CSCD 496 Computer Forensics
Lecture 10: More Unix for Forensics
Winter 2010
(Posted 21-Dec-2015)
Introduction
• Last time: looked at file systems in Unix/Linux systems
  – Files, file systems, partitions
• Today
  – Native Unix commands useful for forensics investigations
  – Examine places for evidence – Unix/Linux
Where to look for files
• Where would you look for user information in Linux/Unix?
Where to look for files
• Where would you find user files in Linux/Unix?
• /etc/passwd
  – User Id, encrypted password or *, user number, group number, user's name, login shell
  – If password = * ?
• /etc/shadow
  – Shadow password file, has the actual encrypted passwords
• /home/[user id]
  – User directory, similar to Windows
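The fields listed above are what an examiner reads out of /etc/passwd first. The following script is an added example, not part of the lecture: it triages a passwd-format file offline with awk, flagging root-equivalent accounts (UID 0), accounts whose password field still holds a hash instead of the shadow marker, and accounts that have a real login shell. The sample file contents are constructed for the demonstration and do not come from any real system; POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example: triage a passwd-format file copied from a suspect system.
# SAMPLE is constructed test data (the "olduser" line is a deliberate anomaly:
# a hash in the password field and UID 0).
SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ctaylor:x:1000:1000:C Taylor:/home/ctaylor:/bin/bash
svc:*:1001:1001:service acct:/var/svc:/bin/false
olduser:$1$abc$xyz:0:0:legacy:/tmp:/bin/sh'

# write_sample DIR -> writes the constructed file and prints its path
write_sample() {
    printf '%s\n' "$SAMPLE" > "$1/passwd"
    printf '%s\n' "$1/passwd"
}

# passwd_uid0 FILE -> user names whose UID (field 3) is 0
passwd_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# passwd_local_hash FILE -> accounts whose password field (field 2) is neither
# "x" (shadowed), "*" nor "!..." (locked) nor empty, i.e. a hash left in passwd
passwd_local_hash() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ && $2 != "" { print $1 }' "$1"
}

# passwd_interactive FILE -> accounts whose login shell (field 7) is not a
# nologin/false shell, so someone could actually log in with them
passwd_interactive() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Stand-alone run: write the sample and print the three findings.
tmp=$(mktemp -d)
f=$(write_sample "$tmp")
echo "UID 0 accounts:";           passwd_uid0 "$f"
echo "Hash stored in passwd:";    passwd_local_hash "$f"
echo "Accounts with login shell:"; passwd_interactive "$f"
rm -rf "$tmp"
```

On a real image the same functions run against the mounted copy's etc/passwd; compare the UID 0 list with what the owner of the system expects, and treat any account with a hash in passwd as a sign the file was edited by hand rather than through the system's account tools.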
More Linux Files
• /etc/hosts – DNS entries
• /etc/syslog.conf – Shows location of log files
• Other Places
  – /tmp – temporary files – cleaned out at boot
  – /var – spool files, log files, other transient files
More Linux Files
• Temporary Internet Files - Mozilla
  /usr/[user id]/.mozilla/4y0d767z.default/Cache
• Temporary Internet Files/Mail – Opera
  /usr/[user_id]/.opera/cache4
  /usr/[user_id]/.opera/mail
• Linux has a Trash folder – Where is it?
  /usr/[user id]/.local/share/.Trash
• Book has a table – Nice table, Table 8-4, Chapter 8, shows system file differences Unix/Linux
Unix Internals
• Bash shell
  – Allows users to keep a history of commands used
  – Users can edit commands and re-run them
• History command
• File is in: /home/[user id]/.bash_history
• Special environment variables
  – Set by default from config files in /etc or from the user's home directory: .bashrc and .bash_profile
• User's environment provides clues to activities
  – Type: env and see all environment variables
Unix Shells
User: ctaylor
$ env
HISTFILESIZE=1000
TERM=ansi
PATH=/usr/local/bin:/bin:/usr/X11R6:/home/ctaylor/bin
SHELL=/bin/bash
PS1=\$
BASH_ENV=/home/ctaylor/.bashrc
. . .
History size – number of commands saved in history file
PS1 – default prompt
Unix Shells
• History of commands – Only saved when shell is exited
  – Otherwise, stays in memory until maximum is reached
  – Written to .bash_history
• If system is powered down without being shut down properly – history of the running process is lost
  – Useful for seeing the last commands done on the computer
Unix Partitions
• Hard drive often has more than 1 file system, each in its own partition
• All OS's have something like fdisk that lets you look at partitions and file systems
$ /sbin/fdisk /dev/hda
   Device Boot  Start   End   Blocks   Id  System
/dev/hda1   *       1     9    18112+  83  Linux
/dev/hda2          10   789  1572480    5  Extended
/dev/hda5          10   756  1505920+  83  Linux
/dev/hda6         757   789    66496+  82  Linux swap
sfdisk command (Linux)
$ sudo sfdisk -l /dev/sda
Disk /dev/sda: 9729 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start   End  #cyls  #blocks   Id  System
/dev/sda1   *     0+  9352  9353-  75127941  83  Linux
/dev/sda2      9353   9728   376    3020220   f  W95 Ext'd (LBA)
/dev/sda3         0      -     0          0   0  Empty
/dev/sda4         0      -     0          0   0  Empty
/dev/sda5      9353+  9728   376-   3020188+  82  Linux swap / Solaris
        start: (c,h,s) expected (1023,254,63) found (0,1,1)
        end: (c,h,s) expected (1023,254,63) found (375,254,63)
Mounted File System
• Mount – Concept in Unix of mounting a file system
  – What does the mount command do?
• Loads inode list into the kernel
• Can even mount DOS and NT file systems
• Mounting non-Unix file systems
  – Not complete functionality of a normal Unix file system
  – Can still examine them using Unix tools
  – Can mount a Windows filesystem read only
  – Example of this later in lecture ...
Mounted File Systems
• Run command mount
$ mount
/dev/hda5 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/hda1 on /boot type ext2 (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hdc on /mnt/cdrom type iso9660 (ro,nosuid,nodev)
Mounted File System
• /etc/fstab file
  – fstab stands for file systems table; the file is commonly found on Unix and Unix-like systems and is part of the system configuration
• fstab file typically lists all used disks and disk partitions
  – Shows how they are to be used or otherwise integrated into the overall system's file system
fstab
• Not all of them are mounted
• Also use it to see if a network file system is normally mounted
$ cat /etc/fstab
# name            mount point      type     mounted at boot   dump  fsck run?
/dev/hda5         /                ext2     defaults          1     1
/dev/hda1         /boot            ext2     defaults          1     2
/dev/cdrom        /mnt/cdrom       iso9660  noauto,owner,ro   0     0
/dev/fd0          /mnt/floppy      ext2     noauto,owner      0     0
none              /proc            proc     defaults          0     0
none              /dev/pts         devpts   gid=5,mode=620    0     0
matrix:/mnt/tmp   /mnt/matrix/tmp  nfs      defaults          0     0
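The two questions the slide asks of fstab (what is mounted at boot, and is a network file system normally mounted) can be answered mechanically from a copy of the file taken off the image. The script below is an added example, not from the lecture; the sample fstab is constructed to match the table above, and POSIX sh and awk are assumed.

```shell
#!/bin/sh
# Added example: answer the slide's fstab questions with awk.
# SAMPLE_FSTAB is constructed test data mirroring the lecture's table.
SAMPLE_FSTAB='/dev/hda5        /                ext2     defaults          1 1
/dev/hda1        /boot            ext2     defaults          1 2
/dev/cdrom       /mnt/cdrom       iso9660  noauto,owner,ro   0 0
/dev/fd0         /mnt/floppy      ext2     noauto,owner      0 0
none             /proc            proc     defaults          0 0
none             /dev/pts         devpts   gid=5,mode=620    0 0
matrix:/mnt/tmp  /mnt/matrix/tmp  nfs      defaults          0 0'

# write_sample_fstab DIR -> writes the constructed file and prints its path
write_sample_fstab() {
    printf '%s\n' "$SAMPLE_FSTAB" > "$1/fstab"
    printf '%s\n' "$1/fstab"
}

# fstab_boot_mounts FILE -> mount points mounted automatically at boot:
# skips comments, short lines and any entry carrying the noauto option
fstab_boot_mounts() {
    awk '!/^[ \t]*#/ && NF >= 4 && $4 !~ /(^|,)noauto(,|$)/ { print $2 }' "$1"
}

# fstab_network FILE -> "device mountpoint" for remote file systems, the
# places where evidence may live on another host rather than on this disk
fstab_network() {
    awk '!/^[ \t]*#/ && NF >= 4 && $3 ~ /^(nfs|nfs4|cifs|smbfs)$/ { print $1, $2 }' "$1"
}

# fstab_rw_devices FILE -> real block devices (/dev/...) not mounted read-only;
# these are the volumes the system could have written to
fstab_rw_devices() {
    awk '!/^[ \t]*#/ && NF >= 4 && $1 ~ /^\/dev\// && $4 !~ /(^|,)ro(,|$)/ { print $1 }' "$1"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp -d)
f=$(write_sample_fstab "$tmp")
echo "Mounted at boot:";   fstab_boot_mounts "$f"
echo "Network mounts:";    fstab_network "$f"
echo "Writable devices:";  fstab_rw_devices "$f"
rm -rf "$tmp"
```

Cross-check the "mounted at boot" list against the output of mount on the live system: a device present in fstab but absent from mount (or the reverse) is something to explain in the report.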
Other Unix Commands
• Script command
  – Use it for keeping a record of analysis steps
  – Can record date and system name
$ script filename
$ date
$ uname -a
Do your analysis
$ date
When you are at the end of the analysis, ^D to end the script
Other Unix Commands
• File command
  – Tries to figure out what kind of file
  – Tries 3 ways
• 1. File system test
  – Runs the stat command to see if the file is a special device or other identified file type
• 2. Looks at static file types, executables' magic numbers
  – Looks at /usr/share/file/magic (Linux)
• 3. Looks at language definitions, ASCII, Unicode
Other Commands
• Helpful in forensics work
  – Help you ID foreign object code
  – If doing analysis on a different platform than the one that created the file system, the file command can help ID binaries as native or not to suspect file systems
• File Command – Example:
$ file /bin/bash
/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), stripped
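Step 2 of file(1), the magic-number test, is simple enough to reproduce by hand, which is useful when the examination platform's file command is old or when you want to confirm its verdict on a binary from a foreign system. The script below is an added example and not the lecture's code: it reads the first bytes of a file with od and classifies a handful of well-known signatures, and for ELF it decodes the class and byte-order bytes that produce the "32-bit LSB" part of the output above. The sample files are constructed; POSIX sh, od and cut are assumed.

```shell
#!/bin/sh
# Added example: a minimal magic-number check in the spirit of file(1) step 2.

# magic_of FILE -> type label from the first four bytes (hex, lower case)
magic_of() {
    hex=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    case "$hex" in
        7f454c46) echo "ELF" ;;                    # \x7f E L F
        89504e47) echo "PNG" ;;                    # \x89 P N G
        1f8b*)    echo "gzip" ;;                   # gzip member header
        2321*)    echo "script" ;;                 # "#!" shebang line
        4d5a*)    echo "MS-DOS/PE executable" ;;   # "MZ" stub
        *)        echo "data" ;;
    esac
}

# elf_info FILE -> "ELF <class> <byte order>" from e_ident bytes 4 and 5
# (EI_CLASS: 1 = 32-bit, 2 = 64-bit; EI_DATA: 1 = LSB, 2 = MSB)
elf_info() {
    hdr=$(od -A n -t x1 -N 6 "$1" | tr -d ' \n')
    case "$hdr" in
        7f454c46*) ;;
        *) echo "not ELF"; return 1 ;;
    esac
    case $(printf '%s' "$hdr" | cut -c9-10) in
        01) cls="32-bit" ;;  02) cls="64-bit" ;;  *) cls="unknown-class" ;;
    esac
    case $(printf '%s' "$hdr" | cut -c11-12) in
        01) order="LSB" ;;   02) order="MSB" ;;   *) order="unknown-order" ;;
    esac
    echo "ELF $cls $order"
}

# make_samples DIR -> constructed files, one per signature above
make_samples() {
    printf '\177ELF\001\001' > "$1/a.out"          # ELF, 32-bit, little-endian
    printf '\177ELF\002\001' > "$1/a64.out"        # ELF, 64-bit, little-endian
    printf '\211PNG\r\n\032\n' > "$1/p.png"
    printf '\037\213\010\000' > "$1/c.gz"
    printf '#!/bin/sh\necho hi\n' > "$1/s.sh"
    printf 'MZ\220\000' > "$1/w.exe"
    printf 'hello' > "$1/t.txt"
}

# Stand-alone run: classify every constructed sample.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/*; do
    printf '%s: %s\n' "${f##*/}" "$(magic_of "$f")"
done
elf_info "$tmp/a.out"
rm -rf "$tmp"
```

A real /usr/share/file/magic carries thousands of such entries plus offsets and masks; the point of the hand check is that the signature lives in the file's bytes, not in its name or extension, so a renamed binary on a suspect file system is still identified correctly.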
Other Commands
• Lots more text manipulation tools
  – sort, head, tail, uniq, pr, cat -v, cut, paste
• Can go to any system and type: man command
  – to access information about that command
• cat -v
  » Will display non-printable characters
  » Useful to see file names with embedded control characters
$ ls -l | cat -v
  » Displays file names with non-printable characters
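The ls | cat -v trick above makes control characters visible, but an examiner usually also wants a list of only the names that contain them. The script below is an added example, not from the lecture: it builds a directory with two constructed file names that embed a carriage return and an escape sequence, lists the offending names with the control bytes rendered the way cat -v renders them, and shows the whole listing escaped as the slide does. POSIX sh, grep and cat -v are assumed.

```shell
#!/bin/sh
# Added example: find directory entries whose names carry control characters.

# make_ctrl_samples DIR -> three constructed files, two with control bytes in
# the name (a CR and an ANSI "erase line" sequence), one ordinary
make_ctrl_samples() {
    : > "$1/$(printf 'log\r.txt')"
    : > "$1/$(printf 'report\033[2K.txt')"
    : > "$1/notes.txt"
}

# ctrl_names DIR -> only the names containing control characters, shown with
# cat -v escapes (^M for CR, ^[ for ESC) so they are safe to print in a report.
# The for loop emits the raw bytes of each name, unlike ls on a terminal,
# which quietly replaces non-printables with '?'.
ctrl_names() {
    for f in "$1"/*; do
        printf '%s\n' "${f##*/}"
    done | LC_ALL=C grep '[[:cntrl:]]' | cat -v
}

# escaped_listing DIR -> the slide's "ls -l | cat -v" for a given directory
escaped_listing() {
    ls -l "$1" | cat -v
}

# Stand-alone run on a constructed directory.
tmp=$(mktemp -d)
make_ctrl_samples "$tmp"
echo "Names with control characters:"
ctrl_names "$tmp"
echo "Full escaped listing:"
escaped_listing "$tmp"
rm -rf "$tmp"
```

A name containing an ESC sequence can rewrite or blank part of a terminal line, so a plain ls on a live system may hide such an entry entirely; always look at suspect directories through cat -v (or ls -b on systems that have it) before trusting the listing.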
Unix Programming Environment
• Stat file – Prints inode info
$ stat myfile.c
• File timestamps
  – Important for logging activities on a system ...
• Most things in Unix written in C
• Most projects use the make utility
  – Make is based on time of last file access
• Touch command
  – Updates time - can force programs to be compiled
$ touch myfile.c
  Changes access and modify time to now
Unix Programming Environment – Touch
• Can also use touch to change the time a file was last modified (doesn't alter the change time)
$ touch -t 199912250001.15 myutility.c
$ stat myutility.c
.....
Access: Sat Dec 25 00:01:15 1999
Modify: Sat Dec 25 00:01:15 1999
Change: Fri Apr 28 01:40:42 2000
• Sets access and modify to Dec. 25, 1999 at 1:15
• Casually looking at the file, one would assume it was last modified in 1999
• The change date can actually be different, so it is not conclusive that the file was backdated
• What is the change time of a file?
Ctime
• This is often referred to as a file's change time
• It's the inode change time
  – Time when the file's meta-information last changed
  – One common example of this is when the permissions of a file change
  – Changing permissions doesn't access the file, so atime doesn't change
  – Nor does it modify the file, so the mtime doesn't change
  – Yet, something about the file itself has changed, and this must be noted somewhere
  – Another operation that modifies a file's ctime without affecting the others is renaming
  – In any case, it is not possible, in normal operations, for a user to change the ctime field to a user-specified value
• Nice reference for file MAC time changes: http://www.securityfocus.com/infocus/1738
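The backdating experiment on the touch slide and the ctime rules above can be reproduced on any scratch file. The script below is an added example, not from the lecture: it backdates a file exactly as the slide does, reports how far ctime runs ahead of mtime (a backdated file shows a gap of years; an untouched one shows none), and confirms that chmod and mv update ctime while leaving mtime alone. It assumes GNU coreutils, since stat -c is used to read the timestamps as epoch seconds.

```shell
#!/bin/sh
# Added example: MAC-time behaviour of touch -t, chmod and mv (GNU stat assumed).

# mac_times FILE -> "atime mtime ctime" as epoch seconds
mac_times() {
    stat -c '%X %Y %Z' "$1"
}

# mtime_ctime_gap FILE -> ctime minus mtime in seconds. A large positive value
# means the modify time points well before the last inode change: exactly what
# touch -t leaves behind, because ctime cannot be set from user space.
mtime_ctime_gap() {
    set -- $(stat -c '%Y %Z' "$1")
    echo $(( $2 - $1 ))
}

# demo_backdate_gap -> gap for a freshly created file backdated to 1999-12-25 00:01:15
demo_backdate_gap() {
    d=$(mktemp -d)
    : > "$d/myutility.c"
    touch -t 199912250001.15 "$d/myutility.c"   # the slide's command
    mtime_ctime_gap "$d/myutility.c"
    rm -rf "$d"
}

# demo_chmod_mv -> "mtime-kept ctime-bumped" when chmod+mv leave mtime at 1999
# but move ctime to now (the case the Ctime slide describes), else "unexpected"
demo_chmod_mv() {
    d=$(mktemp -d)
    : > "$d/f"
    touch -t 199912250001.15 "$d/f"
    before_m=$(stat -c %Y "$d/f")
    chmod 600 "$d/f"                 # metadata-only change
    mv "$d/f" "$d/g"                 # rename: also metadata-only
    after_m=$(stat -c %Y "$d/g")
    after_c=$(stat -c %Z "$d/g")
    rm -rf "$d"
    if [ "$before_m" = "$after_m" ] && [ "$after_c" -gt "$after_m" ]; then
        echo "mtime-kept ctime-bumped"
    else
        echo "unexpected"
    fi
}

# Stand-alone run.
echo "ctime - mtime after touch -t (seconds): $(demo_backdate_gap)"
echo "chmod + mv result: $(demo_chmod_mv)"
```

The gap is the signal, not proof: a legitimate restore from backup or an archive extraction also sets mtime into the past while ctime stays at extraction time, so read the ctime together with other evidence (shell history, package manager logs) before calling a file backdated.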
dd copy tool
• dd is the most commonly recommended copy tool
  – Normally used to copy entire file systems or drives
  – Can copy large amounts of data between devices
  – Example:
$ dd if=/dev/fd0 > floppy.image
$ dd if=floppy.image of=/dev/fd0
dd copy tool
• Notes
  – Can use the cat command and cp also
  – But, advantage of dd:
• Can copy data using a specified block size
• dd reports how many blocks it copied
• Can use it to first wipe your analysis drive to ensure no previous data still resides that could corrupt your evidence
$ dd if=/dev/zero of=/dev/fd0 2>/home/smith/test/wipedrive
• Look at it with a disk editor to confirm a string of zeros was written
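The wipe, the block-count report and the confirmation step above can all be scripted so that the confirmation does not depend on eyeballing a disk editor. The script below is an added example, not from the lecture, and works on ordinary files standing in for /dev/fd0 so it runs without a real device: it wipes a target with dd from /dev/zero while capturing dd's record report into a log (as the slide's 2> redirection does), counts any non-zero bytes left behind, and then images a constructed source with an explicit block size and verifies the copy by checksum. POSIX sh, dd, tr and cksum are assumed.

```shell
#!/bin/sh
# Added example: wipe, image and verify with dd on files that stand in for devices.

# wipe_target TARGET COUNT LOG -> overwrite TARGET with COUNT 512-byte blocks of
# zeros; dd's "records in/out" report goes to LOG, like the slide's 2>wipedrive
wipe_target() {
    dd if=/dev/zero of="$1" bs=512 count="$2" 2>"$3"
}

# nonzero_bytes FILE -> number of bytes that are not 0x00 (0 means fully zeroed)
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# image_and_verify SRC DST -> copy SRC to DST with a 4 KiB block size, then
# print "match" if the checksums agree and "MISMATCH" otherwise
image_and_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
    a=$(cksum < "$1" | cut -d' ' -f1)
    b=$(cksum < "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then echo match; else echo MISMATCH; fi
}

# make_source PATH -> a constructed "evidence" file with recognisable content
make_source() {
    i=0
    while [ $i -lt 300 ]; do
        printf 'block %04d: constructed sample data\n' "$i"
        i=$((i + 1))
    done > "$1"
}

# Stand-alone run on scratch files.
tmp=$(mktemp -d)
wipe_target "$tmp/analysis.disk" 8 "$tmp/wipedrive"
echo "dd report:"; cat "$tmp/wipedrive"
echo "non-zero bytes after wipe: $(nonzero_bytes "$tmp/analysis.disk")"
make_source "$tmp/suspect.src"
echo "image: $(image_and_verify "$tmp/suspect.src" "$tmp/suspect.image")"
rm -rf "$tmp"
```

Keep the dd log and both checksums with the case notes; the record counts show the whole input was read, and a checksum taken again later detects any change to the image.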
More Tools and Techniques
• File System Analysis – Loopback
  – Image files of both Unix or other file systems can be mounted like real file systems
  – First create a directory mount point
  – Next, mount it read-only using the loopback device
  – Loopback device is different than the network loopback concept
More Tools and Techniques
File System Analysis Continued ...
$ mkdir /mnt/suspecthost
$ mount -t ext2 -o ro,loop=/dev/loop0 suspect.image.hda1 /mnt/suspecthost
  ext2 file system, ro = read-only
Or an image of a DOS filesystem:
$ mount -t msdos -o ro,loop=/dev/loop0 suspect.image.dos /mnt/suspecthost
  – Can treat it like any other file system
  – cd into it, copy from it, use find within it and other commands
  – Example next time using this concept ...
Summary
• Need to know about Unix and Linux file systems and system utilities
  – Not just for current systems or systems you use
• Past systems, unfamiliar systems are also important to know about
  – Unix is heavily used in the server world
  – Chances are one will be compromised
  – Good to know the basic tools that exist on the machine
Resources
• File system references
  http://heather.cs.ucdavis.edu/~matloff/unix.html
• Linux knowledge base and tutorial
  http://www.linux-tutorial.info/
• Law Enforcement and Forensic Examiner's Guide to Linux
  ftp://ftp.hq.nasa.gov/pub/ig/ccd/linuxintro/
Finish
– New Assignment !!!
– No Lab this week
– Take-home Midterm Wed – Lab part of test
  • Go through a case study using Unix tools – dd and others
  • Text – Chapter 8