
Unix Systems Forensics and Incident Response


Presented by Kristy Westphal
kmwestphal@cox.net

1
Why is IH/IR (incident handling / incident response) important?
The keys to Incident Response
Plan for an incident
Identify that an incident has occurred
Containment of an incident
Eradicate the issue
Recovery
Follow up

2
Incident Severity
How bad does it need to be to do all of this?
Severity depends on Risk Assessment
Performed by Security Dept., in conjunction with “assessment team”
Lower severity will be logged
Higher severity will warrant more investigation

3
General Incident Handling Guidelines
Keep a log
Inform the right people
Release of information
Follow-up analysis
Training

4
IH Specifics
Identify the problem
Analyze the system
Collect the data
Clean up the system
Return system to operational state
Follow up with appropriate personnel action

5
Chain of Custody
Who obtained the evidence
What the evidence is
Where and when the evidence was obtained
Who secured the evidence
Who had control or possession
Applicability to us

6
Forensic Methodology
Synopsis of Case
System Description
Evidence Collection
Media Analysis
Timeline
Data Recovery
Reporting

7
Forensics Basics
Minimize data loss
Record everything
Analyze data on copies if possible
Report your findings

8
Tools required
Incident response computer
Laptop or easily movable PC
2 drives - one Windows, one Linux (or substitute)
CD-RW
Tape
SCSI or IDE removable drives
SCSI external drives (with much room)

9
More tools
Network Equipment
small hub and CAT5 cable
crossover cable
Incident response floppy or cdrom
Use static binaries
Unix: netstat, dd, find, nc, ls, ps, lsof, strings, last, ifconfig, uptime, rootkit checker
Windows: cmd.exe, Resource Kit, cygwin tools, imaging tool of choice
Anti-virus scanner (scan only - no clean function)

10
Making bit images
Physical vs. logical
Over the network
nc
Net shares
Include memory
Verify integrity

11
Where to start
Live vs. dead system
Which one is best?
Depends upon the situation
Live provides more information
Shutting down the system changes volatile evidence (memory, processes, network connections)

12
More considerations…
Record the state of the computer itself
Take a picture of the screen
What is actually running?
Pros and cons of a port scan
Gather as much info “outside” the system before starting anything!
Correlate

13
Where else to look
IDS
Firewall
Router
Exchange Server
File Server
Dial-In Server

14
Where else to look (2)
Memory
Swap space or pagefile
Network status and connections
Processes running
Hard drive (the whole thing)
Any removable media
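The live-response idea from slides 10, 12 and 15 (static binaries from the response media, most volatile data first, keep a log of everything) as a small collector script. This is an added example, not part of the original presentation: the trusted toolset path `$TOOLBIN` (default `/mnt/cdrom/bin`), the case directory layout and the `collection.log` format are assumptions of this example. It needs POSIX sh plus coreutils (`date`, `sha256sum`, `cut`); a tool that is absent from the media is recorded as MISSING instead of being silently skipped.

```sh
#!/bin/sh
# Added example, not from the original slides: minimal live-response collector.
# Runs the static tools from the response CD in order of volatility and keeps
# a timestamped, hashed record of every step (the "keep a log" rule).
# Assumptions (hypothetical): trusted static binaries live in $TOOLBIN;
# output goes to the case directory given to collect_volatile.
set -u

TOOLBIN="${TOOLBIN:-/mnt/cdrom/bin}"
CASE=.        # set by collect_volatile
STEPS=0       # number of steps attempted so far

# run_step NAME CMD [ARGS...]: run one collection command, save its output
# to $CASE/NAME.txt and append a timestamped, hashed entry to the log.
run_step() {
    name="$1"; shift
    STEPS=$((STEPS + 1))
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        # A failing tool is still evidence: keep whatever it printed.
        "$@" >"$CASE/$name.txt" 2>&1 || true
        h=$(sha256sum "$CASE/$name.txt" | cut -d' ' -f1)
        printf '%s %s sha256=%s cmd=%s\n' "$ts" "$name" "$h" "$*" >>"$CASE/collection.log"
    else
        printf '%s %s MISSING tool=%s\n' "$ts" "$name" "$1" >>"$CASE/collection.log"
    fi
}

# collect_volatile CASEDIR: gather volatile state, most volatile first
# (memory info, network, processes, then logins and mounts). Prints the
# number of steps attempted so the caller can check the log is complete.
# A full memory image (dd of /dev/mem or a kernel-specific tool) would be
# the real first step on a live host and needs root; it is not attempted here.
collect_volatile() {
    CASE="$1"
    STEPS=0
    mkdir -p "$CASE"
    # Prefer the static binaries on the response media; the suspect host's
    # own ps/netstat/ls may be trojaned, so falling back is worth a warning.
    if [ -d "$TOOLBIN" ]; then
        PATH="$TOOLBIN:$PATH"
    else
        printf 'WARNING trusted toolset %s not found, using host PATH\n' "$TOOLBIN" >>"$CASE/collection.log"
    fi
    export PATH
    run_step date     date -u
    run_step uptime   uptime
    run_step meminfo  cat /proc/meminfo
    run_step ifconfig ifconfig -a
    run_step netstat  netstat -an
    run_step ps       ps auxwww
    run_step lsof     lsof -n
    run_step last     last
    run_step mounts   df -k
    echo "$STEPS"
}

# Demo: collect into a scratch directory and show the log.
demo=$(mktemp -d)
collect_volatile "$demo/case" >/dev/null
cat "$demo/case/collection.log"
```

Each line of `collection.log` ties a command, its UTC timestamp and the SHA-256 of its output together; that is the minimum needed to show later that the file you are analysing is the one the command produced. The order matters: process and network state are read before anything that touches the disk, and `ps`/`netstat` output is never trusted from the host's own binaries if the response media is available.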

15
Where else to look (3)
Home directories
History files
Common areas
/tmp
Log files

16
Where can data hide?
Not your usual places:
Hidden directories
File slack space
Deleted Files
Cryptography
Steganography
Covert Channels

17
Filesystem Basics
Superblock
Directories
Files
Contiguous disk space
Inodes
File deletion

18
Ext2 filesystem

19
What files to look at first?
Must haves!
/etc/issue (OS and version)
/tmp/install.log? (OS Install Date)
/etc/timezone
/var/log/boot.log (Boot Date)
/etc/fstab
/etc/passwd
SUID/SGID files
Recently created files and binaries
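The "must have" checks above as shell functions run against a mounted evidence image rather than the live root. This is an added example, not from the original presentation: the mount point passed as `ROOT` (for instance `/mnt/evidence`) is hypothetical, and the tree built in the demo is constructed sample data. It assumes POSIX sh with `find` and `awk`.

```sh
#!/bin/sh
# Added example, not from the original slides: triage checks for the files
# listed above. $1 of each function is the mount point of the evidence
# image (hypothetical path), never the live root of the analysis box.
set -u

# baseline ROOT: print the OS identification files from the slide,
# noting any that are absent instead of failing.
baseline() {
    root="$1"
    for f in etc/issue etc/timezone var/log/boot.log etc/fstab; do
        if [ -f "$root/$f" ]; then
            printf '== %s ==\n' "$f"; cat "$root/$f"
        else
            printf '== %s == (absent)\n' "$f"
        fi
    done
}

# find_suid ROOT: regular files with the setuid or setgid bit set.
# Diff the list against a known-good install of the same release; any
# entry that is not in the baseline is a candidate backdoor.
find_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# find_recent ROOT DAYS: regular files modified within the last DAYS days.
# mtime is trivially forged with touch, so cross-check with -ctime: the
# kernel sets ctime on every inode change and touch cannot set it directly.
find_recent() {
    find "$1" -type f -mtime -"$2" -print | sort
}

# extra_uid0 PASSWD: accounts other than root with UID 0, a classic
# backdoor login left in /etc/passwd.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Demo on a constructed tree (sample data, not real evidence).
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/usr/bin"
printf 'Debian GNU/Linux 4.0 \\n \\l\n' >"$demo/etc/issue"
printf 'root:x:0:0:root:/root:/bin/sh\ntoor:x:0:0::/:/bin/sh\nkristy:x:1000:1000::/home/kristy:/bin/sh\n' >"$demo/etc/passwd"
printf '#!/bin/sh\n' >"$demo/usr/bin/.sh"; chmod 4755 "$demo/usr/bin/.sh"
baseline "$demo"
echo "setuid/setgid files:"; find_suid "$demo"
echo "files modified in the last day:"; find_recent "$demo" 1
echo "uid 0 accounts besides root:"; extra_uid0 "$demo/etc/passwd"
```

On a real image the interesting output is the difference from a clean system: a setuid file in a hidden name under `/usr/bin`, a second UID 0 account, or a cluster of files whose ctime falls in the window the other evidence points to.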

20
What else we can run into
Large capacity drives
Critical machine
Unable to power down ever
No backup mechanism in place
People
Policy and legal issues

21
What are we looking for?
Use information that you have gathered
Search the evidence
Look for anomalous behavior
Verify what you find
DOCUMENT ALL!!!

22
What evidence to collect
Clean the media you will make images with
Use hash algorithm to verify no changes were made to the media
Obtain a forensic image
Don’t forget the volatile information
Look for backdoors, sniffer programs, system registry or /proc, startup files and processes

23
Legal Implications
Sniffers
Banners
Chain of Custody

24
Making bit images
Verify integrity of analysis system
Install and sterilize image media
Connect evidence disk to analysis system
Get a partition listing
Create/check cryptographic hashing
Create a bit image for each partition
Check hash value of each to validate
Remove evidence disk, document, and store
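The imaging steps above (and the "verify integrity" point of slide 11) as a script: hash the evidence, bit-copy it with `dd`, hash the image, record both hashes beside the image, and re-verify later. This is an added example, not from the original presentation; it assumes POSIX sh with `dd` and `sha256sum` (coreutils). The evidence device and sterilised destination paths are hypothetical, and the demo images a constructed file of four sectors instead of a real partition.

```sh
#!/bin/sh
# Added example, not from the original slides: partition imaging with
# before/after hashing. In real use $1 is a raw device such as a partition
# node and $2 a file on sterilised, previously hashed media.
set -u

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_partition SRC DEST: bit-copy SRC to DEST and succeed only if the
# image hash equals the source hash and the source hash did not change
# while it was being read. conv=noerror,sync continues over unreadable
# sectors (zero-filled) instead of aborting; bs=512 keeps any padding to
# a single sector, so a whole-sector device hashes identically to its image.
image_partition() {
    src="$1"; dest="$2"
    before=$(hash_of "$src")
    # dd's record counts go to a log: the "record everything" rule.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>"$dest.dd.log" || return 1
    after=$(hash_of "$dest")
    src_again=$(hash_of "$src")
    {
        printf '%s  %s\n' "$before" "$src"
        printf '%s  %s\n' "$after" "$dest"
    } >"$dest.sha256"
    [ "$before" = "$after" ] && [ "$before" = "$src_again" ]
}

# verify_image DEST: re-check the stored image hash, e.g. before analysis
# or whenever the image changes hands under chain of custody.
verify_image() {
    expected=$(sed -n '2p' "$1.sha256" | cut -d' ' -f1)
    [ "$(hash_of "$1")" = "$expected" ]
}

# Over the network (slide 11) the same hashes apply: on the analysis host
# listen with nc and redirect to the image file, on the suspect host pipe
# dd into nc, then hash both ends. Listener syntax differs between netcat
# variants (traditional "nc -l -p PORT" vs OpenBSD "nc -l PORT").

# Demo on a constructed four-sector "partition" (sample data).
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/evidence" bs=512 count=4 2>/dev/null
if image_partition "$demo/evidence" "$demo/evidence.img"; then
    echo "image verified"; cat "$demo/evidence.img.sha256"
else
    echo "HASH MISMATCH - do not proceed"
fi
```

Two caveats a practitioner will hit: the source-versus-image comparison only holds when the source is a whole number of sectors (true of a partition, not necessarily of a loose file, which `sync` would pad), and a device with genuinely bad sectors will never hash equal to its image, so the `.dd.log` record of errors is what documents the discrepancy.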

25
Let’s look at some tools
Ethereal
TCT
mac_daddy
TASK
Autopsy

26
Tools within TASK
fsstat
dcat
dls
dcalc
dstat
ils
istat
icat
ifind

27
Advanced techniques
Kernel Module Forensics
Binary Analysis
Process Wiretapping
Malware Dissection

28
Anti-forensics
Phrack 59
Tools that work to foil what we have learned today
Burneye
The Defiler’s Toolkit

29
How can this help you?
Root cause analysis
Find possible break-ins
Find possible accidents
Help to improve processes

30
Resources
• Honeynet Project http://project.honeynet.org
• “Know your Enemy” http://project.honeynet.org/papers
• chkrootkit homepage http://www.chkrootkit.org#related_links
• Incidents.org http://www.incidents.org
• SANS/GIAC whitepapers http://www.giac.org/
• http://www.cygwin.com
• http://www.gmgsystemsinc.com/fau/
• http://www.systeminternals.com
• http://www.foundstone.com
• http://www.remote-exploit.org/backtrack_download.html

31
