Your SlideShare is downloading. ×
0
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
File000127
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

File000127

178

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
178
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
15
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. Module XIV – Linux Forensics
  2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Linux Tool Speeds Up Computer Forensics for Cops Source: http://news.zdnet.com/2100-3513_22-190993.html
  3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Linux Forensics Environment Creation • Floppy Disk Analysis • Hard Disk Analysis • Linux Boot Sequence • Data Collection using Toolkit • Crash Commands • Step-By-Step Approach to Case • Use of Linux in Forensics • Linux Forensic Tools This module will familiarize you with:
  4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Linux Boot Sequence Data Collection using Toolkit Crash Commands Step-By-Step Approach to Case Use of Linux in Forensics Floppy Disk Analysis Linux Forensics Environment Creation Hard Disk Analysis Linux Forensic Tools
  5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Introduction to Linux
  6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux OS Linux is a free Unix-type open source operating system originally developed by Linus Torvalds with the assistance of developers around the world It comes in different packages called distributions such as Red Hat, SuSE, and Mandrake Linux distributions come in the following editions: • It is a desktop installation with graphical interface and common applications Desktop • It is used in a production environment and business Server/Enterprise • The operating system is stored on a bootable storing device Live CD
  7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Boot Sequence The first step in the boot up sequence for Linux is loading the kernel The kernel image is usually contained in the /boot directory Details of the boot loader can be gained from LILO or GRUB using more /etc/lilo.conf or more /etc/grub.conf The next step is initialization where runlevel and startup scripts are initialized and terminal process is controlled The file that controls the initialization is /etc/inittab and the file that begins the process is /sbin/init
  8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited File System in Linux On most Linux distributions, the basic directory structure is organized like this:
  9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited File System Description
  10. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Forensics Linux has a number of simple utilities that make imaging and basic analysis of suspect disks and drives easier. These include: Utility Description dd Command to copy data from an input file or device to an output file or device sfdisk and fdisk Command to determine the disk’s structure grep Command to search files for instances of an expression or pattern The loop device Allows you to mount an image without having to rewrite the image to a disk md5sum and sha1sum Command to create and store an MD5 or SHA hash of a file or list of files (including devices) file Command to read file header information in an attempt to ascertain its type, regardless of the name or extension Xxd Command line hexdump tool ghex and khexedit The Gnome and KDE (X Window interfaces) hex editors
  11. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Use of Linux as a Forensics Tool Why use Linux for Forensics? • Treats every device as a file • Does not need a separate write blocker Greater Control • Can be booted from a CD • Can recognize several file systems Flexibility • Distributions like THE FARMER'S BOOT CD and Sleuth make Linux a forensic tool in itself Power
  12. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Advantages of Linux in Forensics • Software is freely available • Source code is provided • Tools can be closely scrutinized for correctness Software availability and accessibility • Allows for much automation and scripting Efficiency • Software can be modified to fit the requirements Optimizing and Customizing • It supports Ad-hoc community • It uses open and published standards • It is compatible across technologies and organizations Support
  13. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Disadvantages of Linux in Forensics • It takes time and effort to learn Linux • Command line requires expertise unlike the GUI environment, which is easy to work with Requires training • Continuous changes and updates occurs • It takes time to implement changes • Changes and implementation may not be the final one Inter-operating with technologies is hard
  14. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Precautions to Take During an Investigation Avoid running programs on the compromised system Do not run the programs that will modify the meta-data of files and directories Write the results of the investigation to a remote location Calculate the hash values of the digital data to avoid the digital data alteration
  15. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Recognizing Partitions in Linux If a standard IDE disk is being used, it will be referred to as "hdx" The "x" is replaced with an "a" if the disk is connected to the primary IDE controller as master and with a "b" if the disk is connected to the primary IDE controller as a slave device Similarly, the IDE disks connected to the secondary IDE controller as master and slave will be referred to as "hdc” and “hdd” respectively
  16. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited mount Command Devices such as floppies, CDs, hard disk partitions, and other storage devices must be attached to some existing directory on your system before they can be accessed This attaching is called mounting, and the directory where the device is attached is called a mount point After the device is mounted, you can access the files on that device by accessing the directory where the device is attached Unmount the device when you want to remove or detach it from the mount point When mounting, specify the device or partition to be mounted and the mount point The mount point must be a directory that already exists on the system. An example to mount a floppy is: •$ mount /dev/fd0 /mnt/floppy For unmounting the device or partition, you must specify its name with unmount command •$ umount /dev/fd0
  17. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited dd Command Options dd command is used to convert and copy a file It reads the InFile parameter, converts it in a specified format, and copies the data into OutFile parameter • dd [ bs=BlockSize ][ cbs=BlockSize ] [ conv= [ ascii | block | ebcdic | ibm | unblock ] [ lcase | ucase ] [ iblock ] [ noerror ] [ swab ] [ sync ] [ oblock ] [ notrunc ] ] [ count=InputBlocks ] [ files=InputFiles ] [ fskip=SkipEOFs ] [ ibs=InputBlockSize ] [ if=InFile ] [ obs=OutputBlockSize ][ of=OutFile ] [ seek=RecordNumber ] [ skip=SkipInputBlocks ][ span=yes|no ] Syntax:
  18. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Floppy Disk Analysis • Use dd to create forensic image and compare SHA hash of the image against floppy • Use the commands: • # dd if=/dev/fd0 of=/evidence/floppy1.img bs=512 • # sha1sum /evidence/floppy1.img >/evidence/floppy1img.sha1sum • # cat /evidence/floppy1img.sha1sum • # cat /evidence/floppy1.sha1sum To create floppy disk image: In floppy disk analysis, insert floppy into floppy drive and obtain its SHA hash
  19. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Floppy Disk Analysis (cont’d) Identify File System: • Use file utility to identify the file system of floppy disk image • Use the command: • # File /evidence/floppy1.img Mount the image for analysis: • Create a directory to mount the image • Use mount utility to mount the image, using loop back • Use the commands: • # mkdir /mnt/analysis • # mount -t vfat -o ro,noexec,loop /evidence/floppy1.img /mnt/analysis • # umount /mnt/analysis • # mount –o ro,noexec,loop /evidence/floppy1.img /mnt/analysis
  20. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Floppy Disk Analysis (cont’d) • Obtain SHA hash of each file on the floppy disk and check files • Use the command: • # cd /mnt/analysis/mnt/analysis # find . -type f - exec sha1sum {} ; >/evidence/floppy1img.sha1filehash /mnt/analysis # cat /evidence/floppy1img.sha1filehash da39a3ee5e6b4b0d3255bfef95601890afd80709 ./.ICEauthority 9155df0f906411433388c335c902d0a7452c6a72 ./addressbook 2406038ea5da9776c1f32ba3d7f0e84d0b3d2af9 ./crackdealers.d /mnt/analysis # Obtain SHA Hash of Contents:
  21. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Floppy Disk Analysis (cont’d) • Use strings utility to extract raw text from a binary file • Use the command: •# strings crackdealers.d | less View file’s contents:
  22. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hard Disk Analysis • Use dd partition(s) to image(s) •dd if=/dev/hda1 of=/var/case01.dd Make an image of the hard disk • date > case01.evidence.seal md5sum case01.dd >> case01.evidence.seal gpg –clearsign case01.evidence.seal Use md5sum to collect the information about the system time and date • Use the command: •mount –o ro,loop,nodev,noexec case01.dd /mnt/evidence Mount copy of evidence into the file system
  23. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hard Disk Analysis (cont’d) Capture the drive’s forensic data • grave-robber –c /mnt/evidence –m –d /var/investigations/case01 –o LINUX2 Extract deleted inode (mod/access/change) times • ils case01.dd | ils2mac > case01.ilsbody Combine evidence for timeline conversion • cat case01.ilsbody body > case01.evidence Generate Timeline • mactime –p /mnt/evidence/etc/passwd –g /mnt/evidence/etc/group -b case01.evidence 11/28/2003 > case01.timeline
  24. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection
  25. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Forensic Toolkit Preparation The forensic toolkit should include the tools such as: • nc • dd • datecat • pcat • Hunter.o • insmod • NetstatArproute • dmesg After building all the tools, copy all of them to the removable media
  26. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit Step 1 • Media mounting Step 2 • Current date Step 3 • Cache tables Step 4 • Current, pending connections and open TCP/UDP ports Step 5 • Physical memory image
  27. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) Step 6 • List of modules loaded to the kernel memory of an operating system Step 7 • The list of active processes Step 8 • Collecting of suspicious processes Step 9 • Useful information about the compromised system Step 10 • Current time
  28. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) • Mount the toolkit on the external media • # mount -n /mnt/cdrom • Calculate the hash value of the collected file to maintain the integrity of the digital evidence • # md5sum date_compromised > date_compromised.md5 Media mounting
  29. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) Current date: • Collect the current date result, presented in the UTC format • # nc -l -p port > date_compromised • # /mnt/cdrom/date -u | /mnt/cdrom/nc (remote) port • # md5sum date_compromised > date_compromised.md5 Cache tables: • Collect the cache table information as it is volatile and can be lost • Mac address cache table: • # nc -l -p port > arp_compromised • # /mnt/cdrom/arp -an | /mnt/cdrom/nc (remote) port • # md5sum arp_compromised > arp_compromised.md5 • Kernel route cache table: • # nc -l -p port > route_compromised • # /mnt/cdrom/route -Cn | /mnt/cdrom/nc (remote) port • #md5sum route_compromised > route_compromised.md5
  30. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) • Collect information about the current connections and open TCP/UDP ports •#nc -l -p port > connections_compromised •# /mnt/cdrom/netstat -an | /mnt/cdrom/nc (remote) port •#md5sum connections_compromised > connections_compromised.md5 Current, pending connections, and open TCP/UDP ports: • Access physical memory directly by copying the /dev/mem device or by copying the kcore file • kcore file can be found in the pseudo file system, which is mounted in the /proc directory •#nc -l -p port > kcore_compromised •#/mnt/cdrom/dd < /proc/kcore | /mnt/cdrom/nc (remote) port •#md5sum kcore_compromised > kcore_compromised.md5 Physical memory image:
  31. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) List of modules loaded to kernel memory of an operating system: • Check which modules are currently loaded into memory • # nc -l -p port > lkms_compromised • #/mnt/cdrom/cat /proc/modules | /mnt/cdrom/nc (remote) port • # nc -l -p port > lkms_compromised.md5 • # /mnt/cdrom/md5sum /proc/modules | /mnt/cdrom/nc (remote) port • Analyze the ksyms file to detect the presence of an intruder in the system • #nc -l -p port > ksyms_compromised • #/mnt/cdrom/cat /proc/ksyms | /mnt/cdrom/nc (remote) port • # nc -l -p port > ksyms_compromised.md5 • #/mnt/cdrom/md5sum /proc/ksyms | /mnt/cdrom/nc (remote) port
  32. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) • Collect the information about all processes, open ports, and files with the use of lsof tool • #nc -l -p port > lsof_compromised • #/mnt/cdrom/lsof -n -P -l | /mnt/cdrom/nc (remote) port • #md5sum lsof_compromised > lsof_compromised.md5 The list of active processes: • Copy the entire memory allocated by a process • #nc -l -p port > proc_id_compromised • #/mnt/cdrom/pcat proc_id | /mnt/cdrom/nc (remote) port • #md5 proc_ip_compromised > proc_ip_compromised.md5 Collecting of suspicious processes:
  33. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) • Use the following commands to collect the information about the suspects system: Useful information about the compromised system: Command Description /mnt/cdrom/cat /proc/version Version of the operating system /mnt/cdrom/cat /proc/sys/kernel/name Host’s name /mnt/cdrom/cat /proc/sys/kernel/domainame Domain’s name /mnt/cdrom/cat /proc/cpuinfo Information about hardware /mnt/cdrom/cat /proc/swaps All swap partitions mnt/cdrom/cat /proc/partitions All local file systems /mnt/cdrom/cat /proc/self/mounts Mounted file systems mnt/cdrom/cat /proc/uptime Uptime
  34. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Data Collection Using the Toolkit (cont’d) • Accumulate information about the current time • #nc -l -p port > end_time • # /mnt/cdrom/date | /mnt/cdrom/nc (remote) port Current time:
  35. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Keyword Searching • Strings: • Used to gather all printable characters from the image file by using the strings tool • Use the -t switch to add an offset from the beginning of the file •strings -t d kcore > kcore_strings •md5sum kcore_strings > kcore_strings.md5 • Grep: • Used to gather commands typed by an intruder, IP addresses, passwords, or even decrypted part of the malicious code To search for signs of an intrusion, use tools such as:
  36. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Crash Utility Crash is a tool for interactively analyzing the state of the Linux system while it is running, or after a kernel crashes and a core dump has been created by the Red Hat netdump facility SYNAPSIS: crash [ -h [ opt ] ] [ -v ] [ -s ] [ -i file ] [ -d num ] [ -S ] [ mapfile ] [ namelist ] [ dumpfile ] Options: -h opt: Displays a help message -v Displays the versions of the original gdb and crash libraries that make up the crash executable -s Crash does not display any version, GPL, or crash initialization data during startup -i file Crash reads and executes the crash command(s) contained in file before accepting any user input. -d num Crash sets its internal debug level -S Crash uses "/boot/System.map" as the mapfile namelist: This is a pathname to an uncompressed kernel image (a vmlinux file) that has been compiled with the "-g" option, or that has an accessible, associated debuginfo file mapfile: If the live system kernel, or the kernel from which the dumpfile was derived, was not compiled with the -g switch, then the additional mapfile argument is required dumpfile: This is a pathname to a kernel memory core dump file
  37. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Crash Utility: Commands crash> ps Output:
  38. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Crash Utility: Commands (cont’d) crash> ps -t Output:
  39. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Crash Utility: Commands (cont’d) crash> ps –a Output: crash> foreach files Output:
  40. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Crash Utility: Commands (cont’d) crash> foreach net Output:
  41. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Crash Commands (cont’d) Extract the information related to the state of the system using the crash commands Information Command Mounted file systems crash> mount Open files per file system crash> mount –f Kernel message buffer crash> log Swap information crash> swap Machine information crash> mach Loaded Kernel Modules crash> mod chrdevs and blkdevs arrays crash> dev PCI device data crash> dev –p I/O port/memory usage crash> dev –I Kernel memory usage crash> kmem –I Kernel vm_stat table crash> kmem -V
  42. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Case Examples
  43. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Case Example I Rebecca had filed a lawsuit against Good Company Inc for sexual harassment by one of its senior directors Mr. Peter Samson She submitted a floppy as evidence of Mr. Peter’s advances She also ascertained that Mr. Peter used to send her explicit material through floppy disks marked as legitimate work If a forensic investigator has been called to investigate the case by Good Company Inc How should the forensic investigator proceed with the evidence?
  44. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Step-by-Step Approach to Case • Begin with creating a directory where all forensic activities can be done •/mkdir evidence • It is desirable to create a special mount point for all physical subject disk analysis •mkdir /mnt/investigation Document all processes
  45. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited • Create an image of the disk using the simple bit streaming command dd •dd if=/dev/fd0 of=image.suspectdisk • Change the read-write permissions of the image to read-only using chmod •chmod 444 image.suspectdisk Determine the disk structure: Step-by-Step Approach to Case (cont’d)
  46. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Step-by-Step Approach to Case (cont’d) Mount the restored imaged working copy and analyze the contents: • mount -t vfat -o ro,noexec /dev/fd0 /mnt/investigations • Another option is to mount a point within the image file using the loop interface rather than mounting the contents to another location • mount -t vfat -o ro,noexec,loop image.suspectdisk /mnt/investigations Verify the integrity of the data on the imaged file by checking the file hash: • md5sum /evidence/md5.image.suspectfile or • sha1sum -c /evidence/SHA. image.suspectfile
  47. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Step-by-Step Approach to Case (cont’d) Use the ls command to view the contents of the disk • ls –alR to list all files including hidden files and list the directories recursively Make a list of all files along with access times • ls –laiRtu > /evidence/suspectfiles.list Search for likely evidence using: • grep. grep -i xxx suspectfiles.list List the unknown file extensions and changed file appearances: • file changedfile • Files can be viewed using strings, cat, more, or less
  48. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Step-by-Step Approach to Case (cont’d) Search for certain keywords from the entire file list • cat /evidence/ suspectfiles.list | grep blackmailword • A systematic approach to search for keywords would be to create a keywords list. E.g. save it as: •/evidence/keywordlist.txt • grep the files for the keywords and save it to a file •grep –aibf keywordlist.txt image.suspectdisk > results.txt • View the results: •cat results.txt • To analyze the files at each offset, use the hexdump tool: •xxd -s (offset) image.suspectdisk | less
  49. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Challenges in Disk Forensics with Linux Linux cannot identify the last sector on hard drives with odd number of sectors Most Linux tools are complicated as they are used at the command line Devices can be written to even if they are not mounted Bugs in the open source tools can be used to question the credibility of the tool for forensics’ use Forensic and Incident Response Environment (F.I.R.E) by William Salusky provides a good tool set
  50. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Case Example II Mr. Jason Smith was accused of hoarding illegal material of questionable moral content on his company’s network systems Forensic investigator was called upon to examine the suspect’s hard disk and unearth evidence related to the illegal material How the forensic investigator should proceed in extracting and preserving the evidence?
  51. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Step-by-Step Approach to Case Note down the model’s information from the hard disk label /manufacturer’s web site, and the size and total number of sectors on the drive Wipe and format a image disk drive using the ext3 file system (> 3x evidence size) Fill the disk with zeros and ensure that the contents match • dcfldd if=/dev/zero of=/dev/hda bs=4096 conv=noerror, sync Partition the disk and reboot • fdisk /dev/hda Format with the ext3 file system • mkfs –t ext3 /dev/image.disk
  52. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Step-by-Step Approach to Case (cont’d) • Mount the read-write image disk •mount /dev/hda /mnt/image.disk • Create a directory for all documentation and analysis •mkdir /mnt/image.disk/case_no • Create a sub-directory to hold the evidence’s image •mkdir /mnt/image.disk/case_no/evidence_no • Document the details of the investigation in a text file including investigator’s details, case background details, and investigation dates • Carry out the document details of the disk media including investigator’s name and organization, case number, media evidence number, date and time of imaging; make, model, and serial number of the computer, IP and system’s hostname; make, model, and serial number of HD, source of HD, and scope of the investigation Prepare the disk for imaging
  53. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Step-by-Step Approach to Case (cont’d) • Connect both original evidence drive and drive to be imaged to the imaging system • Verify all jumper settings – Master/Slave • Make sure that the imaging system will boot only from CD by checking the BIOS settings • Image the disk using dd: •dd if=/dev/hdx of=image.disk conv=noerror,sync • This will allow dd to try to ignore any errors (conv=noerror) and synchronize the output (sync)with the original Image the disk:
  54. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Check for accuracy by comparing md5sum Mount the disk and extract evidence Images can be carved using dd or the hex dump tool xxd Step-by-Step Approach to Case (cont’d)
  55. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Linux Forensics Tools
  56. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Popular Linux Forensics Tools The Sleuth Kit written by Brian Carrier and maintained at http://www.sleuthkit.org Autopsy – HTML front-end for sleuthkit SMART for Linux- by ASR Data is a commercial data forensics program that runs on Linux THE FARMER'S BOOT CD- by farmerdude, is a bootable CD that is oriented towards previewing of data quickly Penguin Sleuth - Knoppix based linux distribution with a forensic flavor Forensix
  57. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited The Sleuth Kit The Sleuth Kit is a collection of command line digital investigation tools The tools run on Linux, OS X, FreeBSD, OpenBSD, and Solaris and can analyze FAT, NTFS, UFS, EXT2FS, and EXT3FS The Autopsy Forensic Browser is an HTML-based graphical interface for the command line tools in the Sleuth Kit which makes it much easier and faster to investigate a system mac-robber is a tool that will collect temporal data from the mounted file systems The data can be used to make a timeline of the file’s activity on the system using tools from The Sleuth Kit
  58. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tools in “The Sleuth kit” Tool Type Tool’s Name File System Layer tools fsstat File Name Layer tools ffind, fls Meta Data Layer tools icat, ifind, ils , istat Data Unit Layer tools dcat , dls , dstat, dcalc File System Journal tools jcat , jls Media Management tools mmls Image File tools img_stat, mg_cat Disk tools disk_sreset, disk_stat Other tools hfind, mactime, sorter, sigfind
  59. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy The Autopsy Forensic Browser is a graphical interface to the command line digital investigation analysis tools in The Sleuth Kit Together, they can analyze Windows and UNIX disks and file systems (NTFS, FAT, UFS1/2, Ext2/3) The Sleuth Kit and Autopsy are both open source and run on UNIX platforms As autopsy is HTML-based, you can connect to the autopsy server from any platform using an HTML browser Autopsy provides a "File Manager“ like interface and shows details about the deleted data and the file system’s structures
  60. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited The Evidence Analysis Techniques in Autopsy File Listing: • Analyze the files and directories, including the names of the deleted files and files with Unicode-based names File Content: • The contents of files can be viewed in raw, hex, or the ASCII strings can be extracted Hash Databases: • Look up the unknown files in a hash database to quickly identify it as good or bad File Type Sorting: • Sort the files based on their internal signatures to identify files of a known type Timeline of the File’s Activity: • Create timelines that contain entries for the Modified, Access, and Change (MAC) times of both allocated and unallocated files
  61. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited The Evidence Analysis Techniques in Autopsy (cont’d) Keyword Search: • Keyword searches of the file system image can be performed using ASCII strings and grep regular expressions Meta Data Analysis: • It allows you to view the details of any meta data structure in the file system Data Unit Analysis: • It allows you to view the contents of any data unit in a variety of formats including ASCII, hexdump, and strings Image Details: • You can view the file system details including on-disk layout and the time of activity so that it is possible to recover data
  62. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – File Listing
  63. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – File Content
  64. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – Hash Databases
  65. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – File Type Sorting
  66. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – Timeline of File Activity
  67. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – Keyword Search
  68. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – Meta Data Analysis
  69. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – Data Unit Analysis
  70. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Autopsy – Image Details
  71. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SMART for Linux SMART is a software utility that has been designed and optimized to support data forensic practitioners and Information Security personnel in pursuit of their respective duties and goals It is known as ‘The Next Generation Data Forensic Tool’ • "Knock-and-talk" inquiries and investigations • On-site or remote preview of a target system • Post mortem analysis of a dead system • Testing and verification of other forensic programs • Conversion of proprietary "evidence file" formats • Baselining of a system Functions of SMART:
  72. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Features of SMART for Linux SMART displays the list of the connected storage devices in the main window list It uses plugins to do much of the work, and the application itself utilizes a highly modular design philosophy It is multi-threaded Its powerful, flexible acquisition options allow you to create pure bit-image copies and quasi-proprietary formats that support seekable compression It can acquire and clone a single source to any number of images and devices simultaneously It generates information about hashes It provides the ability to perform real authentication It gives you an easy interface to Linux mounts and GUI environments such as KDE and GNOME It enables complex tasks and search result rules to be applied automatically
  73. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SMART: Screenshots 1
  74. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SMART: Screenshots 2
  75. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SMART: Screenshots 3
  76. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SMART: Screenshots 4
  77. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SMART: Screenshots 5
  78. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited SMART: Screenshots 6
  79. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Penguin Sleuth The Penguin Sleuth Kit is a bootable Linux distribution based on KNOPPIX It is the collection of some useful tools, including The Coroner’s Toolkit (TCT), Autopsy, and The Sleuth Kit, as well as penetration testing and virus scanning tools It offers a GUI environment as well as the good old fashion command line environment fitting the novice user to the experienced user
  80. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tools Included in Penguin Sleuth Kit Tool Name Description Sleuth Kit Command Line Forensic Tools Autopsy Part of Sleuth Kit Foremost Command line data carving tool Glimpse Command line data indexing and searching tool Wipe Command line utility to securely wipe hard drives and files Etherape Visual network monitor Fenris Multipurpose tracer Honeyd Command line honeypot program Snort Command line network intrusion tool Dsniff Command Line network auditing and penetration testing tools John The Ripper Command Line Password Cracking tool Nikto Webserver scanner
  81. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tools Included in Penguin Sleuth Kit (cont’d) Tool Name Description Nbtscan Command-line tool that scans for open NETBIOS nameservers Xprobe Command line remote operating system fingerprinting tool Ngrep Command line Network grep Function Nemesis Command Line network packet injector Fragroute Command line network intrusion testing tool Fping Command line multiple host ping utility TCPtraceroute Command line traceroute TCP packages TCPReplay Command line utility that replays a TCP dump Nessus Graphical Security Scanner Ethereal Graphical Network analyzer Netcat Command line tool to read and write over network TCPdump Command line tool that dumps network traffic
  82. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tools Included in Penguin Sleuth Kit (cont’d) Tool Name Description Hping2 Command line packet assembler / analyzer Ettercap Command line sniffer / interceptor / logger for Ethernet networks Openssh Secure remote connection utility Kismet Graphical wireless network sniffer AirSnort Graphical wireless network intrusion tool GPG Encryption utility OpenSSL Secure remote connection utility Lsof Command line utility that lists all open files Hunt Command line TCP / IP exploit scanner Stunnel SSL connection package ARPwatch Command line Ethernet monitor Dig Command line tool for querying domain name servers Chkrootkit Looks for signs of root kit
  83. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited THE FARMER'S BOOT CD (The FBCD) FBCD allows you to examine storage media directly from Linux Boot any x86 system and mount file systems in a forensically sound manner (including journaled file systems) Previews data safely using a single, unified graphical user interface (GUI) Is designed and optimized for previewing, authenticating, acquiring, and analyzing media
  84. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited THE FARMER'S BOOT CD (The FBCD) (cont’d) • It supports the greatest amount of hardware in the widest range of cases • It minimizes its footprint on the system, saving memory (RAM) for critical processes and tasks • Every included application is already configured for data forensics so that there is no need to change settings or wonder about configuration parameters THE FARMER'S BOOT CD is configured such that:
  85. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots Delve, the proprietary preview program found on THE FARMER'S BOOT CD DEVICES tab is used to mount file systems (truly read-only). Right-click on any file system to view the available options (depends upon the mount ‘status) as shown in the right hand side
  86. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots PAGEFILE tab is used to identify email and URLs in the Windows “pagefile.sys” file .URL output :
  87. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots WINDOWS LOGS tab is used to identify key log files of interest on Windows systems and open a pop-up window as shown in the right hand side, allowing you to click on files of interest for viewing
  88. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots WEB HISTORY tab is used to identify the web browser ‘s cache files and extract cookie and history information as shown in the two output files:
  89. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots CATALOG tab is used to identify and catalog files of interest by extension or header. Found files may be copied, opened, or a file listing dumped
  90. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots LINUX LOGS tab is used to identify key log files on Linux systems and open a pop-up window as shown in the right hand side, allowing you to click on files of interest for viewing
  91. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots DATE CONVERTER tab is used to convert date and times from one format to many other formats
  92. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots GRAPHICS VIEWER tab is used to identify graphics files and open a viewer for found files
  93. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Delve: Screenshots MISC menu option provides miscellaneous utilities, including dumping hard drive information, dumping the system BIOS tables, dumping an inventory of hardware, etc.
  94. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Forensix The goal of the Forensix ("4N6") Project is to allow a system to be monitored so that, in the event of a security compromise, it is easy to track the compromise back to its source and recover from it It performs a complete kernel event audit on the target system and streams the high-definition audit trail to a backend database that has been optimized for reconstruction queries • Accurately replays any and all system compromises • Determines what specific data (such as credit card numbers) has been accessed on the system as a result of a compromise • Automatically determines what modifications have been made to a system by an illicit user • Selectively "undo"-ing illicit system modifications Functions:
  95. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Maresware Linux Forensics provides tools for investigating computer records while running the LINUX operating system on Intel processors Maresware is useful to all types of investigators, including law enforcement, intelligence agency, private investigator, and corporate internal investigator This software enables discovery of evidence for using in criminal or civil legal proceedings
  96. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Major Programs Present in Maresware Program Description Bates_no A unique program for adding identifying numbers to filenames in e-documents Catalog Catalogues every file on a Linux file system and identifies headers Hash Performs MD5 (CRC, or SHA) hash of every file on a drive Hashcmp Compares outputs of successive hash runs Md5 Calculates MD5 hash of a file Strsrch Searches files for text strings U_to_A Converts *ix text to DOS text
  97. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Captain Nemo Widely used by law enforcement personnel, forensic investigators, as well as network administrators. Captain Nemo enables you to access any Linux drive from your Windows computer without requiring a network setup Just connect the Linux drive to your machine and Captain Nemo will let you mount your Linux partitions in Windows You can read, search, and view all your Linux files and copy them to your Windows drive It supports ext2fs and ext3fs
  98. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Captain Nemo: Screenshot
  99. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited The Coroner’s Toolkit (TCT) TCT is a collection of programs In TCT, grave-robber tool captures information The ils and mactime tools display access patterns of files dead or alive The unrm and lazarus tools recover the deleted files The findkey tool recovers cryptographic keys from a running process or from files
  100. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: FLAG FLAG is used for the log file analysis and forensic investigations It uses a database as a backend to assist in managing the large volumes of data Features of FLAG: • FLAG supports generic firewall logs • It collects information about the log and searches for suspicious activity Log analysis: • It uses the dissected information to construct a knowledge base of different entities on the network Network Forensics: • It uses the Sleuth Kit tool to analyze dd images Disk Forensics
  101. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited FLAG: Screenshot Figure: FLAG Listening ports
  102. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited FLAG: Screenshot Figure: FLAG connecting to port 80
  103. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: md5deep md5deep is a cross-platform set of programs to compute MD5, SHA- 1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files Features of md5deep: • Recursive operation: md5deep is able to recursive examine an entire directory tree • Comparison mode: It computes the MD5 for every file in a directory and for every file in every subdirectory • Time estimation: It can produce a time estimate when it is processing large files
  104. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: TestDisk TestDisk help to recover lost partitions and/or make non-booting disks bootable again • Fix partition table, recover deleted partition • Recover FAT32 boot sector from its backup • Rebuild FAT12/FAT16/FAT32 boot sector • Fix FAT tables • Rebuild NTFS boot sector • Recover NTFS boot sector from its backup • Copy files from the deleted FAT, NTFS, and ext2/ext3 partitions Functions:
  105. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Tool: Vinetto Vinetto is a forensics tool to examine Thumbs.db files It extracts the related thumbnails to a directory It gets a metadata report on all non deleted Thumbs.db files contained within a partition Syntax: • vinetto [OPTIONS] [-s] [-U] [-o DIR] file
  106. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Summary Linux imparts greater control, flexibility, and power as a forensics tool Linux has a number of simple utilities that make imaging and basic analysis of the suspect disks and drives easier Linux cannot identify the last sector on hard drives with an odd number of sectors There are several popular Linux tool kits that provide GUI as well for convenience
  107. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  108. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

×