Fundamentals of Linux Platform Security


Fundamentals of Linux Platform Security
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan, 2012

Module 11: Introduction to Forensics

Overview
- Forensic science & digital evidence
- Applying forensic science to computers
- Digital evidence on computer networks
- Forensic tools

Forensic Science & Digital Evidence

Forensic science
- Defined as the application of scientific principles to identifying, recovering, reconstructing, or analyzing evidence

Examples of forensic science as applied to digital evidence
- Recovering damaged or deleted documents from a hard drive
- Collecting network data while preserving its integrity and authenticity
- Using a cryptographic hash to verify that digital evidence has not been modified
- Signing digital evidence to affirm authenticity and to preserve the chain of evidence
- Determining the unique characteristics of a piece of digital evidence

Digital evidence
- Defined as digital data that can
  - Establish that a crime has been committed
  - Provide a link between a crime and a victim
  - Provide a link between a crime and its perpetrator

Examples of digital evidence
- Email
- Images
- Chat rooms
- File contents
- System logs
- IM logs
- SMS logs
- Network packets
- In short: anything stored on a computer, anything sent over the network

Characteristics of digital evidence
- A type of physical evidence
  - Less tangible: electrons, photons, and fields
  - Therefore more susceptible to tampering
- Acceptable as evidence, but demands specialized handling

Criminal activity and digital evidence
- Computers and networks facilitate crime
  - Child pornography
  - Espionage
  - Solicitation of minors
  - Sabotage
  - Stalking
  - Theft
  - Harassment
  - Privacy violations
  - Fraud
  - Defamation
  - Identity theft

Criminal activity and digital evidence
- Criminals take advantage of new technology
  - Encryption
  - Anonymous remailers (e.g. Mixmaster): obscure sender identity
  - Onion routing (e.g. Tor): anonymous outgoing connections, anonymous hidden services
  - State and national boundaries

Who collects digital evidence
- Not only the trained and authorized experts
  - Victim
  - Local staff
  - ISP staff
  - Law enforcement (often untrained)
  - Trained experts

But: legal and policy constraints on collection
- Carrier transport / ECPA
- Student information / FERPA
- Health information / HIPAA
- Privacy / First Amendment
- Human subject guidelines
- Ownership / copyright
- Right to know / FOIA
- Discovery / evidence
- Search and seizure, Patriot Act / Fourth Amendment
- Civil liability

Applying forensic science to computers

Types of evidence
- Direct
- Hearsay
  - Generally inadmissible, because the truth of the out-of-court statement can't be tested by cross-examination
  - But records of regularly conducted activity are not inadmissible, because they portray events accurately and are easier to verify than other forms of hearsay
    - Admits log files
    - Might even be admissible as direct evidence!
- Both types must be proved authentic and unmodified

Key aspects to processing evidence
- Recognition
- Preservation, collection, documentation
- Classification, comparison, individualization
- Reconstruction

Recognition
- Recognize the hardware
  - Usual suspects: computers, laptops, networks
  - But also: thumb drives, cell phones, PDAs, RFID, ether
- Recognize the evidence
  - Cyberstalkers use email
  - Crackers leave log files
  - Child pornographers leave images

Collecting and preserving evidence
- Must be authentic and unaltered
  - Copies only admissible until challenged
- Collect but don't alter
  - Requires special bit-copy tools
  - Cryptographic hashes
  - Write-protection hardware

Collecting and preserving digital evidence
- Collect entire contents of computer
- Collect evidence from RAM
- Shut down
  - Pull the plug on clients
  - Shut down servers
- Engage write blocker
- Boot using a known bypass OS
- Create copies of the hard drives as digital evidence
  - Cryptographic hashes provide integrity and authenticity

Collecting and preserving digital evidence
- Don't trust the rooted OS
  - Boot bypass Linux for access to raw disks
  - Make sure you're booting from the right device!
- Transfer disk(s) to another computer
  - Generalizes to specially configured investigative systems
- Encryption is a problem
  - But other evidence can help

Basic Linux tools: before shutting down
- dd: for making a bit copy of memory
- ps: for seeing what's running
- lsof: for listing open files and devices by process

Basic Linux tools: how to dump memory
- On dump host 10.0.0.2:
    nc -vv -n -l -p 1234 > victim.mem
- On victim host 10.0.0.1, through an ssh tunnel to the dump host:
    ssh -C -l root -L 1234:10.0.0.2:1234 10.0.0.2
    dd if=/dev/mem bs=100k | nc -vv -n -w 1 10.0.0.1 1234
  (ssh -L binds the forwarded port to the loopback interface by default, so nc must target 127.0.0.1 unless the tunnel is opened as -L 10.0.0.1:1234:10.0.0.2:1234; on current distribution kernels CONFIG_STRICT_DEVMEM also restricts what /dev/mem exposes, so a memory-acquisition kernel module or kdump is used instead)
- kdump: a kernel panic sends a dump of physical memory to
  - a local filesystem
  - an NFS-mounted device
  - a remote system via ssh

Basic Linux tools: how to dump a filesystem
- On dump host 10.0.0.2:
    nc -vv -n -l -p 1234 > victim.sdx
- On victim host 10.0.0.1:
    dd if=/dev/sdax bs=100k | nc -vv -n -w 1 10.0.0.2 1234
- Best done on a quiescent filesystem
- Best done on a secure network, or use an ssh tunnel:
    ssh -C -l root -L 1234:10.0.0.2:1234 10.0.0.2
    dd if=/dev/sdax bs=100k | nc -vv -n -w 1 10.0.0.1 1234
  (the forwarded port listens on 127.0.0.1 unless bound explicitly with -L 10.0.0.1:1234:10.0.0.2:1234, so point nc at the address the tunnel actually listens on)
- ssh compression can reduce transfer time

Basic Linux tools: after booting the bypass OS
- dd: for making bit copies of filesystems
- grep: finds specified strings in text files
- strings: finds strings in non-text files
- file: determines type of file based on contents
- stat: determines file metadata
- sha1sum, openssl sha1: for computing message digests

Documenting evidence
- Chain of custody
  - Must show continuity of possession
- Record
  - When evidence collected
  - From where
  - By whom
- Document carefully
  - Serial numbers, copy method, date, time, who, ...
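The acquisition steps above (bit copy, hash, verify, record custody) as one runnable script. This is an added example, not code from the course: the "drive" is a constructed 64 KiB file standing in for /dev/sdX so it runs offline without a real device or write blocker, and the operator name is a placeholder. sha256sum is used in place of the slide's sha1sum; the interface is identical and the hash is stronger.

```shell
#!/bin/sh
# Added example (not from the course slides): image a "drive" with dd, hash the
# source and the copy, verify they match, and append a chain-of-custody record.
# The drive is a constructed 64 KiB regular file standing in for /dev/sdX;
# the operator name below is a placeholder.
set -u

WORK="${TMPDIR:-/tmp}/acquire-demo.$$"
mkdir -p "$WORK"

# Construct the stand-in evidence device: 16 blocks of random bytes with a
# known marker dropped in at block 5 (conv=notrunc keeps the size unchanged).
make_fake_device() {
    dd if=/dev/urandom of="$1" bs=4096 count=16 2>/dev/null
    printf 'EVIDENCE-MARKER\n' | dd of="$1" bs=4096 seek=5 conv=notrunc 2>/dev/null
}

# Bit copy of a block device (or its stand-in). conv=noerror keeps reading past
# unreadable blocks and conv=sync zero-pads them so the image stays
# offset-aligned with the source. The source is only ever opened for reading.
acquire_image() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Message digest of a file (sha1sum, the slide's tool, has the same interface).
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Exit status 0 when the image is bit-identical to the source, 1 otherwise.
verify_image() {
    [ "$(digest "$1")" = "$(digest "$2")" ]
}

# One custody line: UTC time, who, on which host, source, image, and the
# digest any later examiner can recompute to show the copy is unaltered.
record_custody() {
    log="$1"; operator="$2"; src="$3"; img="$4"
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$operator" "$(uname -n)" \
        "$src" "$img" "sha256:$(digest "$img")" >> "$log"
}

DEV="$WORK/sdx"; IMG="$WORK/victim.sdx"; LOG="$WORK/custody.log"
make_fake_device "$DEV"
acquire_image "$DEV" "$IMG"
if verify_image "$DEV" "$IMG"; then
    record_custody "$LOG" "examiner-placeholder" "$DEV" "$IMG"
    echo "image verified, sha256 $(digest "$IMG") recorded in $LOG"
else
    echo "hash mismatch: do not rely on $IMG" >&2
fi
```

The demo leaves its files under the temporary working directory so the custody log can be inspected; remove the directory when done. On a real acquisition the same script is run against the write-blocked device, and the recorded digest is what gets re-checked every time the image changes hands.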

Reconstruction
- Reconstruct deleted objects
  - DOS just marks files deleted
  - UNIX: deleted file blocks can survive in the block cache
  - Linux: processes can survive in the swap partition
  - Windows: processes can survive in the page file
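The point that deleted file blocks survive, together with the grep/strings/dd tools from the basic-tools slide, as an added example that is not part of the course material. The disk image is constructed here: there is no filesystem, the memo's bytes simply sit at block 32 with nothing referencing them, which is what an unlinked file's blocks look like in unallocated space. It assumes GNU grep (for -a, -b and -o) and coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the course): carve a "deleted" text file out of the
# unallocated part of a constructed disk image, then re-hash the image to show
# the analysis did not alter it. Assumes GNU grep and coreutils sha256sum.
set -u

WORK="${TMPDIR:-/tmp}/carve-demo.$$"
mkdir -p "$WORK"

# Constructed sample content of the file that was "deleted".
MEMO='BEGIN MEMO
Transfer approved by J. Doe on 2012-03-01 (constructed sample text).
END MEMO'

# 256 KiB of zeros standing in for unallocated space, with the memo's bytes
# written at byte offset 32*4096 = 131072; conv=notrunc keeps the image size.
build_image() {
    dd if=/dev/zero of="$1" bs=4096 count=64 2>/dev/null
    printf '%s\n' "$MEMO" | dd of="$1" bs=4096 seek=32 conv=notrunc 2>/dev/null
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

# Byte offset of the first occurrence of a marker in the raw image. grep -a
# treats the binary image as text, -b prints a byte offset and -o makes that
# offset refer to the match itself ("strings -t d | grep" gives the same).
# Prints nothing when the marker is absent.
find_marker() {
    grep -a -b -o -F -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Carve from the begin marker through the end of the end marker. This only
# reads the image; bs=1 with skip/count addresses exact byte offsets.
carve_memo() {
    img="$1"; end_marker='END MEMO'
    start=$(find_marker "$img" 'BEGIN MEMO')
    end=$(find_marker "$img" "$end_marker")
    [ -n "$start" ] && [ -n "$end" ] || return 1
    dd if="$img" bs=1 skip="$start" count=$((end - start + ${#end_marker})) 2>/dev/null
}

IMG="$WORK/victim.img"
build_image "$IMG"
before=$(digest "$IMG")
echo "memo found at byte offset $(find_marker "$IMG" 'BEGIN MEMO')"
carve_memo "$IMG" > "$WORK/recovered.txt"
# Analysis must not alter the evidence copy: re-hash and compare.
[ "$before" = "$(digest "$IMG")" ] && echo "image unchanged, sha256 $before"
cat "$WORK/recovered.txt"
```

On a real image the begin and end markers come from the file format being recovered (a header and trailer) rather than from known text, and the carved region is written to a separate file so the evidence copy is never opened for writing.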

Reconstruction
- Copies of deleted objects often exist
  - Copies of objects on backup media
  - Copies on an offline mirror
  - Copies on a system crash dump
  - Copies on a packet vault

Reconstruction
- Data can be recovered from physically erased media
  - More difficult
  - Mixed success, but works significantly often
- Two techniques
  - Overlay track skew: look at the edges of the previous track
  - Overlay track changes surface properties: look through the surface to the underlying media state

Digital evidence on computer networks

Application layer
- Applications create digital evidence
  - Browser cache, history, cookies
  - Application log files
  - Windows registry
  - Linux /proc, /tmp
  - Paging (swap) area
  - Host memory
  - Virtual hosting files

Transport/network layer
- Packet headers: IP addresses, ports
- Switch flow logs
- DHCP, DNS
- Log files (/var/log)
- State tables (netstat)

Data link/physical layer
- MAC addresses
- ARP caches
  - ARP cache accessible with arp -n
- Sniffers
- Packet vault

Forensic Tools

Forensic tools
- EnCase
- The Coroner's Toolkit
- Helix
- CAINE

EnCase
- Windows-based forensic tool
- Significant support for secure evidence gathering
- Tools for
  - Image acquisition
  - MD5 hash value computation
  - Keyword search
  - Scripting
  - RAID configurations
  - Logging

The Coroner's Toolkit
- Venema and Farmer (1999, 2004)
- Extended by Carrier (Sleuth Kit, 2004)
- Collection of UNIX-based forensic tools
  - grave-robber: collects information, live or from an image; respects order of volatility; stored in a body file
  - mactime: sorted list of files by modify/access/change time
  - unrm: collects all unallocated but accessible disk space
  - lazarus: shows disk layout with block types (executable, password file, email, C code, ...)

The Coroner's Toolkit
- Low-level tools
  - ils, icat: access files by inode number
  - ffind: find directory entries containing an inode
  - pcat: dump memory of a running process
  - memdump: dump system memory across the network
    - Good for copying and analyzing memory-related structures
- Run tct before you reboot the victim
- http://www.porcupine.org/forensics/tct.html
  - See the Help! documents
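What mactime's sorted modify/access/change listing looks like when built by hand from stat(1), as an added example that is not part of TCT or the course. It reads a constructed directory tree instead of a grave-robber body file, merges the m/a/c flags of events that share a timestamp into one line the way mactime does, and assumes GNU coreutils (stat --printf, date -d) and file names without tabs or newlines.

```shell
#!/bin/sh
# Added example, not part of TCT: a minimal mactime-style timeline built from
# stat(1) over a directory. Assumes GNU coreutils (stat --printf, date -d) and
# file names free of tabs and newlines; the sample tree is constructed here.
set -u

WORK="${TMPDIR:-/tmp}/mactime-demo.$$"
mkdir -p "$WORK"

# Construct a small tree with distinct histories. touch -t sets atime and
# mtime to the given time, but ctime always becomes "now": exactly the kind of
# inconsistency (old content, recently changed inode) a timeline makes visible.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/etc" "$dir/var/log"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$dir/etc/passwd"
    touch -t 201001011200.00 "$dir/etc/passwd"
    printf 'Jan 15 11:30 host sshd: session opened\n' > "$dir/var/log/auth.log"
    touch -t 201201151130.00 "$dir/var/log/auth.log"
    printf 'placed recently\n' > "$dir/var/log/fresh.log"
    touch "$dir/var/log/fresh.log"   # one call sets a, m and c to the same second
}

# One event per file per timestamp: "<epoch>\t<m|a|c>\t<path>".
mac_events() {
    find "$1" -type f -print | while IFS= read -r f; do
        stat --printf '%Y\tm\t%n\n%X\ta\t%n\n%Z\tc\t%n\n' "$f"
    done
}

# Sort events by time, then merge the flags of events sharing a timestamp and
# path into one "m.c"-style field, as mactime does; print UTC timestamps.
mac_timeline() {
    tab="$(printf '\t')"
    mac_events "$1" | sort -t "$tab" -n -k1,1 -k3,3 | awk -F '\t' '
        {
            key = $1 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; order[++n] = key; when[key] = $1; path[key] = $3 }
            flags[key] = flags[key] $2
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                f = index(flags[k], "m") ? "m" : "."
                f = f (index(flags[k], "a") ? "a" : ".")
                f = f (index(flags[k], "c") ? "c" : ".")
                print when[k] "\t" f "\t" path[k]
            }
        }' | while IFS="$tab" read -r epoch f p; do
            printf '%s\t%s\t%s\n' "$(date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%SZ)" "$f" "$p"
        done
}

make_sample_tree "$WORK/root"
mac_timeline "$WORK/root"
```

Running it shows the two backdated files at their 2010 and 2012 modify/access times, then all three files' inode changes clustered at the time the tree was built; the "..c" lines with no matching "m" are the tell-tale of a timestamp that was set rather than earned.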

Helix
- Commercial forensics tool
  - Was public domain
- Two operating modes
  - Forensically sound bootable Linux environment based on Ubuntu Live Linux: dead system analysis
  - Microsoft Windows executable: live system analysis
- http://www.e-fense.com/helix/

CAINE
- Computer Aided Investigative Environment
- Public domain forensics tool
- Two operating modes
  - Forensically sound Linux Live CD environment based on Ubuntu 10.04: dead system analysis
  - Microsoft Windows executable: live system analysis
- http://www.caine-live.net/

Dead CAINE
- Forensically sound CD-based Linux distribution
- Mounts the victim's hard drives in read-only mode
- A collection of forensic tools
- http://www.caine-live.net/page11/page11.html

Live CAINE
- Runs live on the victim as a Windows application
- Collects volatile data
  - So it will perturb the victim
  - Useful for collecting data from systems that cannot be turned off
- Portable forensic environment
- Options
  - Run the WinTaylor GUI
    - Tools include the NIRSoft suite, MDD, Win32dd, Winen, fport, TCPView, Advanced LAN Scanner, FTK Imager, Windows Forensic Toolchest, Nigilant 32, and the Sysinternals Suite
  - Run tools off the CD in Windows Explorer

National Hash Registry
- NIST National Software Reference Library
- Collects hashes of known, traceable software applications
  - Files that are "safe" and can be ignored
  - Files that are "unsafe" and should be investigated
  - Reduces the hay in the haystack
- Freely available
  - Over the Internet, or quarterly CDs via subscription
  - Tools for converting hashes into other formats
- http://www.nsrl.nist.gov/

References
- Eoghan Casey, Digital Evidence and Computer Crime, Academic Press, 2000.
- Dan Farmer and Wietse Venema, Forensic Discovery, Pearson Education, 2005.
- Brian Carrier, File System Forensic Analysis, Pearson Education, 2005.
- Harlan Carvey, Windows Forensic Analysis, Elsevier, 2007.
- http://www.sleuthkit.org/
- http://www.forensics.nl/toolkits
- http://www.e-fense.com/helix/docs/helix0307.pdf
- http://www.forensicfocus.com/alternatives-to-helix3
- http://www.caine-live.net/