The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of Loadable Kernel Modules and Malware. The companion DVD provides a simulated or live UNIX environment where readers can test the skills they've learned in the book and use custom tools developed by the authors.
Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else. Not only are the tools provided, but the author also provides sample files so that after completing a detailed walk-through, the reader can immediately practice the new-found skills.
* The companion DVD for the book contains significant, unique materials (movies, spreadsheet, code, etc.) not available any place else.
* This book contains information about UNIX forensic analysis that is not available anywhere else. Much of the information is a result of the author's own unique research and work.
* The authors have the combined experience of Law Enforcement, Military, and Corporate forensics. This unique perspective makes this book attractive to ALL forensic investigators.
This book addresses topics in the area of forensic analysis of systems running on variants of the UNIX operating system, which is the choice of hackers for their attack platforms. According to a 2007 IDC report, UNIX servers account for the second-largest segment of spending (behind Windows) in the worldwide server market with $4.2 billion in 2Q07, representing 31.7% of corporate server spending. UNIX systems have not been analyzed to any significant depth largely due to a lack of understanding on the part of the investigator, an understanding and knowledge base that has been achieved by the attacker. The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of loadable kernel Modules and malware. Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else. This book contains information about UNIX forensic analysis that is not available anywhere else. Much of the information is a result of the author's own unique research and work. The authors have the combined experience of law enforcement, military, and corporate forensics. This unique perspective makes this book attractive to all forensic investigators.
Front Cover 1
Unix and Linux Forensic Analysis DVD Toolkit 2
Copyright Page 3
Co-Authors 4
Appendix Contributor 7
Contents 8
Chapter 1: Introduction 12
History 13
Target Audience 14
What is Covered 14
What is Not Covered 17
Chapter 2: Understanding Unix 20
Introduction 21
Unix, UNIX, Linux, and *nix 21
Linux Distributions 23
Get a Linux! 23
Booting Ubuntu Linux from the LiveCD 26
The Shell 29
All Hail the Shell 31
Essential Commands 31
Highlights of The Linux Security Model 36
The *nix File system Structure 40
Mount points: What the Heck are They? 42
File Systems 45
Ext2/Ext3 46
Summary 48
Chapter 3: Live Response: Data Collection 50
Introduction 51
Prepare the Target Media 52
Mount the Drive 52
Format the Drive 53
Format the Disk with the ext File System 53
Gather Volatile Information 54
Prepare a Case Logbook 54
Acquiring the Image 66
Preparation and Planning 66
DD 67
Bootable *nix ISOs 71
Helix 71
Knoppix 72
BackTrack 2 73
Insert 74
EnCase LinEn 74
FTK Imager 76
ProDiscover 79
Summary 81
Chapter 4: Initial Triage and Live Response: Data Analysis 82
Introduction 83
Initial Triage 83
Log Analysis 85
zgrep 87
Tail 87
More 87
Less 88
Keyword Searches 88
strings /proc/kcore –t d > /tmp/kcore_outfile
File and Directory Names 90
IP Addresses and Domain Names 91
Tool Keywords 91
Tricks of the Trade 93
User Activity 97
Shell History 97
Logged on Users 98
Network Connections 100
Running Processes 103
Open File Handlers 106
Summary 109
Chapter 5: The Hacking Top 10 110
Introduction 111
The Hacking Top Ten 115
Netcat 116
Reconnaissance Tools 117
Nmap 117
Nessus 121
Try it Out 122
Plug-ins 124
Ports 125
Target 125
Nikto 127
Wireshark 129
Canvas/Core Impact 131
The Metasploit Framework 132
Paros 145
hping2 - Active Network Smashing Tool 149
Ettercap 155
Summary 163
Chapter 6: The /Proc File System 164
Introduction 165
cmdline 166
cpuinfo 166
diskstats 167
driver/rtc 167
filesystems 167
kallsyms (ksyms) 168
kcore 168
modules 169
mounts 169
partitions 170
sys/ 170
uptime 170
version 170
Process IDs 170
cmdline 171
cwd 172
environ 172
exe 172
fd 172
loginuid 173
Putting It All Together 173
sysfs 177
modules 177
block 177
Chapter 7: File Analysis 180
The Linux Boot Process 181
init and runlevels 182
System and Security Configuration Files 184
Users, Groups, and Privileges 184
Cron Jobs 187
Log Files 187
Who 188
Where and What 188
Identifying Other Files of Interest 189
SUID and SGID Root Files 189
Recently Modified/Accessed/Created Files 190
Modified System Files 191
Out-of-Place inodes 191
Hidden Files and Hiding Places 192
Chapter 8: Malware 194
Introduction 195
Viruses 196
Storms on the Horizon 199
Do it Yourself with Panda and Clam 201
Download ClamAV 201
Install ClamAV 201
Updating Virus Database with Freshclam 202
Scanning the Target Directory 203
Download Panda Antivirus 204
Install Panda Antivirus 204
Scanning the Target Directory 204
Web References 205
Appendix A: Implementing Cybercrime Detection Techniques on Windows and *nix by Michael Cross 206
Introduction 207
Security Auditing and Log Files 208
Auditing for Windows Platforms 210
Auditing for UNIX and Linux Platforms 217
Firewall Logs, Reports, Alarms, and Alerts 219
Commercial Intrusion Detection Systems 222
Characterizing Intrusion Detection Systems 223
Commercial IDS Players 228
IP Spoofing and Other Antidetection Tactics 229
Honeypots, Honeynets, and Other “Cyberstings” 231
Summary 234
Frequently Asked Questions 237
Index 240
Chapter 1. Introduction
Solutions in this chapter:
- History
- Target Audience
- What is Covered
- What is Not Covered
History
In 2007, I completed my Master's Degree in Information Security from Capella University. As an Incident Response Analyst by trade, I figured that writing my thesis on UNIX forensic analysis would be a good topic, relevant both to my job duties and my course work. With Harlan Carvey being a colleague of mine, you would think I would just write something on Windows forensics and ask him for help. However, this was my thesis, and I wanted to do something that would challenge me, so I chose to write my paper on UNIX forensic analysis.
After about a day of research, I found that my original scope would have to be narrowed drastically. This was due both to the vastness of the sheer concept of UNIX forensics, and to the fact that there were no books on it (at least that I could find) anywhere. I did find some really good articles and white papers by Barry Grundy,[1] Mariuz Burdach,[2] and Holt Sorenson,[3] but nothing in the form of a book. I also found that there were some chapters in books like “Incident Response: Investigating Computer Crime” by Mandia and Prosise, “Hacking Exposed: Computer Forensics” by Davis, Philipp, and Cowen, and “Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet,” by Casey, but nothing wholly dedicated to UNIX.
2http://www.securityfocus.com/infocus/1769
3http://www.securityfocus.com/infocus/1679
At the time I wrote my thesis, I had no idea how many UNIX variants existed. I know that personally I have worked with, Solaris, AIX, HP-UX, BSD, Tru64, and several versions of Linux including Ubuntu, Fedora Core, Red Hat, Gentoo, SUSE, and Knoppix. Now, writing a book that would include all of these variants and all of the possible architecture and command structure differences is simply not feasible, so I picked one, and stuck with it. This book specifically covers the Linux 2.6.22-14 kernel, and all of our examples are either made using Ubuntu 7.10 Gutsy Gibbon, or Fedora Core 8. However, if you have been around UNIX in any form for any length of time, you can either use the exact command structure we use in this book, or make some slight variations.
At the completion of my thesis, I thought long and hard about the knowledge gap that existed in the world of UNIX forensics. Sure you can read white papers, or get on the CFID or HTCIA mailing lists, or the SMART forum, which are very informative, but don't have all of the information you need in one place. Also, if you are a total n00b, you might feel foolish having to ask questions like, “How do I use dd?” and “How do I see my external hard drive in UNIX?”
So I decided that a book specifically geared toward Linux forensics was needed. I started by gathering information from colleagues such as Harlan, Cory Altheide, Todd Haverkos, Sam Elder, Barry Grundy, Mariuz Burdach, Andy Rosen, and Rick Van Luvender about what this book should look like. I got some great feedback from these trusted colleagues and friends and began to write my outline. Cory and Todd liked the idea so much that they decided to jump on board and contribute, for which I am extremely grateful. Without them, I would have never completed the manuscript on time, and my book would not have been as strong.
Target Audience
Due to the vast proliferation of Windows, about 80 percent of the incidents I encounter as a full time Incident Response Analyst are strictly Windows-based. In talking to Harlan, Cory, and several other colleagues in the law enforcement community, those numbers are pretty consistent across the board. The bottom line is that only about 20 percent of the cases that come across our desks involve some variant of UNIX. These numbers are estimates only, and I have no real empirical data to back them up. Depending on where you work and what you do, these numbers may vary, but in talking to forensic investigators in both the corporate and law enforcement communities, they are generally accurate.
Given the fact that you are reading this book, it's probably safe to assume that you have come across one of the 20 percent of *nix cases. You probably also have little or no experience working with Linux as either a host operating system or as part of a forensic investigation. Don't panic, this book is for you!
I realize that you may not meet either of these criteria, in that you have not had a *nix case as of yet and are reading the book to prepare yourself for the inevitable, or you are familiar with the different flavors of UNIX, have worked several cases, and are looking for some new knowledge to make you a better investigator. If this is the case, this book has some great information for you and you may want to go directly to Chapter 5, “Hacking Top 10” and Chapter 6 “/proc.”
What is Covered
If you know anything about Linux you know that there are a lot of commands that accomplish the same task. To borrow the motto of Perl, a very popular scripting language with a long *nix history: “There's more than one way to do it.” It is possible that no two people will do the same thing the same way, yet get the same results. In our book, we have used what we feel is the quickest and easiest way to accomplish the task at hand. We understand that you may find a way that works better for you, and if that is the case, go with it, and please let us know so we can incorporate it in a later revision of this book.
In Chapter 2 of this book, you will learn about the most common file systems used with Linux, how the disk architecture is configured, and how the operating system interacts with the kernel (at a high level). This includes:
- Linux distributions
- Booting a Linux system
- The shell
- Disks and devices in Linux
- File system organization and paths
- File system formats
- Logs
- Daemons
In Chapter 3 of this book, you will learn how to acquire both the volatile and persistent data from a Linux system, using a Linux forensic system. This includes:
- Connecting to the target machine
- Locating the external hard drive to which you will transfer the image
- Mounting the external hard drive to which you will transfer the image
- Gathering volatile information
- Creating a forensic image with the “dd” command
- Verifying your information using Message Digest 5 (MD5)
- Maintaining your data in a forensically sound manner
In Chapter 4 of this book, you will learn how to analyze the data you have just acquired. This includes the analysis of:
- Who is logged onto the system
- Which processes are running
- Which ports are open, and where they are communicating to or receiving communication from
- Open file handlers
- Open Transmission Control Protocol (TCP) hooks
- Keyword searches
In Chapter 5 of this book, you will learn about the Top 10 most commonly used tools in Linux hacking, either as the launch point or the target. You will also learn what these tools look like when they are installed, how they are used, and what kind of artifacts they may leave behind. The Hacking Top 10 are:
- nmap
- nessus
- netcat
- nikto
- Kismet
- wireshark
- metasploit
- paros
- hping2
- ettercap
In Chapter 6 of this book, you will learn about the /proc filesystem and what important data you have to collect from it before powering a system down. This includes:
- Disk and partition information
- Kernel symbols
- A copy of physical memory
- All kernel modules
- A plethora of information on running processes
In Chapter 7 of this book, you will learn about the various file types that should be analyzed and how to analyze them. These files include:
- System and security configuration files
- Init and Run Control scripts
- Cron jobs
- Hidden files and hiding places
- Identifying other files of investigative interest
In Chapter 8 of this book, you will learn about malware as it exists in Linux machines,...
| Erscheint lt. Verlag | 24.7.2008 |
|---|---|
| Sprache | englisch |
| Themenwelt | Informatik ► Betriebssysteme / Server ► Unix / Linux |
| Informatik ► Netzwerke ► Sicherheit / Firewall | |
| Informatik ► Theorie / Studium ► Kryptologie | |
| ISBN-10 | 0-08-087912-8 / 0080879128 |
| ISBN-13 | 978-0-08-087912-3 / 9780080879123 |
| Haben Sie eine Frage zum Produkt? |
PDF (Adobe DRM)Größe: 5,6 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
EPUB (Adobe DRM)Größe: 2,3 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
aus dem Bereich
