Computing forensics: a live analysis - Linux Australia


Outline: Basics / Live Analysis / Dead Analysis (brief)

Computing forensics: a live analysis

Craig Pearce

April 18th, 2005

Craig Pearce Computing forensics: a live analysis


Outline

1 Basics

2 Live Analysis

3 Dead Analysis (brief)


Objectives

Evidence acquisition

Recovery and examination of suspect digital evidence (think Warrick Brown on CSI)

Hardware: servers, workstations, laptops, PDAs, mobiles, cameras, pagers

Software: databases, e-mail, Internet cookies, bookmarks, deleted files, unallocated space

Considerations

Integrity: must be able to prove data has not been changed to be admissible in court

Chain of custody: record who held each item of evidence, when, and what was done to it, from seizure through to court

Legal and social responsibilities: Privacy Act (2001), user agreements


Things that can get in the way

Encryption: partitions, files, email, instant-messaging communication

Anonymity: overlay networks, such as Tor

Volatility: memory-resident contents are lost when the machine is rebooted

Unsupported filesystems: many tools yet to support ReiserFS


Live analysis: Scenario

An attack has taken place. You, the investigator, have just arrived on the scene. It is expected that the attacker uses encrypted disk volumes. In any case, the machine contains memory-resident information that will be lost after a power cycle.

Reasoning:

Integrity: changes to the suspect host MAY contaminate evidence and WILL NOT be admissible

Volatility: critical data will be lost (or inaccessible)

May not afford disruption to service

May not litigate but gather info for defence


Forensics 101: Secure the scene

1 Photograph computer screen

2 Record current system time and note this against an accurate time source

3 Begin data acquisition in order of volatility (OOV):

  1 Physical memory, open files, open network connections, swap space

  2 Encrypted file systems where you do not have the key to unlock them

  3 Temporary file systems (/tmp, /proc)

4 Record current system time (why twice? the two readings bound the acquisition window and expose any clock drift on the suspect host)

5 Message digests of gathered evidence

Now let's look at doing this with Helix!


Helix: Open-Source Forensic Toolkit

Knoppix-based bootable CD-ROM. Features:

NX server for fast remote session management

Can be loaded entirely into RAM (resources permitting) for improved seek times

UnionFS (or Klik) for customisations

Live dumps of Linux/Windows suspected hosts

Tools:

Sleuthkit, Autopsy

PyFLAG, macrobber

md5deep, Ethereal and MUCH more

URL: http://www.e-fense.com/helix


Set up the scene for data acquisition

Suspect host (Linux or Windows):

1 Load Helix CD-ROM into drive

2 Ensure that your tools do NOT modify the disk!

3 Use IP addresses instead of hostnames (why? name resolution on a compromised host cannot be trusted, and every lookup adds network traffic and touches files such as /etc/hosts)

4 Use trusted CD-ROM binaries only

5 Send acquired data over an encrypted network channel

Investigator:

1 Boot machine with Helix, loading it into RAM-disk for faster seek times

2 Start electronic (Unix 'script') and paper-based documentation


Live analysis (1)

Initialise client (suspect host):

  export safe="/mnt/cdrom"
  export nc="/mnt/cdrom/nc -w 3 192.168.1.253 65534"
  $safe/bash                # trusted shell
  export PATH=$safe         # clear path

Initialise server (investigator host, restarted for each command):

  nc -l -p 65534 >> forensics.data.txt

Files and network connections:

  1 $safe/lsof -nDr | $nc           # open files (-n: no name lookups; -Dr: device cache read-only, never written)
  2 $safe/netstat -nap | $nc        # network connections
  3 $safe/netstat -nr | $nc         # routes
  4 $safe/ils -o /dev/hdaN | $nc    # deleted but still open files


Live analysis (2)

Processes:

  1 $safe/ps -leaf | $nc        # solaris: suspect processes
  2 $safe/ps -auxl | $nc        # linux: suspect processes
  3 $safe/pcat <PID> | $nc      # save PID memory space

Users:

  1 $safe/who -iHl | $nc        # active users
  2 $safe/tar cf - /proc | $nc  # system info


Live analysis (3)

Swap space (already have /proc/kcore):

  1 $safe/dd if=/dev/SWAPdev bs=2k | $nc    # swap space

Encrypted volumes (while still mounted and unlocked):

  1 $safe/dd if=/dev/hdaN bs=2k | $nc       # exact copy

Temporary partition:

  1 $safe/dd if=/dev/TMPdev bs=2k | $nc     # temp partition

File access times (caveat: listing a directory updates that directory's atime unless the filesystem is mounted noatime, so do this only after the volatile data is safe; and ls has no creation time to show on these filesystems):

  1 $safe/ls -alRu / | $nc    # access times (atime)
  2 $safe/ls -alRc / | $nc    # inode change times (ctime), not modification times
  3 $safe/ls -alR / | $nc     # modification times (mtime), not creation times
  4 Why not message digest checksums too?


Automated Live Analysis

Helix provides a script (linux-ir.sh) that:

pretty much runs the above commands

tools output to STDOUT, allowing easy pipe to netcat server

customisable to specific requirements by script editing

Usage:

1 Insert Helix into CD-ROM of live system

2 /bin/mount /mnt/cdrom (necessarily the host's own mount binary: the CD cannot be mounted from itself, so this is the one unavoidable exception to "trusted binaries only")

3 /mnt/cdrom/Static-Binaries/linux-ir.sh | $nc

A few of Helix's statically built binaries are seg-faulting, so a video demonstration of this will have to wait for another day ...


Improvements

Rename trusted commands:

eg rename /mnt/cdrom/pcat to /mnt/cdrom/t-pcat

prevents running a suspected host binary that may be trojaned

preserves MAC times on suspected host files

Use Cryptcat in place of Netcat, or pipe through 'des':

  des -e -c -k pword | nc                    # suspect host
  nc | des -d -c -k pword | dd of=out.txt    # server

GPG gives stronger symmetric key ciphers at a cost of speed and space (single DES, with its 56-bit key, should be treated as obfuscation rather than protection against a capable adversary)
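The whole procedure above (record the time, acquire in order of volatility from trusted binaries only, ship each stream to a netcat receiver, record the time again, digest what was gathered), pulled together as an added example. This is not code from the slides, from Helix, or from linux-ir.sh; it is a small POSIX shell script that assumes a hypothetical trusted-tool directory $SAFE, a receiver reachable as $NC_HOST:$NC_PORT, an evidence directory $EVID on the investigator's workstation, and a digest tool $DIGEST. The one thing it adds to the slide's one-liners is a refusal path: a tool that is not on the trusted CD is logged and skipped rather than silently taken from the suspect host's PATH.

```shell
#!/bin/sh
# Added example, not part of the slides or of Helix: a minimal order-of-volatility
# collector around the netcat workflow. Every tool is run from the trusted
# directory $SAFE (nothing falls back to the suspect host's PATH), each stream is
# bracketed by start/end times from the trusted date binary, nothing is written
# to the suspect host, and the receiving side seals all streams with digests.
# $SAFE, $EVID, $NC_HOST, $NC_PORT, $DIGEST and the stream labels are hypothetical.

SAFE="${SAFE:-/mnt/cdrom}"      # trusted static binaries (the Helix CD-ROM)
NC_HOST="${NC_HOST:-}"          # receiver IP address, never a hostname; empty = local mode
NC_PORT="${NC_PORT:-65534}"
EVID="${EVID:-./evidence}"      # receiver side only: where streams are stored
DIGEST="${DIGEST:-sha256sum}"   # receiver side only

log() { printf '%s\n' "$*" >&2; }   # stderr is what the investigator's 'script' session records

trusted() {   # trusted TOOL: succeed only if TOOL exists in $SAFE
    [ -x "$SAFE/$1" ] && return 0
    log "REFUSED: $SAFE/$1 not present; not falling back to the host binary"
    return 1
}

ts() { "$SAFE/date" -u +%Y-%m-%dT%H:%M:%SZ; }   # UTC time from a trusted binary

ship() {   # ship LABEL: stdin -> receiver. Local mode only exercises the script offline; never use it on a suspect host.
    if [ -n "$NC_HOST" ]; then
        "$SAFE/nc" -w 3 "$NC_HOST" "$NC_PORT"
    else
        cat > "$EVID/$1"
    fi
}

acquire() {   # acquire LABEL TOOL [ARGS...]: run $SAFE/TOOL, ship its output, log the time window
    label=$1; tool=$2; shift 2
    trusted date && trusted "$tool" || return 1
    [ -z "$NC_HOST" ] || trusted nc || return 1
    log "BEGIN $label $(ts) $tool $*"
    "$SAFE/$tool" "$@" | ship "$label"
    log "END   $label $(ts)"
}

collect_all() {   # the slides' command list, most volatile first; a refused tool is logged and skipped
    acquire lsof.txt    lsof -nDr
    acquire netstat.txt netstat -nap
    acquire routes.txt  netstat -nr
    acquire ps.txt      ps -auxl
    acquire who.txt     who -iHl
    acquire proc.tar    tar cf - /proc
    # acquire swap.dd   dd if=/dev/SWAPdev bs=2k     # fill in the real swap device first
}

# Receiver side (investigator's workstation): one listener per stream, as the
# slides note, then a digest manifest that can be re-checked at any later time.
receive() { nc -l -p "$NC_PORT" > "$EVID/$1"; }   # receive LABEL
seal()    { ( cd "$EVID" && for f in *; do [ "$f" = MANIFEST.sha256 ] || "$DIGEST" "$f"; done > MANIFEST.sha256 ); }
verify()  { ( cd "$EVID" && "$DIGEST" -c MANIFEST.sha256 > /dev/null ); }

case "${1:-}" in
    run)     collect_all ;;       # on the suspect host, from the trusted shell
    receive) receive "$2" ;;      # on the workstation, before each acquire
    seal)    seal ;;
    verify)  verify ;;
esac
```

Run it as `sh collector.sh receive lsof.txt` on the workstation and `sh collector.sh run` from the trusted shell on the suspect host, then `seal` once and `verify` whenever the evidence is handed over. To take the slide's encryption advice, point NC_TOOL-style substitution at cryptcat in `ship`; the rest of the script does not change.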


Other issues

Requires the suspected host to have a working NIC

Server must start an NC receiver for each client NC send request

Large volumes are slow to copy bit-for-bit over an encrypted network

More time spent in live analysis increases the risk of modification to physical storage!

Attackers using LKM rootkits (a kernel-resident rootkit can lie to trusted static binaries too, since they still depend on the host kernel's system calls)

Privacy: depends on the user's 'expectation of privacy'

Privacy: to comply with some legal jurisdictions or personal liberties within multi-user systems, restrict collection to the user under investigation:

  $safe/w <user> instead of $safe/w
  $safe/ps -u <user> instead of $safe/ps -aux


Secure the evidence

1 Document and label evidence

2 Transport the evidence

3 Shut down the computers

  Unix (if root): sync; sync; halt

  (else) pull out the power cable

  Windows: pull out the power cable

4 Begin data analysis of volatile data (already acquired)

5 Begin data acquisition and analysis of non-volatile data (physical disk etc)


Chain of Custody


Dead Analysis

Now it is time for in-depth "after-the-fact" analysis within a laboratory. Don't forget to document the chain of custody for potential evidence!


Helix setup

Server-side

1 Boot up Helix, load contents into RAM (faster seek times)

2 Change passwords for root, helix (default password is blank!)

3 Start FreeNX-server:

  nxsetup-knoppix

4 Optionally load additional software with UnionFS or

  wget klik.atekon.de/client/install -O - | sh

  (this runs an unauthenticated download straight through sh on the analysis workstation; fetch it to a file and read it before running it)

Client-side

Start NX-client (Unix, Mac, Windows clients available)

Set desktop session type to

  /usr/bin/startxfce4

to preserve server resources

Begin dead-analysis via your remote desktop


Acquisition: What is wrong here?

Image cloning:

1 Master boot record

  dd if=/dev/hdN of=partition.hdN.mbr count=1 bs=512

2 Partition table

  sfdisk -d /dev/hdN > partition.hdN.pt

3 Partition x of disk N

  partimage -d -b -z1 -o -V700 save /dev/hdNx vol.hdNx.gz

Restoration:

1 dd if=partition.hdN.mbr of=/dev/hdN

2 sfdisk /dev/hdN < partition.hdN.pt

3 partimage -e restore /dev/hdNx vol.hdNx.gz.000

What is wrong: partimage is a filesystem-aware backup tool that saves only allocated blocks, so unallocated space and slack space (where deleted files live) never reach the image, and restoring with -e explicitly zeroes the free blocks. Nothing here produces a message digest of the source device, either. A forensic image is a bit-for-bit copy of the whole device, hashed at acquisition and re-hashed before it is relied upon.
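The bit-for-bit alternative to the partimage sequence above, as an added example that is not from the slides: dd over the whole device with conv=noerror,sync so an unreadable sector is zero-filled rather than aborting the copy, the MBR saved separately as the slide does, dd's record and error counts kept as part of the record, and the source and image hashed independently so a mismatch is caught at acquisition time. The function names, the BS variable and the file naming are hypothetical; DEV may be a block device or, for a dry run, an ordinary file.

```shell
#!/bin/sh
# Added example, not from the slides: forensic (bit-for-bit) acquisition with dd,
# hashed at acquisition. Names are hypothetical; DEV may be a block device or a file.

BS="${BS:-512}"   # sector-sized blocks: with conv=sync a bad block pads only 512 bytes, not a whole 1 MiB chunk

# image_device DEV OUT: copy every sector of DEV to OUT, keep dd's counts and errors in
# OUT.dd.log, hash source and image independently, return non-zero if they differ.
image_device() {
    dev=$1; out=$2
    # sector 0 on its own, as in the slides' MBR step
    dd if="$dev" of="$out.mbr" bs=512 count=1 2>/dev/null || return 1
    # whole device: noerror keeps going past unreadable blocks, sync zero-pads them
    dd if="$dev" of="$out" bs="$BS" conv=noerror,sync 2>"$out.dd.log" || return 1
    # digest of the image, in sha256sum -c format, so it can be re-checked later
    sha256sum "$out" > "$out.sha256"
    # independent digest of the source; a device whose size is not a multiple of
    # $BS (or that had read errors) will not match and the caller must look at the log
    src=$(sha256sum < "$dev" | cut -d' ' -f1)
    img=$(cut -d' ' -f1 < "$out.sha256")
    printf '%s  %s\n' "$src" "$dev" > "$out.source.sha256"
    [ "$src" = "$img" ]
}

# verify_image OUT: recompute the image digest against the manifest written at acquisition
verify_image() { sha256sum -c --status "$1.sha256"; }

case "${1:-}" in
    image)  image_device "$2" "$3" ;;   # e.g. image /dev/hdN /mnt/evidence/hdN.dd
    verify) verify_image "$2" ;;
esac
```

Restoring such an image for analysis is the reverse dd (or, better, mounting it read-only through a loop device), and the image plus its .sha256 and .dd.log files travel together under the chain of custody.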


Dead analysis

Some popular tools

Autopsy: graphical front-end to sleuthkit

Sleuthkit: update to The Coroner’s Toolkit (TCT)

PyFLAG: log file analysis for forensics investigations

plenty more...

Techniques

Recover deleted files from unallocated space, slack space, ...

Search for hidden data (steganalysis)

plenty more...


Conclusion

Briefly discussed:

what Helix is, how it can be used

how to perform a live analysis while maintaining integrity of data

KEY POINT: Ensure forensics tools DO NOT write to the suspected host's hard disk

Further information

Know Your Enemy (2nd Ed). The Honeynet Project, 2004

Incident Response and Computer Forensics. McGraw-Hill, 2003. (Chapter 6)

Questions?
