pcat PID or
kill –STOP PID && gcore –o PID.img PID
CSC 382: Computer Security
Slide #10
Live Data Procedure
11. Record system logs
1.
2.
3.
4.
utmp: current user access/accounting data
wtmp: historical user access/accounting data
lastlog: last access/login data
syslog files:
•
•
/etc/syslog.conf
/var/adm/messages or /var/log/messages
5. Application logs
•
•
•
Shell history files
Apache access_log
FTP xferlog
CSC 382: Computer Security
Slide #11
Live Data Procedure
12. Save configuration files
Authentication: /etc/passwd, /etc/shadow
Scope of access: /etc/group
Local machines: /etc/hosts
Trust relationships: /etc/hosts.equiv,~/.rhosts
TCP wrapper rules: /etc/hosts.allow,
/etc/hosts.deny
Syslog configuration: /etc/syslog.conf
inetd/xinetd: /etc/inetd.conf,
/etc/xinetd.conf, /etc/xinetd.d
Startup files: /etc/inittab, /etc/rc*
Scheduled events: /var/spool/cron/*
CSC 382: Computer Security
Slide #12
Live Data Procedure
13. Find deleted files
lsof: list open files
Look for files named only by disk partition.
Investigate /proc entries for processes
# ls –al /proc/1403
dr-xr-xr-x
dr-xr-xr-x
dr-xr-xr-x
-r--------r--r--r-lrwxrwxrwx
-r-------lrwxrwxrwx
dr-x------r--------rw-------r--r--r-lrwxrwxrwx
-r--r--r--r--r--r--r--r--r-dr-xr-xr-x
-r--r--r--
3
78
2
1
1
1
1
1
2
1
1
1
1
1
1
1
3
1
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
CSC 382: Computer Security
22
17
26
26
26
26
26
26
26
26
26
26
26
26
26
26
26
26
04:09
13:33
19:25
19:25
19:24
19:25
19:25
19:25
19:25
19:25
19:25
19:25
19:25
19:24
19:25
19:24
19:25
19:25
.
..
attr
auxv
cmdline
cwd -> /
environ
exe -> /sbin/syslogd
fd
maps
mem
mounts
root -> /
stat
statm
status
task
wchan
Slide #13
Live Data Procedure
13. Find deleted files (continued)
exe link points to binary image file for process
Can access binary via link even if file deleted
cmdline file contains command line args
cat cmdline
fd directory lists all open files by file descriptor
> ls -al fd
total 7
dr-x-----dr-xr-xr-x
lrwx-----l-wx-----l-wx-----l-wx-----l-wx-----l-wx-----l-wx------
2
3
1
1
1
1
1
1
1
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
root
0
0
64
64
64
64
64
64
64
CSC 382: Computer Security
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
Apr
26
22
26
26
26
26
26
26
26
19:25
04:09
19:25
19:25
19:25
19:25
19:25
19:25
19:25
.
..
0 ->
2 ->
3 ->
4 ->
5 ->
6 ->
7 ->
socket:[2715]
/var/log/messages
/var/log/secure
/var/log/maillog
/var/log/cron
/var/log/spooler
/var/log/boot.log
Slide #14
Live Data Procedure
14. Record completion date.
15. Record your actions.
history will list all of your commands
script command will record all keystrokes and
output of commands
script /mnt/floppy/log.txt
16. Record secure checksums on files
md5sum * >md5sums.txt
CSC 382: Computer Security
Slide #15
Forensic Duplication
Forensic Duplicate: File that contains every bit of
information from source.
Qualified Forensic Duplicate: A file or set of files
that contains every bit of information in source,
but which may be stored in altered format.
– checksums
– compression
Restored Image: The result of restoring a qualified
forensic duplicate to another medium.
– Problems: Different drive geometries, partition tables.
CSC 382: Computer Security
Slide #16
Forensic Duplication
• Compare and record data checksum
– md5sum /dev/hda == md5sum hda.img
• Duplicating a drive to local media
– dd if=/dev/hda of=/mnt/disk/hda.img
conv=noerror,notrunc bs=16384
• Duplicating a drive across the network
– dd if=/dev/had conv=noerror,sync |
des –e –c –k password | nc –w 3
targetIP 2222
– nc –l –p 2222 | des –d –c –k password
| dd of=hda.img
CSC 382: Computer Security
Slide #17
Forensic Duplication
Duplicating a drive to multiple files
#!/bin/bash
blocksz=20480k
let count=1
while(dd if=/dev/hda
of=/mnt/disk/hda.$count.img
bs=$blocksz skip=($($count-1))
conv=noerror,notrunc)
do
echo “Block $count output.”
count=$((count+1))
done
CSC 382: Computer Security
Slide #18
Network Data Collection
• Goals
–
–
–
–
Monitor specific host/network.
Monitor specific protocol.
Monitor specific person’s actions.
Check for known attack signatures.
• Where to monitor?
– Need physical access to appropriate network.
– Many switches offer SPAN (switched port
analysis), providing a network monitor port.
CSC 382: Computer Security
Slide #19
Network Data Collection Hardware
Fast networks require much CPU/RAM to monitor
all packets.
– Pentium4/512MB/striped disk for heavily used
100Mbps network.
– Special purpose network monitors for faster networks.
Silent Sniffers
– Configure interface without IP address to monitor while
not being scannable.
• Turn off ARP responses (ifconfig –arp eth0 up)
• Unbind NetBIOS and IPX protocols on MSWindows.
– Construct a read-only ethernet tap cable by cutting
transmit wires on cable for maximum stealth.
CSC 382: Computer Security
Slide #20
Network Data Collection Software
• Robust, configurable OS
• Data file formats
– libpcap: tcpdump, Ethereal, Snort
– Sun snoop
• Monitoring with tcpdump
– May filter by src/dest IP address and/or port.
– Traffic patterns
• tcpdump –n –w log.pcap
– Full-content:
• tcpdump –n –s 1514 –w log.pcap
CSC 382: Computer Security
Slide #21
Evidence Handling
Original Evidence: original copy of evidence
provided for client/victim.
Best Evidence: duplication of evidence most
closely linked to original evidence.
Authentication of Evidence: testimony of
evidence collector in court that evidence is
what the proponent claims.
CSC 382: Computer Security
Slide #22
Evidence Handling
Chain of Custody
– Evidence must be stored in tamperproof
manner, where it cannot be accessed by
unauthorized people.
– Requirements:
•
•
•
•
•
Know location of evidence at all times.
Maintain custody of keys/passwords for access.
Document all receipts and transfers of evidence.
Provide testimony to defend evidence handling.
Secure checksums of all files to validate that best
evidence matches original evidence.
CSC 382: Computer Security
Slide #23
Evidence Handling Procedures
1. Record information about original system.
–
Include photographs of system and media.
2. Create evidence tag for evidence stored.
3. Label all media with evidence label.
–
–
Case number and evidence tag number.
Timestamp and description of contents.
4. Store best evidence copy in evidence safe.
5. Evidence custodian records entry in log.
6. All examinations performed on forensic copy of
best evidence.
7. Evidence custodian responsible for backups and
audits of contents of evidence safe.
CSC 382: Computer Security
Slide #24
Evidence Tags
• Description of place and/or persons from whom
evidence was received.
• Description of item and data contained.
• Timestamp of when evidence received.
• Full name and signature of individual receiving
evidence.
• Case and tag number related to evidence.
• Record of all people who have possessed the
evidence, including names, timestamps, and
reasons why evidence was transferred.
CSC 382: Computer Security
Slide #25
Disk Data Analysis
Use Linux analysis system
– Support for wide range of filesystems: FAT12,
FAT16, FAT32, NTFS, HFS+, FFS, UFS
Mount read-only partition image via loopback
device:
– mount –r –t ntfs –o loop /mnt/evi hda1.img
Examine mounted image with standard UNIX
tools.
CSC 382: Computer Security
Slide #26
Disk Data Analysis
Mount read-only full disk image via loopback:
– Install NASA enhanced loopback patches.
– losetup /dev/loopa hda.img
– fdisk –l /dev/loopa
Disk /dev/loopa: 255 heads, 63 sectors, 592
cylinders
Units = sectors of 1 * 512 = 512 bytes
Device
Boot Start
End
Blocks Id System
/dev/loopa1
*63
7438094 3719016 7 HPFS/NTFS
/dev/loopa2
7438095 9510479 1036192+ 5 Extended
/dev/loopa5
7438158 7695134 128488+ 82 Lin swap
– mount –r –t vfat /dev/loopa1 /mnt/evi
CSC 382: Computer Security
Slide #27
Recovering Deleted Files
Linux Tools
– fatback
• FAT/VFAT filesystem undelete by name.
– foremost
• Recovers files based on header/footer tags.
– Sleuthkit TASK
• FAT/BSD/Linux/UFS filesystems.
• Autopsy GUI forensic browser.
CSC 382: Computer Security
Slide #28
Recovering Unused Space
Types of Unused Space
– Unallocated space
• Disk blocks not currently allocated to any files.
– Slack space
• Portions of disk blocks currently used by file.
– Free space
• Portion of disk unused by any current partition.
CSC 382: Computer Security
Slide #29
File Lists
Create list of all files
–
–
–
–
Full path
All timestamps (atime, ctime, mtime on UNIX)
Logical file size
Cryptographic checksum of file
Tool: CATALOG –p /mnt/loopa1
Compare checksums against known good
checksums of OS distribution to find altered
files.
CSC 382: Computer Security
Slide #30
Identify suspicious files
New SUID files
– find /mnt/evi \(–perm –0400 –o – perm
–0200 \) –print
Files with no owner
– find /mnt/evi –nouser –o –nogroup
Core files may reveal attacker programs
– find /mnt/evi –name core –print
CSC 382: Computer Security
Slide #31
String Searches
Preparations
– Recover deleted files.
– Recursively uncompress/decrypt files as needed.
Using GNU grep
– grep –a –i -# –f search /dev/hda >results
–
–
–
–
-a: search binary files
-i: case insensitive
-#: lines of context before/after match
-f: search file contains list of regular expressions
CSC 382: Computer Security
Slide #32
UNIX Forensics
1.
2.
3.
4.
5.
6.
7.
8.
9.
Review log files
Keyword searches of disk image
Review configuration files
Identify unauthorized users/groups
Identify suspicious files
Identify suspicious processes
Check for backdoors
Analyze trust relationships
Check for kernel rootkits
CSC 382: Computer Security
Slide #33
Network Data Analysis
tcptrace
– Reconstructs UDP/TCP sessions from packet
capture files.
tcpflow
– Reassembles TCP sessions correctly (deals with
out of sequence packets and retransmissions.)
snort
– Identifies known attack signatures in pcap files.
CSC 382: Computer Security
Slide #34
Network Data Analysis
Ethereal
– Reads many different packet capture formats.
– View filters for colorizing packet display.
– “Follow TCP Stream”
• Select one packet from a TCP session.
• Display and/or save single TCP session.
• Reconstruct files transferred via TCP file transfer
protocols.
CSC 382: Computer Security
Slide #35
Key Points
•
•
•
•
•
•
Don’t trust the system being investigated.
Document all of your actions.
Collect as much data as possible without
modifying system state.
Cryptographically sign all digital data so
copies can be verified to match originals.
Forensic duplication and restoration process.
Network capture and analysis tools.
CSC 382: Computer Security
Slide #36
References
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
N. Brownlee and E. Guttman, , “RFC 2350 - Expectations for Computer Security Incident
Response,” http://www.faqs.org/rfcs/rfc2350.html, 1998.
Mariusz Burdach, “Forensic Analysis of a Live Linux System, Part One,”
http://www.securityfocus.com/infocus/1769, March 2004.
Mariusz Burdach, “Forensic Analysis of a Live Linux System, Part Two,”
http://www.securityfocus.com/infocus/1773, April 2004.
Brian Carrier, Sleuthkit Informer #11, http://sleuthkit.sourceforge.net/informer/sleuthkitinformer-11.html, December 2003.
CERT, “Computer Security Incident Response Team (CSIRT) FAQ,”
http://www.cert.org/csirts/csirt_faq.html
William Cheswick, Steven Bellovin, Steven, and Avriel Rubin, Firewalls and Internet
Security, 2nd edition, Addison-Wesley, 2003.
Dan Farmer and Wietse Venema, Forensic Discovery, Addison-Wesley, 2004.
Fraser (ed.), “RFC 2196 - Site Security Handbook,”
http://www.faqs.org/rfcs/rfc2196.html, 1997.
Garfinkel, Simson, Spafford, Gene, and Schartz, Alan, Practical UNIX and Internet
Security, 3rd edition, O’Reilly & Associates, 2003.
Kevin Mandia, Chris Prosise, and Matt Pepe, Incident Response & Computer Forensics,
2nd edition, McGraw-Hill, 2003.
CSC 382: Computer Security
Slide #37