Book Two- Chapter Six-Linux Flashcards
Describe the Linux file system.
Linux is a free, UNIX-based, open-source operating system originally created by Linus Torvalds. It comes in several different versions, called distributions, including Red Hat, SUSE, Debian, and Ubuntu. There are three basic types of Linux distributions:
- Desktop distributions, which include a graphical interface and common applications suitable for home use.
- Server or enterprise distributions, used primarily for business applications, but which can also be used as a home server.
- Live-CD distributions, which are stored on bootable storage devices. A Live CD is a bootable version of an OS that is loaded directly into RAM and functions outside of, and independently of, the target computer's OS.
File System in Linux:
Linux treats its devices as files, stored in /dev. Most Linux distributions share a basic directory structure, with files organized in the following directories:
/bin: Common commands
/boot: Files needed at boot time, including the kernel images that are pointed to by LILO or GRUB
/usr: Local software, libraries, games, and so on
/var: Logs and other variable files
/dev: Interface files that allow the kernel to interact with hardware and the file system
/home: Directories for each user on the system, containing user-specific personal and configuration files
/mnt: Mount points for external, remote, and removable file systems
/etc: Administrative configuration files and scripts
/root: The root user's home directory
/sbin: Administrative commands and process-control daemons
/lib: Basic system libraries
/opt: Optional and third-party software
To find system information, the following commands can be used:
uname -a: returns the computer name and Linux version
ls -l: returns the list of files in the current directory
ls -ul [filename]: returns the access time of the file
netstat -s: returns protocol information
UNIX and Linux use a tree, or hierarchical, structure for storing files in directories. In a UNIX disk structure, the topmost directory is the root directory and is denoted by a forward slash (/).
The root directory contains a number of directories, and these directories have subdirectories. A subdirectory is known as a child of the parent directory from which it is branched. Ex: in the directory /usr/game, /game is the child of /usr, and in turn, /usr is the parent of /game.
When a file system is created, a superblock is also created that keeps track of metadata including the type of file system, device block size, maximum file volume, name, and other information related to the file system. After the superblock, another important structure is the inode. An inode acts as an index of the file. Each inode represents a file stored on the disk. Using the -i option with the ls command, a user can see the inode number of the file.
The second extended (ext2) file system is perhaps the most convenient Linux file system. It has improved algorithms and extra time stamps for last access, last inode modification, and last data modification. It can also track the state of the file system.
What are the various data collection techniques for a live Linux system?
Data Collection:
Forensic Toolkit Prep
Forensic investigators use their own forensic toolkit to find and collect any important data from a compromised system. The toolkit is a pack of tools such as nc, dd, date, cat, pcat, Hunter.o, insmod, netstat, arp, route, dmesg, and others.
The investigator mounts the toolkit on a removable disk. It is safest to send the toolkit's output to the remote (forensic) system in order to avoid changing the compromised system's metadata.
Data Collection Using the Toolkit:
An investigator should follow these steps to collect data. In the commands below, the nc listener runs on the forensic workstation and the compromised system pipes each command's output to it; <host> and <port> are placeholders for the workstation's address and listening port (the original card did not give them):
- Media mounting: mount the toolkit on the external media:
mount -n /mnt/cdrom
Calculate the hash value of each collected file, for example:
md5sum date_compromised > date_compromised.md5
- Current date: collect the current date, presented in UTC format:
nc -l -p <port> > date_compromised
/mnt/cdrom/date -u | /mnt/cdrom/nc <host> <port>
md5sum date_compromised > date_compromised.md5
- Cache tables: collect the MAC address cache table:
nc -l -p <port> > arp_compromised
/mnt/cdrom/arp -an | /mnt/cdrom/nc <host> <port>
md5sum arp_compromised > arp_compromised.md5
Collect the kernel route cache table:
nc -l -p <port> > route_compromised
/mnt/cdrom/route -Cn | /mnt/cdrom/nc <host> <port>
md5sum route_compromised > route_compromised.md5
- Current and pending connections and open TCP/UDP ports:
nc -l -p <port> > connections_compromised
/mnt/cdrom/netstat -an | /mnt/cdrom/nc <host> <port>
md5sum connections_compromised > connections_compromised.md5
- Physical memory image: access physical memory directly by copying the /dev/mem device or by copying the kcore file, located in the pseudo-file system mounted in the /proc directory:
nc -l -p <port> > kcore_compromised
/mnt/cdrom/dd < /proc/kcore | /mnt/cdrom/nc <host> <port>
md5sum kcore_compromised > kcore_compromised.md5
- List modules loaded into kernel memory: check which modules are currently loaded into memory:
nc -l -p <port> > lkms_compromised
/mnt/cdrom/cat /proc/modules | /mnt/cdrom/nc <host> <port>
nc -l -p <port> > lkms_compromised.md5
/mnt/cdrom/md5sum /proc/modules | /mnt/cdrom/nc <host> <port>
Analyze the ksyms file to detect the presence of an intruder:
nc -l -p <port> > ksyms_compromised
/mnt/cdrom/cat /proc/ksyms | /mnt/cdrom/nc <host> <port>
nc -l -p <port> > ksyms_compromised.md5
/mnt/cdrom/md5sum /proc/ksyms | /mnt/cdrom/nc <host> <port>
- List active processes: collect info about all processes, open ports, and files with the lsof command:
nc -l -p <port> > lsof_compromised
/mnt/cdrom/lsof -n -P -l | /mnt/cdrom/nc <host> <port>
md5sum lsof_compromised > lsof_compromised.md5
- Collect suspicious processes: copy the entire memory allocated by a process (proc_id is the process ID):
nc -l -p <port> > proc_id_compromised
/mnt/cdrom/pcat proc_id | /mnt/cdrom/nc <host> <port>
md5sum proc_id_compromised > proc_id_compromised.md5
- Collect info about the compromised system:
/mnt/cdrom/cat /proc/version (OS version)
/mnt/cdrom/cat /proc/sys/kernel/hostname (host name)
/mnt/cdrom/cat /proc/sys/kernel/domainname (domain name)
/mnt/cdrom/cat /proc/cpuinfo (info about hardware)
/mnt/cdrom/cat /proc/swaps (all swap partitions)
/mnt/cdrom/cat /proc/partitions (all local file systems)
/mnt/cdrom/cat /proc/self/mounts (mounted file systems)
/mnt/cdrom/cat /proc/uptime (uptime)
- Current time: gather info about the current time at the end of collection:
nc -l -p <port> > end_time
/mnt/cdrom/date | /mnt/cdrom/nc <host> <port>
Keyword Searching: To search for signs of an intrusion, an investigator can use tools such as the following:
strings: gathers all printable characters from image files. Use the -t switch to print each string's offset from the beginning of the file:
strings -t d kcore > kcore_strings
md5sum kcore_strings > kcore_strings.md5
grep: finds commands typed by an intruder, IP addresses, passwords, or even decrypted parts of malicious code within the extracted strings.
What is keyword searching?
Keyword Searching: To search for signs of an intrusion, an investigator can use tools such as the following:
strings: gathers all printable characters from image files. Use the -t switch to print each string's offset from the beginning of the file:
strings -t d kcore > kcore_strings
md5sum kcore_strings > kcore_strings.md5
grep: finds commands typed by an intruder, IP addresses, passwords, or even decrypted parts of malicious code within the extracted strings.
Explain mounting an image file and timeline creation:
Devices like floppies, CDs, and hard disk partitions must be attached to an existing directory on the system before they can be accessed; this is called mounting. The directory where the device is attached is the mount point. After mounting the device, the files present on the device can be accessed through the mount point. Before a device is removed, it must be unmounted. During startup, the Linux operating system searches for the drives to be mounted, the privileges to be assigned to those drives, and the locations to mount them.
The mount command takes the device to be mounted, as well as the mount point, as arguments. The mount point must be a directory that already exists on the system.
Hard Disk Analysis
To analyze a hard disk in Linux, an investigator should follow these steps:
- Make an image of the hard disk using dd:
dd if=/dev/hda1 of=/var/case01.dd
- Use md5sum to record the system time and the hash of the image, and sign the seal:
date > case01.evidence.seal
md5sum case01.dd >> case01.evidence.seal
gpg --clearsign case01.evidence.seal
- Mount the copy of the evidence into the file system (read-only, via a loop device):
mount -o ro,loop,nodev,noexec case01.dd /mnt/evidence
- Capture the drive's forensic data:
grave-robber -c /mnt/evidence -m -d /var/investigations/case01 -o LINUX2
- Extract deleted inode (modification/access/change) times:
ils case01.dd | ils2mac > case01.ilsbody
- Combine evidence for timeline conversion:
cat case01.ilsbody body > case01.evidence
- Generate the timeline:
mactime -p /mnt/evidence/etc/passwd -g /mnt/evidence/etc/group -b case01.evidence 11/28/2003 > case01.timeline
Explain evidence analysis techniques using Autopsy:
The Autopsy Forensic Browser is a graphical interface to TSK. Since Autopsy is HTML based, the Autopsy server can be reached from any platform using an HTML browser. Autopsy provides a File Manager-like interface and shows details about deleted data and file system structures.
Analysis modes:
- A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and TSK are run in a trusted environment, typically a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
- A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and TSK are run from a CD in an untrusted environment. This is frequently done during an incident response, while the incident is being confirmed. After it is confirmed, the investigator can acquire the system and perform a dead analysis.
Evidence search techniques:
- File listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.
- File content: The contents of files can be viewed in raw or hex format, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages.
- Hash databases: An investigator can look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST NSRL as well as user-created databases of known good and bad files.
- File type sorting: An investigator can sort files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file is also compared to the file type to identify files that may have had their extensions changed to hide them.
- Timeline of file activity: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the modified, accessed, and changed (MAC) times of both allocated and unallocated files.
- Keyword search: Keyword searches of the file system image can be performed using ASCII strings and regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
- Metadata analysis: Metadata structures contain details about files and directories. Autopsy allows investigators to view the details of any metadata structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated the structure.
- Data-unit analysis: Data units are where file content is stored. Autopsy displays the contents of any data unit in a variety of formats. The file type is also given, and Autopsy will search the metadata structures to identify which one has allocated the data unit.
- Image details: File system details can be viewed, including on-disk layout and times of activity. This mode provides info that is useful during data recovery.
What are some precautions to take during an investigation?
- Avoid running programs on a compromised system
- Do not run programs that will modify the metadata of files and directories
- Write the results of the investigation to a remote location
- Calculate the hash values of the data to avoid data alterations.
List some Linux forensic tools
The Sleuth Kit, Autopsy, SMART, Penguin Sleuth, TCT, FLAG, HELIX, etc.
The Sleuth Kit:
The Sleuth Kit (TSK) is a collection of UNIX-based command-line file and volume system forensic analysis tools. TSK supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks.
It analyzes raw (dd), Expert Witness (EnCase), and AFF file system and disk images, supporting the NTFS, FAT, UFS, etc. file systems (even when the host OS does not support those file systems or has a different endian ordering).
Tools in the Sleuth Kit:
File system layer tools: These tools process general file system data such as the layout, allocation structures, and boot blocks.
fsstat: shows file system details and statistics, including layout/design
Filename layer tools: These tools process the filename structures, which are typically located in the parent directory.
ffind: finds allocated and unallocated filenames that point to a given metadata structure
fls: lists allocated and deleted filenames in a directory
Metadata layer tools: These tools process the metadata structures, which store the details about a file. Ex: directory entries in FAT, MFT entries in NTFS, and inodes in extX and UFS.
icat: extracts the data units of a file, which are specified by its metadata address
ifind: finds the metadata structure that has a given filename pointing to it, or the metadata structure that points to a given data unit
ils: lists the metadata structures and their content in a pipe-delimited format
istat: displays the statistics and details about a given metadata structure in an easy-to-read format
Data unit layer tools: These tools process the data units where file content is stored. Ex: clusters in FAT and NTFS, blocks and fragments in extX and UFS.
dcat: extracts the content of a given data unit
dls: lists the details about data units and can extract the unallocated space of the file system
dstat: displays the statistics about a given data unit
dcalc: calculates where data in the unallocated space image exists in the original image; used when evidence is found in unallocated space
File system journal tools: Process the journals that some file systems have. The journal records the metadata (and content) updates that are made, which helps recover deleted data.
jcat: displays the contents of a specific journal block
jls: lists the entries in the file system journal
Media management tools: Take a disk image as input and analyze its partition structures. Ex: DOS partitions, BSD disk labels, and Sun Volume Table of Contents (VTOC).
mmls: displays the layout of a disk, including the unallocated space. Identifies the type and length of each partition. Output is sorted based on the starting sector, so it is able to identify gaps in the layout.
Image file tools: This layer contains tools for the image file format.
img_stat: shows the details of the image format
img_cat: shows the raw contents of an image file
Disk tools: Used to detect and remove an HPA in an ATA disk. An HPA could be used to hide data so it could not be copied during an acquisition.
disk_sreset: temporarily removes an HPA, if one exists. After the disk is reset, the HPA will return
disk_stat: shows whether an HPA exists
hfind: uses a binary search algorithm to look up hashes in the NIST reference library (NSRL), HashKeeper, and custom hash databases created by md5sum
mactime: takes input from the fls and ils tools to create a timeline of file activity
sorter: sorts files based upon their file type and performs extension checking and hash database lookups
sigfind: searches for a binary value at a given offset; useful in recovering lost data structures
Autopsy:
The Autopsy Forensic Browser is a graphical interface to TSK (The Sleuth Kit). Since Autopsy is HTML based, the Autopsy server can be reached from any platform using an HTML browser. Autopsy provides a File Manager-like interface and shows details about deleted data and file system structures.
Analysis modes:
- A dead analysis occurs when a dedicated analysis system is used to examine the data from a suspect system. In this case, Autopsy and TSK are run in a trusted environment, typically a lab. Autopsy and TSK support raw, Expert Witness, and AFF file formats.
- A live analysis occurs when the suspect system is being analyzed while it is running. In this case, Autopsy and TSK are run from a CD in an untrusted environment. This is frequently done during an incident response, while the incident is being confirmed. After it is confirmed, the investigator can acquire the system and perform a dead analysis.
Evidence search techniques:
- File listing: Analyze the files and directories, including the names of deleted files and files with Unicode-based names.
- File content: The contents of files can be viewed in raw or hex format, or the ASCII strings can be extracted. When data is interpreted, Autopsy sanitizes it to prevent damage to the local analysis system. Autopsy does not use any client-side scripting languages.
- Hash databases: An investigator can look up unknown files in a hash database to quickly identify them as good or bad. Autopsy uses the NIST NSRL as well as user-created databases of known good and bad files.
- File type sorting: An investigator can sort files based on their internal signatures to identify files of a known type. Autopsy can also extract only graphic images (including thumbnails). The extension of the file is also compared to the file type to identify files that may have had their extensions changed to hide them.
- Timeline of file activity: In some cases, having a timeline of file activity can help identify areas of a file system that may contain evidence. Autopsy can create timelines that contain entries for the modified, accessed, and changed (MAC) times of both allocated and unallocated files.
- Keyword search: Keyword searches of the file system image can be performed using ASCII strings and regular expressions. Searches can be performed on either the full file system image or just the unallocated space. An index file can be created for faster searches. Strings that are frequently searched for can be easily configured into Autopsy for automated searching.
- Metadata analysis: Autopsy allows investigators to view the details of any metadata structure in the file system. This is useful for recovering deleted content. Autopsy will search the directories to identify the full path of the file that has allocated this structure.
- Data-unit analysis: Autopsy displays the contents of any data unit in a variety of formats. The file type is also given, and Autopsy will search the metadata structures to identify which one has allocated the data unit.
- Image details: This mode provides info that is useful during data recovery.
SMART:
A modular forensic tool. It supports plug-ins, is multithreaded, and can generate information on hashes. It can perform real authentication and verify the work of other forensic programs. Uses a GUI.
Penguin Sleuth Kit:
Bootable Linux distribution based on Knoppix.
It collects several tools including the Coroner's Toolkit (TCT), Autopsy, and TSK, as well as penetration-testing and virus-scanning tools. It offers both a GUI environment and a command-line interface.
List the tools included in the Penguin Sleuth Kit:
TSK: command-line forensic tools
AUTOPSY: TSK GUI
FOREMOST: data carving tool
GLIMPSE: data indexing and searching tool
WIPE: securely wipe hard drives and files
ETHERAPE: visual network monitor
FENRIS: multipurpose tracer
HONEYD: honeypot program
SNORT: network intrusion detection tool
DSNIFF: network auditing and penetration testing
JOHN THE RIPPER: password cracking tool
NIKTO: Web server scanner
NBTSCAN: scans for open NetBIOS name servers
XPROBE: remote OS fingerprinting tool
NGREP: network grep function
NEMESIS: network packet injector
FRAGROUTE: network packet injector
FPING: multiple-host ping utility
TCPTRACEROUTE: traces routes taken by TCP packets
TCPREPLAY: replays a TCP dump
NESSUS: graphical security scanner
ETHEREAL: graphical network analyzer
NETCAT: read and write over a network
TCPDUMP: dumps network traffic
HPING2: packet assembler/analyzer
ETTERCAP: sniffer/interceptor/logger for Ethernet networks
OPENSSH: secure remote connection utility
KISMET: graphical wireless network intrusion tool
GPG: encryption utility
OpenSSL: secure remote connection utility
lsof: list all open files
Hunt: TCP/IP exploit scanner
Stunnel: SSL connection package
ARPWATCH: Ethernet monitor
DIG: querying domain name servers
CHKROOTKIT: looks for signs of rootkits
What is the Farmer’s Boot CD?
The Farmer's Boot CD (FBCD) can safely and quickly preview systems (hard drives, thumb drives, digital music devices such as iPods, digital camera media) directly from Linux. Its features include the following:
- Boots almost any x86 system
- Mounts file systems in a forensically sound manner
- Previews data using a single, unified graphical user interface (GUI)
- Acquires media after it is previewed
The following are some of its advantages:
- Allows attaching digital cameras, previewing the contents of onboard memory, and dumping software information and graphics or video files
- Authenticates and acquires file systems or devices in simple point-and-click GUIs
- Generates a catalog of all hardware attached to the system, including serial numbers, make and model information, and settings and configuration info
- Dumps BIOS info of the system
- Easily obtains both hard drive and file system info
- Hard drive info may include make and model, serial number, capacity, and partitioning scheme
- File system information may include size, volume name, UUID, creation date, mounted date, and other metadata info
- Generates a list of deleted files for FAT12/16/32, NTFS, and ext2 file system types
- Captures network traffic (including HTTP, e-mail, and IM traffic) and analyzes it with the provided tools
- Quickly previews all sessions found on multisession CDs
- Identifies data residing in file slack for supported file system types
- Analyzes the Windows registry
- Previews and analyzes e-mail stores, looking for attachments, decoding Base64, and searching for key terms
- Obtains file metadata for supported file types
- Easily identifies an HPA on ATA drives and soft-resets it for a full acquisition
- Can preview image files that contain file systems starting beyond 2 GB into the image file