SlideShare a Scribd company logo

INVESTIGATING UNIX SYSTEMS.pptx

Download as PPTX, PDF
A
AmAngel1

Unix systems investigation and details

Technology
1 of 23
INVESTIGATING UNIX SYSTEMS
AN OVERVIEW OF THE STEPS IN A UNIX INVESTIGATION • Before you can investigate a Unix system, you’ll need to set upyour forensic workstation and/or boot the image. • Once you are ready to begin investigating the Unix system, the following actions provide the most likely way to identify relevant evidence: ▼ Review all pertinent logs ■ Perform keyword searches ■ Review relevant files ■ Identify unauthorized user accounts or groups ■ Identify rogue processes ■ Check for unauthorized access points ■ Analyze trust relationships ▲ Check for kernel module rootkits
REVIEWING PERTINENT LOGS • Unix operating systems have a variety of log files that can yield important clues during incident response. • Not only are system activities such as logons, startups, and shutdowns logged, but also events associated with Unix network services. • Most log files are located in a common directory, usually /var/log. • Some logs are placed in nonintuitive locations, such as /etc. Network Logging • The single most useful logging capability in Unix is the syslog (system log) file. • The activities of syslog are controlled through the syslog configuration file, usually /etc/syslog.conf. • A syslog daemon, syslogd, runs on the system to log messages. • Syslog also offers the ability to log messages remotely, across a network. • The syslog configuration file controls which types of messages are sent to which logs. • Each line in the configuration file contains three fields:  The facility field denotes the subsystem that produced the log file.  The priority field indicates the severity of the log  The action field specifies how the log will be recorded.
Remote Syslog Server Logs • The log files generated locally by the syslog daemon are text files that are usually world-readable but writable only by root. • This means that any attacker who has gained administrator-level access can easily modify the syslog log files— removing selected entries, modifying selected entries, or adding misleading entries. • These modifications are nearly impossible to detect. • If you suspect that an attacker has gained root-level access on the system where the logs are stored, do not trust the logs. • The only way to tell for certain if an attacker modified the log files is to perform redundant logging to a secure, remote syslog server. • In the event that a system is hacked and the log files are manipulated, or if the attacker deleted the entire log file, a pristine copy should exist on the remote syslog server. • The remote syslog server should be a hardened (secure) host with minimal access, preferably only console or secure shell (ssh), which also takes advantage of system logging. • The server’s accounts and passwords should be unique, to prevent access based on the compromise of passwords from other systems.
TCP Wrapper Logging • In addition to all of the applications that take advantage of the system logging capability, another extremely valuable program that uses syslog is TCP Wrappers. • TCP Wrappers is a host-based access control for TCP and UDP services. • Any connection attempts to “wrapped” services are logged via syslog. • The log entry provides a lot of valuable information: the time and date of the attempted logon, the hostname (victim), the service (sshd), the account (root), and the IP address of the system that attempted to log on. • Example that shows how a successful connection to a service is recorded: Apr 26 20:36:59 victim in.tftpd[524]: connect from 10.10.10.10 • This entry shows that the host 10.10.10.10 connected to victim’s TFTP server . • The correlation of connections and file-access times can be one of the investigator’s most powerful techniques.
Other Network Logs • In addition to syslog, Unix systems can maintain other network activity logs. • These logs are primarily service-specific, such as the log files for web servers. • This log entry provides the following information: ▼ The time and date that the transfer occurred ■ The number of seconds that the transfer took ■ The remote host ■ The number of bytes transferred ■ The name of the transferred file ■ The type of file transfer (b for binary) ■ A special action flag (_ indicates no special action) ■ The direction of transfer (o represents outgoing; i is incoming) ■ The access mode (r is for real, as opposed to anonymous or guest) ■ The username (chris) ■ The service name (ftp) ■ The authentication method (0 for none) ■ The user ID (* indicates none available) ▲ The status of the transfer (c for complete)
Host Logging • Unix provides a variety of log files that track host operations. • Some of the more useful logs record su command execution, logged-on users, logon attempts, and cron job (scheduled program) execution. su Command Logs • The su command allows a user to switch to another user ID during a session. • Attackers sometimes use this command to attempt to gain root access to a system. • Unix records every attempt to execute the su command on the system. • The log shows the time and date of the su attempt, whether the attempt was successful, the terminal device from which the user attempted to execute su, and the user ID before and after the su attempt. • On some flavors of Unix, a separate su log file is stored in one of the log directories; on other flavors, su attempts are recorded in the messages or syslog file.
Logged-on User Logs • The utmpor wtmpfile is used to store information about users currently logged on to the system. • The log file is named differently and stores slightly different information, depending on the flavor of Unix. • The basic information stored is the name of the user, the terminal used to log on, and the time of the logon. • The file is stored in a binary data format, rather than as a text file. • Binary logs often contain more information than what is displayed with the default commands. Logon Attempt Logs • Logon attempts, both failed and successful, are recorded by default on most Unix systems. • Along with the logon attempts for network services such as FTP or ssh, console logons are also saved in one of the log files, such as the messages file on Linux systems. Cron Logs • Cron is a feature in Unix that allows users to schedule programs for future execution, and it is often used for attacks. • All executed cron jobs are logged, usually in /var/cron/log or in the default logging directory, in a file called cron.
User Activity Logging • Along with logons, other types of user activities are recorded in Unix logs. • Process accounting logs and shell history files record the commands executed by users. Process Accounting Logs • process accounting is a feature of Unix whereby every command run by every user is logged. • This type of logging is not enabled by default. • If the acct or pacct log file does not exist on the system, you will not be able to use this feature. • If either of these files exists, you can use the lastcomm or acctcom command to review the contents of the file. Shell Histories • Users with interactive access to Unix systems have an associated command shell, such as the Bourne (sh), Korn (ksh), or Bourne-Again (bash) shell. • These shells provide the capability to log all commands, along with their command-line options. • Typically, the history file is stored as a hidden file in the user’s home directory.
What Can Happen • An attacker just gained root access to your system. One of the first steps the attacker takes is to delete the .bash_history file. • Then he links the file to /dev/null, rendering it incapable of logging commands. Where to Look for Evidence • Whenever you investigate a Unix system suspected of being compromised, check for shell history files. • If the history feature is enabled and the history file does not exist, there is a good chance that the hacker deleted the history file. • If the history file exists as a link to /dev/null,, that is another strong indication that the system has been compromised.
PERFORMING KEYWORD SEARCHES String Searches with grep • The powerful, flexible grep command is a primary tool for string searches. • To perform a string search within a file, use the grep command as follows: [root@lucky]# grep root /etc/passwd root:x:0:0:root:/root:/bin/bash • Notice that the line in the passwd file with the string root inside appears as output. • The passwd file is a text file. • Now, let’s try grep on a binary file: [root@lucky]# grep PROMISC /sbin/ifconfig Binary file /sbin/ifconfig matches • This time, the string does not appear. Instead, you see a notification that a file of type binary has a matching entry. • Different versions of grep have different functionality. The GNU versions of grep included with Linux are much more full-featured than those found on many other, older flavors of Unix. • In order to achieve the same results on a Solaris system, you need to use other utilities, such as strings, to first pull the ASCII strings out of the binary file.
File Searches with find • Another useful command for string searches is find. • You can use the find command to find any filename that matches a regular expression. • Example of searching the entire file system for a file or directory named “…”: [root@aplinux /]# find / -name "..." –print /home/mugge/MDAc/temp/.../root/... • The first forward slash (/) indicates that the find operation will search the entire file system. • The -name option specifies that the attribute to be searched on is the name of the file. • The backslash () preceding each dot (.) is necessary to escape the special meaning of the dot, because, by default, this character is a wildcard for regular expressions. • The find command is helpful for many searches. It can search a file system for files that match a wide variety of characteristics, including modification or access time, owner of file, string inside a file, string in the name of the file, and so on.
REVIEWING RELEVANT FILES Incident Time and Time/Date Stamps • In order to search for files and directories that were accessed, modified, or created around • the time of a suspected incident, you must first know the time of the suspected incident. • The timeframe may be very specific, such as when a network IDS discovered and logged the attack as it happened. • The Unix file system saves three different timestamps for each file or directory: ▼ The atime, or access time, is the last time that a file or directory was accessed. This includes even read access (such as cat filename). ■ The mtime, or modification time, records the last time a file was modified. ▲ The ctime, is similar to the mtime, but it records the last time the inode value was changed. This value can change with events such as changing permissions or ownership.
Special Files • Certain types of files and directories seem to regularly turn up in incidents. • These files and directories include SUID and SGID files, unusual and hidden files and directories, configuration files, and the /tmpdirectory SUID and SGID Files • Unix contains features known as set userid (SUID) and set groupid (SGID), which are designed to allow programs to operate with higher privileges than those of the user running the program. • SUID and SGID root programs are the source of most privilege-escalation attacks on Unix systems, and they are also a favorite backdoor for attackers. • A SUID root copy of /bin/ksh (the Korn shell) on most Unix systems will provide root privileges to any user • who executes it. • This is also known by attackers as a rootshell. • To an investigator, a suspicious SUID root program is cause for alarm. To find all of the SUID or SGID programs on a system, execute the following find commands: [root@victim]# find / -perm -004000 -type f –print [root@victim]# find / -perm -006000 -type f –print
Unusual and Hidden Files and Directories • Attackers often hide files and directories from the casual observer. • Within Unix, any file or directory that starts with a dot (.) is hidden from casual view; it will not appear in an ls command listing unless the -a option is used. • Furthermore, attackers often name files and directories with seemingly innocuous names, such as rpc.auditd for a sniffer or /tmp/.X11-R5 for a directory. • Especially common for directories is a name of just three dots (…). All of these names are similar to the names of existing files and directories, and their appearance in a directory listing or a process table listing would not immediately raise the suspicion of an administrator. • The first stepto discovering this type of obfuscation is knowing when to take a closer look, such as in the case of directories with multiple dots.
Configuration Files • Configuration files are a key location of evidence during many incidents. With all of the built-in functionality of the Unix operating system, a knowledgeable attacker can easily modify applications to perform evil tasks. • Frequent targets include files that control access to the victim system, such as the TCP Wrapper configuration files /etc/hosts.allow and /etc/hosts.deny. • Attackers may modify or delete these files to allow certain computers to connect to the victim system at will. • The Internet daemon configuration file inetd.conf (located in the /etc directory) controls many of the Unix system’s network services. • Services such as telnet, FTP, and TFTP (and many more services) are started via this file. • An attacker may add entries to this file so that the victim system listens on many ports, or an attacker may enable a previously disabled service such TFTP.
Where to Look for Evidence • The inetd.conf file uses a partner file named /etc/services to define which ports are associated with which service. In this case, you search the /etc/services file for the port 5500 entry: [root@lucky /root]# grep 55000 /etc/services telnet2 55000/tcp • You identify a service named telnet2, which is associated with TCP port 55000. You search inetd.conf for this service: [root@lucky /root]# grep telnet2 /etc/inetd.conf telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd
Startup Files • The Unix operating system has several locations that are used to start services and applications. • Examples include cron, rc startup files, and user startup files. • The cron facility is used to schedule the future execution of programs. • The directory /var/spool/cron or /usr/spool/cron stores cron jobs for various users. • Files in this directory are named after user accounts, and any jobs stored in those files are executed with the privileges of that user. • For example, jobs in the /var/spool/cron/root file are executed with root privileges. • Another location of startupfiles is the rc directory. • Usually named /etc/rc.d or something similar, this directory contains a listing of programs that start when a Unix system boots. • Programs like sendmail and portmapper traditionally are controlled by these configuration files Tmp Directory • By default, the /tmpdirectory is the only world-writable file system on a Unix system. • This makes it a popular hangout for attackers and a favorite storage site for nefarious tools. • Also, many publicly available exploits use the /tmp directory to store temporary files during privilege-escalation attacks, and sometimes they leave trace evidence.
IDENTIFYING UNAUTHORIZED USER ACCOUNTS OR GROUPS User Account Investigation • User information is stored in the /etc/passwd file. This is a text file that you can easily review through a variety of mechanisms. • Every user on a Unix system has an entry in the /etc/passwd file. A typical entry looks like this: lester:x:512:516:Lester Pace:/home/lester:/bin/bash • The entry consists of seven colon-delimited fields: the username (lester), the password (shadowed in this case), the user ID (512), groupID (516), GECOS field (for comments; Lester Pace in this case), home directory, and default login shell. Group Account Investigation • Groupaccounts use the groupID shown in the /etc/passwd file as well as the /etc/groups file. A typical /etc/group file looks like this: $ cat /etc/group root::0:root,ashunn bin::2:root,bin,daemon sys::3:root,bin,sys,adm adm::4:root,adm,daemon uucp::5:root,uucp
IDENTIFYING ROGUE PROCESSES • Identifying rogue processes is much easier when examining a live system. • During the initial investigation, you should have recorded all listening ports and running processes. What Can Happen • During your initial investigation, you dutifully record listening ports and running processes. Upon further examination, you notice an anomaly with FTP: [root@victim]# netstat –anp tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 519/inetd tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 519/ftpd • Both telnet and FTP should be run from inetd, yet a separate FTP daemon appears to be running. Where to Look for Evidence • You examine /etc/inetd.conf and find that the FTP service has been disabled (by placing the # as the first character): [root@victim]# grep ftpd /etc/inetd.conf #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l –a
CHECKING FOR UNAUTHORIZED ACCESS POINTS • Unix is a fully functional, robust operating system. Over the course of its long history, Unix has continually added functionality, and network services are no exception. • A default installation of Unix offers a dazzling array of network services, including the Network File System (NFS), telnet, finger, rlogin, and many others. • Some of the most common access points that we have seen intruders take advantage of include X Servers, FTP, telnet, TFTP, DNS, sendmail, finger, SNMP, IMAP, POP, HTTP, and HTTPS. • Network services could be vulnerable, allowing intruders access to your system, or network services could already be trojaned by a successful intruder. ANALYZING TRUST RELATIONSHIPS • Trust relationships within Unix systems were once a primary mechanism of attack. • Trust can be established between Unix systems with a variety of services, the most popular of which include rlogin, rsh, the Network Information Service (NIS and NIS+), NFS, and ssh. • Trust relationships can be convenient time-savers for system administrators and users. • If machine A trusts machine B, then the user on machine B can access machine A with no additional credentials. • If you are a system administrator with dozens of systems to maintain, using this feature can be very enticing. • Trust relationships are usually configured through files such as /etc/hosts.equiv or any .rhosts file in a user’s home directory. Trust relationships can be established with ssh through shared keys and through NFS shares.
DETECTING TROJAN LOADABLE KERNEL MODULES • Loadable kernel modules (LKMs), or kernel extensions, are found on the various flavors of Linux, BSD, and Solaris. • They extend the capabilities of the base operating system kernel, typically to provide additional support within the operating system for device and file system drivers. • LKMs can be dynamically loaded by a user with root-level access and they run at the kernel level instead of at a normal user-process level. LKMs on Live Systems • Detecting trojan LKMs on a live system can be complicated because these tools actually intercept system calls (such as ps or directory listing) to provide false information. • They are specifically designed to prevent detection with traditional response methods. • An example would be an external port scan compared to a port scan performed directly on the local suspect system. • Malicious LKMs are specifically designed to intercept system calls and provide false information. • This is a key difference between rootkits and LKMs. • When a traditional rootkit is installed, commands such as ps and netstat are modified or replaced.
LKM Elements • In some cases, the intruder uploads and compiles the source, and successfully installs the LKM; however, she forgets to delete the actual LKM source files! • When this happens, you may not only discover the presence of the LKM, you may also find additional configuration information. Here is an excerpt from a discovered Adore make file: CFLAGS+=DELITE_CMD=102993 CFLAGS+=DELITE_UID=30 CFLAGS+=DCURRNT_ADORE=42 CFLAGS+=DADORE_KEY=”batman” • The make file not only contains the Elite command, Elite UID, and Adore version number (4.2), but it also has the Adore key. The DADORE_KEY value contains batman, the intruder’s password! • If the intruder didn’t rename or hide the files, the following command would find the startadore script, one of several associated files, if it existed on the root file system. [root@curtis ]# find / -name startadore –print /tmp/…/startadore

Recommended

Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Mobile forensic
Mobile forensicMobile forensic
Mobile forensicDINESH KAMBLE
 
Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
CHA & LBA Addressing
CHA & LBA Addressing CHA & LBA Addressing
CHA & LBA Addressing DINESH KAMBLE
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics toolSreekanth Narendran
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Difference between Cyber and digital Forensic.pptx
Difference between Cyber and digital Forensic.pptxDifference between Cyber and digital Forensic.pptx
Difference between Cyber and digital Forensic.pptxApplied Forensic Research Sciences
 
Digital Forensic
Digital ForensicDigital Forensic
Digital ForensicCleverence Kombe
 

Recommended

Preserving and recovering digital evidence
Preserving and recovering digital evidencePreserving and recovering digital evidence
Preserving and recovering digital evidenceOnline
 
Mobile forensic
Mobile forensicMobile forensic
Mobile forensicDINESH KAMBLE
 
Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
CHA & LBA Addressing
CHA & LBA Addressing CHA & LBA Addressing
CHA & LBA Addressing DINESH KAMBLE
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics toolSreekanth Narendran
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Difference between Cyber and digital Forensic.pptx
Difference between Cyber and digital Forensic.pptxDifference between Cyber and digital Forensic.pptx
Difference between Cyber and digital Forensic.pptxApplied Forensic Research Sciences
 
Digital Forensic
Digital ForensicDigital Forensic
Digital ForensicCleverence Kombe
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - NotesKranthi
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic toolsParsons Corporation
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
A Brief History of Secret Writing
A Brief History of Secret WritingA Brief History of Secret Writing
A Brief History of Secret WritingElliot Ward
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsyash sawarkar
 
First Responder Officer in Cyber Crime
First Responder Officer in Cyber CrimeFirst Responder Officer in Cyber Crime
First Responder Officer in Cyber CrimeApplied Forensic Research Sciences
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolsN.Jagadish Kumar
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics pptNikhil Mashruwala
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDr Raghu Khimani
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidenceOnline
 
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"EPAM Systems
 
Unix/Linux
Unix/Linux Unix/Linux
Unix/Linux Saurabh Upadhyay
 

More Related Content

What's hot

06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - NotesKranthi
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
A Brief History of Secret Writing
A Brief History of Secret WritingA Brief History of Secret Writing
A Brief History of Secret WritingElliot Ward
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolsN.Jagadish Kumar
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDr Raghu Khimani
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidenceOnline
 

What's hot (20)

06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
A Brief History of Secret Writing
A Brief History of Secret WritingA Brief History of Secret Writing
A Brief History of Secret Writing
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
First Responder Officer in Cyber Crime
First Responder Officer in Cyber CrimeFirst Responder Officer in Cyber Crime
First Responder Officer in Cyber Crime
 
computer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software toolscomputer forensic tools-Hardware & Software tools
computer forensic tools-Hardware & Software tools
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensics
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
 
Digital Evidence by Raghu Khimani
Digital Evidence by Raghu KhimaniDigital Evidence by Raghu Khimani
Digital Evidence by Raghu Khimani
 
Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
 

Similar to INVESTIGATING UNIX SYSTEMS.pptx

Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"EPAM Systems
 
Introduction to System Calls
Introduction to System CallsIntroduction to System Calls
Introduction to System CallsVandana Salve
 
Linuxtraining 130710022121-phpapp01
Linuxtraining 130710022121-phpapp01Linuxtraining 130710022121-phpapp01
Linuxtraining 130710022121-phpapp01Chander Pandey
 
12-introductiontolinuxos-190907073928
12-introductiontolinuxos-19090707392812-introductiontolinuxos-190907073928
12-introductiontolinuxos-190907073928SahilNegi60
 
12 introduction to Linux OS
12 introduction to Linux OS12 introduction to Linux OS
12 introduction to Linux OSHameda Hurmat
 
Services and system calls
Services and system callsServices and system calls
Services and system callssangrampatil81
 
How to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNHow to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNGene Kartavtsev
 
Operating Systems & Applications
Operating Systems & ApplicationsOperating Systems & Applications
Operating Systems & ApplicationsMaulen Bale
 
operating system calls input and output by (rohit malav)
operating system calls input and output by (rohit malav)operating system calls input and output by (rohit malav)
operating system calls input and output by (rohit malav)Rohit malav
 
Operating Systems: Linux in Detail
Operating Systems: Linux in DetailOperating Systems: Linux in Detail
Operating Systems: Linux in DetailDamian T. Gordon
 
Linux week 2
Linux week 2Linux week 2
Linux week 2Vinoth Sn
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1Pavan Illa
 
unixoperatingsystem-130327073532-phpapp01.pdf
unixoperatingsystem-130327073532-phpapp01.pdfunixoperatingsystem-130327073532-phpapp01.pdf
unixoperatingsystem-130327073532-phpapp01.pdfIxtiyorTeshaboyev
 
Course 102: Lecture 16: Process Management (Part 2)
Course 102: Lecture 16: Process Management (Part 2) Course 102: Lecture 16: Process Management (Part 2)
Course 102: Lecture 16: Process Management (Part 2) Ahmed El-Arabawy
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O YourHelper1
 
Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)Gaurav Aggarwal
 

Similar to INVESTIGATING UNIX SYSTEMS.pptx (20)

Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
Вячеслав Кабак "Microsoft Sysinternals-Useful Utilities"
 
Unix/Linux
Unix/Linux Unix/Linux
Unix/Linux
 
Introduction to System Calls
Introduction to System CallsIntroduction to System Calls
Introduction to System Calls
 
Daemons
DaemonsDaemons
Daemons
 
Linuxtraining 130710022121-phpapp01
Linuxtraining 130710022121-phpapp01Linuxtraining 130710022121-phpapp01
Linuxtraining 130710022121-phpapp01
 
12-introductiontolinuxos-190907073928
12-introductiontolinuxos-19090707392812-introductiontolinuxos-190907073928
12-introductiontolinuxos-190907073928
 
12 introduction to Linux OS
12 introduction to Linux OS12 introduction to Linux OS
12 introduction to Linux OS
 
Syslog.ppt
Syslog.pptSyslog.ppt
Syslog.ppt
 
Services and system calls
Services and system callsServices and system calls
Services and system calls
 
How to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MNHow to Audit Linux - Gene Kartavtsev, ISACA MN
How to Audit Linux - Gene Kartavtsev, ISACA MN
 
Operating Systems & Applications
Operating Systems & ApplicationsOperating Systems & Applications
Operating Systems & Applications
 
operating system calls input and output by (rohit malav)
operating system calls input and output by (rohit malav)operating system calls input and output by (rohit malav)
operating system calls input and output by (rohit malav)
 
Operating Systems: Linux in Detail
Operating Systems: Linux in DetailOperating Systems: Linux in Detail
Operating Systems: Linux in Detail
 
Linux week 2
Linux week 2Linux week 2
Linux week 2
 
2nd unit part 1
2nd unit part 12nd unit part 1
2nd unit part 1
 
unixoperatingsystem-130327073532-phpapp01.pdf
unixoperatingsystem-130327073532-phpapp01.pdfunixoperatingsystem-130327073532-phpapp01.pdf
unixoperatingsystem-130327073532-phpapp01.pdf
 
Course 102: Lecture 16: Process Management (Part 2)
Course 102: Lecture 16: Process Management (Part 2) Course 102: Lecture 16: Process Management (Part 2)
Course 102: Lecture 16: Process Management (Part 2)
 
Linux System Programming - File I/O
Linux System Programming - File I/O Linux System Programming - File I/O
Linux System Programming - File I/O
 
CSA-lecture 6.pptx
CSA-lecture 6.pptxCSA-lecture 6.pptx
CSA-lecture 6.pptx
 
Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)Operating systems (For CBSE School Students)
Operating systems (For CBSE School Students)
 

Recently uploaded

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

INVESTIGATING UNIX SYSTEMS.pptx

  • 2. AN OVERVIEW OF THE STEPS IN A UNIX INVESTIGATION • Before you can investigate a Unix system, you’ll need to set upyour forensic workstation and/or boot the image. • Once you are ready to begin investigating the Unix system, the following actions provide the most likely way to identify relevant evidence: ▼ Review all pertinent logs ■ Perform keyword searches ■ Review relevant files ■ Identify unauthorized user accounts or groups ■ Identify rogue processes ■ Check for unauthorized access points ■ Analyze trust relationships ▲ Check for kernel module rootkits
  • 3. REVIEWING PERTINENT LOGS • Unix operating systems have a variety of log files that can yield important clues during incident response. • Not only are system activities such as logons, startups, and shutdowns logged, but also events associated with Unix network services. • Most log files are located in a common directory, usually /var/log. • Some logs are placed in nonintuitive locations, such as /etc. Network Logging • The single most useful logging capability in Unix is the syslog (system log) file. • The activities of syslog are controlled through the syslog configuration file, usually /etc/syslog.conf. • A syslog daemon, syslogd, runs on the system to log messages. • Syslog also offers the ability to log messages remotely, across a network. • The syslog configuration file controls which types of messages are sent to which logs. • Each line in the configuration file contains three fields:  The facility field denotes the subsystem that produced the log file.  The priority field indicates the severity of the log  The action field specifies how the log will be recorded.
  • 4. Remote Syslog Server Logs • The log files generated locally by the syslog daemon are text files that are usually world-readable but writable only by root. • This means that any attacker who has gained administrator-level access can easily modify the syslog log files— removing selected entries, modifying selected entries, or adding misleading entries. • These modifications are nearly impossible to detect. • If you suspect that an attacker has gained root-level access on the system where the logs are stored, do not trust the logs. • The only way to tell for certain if an attacker modified the log files is to perform redundant logging to a secure, remote syslog server. • In the event that a system is hacked and the log files are manipulated, or if the attacker deleted the entire log file, a pristine copy should exist on the remote syslog server. • The remote syslog server should be a hardened (secure) host with minimal access, preferably only console or secure shell (ssh), which also takes advantage of system logging. • The server’s accounts and passwords should be unique, to prevent access based on the compromise of passwords from other systems.
  • 5. TCP Wrapper Logging • In addition to all of the applications that take advantage of the system logging capability, another extremely valuable program that uses syslog is TCP Wrappers. • TCP Wrappers is a host-based access control for TCP and UDP services. • Any connection attempts to “wrapped” services are logged via syslog. • The log entry provides a lot of valuable information: the time and date of the attempted logon, the hostname (victim), the service (sshd), the account (root), and the IP address of the system that attempted to log on. • Example that shows how a successful connection to a service is recorded: Apr 26 20:36:59 victim in.tftpd[524]: connect from 10.10.10.10 • This entry shows that the host 10.10.10.10 connected to victim’s TFTP server . • The correlation of connections and file-access times can be one of the investigator’s most powerful techniques.
  • 6. Other Network Logs • In addition to syslog, Unix systems can maintain other network activity logs. • These logs are primarily service-specific, such as the log files for web servers. • This log entry provides the following information: ▼ The time and date that the transfer occurred ■ The number of seconds that the transfer took ■ The remote host ■ The number of bytes transferred ■ The name of the transferred file ■ The type of file transfer (b for binary) ■ A special action flag (_ indicates no special action) ■ The direction of transfer (o represents outgoing; i is incoming) ■ The access mode (r is for real, as opposed to anonymous or guest) ■ The username (chris) ■ The service name (ftp) ■ The authentication method (0 for none) ■ The user ID (* indicates none available) ▲ The status of the transfer (c for complete)
  • 7. Host Logging • Unix provides a variety of log files that track host operations. • Some of the more useful logs record su command execution, logged-on users, logon attempts, and cron job (scheduled program) execution. su Command Logs • The su command allows a user to switch to another user ID during a session. • Attackers sometimes use this command to attempt to gain root access to a system. • Unix records every attempt to execute the su command on the system. • The log shows the time and date of the su attempt, whether the attempt was successful, the terminal device from which the user attempted to execute su, and the user ID before and after the su attempt. • On some flavors of Unix, a separate su log file is stored in one of the log directories; on other flavors, su attempts are recorded in the messages or syslog file.
  • 8. Logged-on User Logs • The utmpor wtmpfile is used to store information about users currently logged on to the system. • The log file is named differently and stores slightly different information, depending on the flavor of Unix. • The basic information stored is the name of the user, the terminal used to log on, and the time of the logon. • The file is stored in a binary data format, rather than as a text file. • Binary logs often contain more information than what is displayed with the default commands. Logon Attempt Logs • Logon attempts, both failed and successful, are recorded by default on most Unix systems. • Along with the logon attempts for network services such as FTP or ssh, console logons are also saved in one of the log files, such as the messages file on Linux systems. Cron Logs • Cron is a feature in Unix that allows users to schedule programs for future execution, and it is often used for attacks. • All executed cron jobs are logged, usually in /var/cron/log or in the default logging directory, in a file called cron.
  • 9. User Activity Logging • Along with logons, other types of user activities are recorded in Unix logs. • Process accounting logs and shell history files record the commands executed by users. Process Accounting Logs • process accounting is a feature of Unix whereby every command run by every user is logged. • This type of logging is not enabled by default. • If the acct or pacct log file does not exist on the system, you will not be able to use this feature. • If either of these files exists, you can use the lastcomm or acctcom command to review the contents of the file. Shell Histories • Users with interactive access to Unix systems have an associated command shell, such as the Bourne (sh), Korn (ksh), or Bourne-Again (bash) shell. • These shells provide the capability to log all commands, along with their command-line options. • Typically, the history file is stored as a hidden file in the user’s home directory.
  • 10. What Can Happen • An attacker just gained root access to your system. One of the first steps the attacker takes is to delete the .bash_history file. • Then he links the file to /dev/null, rendering it incapable of logging commands. Where to Look for Evidence • Whenever you investigate a Unix system suspected of being compromised, check for shell history files. • If the history feature is enabled and the history file does not exist, there is a good chance that the hacker deleted the history file. • If the history file exists as a link to /dev/null,, that is another strong indication that the system has been compromised.
  • 11. PERFORMING KEYWORD SEARCHES String Searches with grep • The powerful, flexible grep command is a primary tool for string searches. • To perform a string search within a file, use the grep command as follows: [root@lucky]# grep root /etc/passwd root:x:0:0:root:/root:/bin/bash • Notice that the line in the passwd file with the string root inside appears as output. • The passwd file is a text file. • Now, let’s try grep on a binary file: [root@lucky]# grep PROMISC /sbin/ifconfig Binary file /sbin/ifconfig matches • This time, the string does not appear. Instead, you see a notification that a file of type binary has a matching entry. • Different versions of grep have different functionality. The GNU versions of grep included with Linux are much more full-featured than those found on many other, older flavors of Unix. • In order to achieve the same results on a Solaris system, you need to use other utilities, such as strings, to first pull the ASCII strings out of the binary file.
  • 12. File Searches with find • Another useful command for string searches is find. • You can use the find command to find any filename that matches a regular expression. • Example of searching the entire file system for a file or directory named “…”: [root@aplinux /]# find / -name "..." –print /home/mugge/MDAc/temp/.../root/... • The first forward slash (/) indicates that the find operation will search the entire file system. • The -name option specifies that the attribute to be searched on is the name of the file. • The backslash () preceding each dot (.) is necessary to escape the special meaning of the dot, because, by default, this character is a wildcard for regular expressions. • The find command is helpful for many searches. It can search a file system for files that match a wide variety of characteristics, including modification or access time, owner of file, string inside a file, string in the name of the file, and so on.
  • 13. REVIEWING RELEVANT FILES Incident Time and Time/Date Stamps • In order to search for files and directories that were accessed, modified, or created around • the time of a suspected incident, you must first know the time of the suspected incident. • The timeframe may be very specific, such as when a network IDS discovered and logged the attack as it happened. • The Unix file system saves three different timestamps for each file or directory: ▼ The atime, or access time, is the last time that a file or directory was accessed. This includes even read access (such as cat filename). ■ The mtime, or modification time, records the last time a file was modified. ▲ The ctime, is similar to the mtime, but it records the last time the inode value was changed. This value can change with events such as changing permissions or ownership.
  • 14. Special Files • Certain types of files and directories seem to regularly turn up in incidents. • These files and directories include SUID and SGID files, unusual and hidden files and directories, configuration files, and the /tmpdirectory SUID and SGID Files • Unix contains features known as set userid (SUID) and set groupid (SGID), which are designed to allow programs to operate with higher privileges than those of the user running the program. • SUID and SGID root programs are the source of most privilege-escalation attacks on Unix systems, and they are also a favorite backdoor for attackers. • A SUID root copy of /bin/ksh (the Korn shell) on most Unix systems will provide root privileges to any user • who executes it. • This is also known by attackers as a rootshell. • To an investigator, a suspicious SUID root program is cause for alarm. To find all of the SUID or SGID programs on a system, execute the following find commands: [root@victim]# find / -perm -004000 -type f –print [root@victim]# find / -perm -006000 -type f –print
  • 15. Unusual and Hidden Files and Directories • Attackers often hide files and directories from the casual observer. • Within Unix, any file or directory that starts with a dot (.) is hidden from casual view; it will not appear in an ls command listing unless the -a option is used. • Furthermore, attackers often name files and directories with seemingly innocuous names, such as rpc.auditd for a sniffer or /tmp/.X11-R5 for a directory. • Especially common for directories is a name of just three dots (…). All of these names are similar to the names of existing files and directories, and their appearance in a directory listing or a process table listing would not immediately raise the suspicion of an administrator. • The first stepto discovering this type of obfuscation is knowing when to take a closer look, such as in the case of directories with multiple dots.
  • 16. Configuration Files • Configuration files are a key location of evidence during many incidents. With all of the built-in functionality of the Unix operating system, a knowledgeable attacker can easily modify applications to perform evil tasks. • Frequent targets include files that control access to the victim system, such as the TCP Wrapper configuration files /etc/hosts.allow and /etc/hosts.deny. • Attackers may modify or delete these files to allow certain computers to connect to the victim system at will. • The Internet daemon configuration file inetd.conf (located in the /etc directory) controls many of the Unix system’s network services. • Services such as telnet, FTP, and TFTP (and many more services) are started via this file. • An attacker may add entries to this file so that the victim system listens on many ports, or an attacker may enable a previously disabled service such TFTP.
  • 17. Where to Look for Evidence • The inetd.conf file uses a partner file named /etc/services to define which ports are associated with which service. In this case, you search the /etc/services file for the port 5500 entry: [root@lucky /root]# grep 55000 /etc/services telnet2 55000/tcp • You identify a service named telnet2, which is associated with TCP port 55000. You search inetd.conf for this service: [root@lucky /root]# grep telnet2 /etc/inetd.conf telnet2 stream tcp nowait root /usr/sbin/tcpd in.telnetd
  • 18. Startup Files • The Unix operating system has several locations that are used to start services and applications. • Examples include cron, rc startup files, and user startup files. • The cron facility is used to schedule the future execution of programs. • The directory /var/spool/cron or /usr/spool/cron stores cron jobs for various users. • Files in this directory are named after user accounts, and any jobs stored in those files are executed with the privileges of that user. • For example, jobs in the /var/spool/cron/root file are executed with root privileges. • Another location of startupfiles is the rc directory. • Usually named /etc/rc.d or something similar, this directory contains a listing of programs that start when a Unix system boots. • Programs like sendmail and portmapper traditionally are controlled by these configuration files Tmp Directory • By default, the /tmpdirectory is the only world-writable file system on a Unix system. • This makes it a popular hangout for attackers and a favorite storage site for nefarious tools. • Also, many publicly available exploits use the /tmp directory to store temporary files during privilege-escalation attacks, and sometimes they leave trace evidence.
  • 19. IDENTIFYING UNAUTHORIZED USER ACCOUNTS OR GROUPS User Account Investigation • User information is stored in the /etc/passwd file. This is a text file that you can easily review through a variety of mechanisms. • Every user on a Unix system has an entry in the /etc/passwd file. A typical entry looks like this: lester:x:512:516:Lester Pace:/home/lester:/bin/bash • The entry consists of seven colon-delimited fields: the username (lester), the password (shadowed in this case), the user ID (512), groupID (516), GECOS field (for comments; Lester Pace in this case), home directory, and default login shell. Group Account Investigation • Groupaccounts use the groupID shown in the /etc/passwd file as well as the /etc/groups file. A typical /etc/group file looks like this: $ cat /etc/group root::0:root,ashunn bin::2:root,bin,daemon sys::3:root,bin,sys,adm adm::4:root,adm,daemon uucp::5:root,uucp
  • 20. IDENTIFYING ROGUE PROCESSES • Identifying rogue processes is much easier when examining a live system. • During the initial investigation, you should have recorded all listening ports and running processes. What Can Happen • During your initial investigation, you dutifully record listening ports and running processes. Upon further examination, you notice an anomaly with FTP: [root@victim]# netstat –anp tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 519/inetd tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 519/ftpd • Both telnet and FTP should be run from inetd, yet a separate FTP daemon appears to be running. Where to Look for Evidence • You examine /etc/inetd.conf and find that the FTP service has been disabled (by placing the # as the first character): [root@victim]# grep ftpd /etc/inetd.conf #ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l –a
  • 21. CHECKING FOR UNAUTHORIZED ACCESS POINTS • Unix is a fully functional, robust operating system. Over the course of its long history, Unix has continually added functionality, and network services are no exception. • A default installation of Unix offers a dazzling array of network services, including the Network File System (NFS), telnet, finger, rlogin, and many others. • Some of the most common access points that we have seen intruders take advantage of include X Servers, FTP, telnet, TFTP, DNS, sendmail, finger, SNMP, IMAP, POP, HTTP, and HTTPS. • Network services could be vulnerable, allowing intruders access to your system, or network services could already be trojaned by a successful intruder. ANALYZING TRUST RELATIONSHIPS • Trust relationships within Unix systems were once a primary mechanism of attack. • Trust can be established between Unix systems with a variety of services, the most popular of which include rlogin, rsh, the Network Information Service (NIS and NIS+), NFS, and ssh. • Trust relationships can be convenient time-savers for system administrators and users. • If machine A trusts machine B, then the user on machine B can access machine A with no additional credentials. • If you are a system administrator with dozens of systems to maintain, using this feature can be very enticing. • Trust relationships are usually configured through files such as /etc/hosts.equiv or any .rhosts file in a user’s home directory. Trust relationships can be established with ssh through shared keys and through NFS shares.
  • 22. DETECTING TROJAN LOADABLE KERNEL MODULES • Loadable kernel modules (LKMs), or kernel extensions, are found on the various flavors of Linux, BSD, and Solaris. • They extend the capabilities of the base operating system kernel, typically to provide additional support within the operating system for device and file system drivers. • LKMs can be dynamically loaded by a user with root-level access and they run at the kernel level instead of at a normal user-process level. LKMs on Live Systems • Detecting trojan LKMs on a live system can be complicated because these tools actually intercept system calls (such as ps or directory listing) to provide false information. • They are specifically designed to prevent detection with traditional response methods. • An example would be an external port scan compared to a port scan performed directly on the local suspect system. • Malicious LKMs are specifically designed to intercept system calls and provide false information. • This is a key difference between rootkits and LKMs. • When a traditional rootkit is installed, commands such as ps and netstat are modified or replaced.
  • 23. LKM Elements • In some cases, the intruder uploads and compiles the source, and successfully installs the LKM; however, she forgets to delete the actual LKM source files! • When this happens, you may not only discover the presence of the LKM, you may also find additional configuration information. Here is an excerpt from a discovered Adore make file: CFLAGS+=DELITE_CMD=102993 CFLAGS+=DELITE_UID=30 CFLAGS+=DCURRNT_ADORE=42 CFLAGS+=DADORE_KEY=”batman” • The make file not only contains the Elite command, Elite UID, and Adore version number (4.2), but it also has the Adore key. The DADORE_KEY value contains batman, the intruder’s password! • If the intruder didn’t rename or hide the files, the following command would find the startadore script, one of several associated files, if it existed on the root file system. [root@curtis ]# find / -name startadore –print /tmp/…/startadore