Unix Systems Forensics and Incident Response

Presented by Kristy Westphal kmwestphal@cox.net


Why is IH/IR important?
The keys to Incident Response
• Plan for an incident
• Identify that an incident has occurred
• Containment of an incident
• Eradicate the issue
• Recovery
• Follow up


Incident Severity
• How bad does it need to be to do all of this?
• Severity depends on risk assessment
  • Performed by Security Dept., in conjunction with “assessment team”
  • Lower severity will be logged
  • Higher severity will warrant more investigation


General Incident Handling Guidelines
• Keep a log
• Inform the right people
• Release of information
• Follow-up analysis
• Training


IH Specifics
• Identify the problem
• Analyze the system
• Collect the data
• Clean up the system
• Return system to operational state
• Follow up with appropriate personnel action


Chain of Custody
• Who obtained the evidence
• What the evidence is
• Where and when the evidence was obtained
• Who secured the evidence
• Who had control or possession
• Applicability to us


Forensic Methodology
• Synopsis of case
• System description
• Evidence collection
• Media analysis
• Timeline
• Data recovery
• Reporting

Forensics Basics
• Minimize data loss
• Record everything
• Analyze data on copies if possible
• Report your findings


Tools required
• Incident response computer
  • Laptop or easily movable PC
  • Two drives: one Windows, one Linux (or substitute)
• CD-RW
• Tape
• SCSI or IDE removable drives
• SCSI external drives (with much room)

More tools
• Network equipment
  • Small hub and CAT5 cable
  • Crossover cable
• Incident response floppy or CD-ROM
  • Use static binaries
  • Unix: netstat, dd, find, nc, ls, ps, lsof, strings, last, ifconfig, uptime, rootkit checker
  • Windows: cmd.exe, Resource Kit, Cygwin tools, imaging tool of choice
  • Anti-virus scanner (scan only, no clean function)


Making bit images
• Physical vs. logical
• Over the network
  • nc
  • Net shares
• Include memory
• Verify integrity


Where to start
• Live vs. dead system: which one is best?
  • Depends upon the situation
  • Live provides more information
  • Shutting down the system changes volatile evidence (memory, processes, network connections)


More considerations…
• Record the state of the computer itself
  • Take a picture of the screen
  • What is actually running?
• Pros and cons of a port scan
• Gather as much info “outside” the system before starting anything!
• Correlate


Where else to look
• IDS
• Firewall
• Router
• Exchange server
• File server
• Dial-in server


Where else to look (2)
• Memory
• Swap space or pagefile
• Network status and connections
• Processes running
• Hard drive (the whole thing)
• Any removable media


Where else to look (3)
• Home directories
• History files
• Common areas: /tmp
• Log files


Where can data hide?
Not your usual places:
• Hidden directories
• File slack space
• Deleted files
• Cryptography
• Steganography
• Covert channels


Filesystem Basics
• Superblock
• Directories
• Files
• Contiguous disk space
• Inodes
• File deletion


Ext2 filesystem
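To make the superblock, block size and slack-space points concrete, here is an added example (not part of the original slides) that reads the primary ext2 superblock out of a constructed partition image, reports the fields an examiner wants first (block size, inode and block counts, last mount/write times, volume name, last mount point), and computes how much file slack a file of a given size leaves in its final block. The sample superblock is constructed inline; only the documented ext2 on-disk offsets are relied on.

```python
"""Added example (not from the original slides): parse an ext2 superblock
from a constructed image and derive block size, counts, timestamps and slack."""
import struct
import time

SUPERBLOCK_OFFSET = 1024    # the primary superblock sits 1 KiB into the partition
EXT2_SUPER_MAGIC = 0xEF53


def build_sample_superblock():
    """Construct a minimal revision-1 ext2 superblock (boot block + 1 KiB superblock)."""
    sb = bytearray(1024)
    # offsets follow the ext2 on-disk layout (all little-endian)
    struct.pack_into("<IIIIII", sb, 0, 2048, 8192, 409, 7000, 2000, 1)   # inode/block counts, first data block
    struct.pack_into("<II", sb, 24, 0, 0)                                # s_log_block_size=0 -> 1024-byte blocks
    struct.pack_into("<III", sb, 32, 8192, 8192, 2048)                   # blocks/frags/inodes per group
    struct.pack_into("<II", sb, 44, 1_000_000_000, 1_000_000_100)        # s_mtime, s_wtime
    struct.pack_into("<HhHHHH", sb, 52, 3, 20, EXT2_SUPER_MAGIC, 1, 1, 0)  # mnt_count, max_mnt, magic, state, errors, minor rev
    struct.pack_into("<III", sb, 64, 999_999_000, 15552000, 0)           # lastcheck, checkinterval, creator_os
    struct.pack_into("<I", sb, 76, 1)                                    # s_rev_level = 1 (dynamic)
    struct.pack_into("<IH", sb, 84, 11, 128)                             # s_first_ino, s_inode_size
    sb[120:136] = b"evidence".ljust(16, b"\0")                           # s_volume_name
    sb[136:200] = b"/mnt/data".ljust(64, b"\0")                          # s_last_mounted
    return bytes(1024) + bytes(sb)


def _utc(epoch):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(epoch))


def parse_superblock(image):
    """Return the examiner-relevant superblock fields; raise if the magic is wrong."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2/3/4 superblock: magic 0x%04x" % magic)
    inodes, blocks, reserved, free_blocks, free_inodes, first_data = struct.unpack_from("<IIIIII", sb, 0)
    log_block_size, = struct.unpack_from("<I", sb, 24)
    blocks_per_group, _, inodes_per_group = struct.unpack_from("<III", sb, 32)
    mtime, wtime = struct.unpack_from("<II", sb, 44)
    mnt_count, max_mnt = struct.unpack_from("<Hh", sb, 52)
    rev, = struct.unpack_from("<I", sb, 76)
    block_size = 1024 << log_block_size
    info = {
        "block_size": block_size, "inodes": inodes, "blocks": blocks,
        "free_blocks": free_blocks, "free_inodes": free_inodes,
        "block_groups": -(-(blocks - first_data) // blocks_per_group),   # ceiling division
        "inodes_per_group": inodes_per_group,
        "mount_count": mnt_count, "max_mount_count": max_mnt,
        "last_mount_utc": _utc(mtime), "last_write_utc": _utc(wtime),
        "revision": rev, "inode_size": 128, "volume_name": "", "last_mounted": "",
    }
    if rev >= 1:   # dynamic-revision fields only exist from revision 1 on
        info["inode_size"] = struct.unpack_from("<H", sb, 88)[0]
        info["volume_name"] = sb[120:136].split(b"\0")[0].decode("ascii", "replace")
        info["last_mounted"] = sb[136:200].split(b"\0")[0].decode("ascii", "replace")
    return info


def slack_bytes(file_size, block_size):
    """Bytes between end-of-file and the end of its last block: old data can persist there."""
    if file_size == 0:
        return 0
    return (-file_size) % block_size


if __name__ == "__main__":
    info = parse_superblock(build_sample_superblock())
    for k, v in info.items():
        print("%-18s %s" % (k, v))
    print("slack for 1500-byte file:", slack_bytes(1500, info["block_size"]))
```

The last mount point and mount count are worth comparing with /etc/fstab and the boot log from the "must have" files: a volume that claims a different mount point than the running configuration, or timestamps after the reported incident, is something to note in the case synopsis.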


What files to look at first?
Must haves!
• /etc/issue (OS and version)
• /tmp/install.log? (OS install date)
• /etc/timezone
• /var/log/boot.log (boot date)
• /etc/fstab
• /etc/passwd
• SUID/SGID files
• Recently created files and binaries


What else we can run into
• Large capacity drives
• Critical machine: unable to power down ever
• No backup mechanism in place
• People
• Policy and legal issues


What are we looking for?
• Use information that you have gathered
• Search the evidence
• Look for anomalous behavior
• Verify what you find
• DOCUMENT ALL!!!


What evidence to collect
• Clean the media you will make images with
• Use a hash algorithm to verify no changes were made to the media
• Obtain a forensic image
• Don’t forget the volatile information
• Look for backdoors, sniffer programs, system registry or /proc, startup files and processes

Legal Implications
• Sniffers
• Banners
• Chain of custody


Making bit images
• Verify integrity of analysis system
• Install and sterilize image media
• Connect evidence disk to analysis system
• Get a partition listing
• Create/check cryptographic hashing
• Create a bit image for each partition
• Check hash value of each to validate
• Remove evidence disk, document, and store

Let’s look at some tools
• Ethereal
• TCT
• mac_daddy
• TASK
• Autopsy


Tools within TASK
• fsstat
• dcat
• dls
• dcalc
• dstat
• ils
• istat
• icat
• ifind

Advanced techniques
• Kernel module forensics
• Binary analysis
• Process wiretapping
• Malware dissection


Anti-forensics
• Phrack 59
• Tools that work to foil what we have learned today
  • Burneye
  • The Defiler’s Toolkit


How can this help you?
• Root cause analysis
• Find possible break-ins
• Find possible accidents
• Help to improve processes


Resources
• Honeynet Project: http://project.honeynet.org
• “Know your Enemy”: http://project.honeynet.org/papers
• chkrootkit homepage: http://www.chkrootkit.org#related_links
• Incidents.org: http://www.incidents.org
• SANS/GIAC whitepapers: http://www.giac.org/
• http://www.cygwin.com
• http://www.gmgsystemsinc.com/fau/
• http://www.systeminternals.com
• http://www.foundstone.com
• http://www.remote-exploit.org/backtrack_download.html

