Unix Systems Forensics and Incident Response

Presented by Kristy Westphal kmwestphal@cox.net


Why is IH/IR important?
The keys to Incident Response
• Plan for an incident
• Identify that an incident has occurred
• Containment of the incident
• Eradicate the issue
• Recovery
• Follow up


Incident Severity
How bad does it need to be to do all of this? Severity depends on a risk assessment:
• Performed by the Security Dept., in conjunction with the “assessment team”
• Lower severity will be logged
• Higher severity will warrant more investigation


General Incident Handling Guidelines
• Keep a log
• Inform the right people
• Release of information
• Follow-up analysis
• Training


IH Specifics
• Identify the problem
• Analyze the system
• Collect the data
• Clean up the system
• Return the system to an operational state
• Follow up with appropriate personnel action


Chain of Custody
• Who obtained the evidence
• What the evidence is
• Where and when the evidence was obtained
• Who secured the evidence
• Who had control or possession
• Applicability to us


Forensic Methodology
• Synopsis of case
• System description
• Evidence collection
• Media analysis
• Timeline
• Data recovery
• Reporting

Forensics Basics
• Minimize data loss
• Record everything
• Analyze data on copies if possible
• Report your findings


Tools required
Incident response computer
• Laptop or easily movable PC
• 2 drives: one Windows, one Linux (or substitute)
• CD-RW
• Tape
• SCSI or IDE removable drives
• SCSI external drives (with plenty of room)

More tools
Network equipment
• Small hub and CAT5 cable
• Crossover cable

Incident response floppy or CD-ROM
• Use static binaries
  • Unix: netstat, dd, find, nc, ls, ps, lsof, strings, last, ifconfig, uptime, rootkit checker
  • Windows: cmd.exe, Resource Kit, Cygwin tools, imaging tool of choice
• Anti-virus scanner (scan only, no clean function)


Making bit images
• Physical vs. logical
• Over the network
  • nc
  • Net shares
• Include memory
• Verify integrity


Where to start
Live vs. dead system: which one is best?
• Depends upon the situation
• Live provides more information
• Shutting down the system changes volatile evidence (memory, processes, network connections)


More considerations…
• Record the state of the computer itself
  • Take a picture of the screen
  • What is actually running?
• Pros and cons of a port scan
• Gather as much info “outside” the system before starting anything!
• Correlate


Where else to look
• IDS
• Firewall
• Router
• Exchange server
• File server
• Dial-in server


Where else to look (2)
• Memory
• Swap space or pagefile
• Network status and connections
• Processes running
• Hard drive (the whole thing)
• Any removable media


Where else to look (3)
• Home directories
• History files
• Common areas (/tmp)
• Log files


Where can data hide?
Not your usual places:
• Hidden directories
• File slack space
• Deleted files
• Cryptography
• Steganography
• Covert channels


Filesystem Basics
• Superblock
• Directories
• Files
• Contiguous disk space
• Inodes
• File deletion


Ext2 filesystem


What files to look at first?
Must haves!
• /etc/issue (OS and version)
• /tmp/install.log? (OS install date)
• /etc/timezone
• /var/log/boot.log (boot date)
• /etc/fstab
• /etc/passwd
• SUID/SGID files
• Recently created files and binaries
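The searches behind the last two “must haves” (SUID/SGID files, recently created files) and two of the hiding places from the “Where can data hide?” and “Where else to look (3)” slides (hidden directories, history files), as an added example that is not part of the presentation. ROOT is the mount point of a read-only copy of the evidence disk and the report is written outside that tree; both paths, and the seven-day window, are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the presentation: triage searches over a mounted
# evidence copy. ROOT is the mount point; write the report somewhere else so
# the evidence tree is never modified. Paths are assumptions for illustration.

# SUID/SGID files: diff the result against the same search on a known-good
# install of the same OS version; new entries are the ones to examine.
find_setid() {   # find_setid ROOT
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files whose inode changed in the last DAYS days. ctime (not mtime) is used
# because mtime can be backdated with touch, while ctime cannot be set that way.
find_recent() {   # find_recent ROOT DAYS
    find "$1" -xdev -type f -ctime "-$2" 2>/dev/null | sort
}

# Directories with dot-prefixed or whitespace-containing names, which hide
# from a casual ls and are a classic staging spot under /tmp and /dev.
find_odd_dirs() {   # find_odd_dirs ROOT
    find "$1" -xdev -mindepth 1 -type d \( -name '.*' -o -name '* *' \) 2>/dev/null | sort
}

# Shell history files in home directories. Symlinks are listed too: a history
# file pointed at /dev/null, or an empty one, is itself a finding.
find_histories() {   # find_histories ROOT
    find "$1/home" "$1/root" -maxdepth 2 \( -type f -o -type l \) -name '.*history' 2>/dev/null | sort
}

# Run all four and write a dated report; hash the report afterwards and note
# the hash in the chain-of-custody log.
triage() {   # triage ROOT REPORT
    {
        echo "# triage of $1 on $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "## setuid/setgid files";              find_setid "$1"
        echo "## files with ctime in last 7 days";  find_recent "$1" 7
        echo "## dot/whitespace-named directories"; find_odd_dirs "$1"
        echo "## shell history files";              find_histories "$1"
    } > "$2"
}
```

Every search uses -xdev so it stays on the evidence filesystem and does not wander into the analysis host’s own mounts; run it as a user with read access to the whole mount, and compare the setuid list with one taken from a clean system rather than reading it cold.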


What else we can run into
• Large-capacity drives
• Critical machine
• Unable to power down, ever
• No backup mechanism in place
• People
• Policy and legal issues


What are we looking for?
• Use the information that you have gathered
• Search the evidence
• Look for anomalous behavior
• Verify what you find
• DOCUMENT ALL!!!


What evidence to collect
• Clean the media you will make images with
• Use a hash algorithm to verify no changes were made to the media
• Obtain a forensic image
• Don’t forget the volatile information
• Look for backdoors, sniffer programs, system registry or /proc, startup files and processes
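A collector for the volatile information named above, built around the static-binary toolkit from the “Incident response floppy or cdrom” slide, as an added example that is not part of the presentation. TOOLBIN is the directory of trusted static binaries on the response media and OUTDIR is where the captures go; both, and the exact tool arguments, are assumptions. A tool that is not on the media is recorded as missing rather than silently run from the suspect system’s PATH.

```sh
#!/bin/sh
# Added example, not from the presentation: volatile-data collection using
# only the trusted binaries on the response media. TOOLBIN and OUTDIR are
# assumptions for illustration.

# Run one trusted tool, save its output, and hash the output so the manifest
# line can go straight into the chain-of-custody log.
run_step() {   # run_step OUTDIR TOOLBIN NAME [ARGS...]
    outdir=$1; toolbin=$2; name=$3; shift 3
    # the hashing tool should come from the media as well; fall back to PATH
    hasher=$toolbin/sha256sum; [ -x "$hasher" ] || hasher=sha256sum
    if [ -x "$toolbin/$name" ]; then
        "$toolbin/$name" "$@" > "$outdir/$name.txt" 2>&1 || true
        printf '%s %s\n' "$name" "$("$hasher" "$outdir/$name.txt" | cut -d' ' -f1)" \
            >> "$outdir/manifest.txt"
    else
        printf '%s MISSING-from-toolkit\n' "$name" >> "$outdir/manifest.txt"
    fi
}

# Collect in order of volatility: network state and processes first, login
# history last. OUTDIR should be removable media, or a directory shipped off
# the box through the toolkit's nc (tar cf - OUTDIR | nc LAPTOP_IP 9000),
# never the evidence disk itself, since writing there destroys slack space
# and deleted-file remnants the later media analysis depends on.
collect_volatile() {   # collect_volatile OUTDIR TOOLBIN
    mkdir -p "$1"
    : > "$1/manifest.txt"
    run_step "$1" "$2" date -u
    run_step "$1" "$2" uptime
    run_step "$1" "$2" netstat -an
    run_step "$1" "$2" ps aux         # BSD syntax; use "ps -ef" with a SysV ps
    run_step "$1" "$2" lsof -n
    run_step "$1" "$2" ifconfig -a
    run_step "$1" "$2" last
    run_step "$1" "$2" id             # records who ran the collection
}
```

Each capture runs from the media, so a trojaned ps or netstat on the suspect host cannot hide processes or listeners from this output; the later rootkit check compares what these trusted copies report against what the system’s own binaries show.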

Legal Implications
• Sniffers
• Banners
• Chain of custody


Making bit images
• Verify integrity of the analysis system
• Install and sterilize image media
• Connect the evidence disk to the analysis system
• Get a partition listing
• Create/check cryptographic hashes
• Create a bit image for each partition
• Check the hash value of each to validate
• Remove the evidence disk, document, and store
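The hash / bit-copy / re-hash cycle from the steps above and the nc variant from the earlier “Making bit images” slide, carried out with dd, as an added example that is not part of the presentation. SRC is the evidence partition (attached read-only), IMG the image file on the sterilized media and LOG the acquisition log; all three paths and the laptop address are assumptions.

```sh
#!/bin/sh
# Added example, not from the presentation: image one partition with dd and
# prove the copy matches. SRC, IMG, LOG and LAPTOP_IP are assumptions.

sha() { sha256sum "$1" | cut -d' ' -f1; }

# "Install and sterilize image media": before first use, zero the destination
# disk (dd if=/dev/zero of=<target device> bs=512) and log the hash of the
# zeroed device, so nobody can argue that old data bled into the image.
# Shown as a comment only, because it is destructive.

image_partition() {   # image_partition SRC IMG LOG
    before=$(sha "$1")
    # bs=512 matches the sector size, so the padding from conv=sync never
    # changes the length; a larger bs would zero-pad the final partial block
    # and the hashes would not match. conv=noerror keeps reading past bad
    # sectors (zero-filled, reported on stderr, which the log captures); such
    # a disk will not hash equal, and the log shows why.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>>"$3"
    after=$(sha "$1")
    copy=$(sha "$2")
    printf 'source-before %s %s\nsource-after  %s %s\nimage         %s %s\n' \
        "$before" "$1" "$after" "$1" "$copy" "$2" >> "$3"
    # All three must agree: the copy is faithful and the source was untouched.
    [ "$before" = "$after" ] && [ "$after" = "$copy" ]
}

# Over the network (the nc bullet): on the response laptop,
#   nc -l -p 9000 | dd of=hda1.dd bs=512      (some nc variants take "nc -l 9000")
# and on the evidence host, with the toolkit's static dd and nc,
#   dd if=/dev/hda1 bs=512 conv=noerror,sync | nc LAPTOP_IP 9000
# then hash both ends exactly as image_partition does.
```

The before/after hash of the source is the part people skip; it is what lets you state in the report that acquisition did not alter the evidence, not merely that the image matches whatever the disk held afterwards.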

Let’s look at some tools
• Ethereal
• TCT (The Coroner’s Toolkit)
• mac_daddy
• TASK (The @stake Sleuth Kit)
• Autopsy


Tools within TASK
• fsstat
• dcat
• dls
• dcalc
• dstat
• ils
• istat
• icat
• ifind

Advanced techniques
• Kernel module forensics
• Binary analysis
• Process wiretapping
• Malware dissection


Phrack 59
• Tools that work to foil what we have learned today
  • Burneye
  • The Defiler’s Toolkit


How can this help you?
• Root cause analysis
• Find possible break-ins
• Find possible accidents
• Help to improve processes


• Honeynet Project: http://project.honeynet.org
• “Know your Enemy”: http://project.honeynet.org/papers
• chkrootkit homepage: http://www.chkrootkit.org#related_links
• Incidents.org: http://www.incidents.org
• SANS/GIAC whitepapers: http://www.giac.org/
• http://www.cygwin.com
• http://www.gmgsystemsinc.com/fau/
• http://www.systeminternals.com
• http://www.foundstone.com
• http://www.remote-exploit.org/backtrack_download.html

