Lecture 3: Initial Assessment 6/4/2003 CSCE 590 Summer 2003.
Collect the Most Volatile Evidence First
• Memory
• Swap space or page file
• Network status and connections
• Processes running
• Storage media
• Removable media
Preparation
• Assemble toolkits
• Clean your media
– Before imaging evidence media to your media
– # dd if=/dev/zero of={device}
– Clean floppy:
# dd if=/dev/zero of=/dev/fd0 bs=1024
# dcfldd if=/dev/zero of=/dev/fd0 bs=1024 \
> hashwindow=1024 hashlog=a:\hashlog.txt
dd and dcfldd
• Low level command
• Copies bit for bit
• Does not ‘know’ the data structure of the data
• Can copy:
– Single file
– Piece of a file
– Partition
– Logical or physical disks
– From stdin and to stdout
• dcfldd – dd with integrated MD5 hashing
dd and dcfldd Usage
• Typical arguments:
– if=device input file or device
– of=device output file or device
– bs=# block size, amount of data transferred in one I/O operation (important on tape)
• dcfldd
– hashlog=a:\hashfile.txt
– hashwindow=1024 hash every 1024 bytes
Mystery Tape Block Sizes
• # dd if=device bs=128k of=/tmp/tapetest \
> count=1
– Read data, using a block size of 128k, until it hits the first record gap
– If 128k isn’t big enough, you get an error
– Else, size of /tmp/tapetest = block size of tape
• What kind of tape? tar, cpio, dump?
– # file /tmp/tapetest
Splitting an Image up
• Copy 600 One Megabyte blocks per image
• # dd if=device of=media.slice1.img bs=1024k count=600
• # dd if=device of=media.slice2.img bs=1024k count=600 skip=600
• # dd if=device of=media.slice3.img bs=1024k count=600 skip=1200
• # dd if=device of=media.slice4.img bs=1024k count=600 skip=1800
• skip counts blocks already copied, so each slice starts where the previous one ended
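The dd and dcfldd material and the slicing above, as an added example that is not part of the lecture: a POSIX shell script that splits a source into fixed-size slices with dd, records an MD5 per slice the way dcfldd's hashlog would, and verifies that the slices reassemble bit for bit. The function names split_image and verify_image are my own, and a constructed random file stands in for the evidence device.

```sh
#!/bin/sh
# Added example, not from the lecture: slice a source with dd as in the
# "Splitting an Image up" commands, hash each slice (as dcfldd's hashlog
# would), and verify that the slices reassemble bit for bit.
set -eu

# split_image SRC PREFIX BS COUNT
#   Writes PREFIX.slice1.img, PREFIX.slice2.img, ..., each COUNT blocks of BS
#   bytes, and appends one MD5 line per slice to PREFIX.md5. The skip for
#   slice N is (N-1)*COUNT, the number of blocks already copied: skipping one
#   more than that would silently drop a block between every pair of slices.
#   Prints the number of slices written.
split_image() {
    src=$1; prefix=$2; bs=$3; count=$4; n=1
    while :; do
        out="$prefix.slice$n.img"
        skip=$(( (n - 1) * count ))
        if ! dd if="$src" of="$out" bs="$bs" count="$count" skip="$skip" 2>/dev/null \
           || [ ! -s "$out" ]; then
            rm -f "$out"; break          # past the end of the source: stop
        fi
        md5sum "$out" >> "$prefix.md5"
        n=$((n + 1))
    done
    echo $((n - 1))
}

# verify_image SRC PREFIX
#   Succeeds only if the slices, concatenated in order, hash the same as SRC.
verify_image() {
    src=$1; prefix=$2
    want=$(md5sum < "$src" | cut -d' ' -f1)
    got=$(n=1; while [ -f "$prefix.slice$n.img" ]; do
              cat "$prefix.slice$n.img"; n=$((n + 1)); done | md5sum | cut -d' ' -f1)
    [ "$want" = "$got" ]
}

# Constructed sample "device": 10 blocks of 1024 random bytes stand in for a
# real device such as if=/dev/hda. With 4 blocks per slice that gives slices
# of 4, 4 and 2 blocks.
WORK=$(mktemp -d)
DEV="$WORK/device.img"
dd if=/dev/urandom of="$DEV" bs=1024 count=10 2>/dev/null
echo "slices written: $(split_image "$DEV" "$WORK/media" 1024 4)"
verify_image "$DEV" "$WORK/media" && echo "reassembled image matches source MD5"
md5sum -c "$WORK/media.md5"     # re-check each slice against its recorded hash
```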
Typical UNIX Devices
• /dev/fd0 (floppy)
• /dev/st0 (tape)
• /dev/hda first IDE hard drive
• /dev/hdb second IDE hard drive
• /dev/sda first SCSI hard drive
• /dev/sdb second SCSI hard drive
Network dd
• No local clean media on victim machine, can’t reboot yet
– netcat (nc) and dd (may want encryption too)
– Forensic rig with cleaned media:
• # nc -l -p 31337 | dd of=(local clean media)
– Victim system:
• # dd if=(local physical disk) | nc -w 3 \
> forensic.rig.net 31337
– nc host port (send to host on port)
• -w 3 (wait 3 milliseconds between packets)
• -l (listen mode, send mode is default)
• -p port (listen on port, use with listen mode)
System Configuration Information
• Windows:
– psinfo
– at
– ‘net’ commands:
• accounts, file, session, share, start, use, user, view
• Unix
– df -k
– uname -a
– ifconfig -a
– uptime
Network Status and Connections
• Windows
– arp -a IP to physical addr
– netstat -anpr open sockets
– fport socket processes
– nbtstat systems connected
• Unix
– arp -a IP to physical addr
– netstat -anpr open sockets
– lsof -i socket processes
– netstat systems connected
Running Processes
• Windows
– procinterrogate -list
– pslist -x check other options too
• UNIX
– ps -wwwaux
– ps -ef
– lsof
– kstat -P find LKM hidden processes
• LKM = dynamically Loadable Kernel Modules (like device drivers)
• kstat -s finds clues of LKM rootkits
– /proc kernel data structures for processes
Swap Space or Page File
• When there isn’t enough memory, chunks of processes will be paged out to disk
• On older systems, entire processes are swapped out to disk
• Windows:
– copy c:\pagefile.sys d:
– copy c:\win386.swp d: (win9x)
• Unix:
– Can get it when imaging the whole drive
Memory
• Windows:
– Don’t use book’s method
– Modified dd at:
• http://users.erols.com/gmgarner/forensics/
– # dd if=\\.\PhysicalMemory conv=noerror \
> | nc forensic.rig.net 31337
– Or use pmdump
• Unix
– # dd if=/dev/mem | nc forensic.rig.net 31337
– # dd if=/dev/kmem | nc forensic.rig.net 31337
– # dd if=/dev/kcore | nc forensic.rig.net 31337
Storage Media
• Imaging to work on copies
• Use MD5 hashes
• Write blockers
– Software
– Hardware
– busTRACE: http://www.bustrace.com/ for live imaging
Removable Media
• Make sure to flush pending writes (sync) to removable media before removing
• Can be imaged like storage media
Physical Collection Issues
• Don’t overlook fingerprints on keyboard and mouse to place a person at the keyboard
• Evidence exposed to hazardous material, chemical weapons, toxic waste
– Have it evaluated and approved by HAZMAT experts
• Organic chemicals, biological matter, fingerprint, or other forensic tests:
– Fingerprinting process (cyanoacrylate) will severely damage electronic media
– Scraping can physically damage media (floppy)
Wet Media
• Soaked or immersed electronic media:
– Keep it immersed in distilled water
– Drying in uncontrolled conditions can lead to deposits
– Photograph any paper labels on magnetic media before immersion in distilled water
• Tape or floppy just a little wet
– Seal in plastic bag, don't immerse
• Paper, cellulose based media, printouts:
– Freeze or freeze dry if wet
Wet Media
• Flood damage
– Immerse and flush with clean water
– Salt water:
• Place in container or plastic bag with enough ocean water to keep it immersed
• Immerse and flush it in distilled water ASAP
• Immersion may cause biological evidence to deteriorate
– Separate samples before immersion if they are plentiful or it is easy
– Be aware and make judgment calls
Tape: Physical Issues
• Age, disuse, poor storage conditions
– Layers can become sticky and stick together or to the read head
– Static buildup increases read error rates
– Unrolling untreated tape can cause the oxide layer to be torn from the substrate
• Collect all pieces, can help with splices
• Ship to lab to be processed and reconditioned