Fundamentals of Linux Platform Security

Transcription

1 Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012

2 Fundamentals of Linux Platform Security Module 11 Introduction to Forensics

3 Overview Forensic science & digital evidence Applying forensic science to computers Digital evidence on computer networks Forensic tools 3

4 Forensic Science & Digital Evidence

5 Forensic science Defined as the application of scientific principles to identifying, recovering, reconstructing, or analyzing evidence 5

6 Examples of forensic science as applied to digital evidence Recovering damaged or deleted documents from a hard drive Collecting network data while preserving its integrity and authenticity Using a cryptographic hash to verify that digital evidence has not been modified Signing digital evidence to affirm authenticity and to preserve the chain of evidence Determining the unique characteristics of a piece of digital evidence 6

7 Digital Evidence Defined as digital data that can Establish that a crime has been committed Provide a link between a crime and a victim Provide a link between a crime and its perpetrator 7

8 Examples of digital evidence Images Chat rooms File contents System logs IM logs SMS logs Network packets anything stored on a computer anything sent over the network 8

9 Characteristics of digital evidence A type of physical evidence Less tangible Electrons, photons, and fields Therefore more susceptible to tampering Acceptable as evidence but demands specialized handling 9

10 Criminal activity and digital evidence Computers and networks facilitate crime Child pornography Espionage Solicitation of minors Sabotage Stalking Theft Harassment Privacy violations Fraud Defamation Identity theft 10

11 Criminal activity and digital evidence Criminals take advantage of new technology Encryption Anonymous r ers (e.g. Mixmaster) Obscure sender identity Onion routing (e.g. Tor) anonymous outgoing connections anonymous hidden services State and national boundaries 11

12 Who collects digital evidence Not only the trained and authorized experts Victim Local staff ISP staff Law enforcement (often untrained) Trained experts 12

13 But Carrier-transport/ECPA Student information/ferpa Health information/hipaa Privacy/First Amendment Human subject guidelines Ownership/copyright Right to know/foia Discovery/evidence Search and seizure, Patriot Act/Fourth amendment Civil liability 13

14 Applying forensic science to computers

15 Types of evidence Direct Hearsay Generally inadmissible Because the truth of the out-of-court statement can't be tested by cross-examination But records of regularly conducted activity are not inadmissible Because they portray events accurately and are easier to verify than other forms of hearsay Admits log files Might even be admissible as direct evidence! Both types must be proved authentic and unmodified 15

16 Recognition Key aspects to processing evidence Preservation, collection, documentation Classification, comparison, individualization Reconstruction 16

17 Recognition Recognize the hardware Usual suspects: computers, laptops, networks But also: thumb drives, cell phones, PDAs, RFID, ether Recognize the evidence Cyberstalkers use Crackers leave log files Child pornographers leave images 17

18 Collecting and preserving evidence Must be authentic and unaltered Copies only admissible until challenged Collect but don t alter Requires special bit-copy tools Cryptographic hashes Write-protection hardware 18

19 Collecting and preserving digital evidence Collect entire contents of computer Collect evidence from RAM Shut down Pull the plug on clients Shut down servers Engage write blocker Boot using a known bypass OS Create copies of the hard drives as digital evidence Cryptographic hashes provide integrity and authenticity 19

20 Collecting and preserving digital evidence Don't trust the rooted OS Boot bypass Linux for access to raw disks Make sure you re booting from the right device! Transfer disk(s) to another computer Generalizes to specially configured investigative systems Encryption is a problem But other evidence can help 20

21 Basic Linux tools Before shutting down dd ps lsof For making a bit copy of memory For seeing what s running For listing open files and devices by process 21

22 Basic Linux tools How to dump memory on dump host : nc -vv -n -l -p 1234 >victim.mem on victim host : ssh -C -l root -L 1234: : dd if=/dev/mem bs=100k nc -vv -n -w kdump Kernel panic sends dump of physical memory to a local filesystem an NFS-mounted device via ssh to a remote system 22

23 Basic Linux tools How to dump a filesystem on dump host : nc -vv -n -l -p 1234 >victim.sdx on victim host : dd if=/dev/sdax bs=100k nc -vv -n -w best done on quiescent filesystem best done on secure network, or use an ssh tunnel: ssh -C -l root -L 1234: : dd if=/dev/sdax bs=100k nc -vv -n -w ssh compression can reduce transfer time 23

24 Basic Linux tools After booting bypass OS dd For making bit copies of filesystems grep Finds specified strings in text files strings Finds strings in non-text files file Determines type of file based on contents stat Determines file metadata sha1sum openssl sha1 For computing message digests 24

25 Documenting evidence Chain of custody Must show continuity of possession Record When evidence collected From where By whom Document carefully Serial numbers, copy method, date, time, who, 25

26 Reconstruction Reconstruct deleted objects DOS just marks files deleted UNIX deleted file blocks can survive in the block cache Linux processes can survive in the swap partition Windows processes can survive in the page file 26

27 Reconstruction Copies of deleted objects often exist Copies of objects on backup media Copies on an offline mirror Copies on a system crash dump Copies on a packet vault 27

28 Reconstruction Data can be recovered from physically erased media More difficult Mixed success, but works significantly often Two techniques Overlay track skew Look at edges of previous track Overlay track changes surface properties Look through surface to underlying media state 28

29 Digital evidence on computer networks

30 Application layer Applications create digital evidence Browser cache, history, cookies Application log files Windows registry Linux /proc, /tmp Paging (swap) area Host memory Virtual hosting files 30

31 Transport/network layer Packet headers: IP addresses, ports Switch flow logs DHCP, DNS Log files (/var/log) State tables (netstat) 31

32 Data link/physical layer MAC addresses ARP caches ARP cache accessible with arp n Sniffers Packet vault 32

33 Forensic Tools

34 Forensic Tools EnCase The Coroner s Toolkit Helix CAINE 34

35 EnCase Windows-based forensic tool Significant support for secure evidence gathering Tools for Image acquisition MD5 hash value computation Keyword search Scripting RAID configurations Logging 35

36 The Coroner s Toolkit Venema and Farmer (1999,2004) Extended by Carrier (Sleuth Kit, 2004) Collection of UNIX-based forensic tools grave-robber collects information, live or image respects order of volatility stored in body file mactime sorted list of files by modify/access/change time unrm collects all unallocated but accessible disk space lazarus shows disk layout with block types» executable, password file, , C code, 36

37 The Coroner s Toolkit Low-level tools ils, icat - access files by inode number ffind - find directory entries containing inode pcat - dump memory of running process memdump - dump system memory across network Good for copying and analyzing memory-related structures Run tct before you reboot victim See Help! documents 37

38 Commercial forensics tool Was public-domain Two operating modes Forensically sound bootable Linux environment based on Ubuntu Live Linux Dead system analysis Microsoft Windows executable Live system analysis Helix 38

39 CAINE Computer Aided Investigative Environment Public domain forensics tool Two operating modes Forensically sound Linux Live CD environment based on Ubuntu Dead system analysis Microsoft Windows executable Live system analysis 39

40 Dead CAINE Forensically sound CD-based Linux distribution Mounts victim s hard drives in read-only mode a collection of forensic tools 40

41 Live CAINE Runs live on victim as a Windows application Collects volatile data So will perturb the victim Useful for collecting data from systems that cannot be turned off Portable forensic environment Options Run WinTaylor GUI Tools include the NIRSoft suite, MDD, Win32dd, Winen, fport, TCPView, Advanced LAN Scanner, FTK Imager, Windows Forensic Toolchest, Nigilant 32, and the Sysinternals Suite. Run tools off the CD in Windows Explorer 41

42 National Hash Registry NIST National Software Reference Library Collects hashes of known, traceable software applications Files that are "safe" and can be ignored Files that are "unsafe" and should be investigated Reduces the hay in the haystack Freely available Over Internet, or quarterly CDs via subscription Tools for converting hashes into other formats 42

43 References Eoghan Casey, Digital Evidence and Computer Crime, Academic Press, Dan Farmer and Wietse Venema, Forensic Discovery, Pearson Education, Brian Carrier, File System Forensic Analysis, Pearson Education, Harlan Carvey, "Windows Forensic Analysis," Elsevier,