CIT 380: Securing Computer Systems
DESCRIPTION
CIT 380: Securing Computer Systems. Forensics. Computer Forensics: Forensic Toolkit, Live Data Collection, Forensic Duplication, Network Data Collection, Evidence Handling, Disk Data Analysis, UNIX Forensics, Network Data Analysis. (Transcript of a slide deck.)
CIT 380: Securing Computer Systems Slide #1
CIT 380: Securing Computer Systems
Forensics
Computer Forensics
1. Forensic Toolkit
2. Live Data Collection
3. Forensic Duplication
4. Network Data Collection
5. Evidence Handling
6. Disk Data Analysis
7. UNIX Forensics
8. Network Data Analysis
Forensic Toolkit
A forensic investigation requires a trusted set of tools to collect and analyze data: the binaries on a compromised host may have been replaced, so every tool run on it should come from read-only media you control.
Hardware/Media:
– CD-ROM (or other read-only media) containing the tools.
– USB drive or portable hard drive for saving collected data.
– Laptop for network data collection and/or saving larger quantities of data.
– Secure data analysis workstation:
• Hard drive space for analyzing drive images.
• Drive bays and controllers for analyzing multiple types of hard disks.
• A hardware write blocker between suspect disks and the workstation, so the original is never written to.
Forensic Toolkit Software
– bash: known good copy of the shell (cmd.exe for Windows)
– dd: create bit-level images of disks
– find and ls: examine directory listings
– ifconfig: network configuration (ipconfig for Windows)
– lsmod: list loaded kernel modules (modinfo for Sun)
– lsof: list open files (and network connections)
– md5sum: generate/validate file checksums
– netcat or cryptcat: save collected data via the network
– netstat: collect status of network connections
– ps: collect process data (pslist for Windows)
– script: records terminal sessions
– strace: system call tracer (truss for Sun)
– strings: list text strings in binaries
– vim: edit and/or view binary/text files
Build these statically linked: a dynamically linked tool on the CD still loads the suspect system's shared libraries, and a trojaned libc defeats the point of the trusted copy.
Forensic Toolkit Software
Live CD toolkits
– FIRE: Forensic & Incident Response Environment
– Helix Forensics CD: contains Sleuthkit.
Specialized forensics tools
– Sleuthkit (http://www.sleuthkit.org/)
• Includes the Autopsy Forensic Browser.
– The Coroner's Toolkit
• http://www.porcupine.org/forensics/tct.html
– EnCase, FTK
• Commercial MS Windows toolkits.
Live Data Collection
• In-memory system state is volatile and must be collected before the system is shut down.
• These types of data will be lost on shutdown:
– Running processes.
– Open network connections.
– Deleted binaries whose programs are still executing.
– Deleted files in use by a running program.
• Caveat: even running tools from CD-ROM modifies system state, both memory (perhaps including swap) and disk files (for example atime updates and new log entries). Collect in order of volatility and record exactly what you ran, so those changes can be accounted for later.
Saving Live Data
Floppy drive
– small but ubiquitous on older systems.
USB drive
– larger but not available on older systems.
Network storage
– Use a netcat listener on the remote host:
• nc -l -p 2222 >output
• (OpenBSD-derived netcat takes nc -l 2222 instead.)
– Pipe to netcat on the machine you're investigating:
• /mnt/cdrom/bin/date | /mnt/cdrom/bin/nc -w 3 destIP 2222
– Use cryptcat or pipe through DES for confidentiality. DES is obsolete today; openssl enc with AES, or an SSH/TLS tunnel, serves the same purpose. Plain netcat gives no integrity protection either, so hash the data on both ends and compare.
Live Data Procedure
1. Mount forensic toolkit media
• mount -n /mnt/cdrom (-n: do not write an entry to /etc/mtab)
2. Start trusted shell
• /mnt/cdrom/bin/bash
• export PATH=/mnt/cdrom/bin
3. Record current date
• date
4. ARP and route cache tables
• arp -an
• route -Cn
• (on current Linux: ip neigh show; ip route show)
Live Data Procedure
5. Logged-in users
• w
6. File-modification times
• atime: ls -alRu /
• ctime: ls -alRc /
• mtime: ls -alR /
7. Open network connections/sniffers
• ifconfig -a (an interface in PROMISC mode suggests a sniffer)
• netstat -anp (or ss -anp)
8. Physical memory image
• dd if=/proc/kcore | nc remoteIP port
• /proc/kcore is an ELF-formatted view of kernel memory rather than a raw dump, and recent kernels restrict it (and /dev/mem) heavily; a purpose-built module such as LiME is the usual route on modern Linux.
Live Data Procedure
9. Kernel modules and symbols
• cat /proc/modules
• cat /proc/ksyms (2.4 kernels; /proc/kallsyms on 2.6 and later)
• For detecting hidden kernel modules:
• insmod -f /mnt/cdrom/hunter.o
• cat /proc/showmodules
10. Process list
• ps aux
• Memory image of suspicious processes:
• pcat PID (from The Coroner's Toolkit), or
• kill -STOP PID && gcore -o PID.img PID (gcore writes the dump as PID.img.PID)
Live Data Procedure
11. Record system logs
1. utmp: current user access/accounting data
2. wtmp: historical user access/accounting data
3. lastlog: last access/login data
4. syslog files:
• /etc/syslog.conf
• /var/adm/messages or /var/log/messages
5. Application logs
• Shell history files
• Apache access_log
• FTP xferlog
Live Data Procedure
12. Save configuration files
Authentication: /etc/passwd, /etc/shadow
Scope of access: /etc/group
Local machines: /etc/hosts
Trust relationships: /etc/hosts.equiv, ~/.rhosts, ~/.ssh/authorized_keys
TCP wrapper rules: /etc/hosts.allow, /etc/hosts.deny
Syslog configuration: /etc/syslog.conf
inetd/xinetd: /etc/inetd.conf, /etc/xinetd.conf, /etc/xinetd.d
Startup files: /etc/inittab, /etc/rc*
Scheduled events: /var/spool/cron/*, /etc/crontab, /etc/cron.d
Live Data Procedure
13. Find deleted files
lsof: list open files
Look for entries whose NAME column shows only a device/partition (or the suffix "(deleted)" on newer lsof) instead of a path.
Investigate /proc entries for processes:
# ls -al /proc/1403
dr-xr-xr-x  3 root root 0 Apr 22 04:09 .
dr-xr-xr-x 78 root root 0 Apr 17 13:33 ..
dr-xr-xr-x  2 root root 0 Apr 26 19:25 attr
-r--------  1 root root 0 Apr 26 19:25 auxv
-r--r--r--  1 root root 0 Apr 26 19:24 cmdline
lrwxrwxrwx  1 root root 0 Apr 26 19:25 cwd -> /
-r--------  1 root root 0 Apr 26 19:25 environ
lrwxrwxrwx  1 root root 0 Apr 26 19:25 exe -> /sbin/syslogd
dr-x------  2 root root 0 Apr 26 19:25 fd
-r--------  1 root root 0 Apr 26 19:25 maps
-rw-------  1 root root 0 Apr 26 19:25 mem
-r--r--r--  1 root root 0 Apr 26 19:25 mounts
lrwxrwxrwx  1 root root 0 Apr 26 19:25 root -> /
-r--r--r--  1 root root 0 Apr 26 19:24 stat
-r--r--r--  1 root root 0 Apr 26 19:25 statm
-r--r--r--  1 root root 0 Apr 26 19:24 status
dr-xr-xr-x  3 root root 0 Apr 26 19:25 task
-r--r--r--  1 root root 0 Apr 26 19:25 wchan
Live Data Procedure
13. Find deleted files (continued)
exe link points to the binary image file for the process
Can access the binary via the link even if the file has been deleted (the link target then ends in "(deleted)"; cp /proc/PID/exe saved.bin recovers it)
cmdline file contains the command line args, NUL-separated
cat cmdline (or tr '\0' ' ' < cmdline to make it readable)
fd directory lists all open files by file descriptor; a deleted-but-open file can be copied back out through its fd entry the same way
> ls -al fd
total 7
dr-x------ 2 root root  0 Apr 26 19:25 .
dr-xr-xr-x 3 root root  0 Apr 22 04:09 ..
lrwx------ 1 root root 64 Apr 26 19:25 0 -> socket:[2715]
l-wx------ 1 root root 64 Apr 26 19:25 2 -> /var/log/messages
l-wx------ 1 root root 64 Apr 26 19:25 3 -> /var/log/secure
l-wx------ 1 root root 64 Apr 26 19:25 4 -> /var/log/maillog
l-wx------ 1 root root 64 Apr 26 19:25 5 -> /var/log/cron
l-wx------ 1 root root 64 Apr 26 19:25 6 -> /var/log/spooler
l-wx------ 1 root root 64 Apr 26 19:25 7 -> /var/log/boot.log
Live Data Procedure
14. Record completion date.
15. Record your actions.
history will list all of your commands
script command will record all keystrokes and output of commands:
script /mnt/floppy/log.txt
(start script at the beginning of the session, right after the trusted shell, so every step above is captured)
16. Record secure checksums on files
md5sum * >md5sums.txt
MD5 is no longer collision resistant; record sha256sum output as well (or instead) so the checksums will stand up later.
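The sixteen steps above as one collection script, added here as an example; it is not code from the slides. It assumes a trusted toolkit directory (TOOLDIR, the slides' /mnt/cdrom/bin) and an output directory on external media or a netcat-fed mount, never the suspect disk. The command list, the step labels and the MISSING/.rc/.tool bookkeeping are this example's own conventions.

```sh
#!/bin/sh
# Added example (not from the slides): runner for the live-data steps.
# Assumes TOOLDIR holds trusted, statically linked binaries and that OUTDIR
# is not on the suspect system's disk.
TOOLDIR="${TOOLDIR:-/mnt/cdrom/bin}"

# One step per line, "<label>|<command>", in volatility order: timestamp
# first, caches and connections before process and module lists, timestamp
# last. Old net-tools names and their iproute2/ss replacements are both
# listed; whichever is absent on the host is recorded as MISSING.
collect_steps() {
  cat <<'EOF'
00-date-start|date -u
01-arp|arp -an
01-neigh|ip neigh show
02-route|route -Cn
02-route-ip|ip route show
03-users|w
04-ifconfig|ifconfig -a
04-ip-addr|ip addr show
05-netstat|netstat -anp
05-ss|ss -anp
06-modules|cat /proc/modules
07-ps|ps aux
08-lsof|lsof -nP
09-date-end|date -u
EOF
}

# run_collection OUTDIR: run every step with the toolkit first in PATH, saving
# stdout (.txt), stderr (.err), exit status (.rc) and the path of the binary
# that actually answered (.tool). Ends with a SHA-256 manifest and returns 0
# only if that manifest verifies.
run_collection() {
  outdir=$1
  mkdir -p "$outdir"
  oldpath=$PATH
  PATH="$TOOLDIR:$PATH"; export PATH
  collect_steps | while IFS='|' read -r label cmd; do
    tool=${cmd%% *}
    src=$(command -v "$tool" 2>/dev/null || true)
    if [ -z "$src" ]; then
      echo "MISSING $tool" > "$outdir/$label.txt"
      continue
    fi
    echo "$src" > "$outdir/$label.tool"
    rc=0
    $cmd > "$outdir/$label.txt" 2> "$outdir/$label.err" || rc=$?
    echo "$rc" > "$outdir/$label.rc"
  done
  PATH=$oldpath; export PATH
  # Hash everything produced (manifest excluded) so later copies can be checked.
  ( cd "$outdir" && find . -maxdepth 1 -type f ! -name MANIFEST.sha256 | sort \
      | xargs sha256sum > MANIFEST.sha256 )
  verify_manifest "$outdir"
}

# verify_manifest OUTDIR: 0 if every collected file still matches the manifest.
verify_manifest() {
  ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# usage: /mnt/cdrom/bin/sh live_collect.sh /mnt/usb/case01
if [ -n "${1:-}" ]; then
  run_collection "$1" && echo "collection complete and manifest verified"
fi
```

Run it from the toolkit's own shell and inside a script(1) session. The .tool files matter afterwards: a step that silently fell back to a system binary because the toolkit lacked it is visible in the record rather than discovered in court.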
Forensic Duplication
Forensic Duplicate: a file that contains every bit of information from the source.
Qualified Forensic Duplicate: a file or set of files that contains every bit of information in the source, but which may be stored in an altered format:
– checksums
– compression
Forensic Duplication
Restored Image: the result of restoring a qualified forensic duplicate to another medium.
– Problems: different drive geometries, partition tables.
Forensic Duplication
• Compare and record data checksums
– md5sum /dev/hda must equal md5sum hda.img
• Duplicating a drive to local media
– dd if=/dev/hda of=/mnt/disk/hda.img conv=noerror,sync bs=16384
– noerror alone skips unreadable blocks and shifts everything after them; sync pads them with zeros so offsets are preserved. Choose a bs that divides the device size, or the final block is padded and the image hash no longer matches the device.
• Duplicating a drive across the network
– dd if=/dev/hda conv=noerror,sync | des -e -c -k password | nc -w 3 targetIP 2222
– nc -l -p 2222 | des -d -c -k password | dd of=hda.img
– (des is a legacy utility; openssl enc with AES, or an SSH tunnel, is the current equivalent.)
Forensic Duplication
Duplicating a drive to multiple files
#!/bin/bash
blocksz=20480k            # 20 MB per chunk file
count=1
# count=1 limits each file to one block; dd exits 0 at the end of the
# device, so loop until it produces an empty chunk
while dd if=/dev/hda of=/mnt/disk/hda.$count.img bs=$blocksz \
         skip=$((count-1)) count=1 conv=noerror,sync 2>/dev/null &&
      [ -s /mnt/disk/hda.$count.img ]
do
  echo "Block $count output."
  count=$((count+1))
done
rm -f /mnt/disk/hda.$count.img   # the empty chunk that ended the loop
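The chunked dd loop above, carried through with the hash bookkeeping the Evidence Handling slides ask for, as an added example rather than the slides' own code. SRC stands for the suspect device (/dev/hda in the slides); the zero-padded .NNNN.img naming, the PREFIX.sha256 and PREFIX.source files and the function names are this example's conventions. Only dd, head and sha256sum are involved, so any regular file stands in for a device when trying it.

```sh
#!/bin/sh
# Added example (not from the slides): hash-verified imaging into chunk files.
# SRC is assumed to be the suspect device; a regular file works the same way.

# source_size SRC: size in bytes. blockdev answers for block devices; the wc
# fallback is for regular files (it would read a whole device, hence last).
source_size() {
  { blockdev --getsize64 "$1" 2>/dev/null || wc -c < "$1"; } | tr -d ' '
}

# hash_prefix FILE NBYTES: SHA-256 of the first NBYTES of FILE. conv=sync
# pads the last chunk with zeros to a full block, so source and image must
# be hashed over the original length, not over the padded image.
hash_prefix() {
  head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# image_chunks SRC PREFIX CHUNKBYTES: write PREFIX.0001.img, PREFIX.0002.img,
# ... (zero-padded so a shell glob lists them in order), each CHUNKBYTES long.
# conv=noerror,sync carries on past unreadable sectors and zero-fills them,
# which keeps every later offset where it was on the device. Records one
# hash per chunk (PREFIX.sha256) and "<bytes> <hash>" of the source
# (PREFIX.source).
image_chunks() {
  src=$1; prefix=$2; chunk=$3
  n=1
  while :; do
    out=$(printf '%s.%04d.img' "$prefix" "$n")
    dd if="$src" of="$out" bs="$chunk" skip=$((n-1)) count=1 \
       conv=noerror,sync 2>/dev/null || true
    # dd does not fail at end of device; an empty chunk marks the end.
    if [ ! -s "$out" ]; then rm -f "$out"; break; fi
    n=$((n+1))
  done
  sha256sum "$prefix".*.img > "$prefix.sha256"
  bytes=$(source_size "$src")
  echo "$bytes $(hash_prefix "$src" "$bytes")" > "$prefix.source"
}

# verify_image PREFIX: 0 only if every chunk matches its recorded hash and
# the chunks, concatenated and trimmed to the recorded size, hash like the
# source did. This is the check the chain-of-custody log should cite.
verify_image() {
  prefix=$1
  sha256sum -c "$prefix.sha256" >/dev/null 2>&1 || return 1
  read -r bytes want < "$prefix.source"
  got=$(cat "$prefix".*.img | head -c "$bytes" | sha256sum | cut -d' ' -f1)
  [ "$got" = "$want" ]
}

# chunk_count PREFIX: number of chunk files written.
chunk_count() { ls "$1".*.img | wc -l | tr -d ' '; }

# usage: sh image.sh /dev/sda /mnt/disk/sda 2147483648
if [ $# -eq 3 ]; then
  image_chunks "$1" "$2" "$3" && verify_image "$2" && echo "image verified"
fi
```

The recorded byte count is what makes the verification honest: the padded image is longer than the device, so hashing it whole would never match, and an analyst who "fixed" that by trusting only the per-chunk hashes would lose the link back to the original.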
Evidence Handling
Original Evidence: the original evidence provided by the client/victim.
Best Evidence: the duplicate of the evidence most closely linked to the original evidence.
Authentication of Evidence: testimony of the evidence collector in court that the evidence is what the proponent claims.
Evidence Handling
Chain of Custody
– Evidence must be stored in a tamperproof manner, where it cannot be accessed by unauthorized people.
– Requirements:
• Know the location of evidence at all times.
• Maintain custody of keys/passwords for access.
• Document all receipts and transfers of evidence.
• Provide testimony to defend evidence handling.
• Secure checksums of all files to validate that best evidence matches original evidence.
Evidence Handling Procedures
1. Record information about the original system.
– Include photographs of system and media.
2. Create an evidence tag for the evidence stored.
3. Label all media with an evidence label.
– Case number and evidence tag number.
– Timestamp and description of contents.
4. Store the best evidence copy in the evidence safe.
5. Evidence custodian records the entry in the log.
6. All examinations are performed on a forensic copy of the best evidence.
7. Evidence custodian is responsible for backups and audits of the contents of the evidence safe.
Evidence Tags
• Description of place and/or persons from whom evidence was received.
• Description of item and data contained.
• Timestamp of when evidence was received.
• Full name and signature of the individual receiving evidence.
• Case and tag number related to evidence.
• Record of all people who have possessed the evidence, including names, timestamps, and reasons why evidence was transferred.
Disk Data Analysis
Use a Linux analysis system
– Support for a wide range of filesystems: FAT12, FAT16, FAT32, NTFS, HFS+, FFS, UFS
Mount a read-only partition image via the loopback device:
– mount -r -t ntfs -o loop hda1.img /mnt/evi
– Add noexec,nosuid,nodev so nothing on the image can be executed or opened as a device by mistake. For ext3/ext4 images add noload (norecovery on XFS): even a read-only mount otherwise replays the journal and alters the image. For a whole-disk image, give the partition's byte offset with -o loop,offset=N (from fdisk -l or Sleuthkit's mmls).
Examine the mounted image with standard UNIX tools.
Recovering Deleted Files
Linux Tools
– fatback
• FAT/VFAT filesystem undelete by name.
– foremost
• Recovers files based on header/footer tags (carving), so it also works on unallocated space and on images whose filesystem is damaged.
– Sleuthkit (TASK)
• http://www.sleuthkit.org/
• FAT/BSD/Linux/UFS filesystems.
• Autopsy GUI forensic browser.
Recovering Unused Space
Types of Unused Space
– Unallocated space
• Disk blocks not currently allocated to any file; the contents of deleted files persist here until overwritten.
– Slack space
• The unused tail of the last block allocated to a file, between the end of the file's data and the end of the block; it still holds whatever was written there before.
– Free space
• Portion of the disk not used by any current partition.
File Lists
Create a list of all files
– Full path
– All timestamps (atime, ctime, mtime on UNIX)
– Logical file size
– Cryptographic checksum of file
Tool: CATALOG -p /mnt/loopa1
Compare checksums against known good checksums of the OS distribution to find altered files. Take the known-good hashes from trusted media or the vendor's published lists, not from a package database on the image itself, which the intruder may have updated along with the binaries.
Identify suspicious files
New SUID/SGID files
find /mnt/evi \( -perm -4000 -o -perm -2000 \) -print
Files with no owner
find /mnt/evi \( -nouser -o -nogroup \) -print
(find checks the analysis host's account database, so cross-check against the /etc/passwd saved from the evidence.)
Core files may reveal attacker programs
find /mnt/evi -name core -print
String Searches
Preparations
– Recover deleted files.
– Recursively uncompress/decrypt files as needed.
String Searches
Using GNU grep
grep -a -i -C 5 -f search /dev/hda >results
-a: search binary files as text
-i: case insensitive
-C N (or simply -N): N lines of context before/after each match
-f: search file contains the list of regular expressions, one per line
On a raw device a "line" is everything between two newline bytes and can run to megabytes, so context lines are of limited use there; grep -a -o -b prints the byte offset of each match instead, and offset/512 is the sector to examine.
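The suspicious-file checks from the previous slide and the string search above, combined into one added example (not the slides' code). ROOT is assumed to be the read-only mount point from the Disk Data Analysis slide (/mnt/evi); the known-good list format, the output words MISSING/MODIFIED and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the slides): triage pass over a mounted image.
# -xdev keeps find inside the image; without it a stray bind mount or the
# analysis host's own /proc could leak into the results.

# find_suid_sgid ROOT: setuid or setgid regular files (mode bits 4000/2000).
find_suid_sgid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# find_orphans ROOT: files whose uid/gid match no account. find consults the
# analysis host's passwd/group, so compare against the evidence copy of
# /etc/passwd as well before drawing conclusions.
find_orphans() {
  find "$1" -xdev \( -nouser -o -nogroup \) -print | sort
}

# find_core_files ROOT: core dumps, which may hold crashed attacker tools.
find_core_files() {
  find "$1" -xdev -type f -name core -print | sort
}

# altered_files KNOWN ROOT: KNOWN holds "<sha256>  <path relative to ROOT>"
# lines taken from a trusted copy of the distribution. Prints MISSING or
# MODIFIED for every entry that no longer matches; prints nothing if all
# match. Assumed list format, chosen so sha256sum output can be pasted in.
altered_files() {
  known=$1; root=$2
  while read -r want rel; do
    [ -n "$want" ] || continue
    f="$root/$rel"
    if [ ! -f "$f" ]; then
      echo "MISSING $rel"
      continue
    fi
    got=$(sha256sum "$f" | cut -d' ' -f1)
    [ "$got" = "$want" ] || echo "MODIFIED $rel"
  done < "$known"
}

# keyword_offsets KEYWORDS IMAGE: search the raw image (-a) for each fixed
# string in KEYWORDS, case-insensitively, printing "byte_offset sector match".
# -o -b reports the offset of the match itself, which on a raw device is far
# more useful than context lines; sector assumes 512-byte sectors.
keyword_offsets() {
  grep -a -o -b -i -F -f "$1" "$2" |
    awk -F: '{ printf "%d %d %s\n", $1, int($1/512), substr($0, index($0, ":")+1) }'
}
```

Against a real image, run the three find functions first (they are cheap), then altered_files with the vendor's hash list, and keep keyword_offsets for the raw partition image rather than the mounted tree so matches in unallocated space and slack are not missed.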
UNIX Forensics
1. Review log files
2. Keyword searches of the disk image
3. Review configuration files
4. Identify unauthorized users/groups
5. Identify suspicious files
6. Identify suspicious processes
7. Check for backdoors
8. Analyze trust relationships
9. Check for kernel rootkits
Network Data Collection
Goals
1. Monitor a specific host/network.
2. Monitor a specific protocol.
3. Monitor a specific person's actions.
4. Check for known attack signatures.
Process
1. Deploy sniffing hardware on the appropriate network.
2. Deploy software to collect packet or session data.
3. Use data analysis software.
Deploying a Sniffer
Hub
– Hubs flood packets to all interfaces.
– Insert a hub between source and destination.
– Disadvantages: half-duplex, collisions, and 10/100 only, so inserting one changes the link being observed.
SPAN Port
– Switched Port ANalyzer, aka mirror port.
– Supported by most enterprise-class managed switches.
– Configure the switch to mirror traffic to one port.
– The switch may drop SPAN packets when load is heavy: both directions of a full-duplex link are squeezed into one port's capacity, and the loss is silent, so the capture cannot be shown to be complete.
Deploying a Sniffer
TAP
– Insert between source and destination of traffic.
– 4 ports: input, output, outbound mirror, inbound mirror
– Passive: it never drops or delays production traffic. Each direction arrives on its own mirror port, so the capture host needs two interfaces (or an aggregating TAP) and must merge the two streams in time order.
Hardware Issues
Fast networks require high resources to monitor.
– High quality network card (PCIe card for gigabit)
– RAID striped disk for a heavily used 100+Mbps network.
– Modern dual-core CPU.
Hardware Issues
Silent Sniffers
– Use a SPAN port or TAP to avoid sending traffic.
– Configure the interface without an IP address to monitor while not being scannable.
• Turn off ARP responses (ifconfig eth0 -arp up; with iproute2: ip link set dev eth0 arp off up)
• Unbind NetBIOS and IPX protocols on MS Windows.
– Construct a read-only ethernet tap cable by cutting the transmit wires on the cable for maximum stealth. This works for 10/100 links only: 1000BASE-T uses all four pairs in both directions and will not negotiate a link with a pair cut.
Wireshark
• Based on libpcap like tcpdump.
• Convenient graphical interface.
– Slows down data collection, may lose packets; capture with tcpdump or Wireshark's own dumpcap and open the file afterwards.
– Useful for analysis.
– View filters for colorizing the packet display.
– "Follow TCP Stream"
• Select one packet from a TCP session.
• Display and/or save a single TCP session.
• Reconstruct files transferred via TCP file transfer protocols.
• Formerly known as Ethereal.
Key Points
• Don't trust the system being investigated.
• Document all of your actions.
• Collect as much data as possible without modifying system state.
• Cryptographically hash (and, where possible, sign) all digital data so copies can be verified to match originals.
• Forensic duplication and restoration process.
• Network capture and analysis tools.
– Hardware for network captures.
– Full content data: tcpdump, ngrep
– Session data: argus, tcpflow