Lecture 17: UNIX Forensics
Transcript of Lecture 17: UNIX Forensics
Lecture 17: UNIX Forensics
6/30/2003
CSCE 590
Summer 2003
Shutdown Command
• BSD-ish shutdown
– shutdown -r now
– shutdown -h 16:30
– shutdown -r +5 "Please save your files"
• System V
– shutdown -i6 -g0 -y "Please save your files" (reboot)
– shutdown -i0 -g 60 -y (halt in one minute)
• reboot
• halt
NFS
• Network File System
• Allows you to mount disk space from a remote machine
• NFS server:
– /etc/exports
– exportfs
• NFS client:
– /etc/fstab
– mount
– /etc/mtab - mounted filesystems table
– /etc/rmtab - remote mounted filesystems table
hosts File
• /etc/hosts
• Can be used as a supplement to DNS
• Mappings of IP addresses to names that may not be in DNS
• May indicate other machines that were targeted if the intruder found the hosts file
– 127.0.0.1 localhost.localdomain localhost
– 129.252.131.42 forensicrig.cse.sc.edu forensicrig
resolv.conf
• /etc/resolv.conf
• List of domains to search for machine names in
• List of DNS servers to use to resolve names
– search cse.sc.edu
– nameserver 129.252.131.9
– nameserver 129.252.21.12
– nameserver 129.252.21.13
Mail aliases File
• /etc/aliases
• /etc/mail/aliases
• Lists of email addresses that are redirected to another email address
– postmaster: root,wright
– abuse: postmaster
– trouble: postmaster
– security: wright,ronni,ken
– codered: ronni,wright,ken,[email protected], [email protected],[email protected], [email protected], [email protected]
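Aliases chain (abuse goes to postmaster, which goes to root and wright), so the question an examiner asks of this file is where mail for a name finally ends up, and which of those endpoints are off the machine. The following is an added example, not code from the lecture; it parses the aliases format (including sendmail-style continuation lines) and expands each alias to its final recipients. The alias text is a constructed sample modelled on the slide's entries, and the example.org addresses are placeholders.

```python
"""Resolve sendmail-style /etc/aliases entries to their final recipients.

Added example, not part of the lecture. SAMPLE_ALIASES is a constructed
sample modelled on the slide's entries; the example.org addresses are
placeholders.
"""
from typing import Dict, List, Optional, Set

SAMPLE_ALIASES = """\
# comment lines are ignored
postmaster: root,wright
abuse: postmaster
trouble: postmaster
security: wright,ronni,ken
codered: ronni,wright,ken,oncall@example.org,
    helpdesk@example.org, noc@example.org
"""


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse 'name: target1,target2' lines into a dict of alias -> targets.

    A line that starts with whitespace continues the previous alias (as
    sendmail allows); blank lines and '#' comments are skipped.
    """
    aliases: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError(f"continuation line without an alias: {raw!r}")
            body = raw
        else:
            name, sep, body = raw.partition(":")
            if not sep:
                raise ValueError(f"malformed alias line: {raw!r}")
            current = name.strip().lower()
            aliases.setdefault(current, [])
        aliases[current].extend(t.strip() for t in body.split(",") if t.strip())
    return aliases


def resolve(aliases: Dict[str, List[str]], name: str,
            _seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand an alias to its final recipients, following alias-to-alias chains.

    A name that is not itself an alias (a local user or an external address)
    is a final recipient. Names already visited are skipped, so a cycle such
    as a -> b -> a terminates instead of recursing forever.
    """
    seen = _seen if _seen is not None else set()
    name = name.lower()
    if name in seen:
        return set()
    seen.add(name)
    if name not in aliases:
        return {name}
    result: Set[str] = set()
    for target in aliases[name]:
        result |= resolve(aliases, target, seen)
    return result


def external_recipients(aliases: Dict[str, List[str]]) -> Set[str]:
    """Collect every final recipient that is not local, i.e. contains an '@'."""
    out: Set[str] = set()
    for name in aliases:
        out |= {r for r in resolve(aliases, name) if "@" in r}
    return out


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for alias in table:
        print(f"{alias}: {sorted(resolve(table, alias))}")
    print("off-host recipients:", sorted(external_recipients(table)))
```

The external list is the interesting output for an investigation: any address there receives copies of mail addressed to the local aliases, so an added entry is one way mail for root or security leaves the host without touching a mailbox on it.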
RC Files
• Configuration files that are run when a user logs in or a shell is started
• Can contain commands, set environment variables
– .login
– .profile
– .bashrc
– .cshrc
– .tcshrc
– /etc/bashrc
– /etc/csh.cshrc
– /etc/csh.login
Cron files
• Example:
10 3 * * 0,4 /etc/cron.d/logchecker
58 23 * * * /usr/lib/newsyslog
0 5 * * * /usr/lib/newweblog
3 0 * * 1 /usr/lib/newsyslog.weekly
# Run Statistics Collection
*/5 * * * * /data/nmis/bin/nmis.pl
• Fields and allowed values
– minute 0-59
– hour 0-23
– day of month 1-31
– month 1-12 (or names)
– day of week 0-7 (0 or 7 is Sun, or names)
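Reading a crontab by hand means expanding each of the five fields against the ranges above and remembering cron's rule for the two day fields. The following is an added example, not code from the lecture: it parses the slide's table (copied into SAMPLE_CRONTAB), expands lists, ranges, steps and month/day names, rejects values outside the allowed ranges, and answers whether an entry fires at a given time. The matching rule for the day fields (both restricted: either may match; one of them '*': both must match) follows the Vixie cron behaviour and is the example's own assumption.

```python
"""Parse and validate crontab entries and test when they fire.

Added example, not part of the lecture. SAMPLE_CRONTAB is a constructed
copy of the slide's example table.
"""
from datetime import datetime
from typing import Dict, List, Optional, Set, Union

SAMPLE_CRONTAB = """\
10 3 * * 0,4 /etc/cron.d/logchecker
58 23 * * * /usr/lib/newsyslog
0 5 * * * /usr/lib/newweblog
3 0 * * 1 /usr/lib/newsyslog.weekly
# Run Statistics Collection
*/5 * * * * /data/nmis/bin/nmis.pl
"""

MONTH_NAMES = {n: i for i, n in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
DAY_NAMES = {n: i for i, n in enumerate("sun mon tue wed thu fri sat".split())}

# Field order and allowed ranges, exactly as the slide lists them.
FIELDS = [
    ("minute", 0, 59, None),
    ("hour", 0, 23, None),
    ("day_of_month", 1, 31, None),
    ("month", 1, 12, MONTH_NAMES),
    ("day_of_week", 0, 7, DAY_NAMES),
]


def _atom(tok: str, low: int, high: int, names: Optional[Dict[str, int]]) -> int:
    """Convert one number or name (jan, mon, ...) to an int within [low, high]."""
    if names and tok.lower() in names:
        return names[tok.lower()]
    value = int(tok)  # raises ValueError on junk such as 'x'
    if not low <= value <= high:
        raise ValueError(f"{value} is outside the allowed range {low}-{high}")
    return value


def expand_field(spec: str, low: int, high: int,
                 names: Optional[Dict[str, int]] = None) -> Set[int]:
    """Expand '*', lists (1,15), ranges (mon-fri) and steps (*/5) into a set."""
    values: Set[int] = set()
    for part in spec.split(","):
        rng, _, step_s = part.partition("/")
        step = int(step_s) if step_s else 1
        if step < 1:
            raise ValueError(f"bad step in {part!r}")
        if rng == "*":
            lo, hi = low, high
        elif "-" in rng:
            a, b = rng.split("-", 1)
            lo, hi = _atom(a, low, high, names), _atom(b, low, high, names)
        else:
            lo = hi = _atom(rng, low, high, names)
        if lo > hi:
            raise ValueError(f"reversed range in {part!r}")
        values.update(range(lo, hi + 1, step))
    if names is DAY_NAMES and 7 in values:  # 0 and 7 both mean Sunday
        values.discard(7)
        values.add(0)
    return values


def parse_crontab(text: str) -> List[Dict]:
    """Parse a crontab into one dict per schedule line; comments are skipped."""
    entries: List[Dict] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            raise ValueError(f"line {lineno}: expected 5 fields and a command")
        entry: Dict = {"line": lineno, "command": parts[5]}
        for (name, low, high, names), spec in zip(FIELDS, parts[:5]):
            entry[name] = expand_field(spec, low, high, names)
            entry[name + "_star"] = spec == "*"
        entries.append(entry)
    return entries


def fires_at(entry: Dict, when: Union[datetime, str]) -> bool:
    """Minute, hour and month must match. The two day fields are OR-ed when
    both are restricted and AND-ed when either one is '*' (Vixie cron rule)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    cron_dow = (when.weekday() + 1) % 7  # Python: Mon=0; cron: Sun=0
    if (when.minute not in entry["minute"] or when.hour not in entry["hour"]
            or when.month not in entry["month"]):
        return False
    dom_ok = when.day in entry["day_of_month"]
    dow_ok = cron_dow in entry["day_of_week"]
    if entry["day_of_month_star"] or entry["day_of_week_star"]:
        return dom_ok and dow_ok
    return dom_ok or dow_ok


if __name__ == "__main__":
    for e in parse_crontab(SAMPLE_CRONTAB):
        # 2003-06-29 was a Sunday, so only the 0,4 entry fires at 03:10.
        print(f"line {e['line']}: {e['command']} -> {fires_at(e, '2003-06-29T03:10')}")
```

The expanded sets are what make a review tractable: a field such as `0,4` or `*/5` becomes an explicit set of minutes or weekdays, and a value outside the slide's ranges is rejected at parse time rather than silently ignored.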
Printing - LPRng
• lpr, lpd, lpq, lprm, lpc
• /var/spool/lpd/printer_name - spool directories
– Default name is lp
• /etc/printcap
• /etc/lpd.perms
• /var/spool/printer*/printer - lock file for queue control
• /var/spool/printer*/control.printer - queue control
• /var/spool/printer*/active.printer - active job
• /var/spool/printer*/log.printer - log file
Spool Files
• dfA<Job_Number><Source>
– Data file - what is to be printed
• cfA<Job_Number><Source>
– Control file - control info about job
• hfA<Job_Number>
– Header file - info about print job
Spool Directory
Print Job Control Files
sysctl.conf
• Kernel sysctl configuration file
• Configuration options for kernel
• Example:
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# whether core dumps append the PID to core filename
kernel.core_uses_pid = 1
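A seized sysctl.conf is most useful when compared against what the file is expected to say, since a single flipped value (forwarding switched on, reverse-path filtering switched off) changes what the kernel will do with traffic. The following is an added example, not code from the lecture: it parses the key = value format, honours the fact that sysctl applies the file top to bottom, and reports every baseline key that differs or is missing. SAMPLE_SYSCTL_CONF copies the slide's example; MODIFIED_CONF and BASELINE are constructed for the comparison.

```python
"""Parse sysctl.conf and compare it against an expected baseline.

Added example, not part of the lecture. SAMPLE_SYSCTL_CONF copies the
slide's example; MODIFIED_CONF and BASELINE are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_SYSCTL_CONF = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# whether core dumps append the PID to core filename
kernel.core_uses_pid = 1
"""

# Constructed: the same file with forwarding switched on and rp_filter removed.
MODIFIED_CONF = """\
net.ipv4.ip_forward = 1
kernel.core_uses_pid = 1
"""

# Constructed baseline: the values the slide's example shows.
BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.default.rp_filter": "1",
    "kernel.core_uses_pid": "1",
}


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Return key -> value. Lines starting with '#' or ';' are comments.
    sysctl applies the file top to bottom, so a repeated key keeps its
    last value, which is what this parser records too."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        settings[key.strip()] = value.strip()
    return settings


def deviations(actual: Dict[str, str],
               baseline: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """List (key, value found or None if absent, expected value) for every
    baseline key whose setting differs from the baseline or is missing."""
    return [(key, actual.get(key), want)
            for key, want in baseline.items() if actual.get(key) != want]


if __name__ == "__main__":
    for label, conf in (("slide example", SAMPLE_SYSCTL_CONF), ("modified", MODIFIED_CONF)):
        print(label, deviations(parse_sysctl_conf(conf), BASELINE))
```

A key reported as absent (None) means the kernel's compiled-in default applies, not necessarily an insecure value; the running value is what `sysctl -a` on the live system showed, and this file only tells you what was set at boot.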
Pluggable Authentication Modules (PAM)
• Can individually configure how different applications will do authentication
• Standalone authentication modules for different methods of authenticating
• Modules are 'stackable'
• /etc/pam.conf or /etc/pam.d directory
• Dynamically change authentication methods
PAM
• Separates aspects of authentication into 4 tasks
– account: account verification tasks (expired password?)
– auth: authentication tasks - is user who they claim to be
– password: password management/changing
– session: maintenance tasks of authentication, audit trails/logs, mounting user's home directory
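Because modules stack and one service file can pull in another, the stack a service actually evaluates for each of the four tasks is not always visible in a single file. The following is an added example, not code from the lecture or from Linux-PAM: it parses /etc/pam.d-style lines (task, control flag, module, arguments), flattens `include` lines against an in-memory set of files, and lists the effective module order per task. The two service files are constructed samples, and treating `include` as a control value is an assumption about the Linux-PAM syntax.

```python
"""Show the effective PAM module stack per task for a service.

Added example, not the lecture's code. SAMPLE_PAM_D is a constructed
stand-in for /etc/pam.d/ (service name -> file text).
"""
from typing import Dict, List, NamedTuple

TASKS = ("account", "auth", "password", "session")


class PamRule(NamedTuple):
    task: str      # one of TASKS
    control: str   # required, requisite, sufficient, optional, include, ...
    module: str    # module file, or the service to pull in for 'include'
    args: str


SAMPLE_PAM_D = {
    "system-auth": """\
auth       required   pam_env.so
auth       sufficient pam_unix.so nullok try_first_pass
auth       required   pam_deny.so
account    required   pam_unix.so
password   required   pam_unix.so use_authtok
session    required   pam_unix.so
""",
    "login": """\
# constructed sample service file
auth       required   pam_securetty.so
auth       include    system-auth
account    include    system-auth
password   include    system-auth
session    include    system-auth
session    optional   pam_mail.so
""",
}


def parse_pam_file(text: str) -> List[PamRule]:
    """Parse 'task control module [args]' lines; comments and blanks skipped."""
    rules: List[PamRule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected task, control and module")
        task = parts[0].lower().lstrip("-")  # '-auth' form silences missing-module logging
        if task not in TASKS:
            raise ValueError(f"line {lineno}: unknown task {parts[0]!r}")
        rules.append(PamRule(task, parts[1].lower(), parts[2],
                             parts[3] if len(parts) > 3 else ""))
    return rules


def effective_stack(service: str, files: Dict[str, str], task: str,
                    _depth: int = 0) -> List[PamRule]:
    """Flatten 'include' lines so the stack reads in evaluation order."""
    if _depth > 8:
        raise ValueError(f"include loop while resolving {service!r}")
    stack: List[PamRule] = []
    for rule in parse_pam_file(files[service]):
        if rule.task != task:
            continue
        if rule.control == "include":
            stack.extend(effective_stack(rule.module, files, task, _depth + 1))
        else:
            stack.append(rule)
    return stack


def modules_by_task(service: str, files: Dict[str, str]) -> Dict[str, List[str]]:
    """Module names per task, in the order the library will call them."""
    return {t: [r.module for r in effective_stack(service, files, t)] for t in TASKS}


if __name__ == "__main__":
    for task, mods in modules_by_task("login", SAMPLE_PAM_D).items():
        print(f"{task:9s} {' -> '.join(mods)}")
```

Reading the flattened stack is where a review gets traction: an added `sufficient` module early in the auth stack, or a task whose list is empty, stands out here in a way it does not when the rule is two includes deep.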
Recovering Deleted UNIX Files with Sleuthkit
• Very similar to Windows NTFS file recovery
• fls -f linux-ext3 -r -d -m / /dev/hda2 | more
• ils -f linux-ext3 -r -m /dev/hda2 | more
• icat -f linux-ext3 /dev/hda2 212018 > locale.alias
• more locale.alias
• Do not have to tack -128-4 onto inode/MFT like NTFS to get data
Advanced Sleuthkit Sorter
• Configuration files
– /usr/local/sleuthkit/share/sorter
• default.sort
• freebsd.sort
• images.sort
• linux.sort
• openbsd.sort
• solaris.sort
• windows.sort
– If none is specified on the command line, you get default.sort plus the file for the OS matching the filesystem type
• With "-f ntfs" you also get windows.sort
• Add config files to the defaults with "-c config_file.sort"
Custom Sorter Configuration Files
• /usr/local/sleuthkit/share/sorter/images.sort
• "-C" option means use only this config file
• Combine -C with -s and -U, and it will recover and index only file types defined in your custom configuration file. It indexes the rest of the files as unknown, but does not recover them
• IF you use these options, sorter makes a number of .sorterxxx files in the base of the output directory that need to be deleted when sorter is finished. They take a LOT of room!! Do an "ls -la" to see them.
Sorter Configuration Files
• Format of category line:
– category CATEGORY_NAME FILE_REG_EXP
– category is the keyword
– CATEGORY_NAME is the name of the category you want them sorted into
• Anything that doesn't match on a category gets placed in the 'unknown' category
• ignore - special category that ignores files completely, not even 'unknown'
– FILE_REG_EXP is a regular expression that will match on the output of the file command if it were run on a file of this type
Sorter Configuration Files
• Format of extension line:
– ext EXTENSION_LIST FILE_REG_EXP
– ext is the keyword
– EXTENSION_LIST is a comma-separated list of file extensions for that file type
• Anything that matches the regular expression but does not have an extension in the list gets flagged as an extension mismatch
• Place it under the category line to make it more specific
– FILE_REG_EXP is a regular expression that will match on the output of the file command if it were run on a file of this type
Sorter Configuration Files
• Example1:
category images image data
ext jpg,jpeg,jpe JPEG image data
ext gif GIF image data
• Example2:
category mail data
extension dbx data
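To make the category and ext rules on the previous three slides concrete, the following is an added example that implements the rule format as the slides describe it (first matching `category` wins, `ignore` drops the file, no match means `unknown`, and an `ext` line under a category flags files whose type matches but whose extension is not listed). It is not sorter's own code. The config is constructed in the slide's format, and the (filename, type) pairs are constructed strings standing in for what the `file` command would print.

```python
"""Apply sorter-style 'category' / 'ext' rules to file(1) output.

Added example implementing the rule format as the slides describe it; it is
not sorter's own code. SAMPLE_CONFIG and SAMPLE_FILES are constructed; the
type strings stand in for the output of the file command.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CONFIG = """\
# constructed config in the slide's format
category images image data
ext jpg,jpeg,jpe JPEG image data
ext gif GIF image data
category ignore ^empty$
category documents PDF document
ext pdf PDF document
"""

SAMPLE_FILES = [
    ("vacation.jpg", "JPEG image data, JFIF standard 1.01"),
    ("notes.txt", "ASCII text"),
    ("hidden.txt", "JPEG image data, JFIF standard 1.01"),
    ("empty.dat", "empty"),
    ("report.pdf", "PDF document, version 1.4"),
]


@dataclass
class Category:
    name: str
    regex: re.Pattern
    # (allowed extensions, regex) pairs from the ext lines placed under this category
    exts: List[Tuple[Set[str], re.Pattern]] = field(default_factory=list)


def parse_sorter_config(text: str) -> List[Category]:
    """Parse 'category NAME REGEX' and 'ext LIST REGEX' lines in order."""
    cats: List[Category] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'keyword VALUE REGEX'")
        keyword, value, regex = parts
        if keyword == "category":
            cats.append(Category(value, re.compile(regex)))
        elif keyword == "ext":
            if not cats:
                raise ValueError(f"line {lineno}: ext line before any category")
            cats[-1].exts.append((set(value.lower().split(",")), re.compile(regex)))
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return cats


def classify(filename: str, file_output: str,
             cats: List[Category]) -> Tuple[str, Optional[str]]:
    """Return (category, warning). The first category whose regex matches the
    file output wins; 'ignore' drops the file; no match means 'unknown'. An
    ext rule whose regex matches while the extension is not in its list
    produces an 'extension mismatch' warning."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    for cat in cats:
        if not cat.regex.search(file_output):
            continue
        if cat.name == "ignore":
            return "ignore", None
        for allowed, rx in cat.exts:
            if rx.search(file_output) and ext not in allowed:
                return cat.name, "extension mismatch"
        return cat.name, None
    return "unknown", None


def sort_files(files: List[Tuple[str, str]],
               cats: List[Category]) -> Dict[str, List[str]]:
    """Group filenames by category, dropping ignored files and tagging mismatches."""
    grouped: Dict[str, List[str]] = {}
    for name, output in files:
        cat, warning = classify(name, output, cats)
        if cat == "ignore":
            continue
        grouped.setdefault(cat, []).append(f"{name} ({warning})" if warning else name)
    return grouped


if __name__ == "__main__":
    for cat, names in sort_files(SAMPLE_FILES, parse_sorter_config(SAMPLE_CONFIG)).items():
        print(f"{cat}: {names}")
```

The `hidden.txt` entry shows why the ext lines matter to an examiner: the content is a JPEG regardless of the name, so it is sorted with the images and carries the mismatch tag that sorter's own report also uses to draw attention to renamed files.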
References
• http://www.sleuthkit.org/informer/sleuthkit-informer-43.html
• http://www.sleuthkit.org/informer/sleuthkit-informer-4.html
• http://www.sleuthkit.org/informer/sleuthkit-informer-5.html