Fundamentals of Linux Platform Security
Security Training Course
Dr. Charles J. Antonelli, The University of Michigan, 2012

Module 11: Introduction to Forensics
Overview
- Forensic science and digital evidence
- Applying forensic science to computers
- Digital evidence on computer networks
- Forensic tools
Forensic Science and Digital Evidence

Forensic science
- Defined as the application of scientific principles to identifying, recovering, reconstructing, or analyzing evidence
Examples of forensic science as applied to digital evidence
- Recovering damaged or deleted documents from a hard drive
- Collecting network data while preserving its integrity and authenticity
- Using a cryptographic hash to verify that digital evidence has not been modified
- Signing digital evidence to affirm authenticity and to preserve the chain of evidence
- Determining the unique characteristics of a piece of digital evidence
Digital evidence
- Defined as digital data that can
  - Establish that a crime has been committed
  - Provide a link between a crime and a victim
  - Provide a link between a crime and its perpetrator
Examples of digital evidence
- Email, images, chat rooms, file contents
- System logs, IM logs, SMS logs
- Network packets
- In short: anything stored on a computer, anything sent over the network
Characteristics of digital evidence
- A type of physical evidence, but less tangible: electrons, photons, and fields
- Therefore more susceptible to tampering
- Acceptable as evidence, but demands specialized handling
Criminal activity and digital evidence
- Computers and networks facilitate crime
  - Child pornography, solicitation of minors, stalking, harassment
  - Espionage, sabotage, theft, fraud, identity theft
  - Privacy violations, defamation
Criminal activity and digital evidence
- Criminals take advantage of new technology
  - Encryption
  - Anonymous remailers (e.g. Mixmaster) obscure sender identity
  - Onion routing (e.g. Tor): anonymous outgoing connections, anonymous hidden services
  - State and national boundaries
Who collects digital evidence
- Not only the trained and authorized experts:
  - Victim
  - Local staff
  - ISP staff
  - Law enforcement (often untrained)
  - Trained experts
But... collection is constrained by
- Carrier transport / ECPA
- Student information / FERPA
- Health information / HIPAA
- Privacy / First Amendment
- Human subject guidelines
- Ownership / copyright
- Right to know / FOIA
- Discovery / evidence
- Search and seizure, Patriot Act / Fourth Amendment
- Civil liability
Applying Forensic Science to Computers

Types of evidence
- Direct
- Hearsay
  - Generally inadmissible, because the truth of an out-of-court statement can't be tested by cross-examination
  - But records of regularly conducted activity are not inadmissible, because they portray events accurately and are easier to verify than other forms of hearsay
  - This admits log files, which might even be admissible as direct evidence!
- Both types must be proved authentic and unmodified
Key aspects of processing evidence
- Recognition
- Preservation, collection, documentation
- Classification, comparison, individualization
- Reconstruction
Recognition
- Recognize the hardware
  - Usual suspects: computers, laptops, networks
  - But also: thumb drives, cell phones, PDAs, RFID, ether
- Recognize the evidence
  - Cyberstalkers use email
  - Crackers leave log files
  - Child pornographers leave images
Collecting and preserving evidence
- Must be authentic and unaltered
- Copies only admissible until challenged
- Collect but don't alter; requires
  - Special bit-copy tools
  - Cryptographic hashes
  - Write-protection hardware
Collecting and preserving digital evidence
- Collect entire contents of computer
  - Collect evidence from RAM
  - Shut down: pull the plug on clients, shut down servers
  - Engage write blocker
  - Boot using a known bypass OS
  - Create copies of the hard drives as digital evidence
- Cryptographic hashes provide integrity and authenticity
Collecting and preserving digital evidence
- Don't trust the rooted OS
  - Boot bypass Linux for access to raw disks
  - Make sure you're booting from the right device!
  - Transfer disk(s) to another computer; generalizes to specially configured investigative systems
- Encryption is a problem, but other evidence can help
Basic Linux tools: before shutting down
- dd    for making a bit copy of memory
- ps    for seeing what's running
- lsof  for listing open files and devices by process
Basic Linux tools: how to dump memory
- On the dump host 10.0.0.2:
      nc -vv -n -l -p 1234 >victim.mem
- On the victim host 10.0.0.1, open an ssh tunnel to the dump host, then (in a separate shell while the tunnel is up) pipe dd into nc:
      ssh -C -l root -L 1234:10.0.0.2:1234 10.0.0.2
      dd if=/dev/mem bs=100k | nc -vv -n -w 1 127.0.0.1 1234
  (the ssh forward listens on the victim's loopback interface, so nc connects to 127.0.0.1, not to the victim's LAN address)
- kdump: on a kernel panic, sends a dump of physical memory to
  - a local filesystem
  - an NFS-mounted device
  - a remote system via ssh
Basic Linux tools: how to dump a filesystem
- On the dump host 10.0.0.2:
      nc -vv -n -l -p 1234 >victim.sdx
- On the victim host 10.0.0.1:
      dd if=/dev/sdax bs=100k | nc -vv -n -w 1 10.0.0.2 1234
- Best done on a quiescent filesystem
- Best done on a secure network, or use an ssh tunnel (ssh compression can reduce transfer time); nc then connects to the loopback end of the forward:
      ssh -C -l root -L 1234:10.0.0.2:1234 10.0.0.2
      dd if=/dev/sdax bs=100k | nc -vv -n -w 1 127.0.0.1 1234
Basic Linux tools: after booting the bypass OS
- dd                    for making bit copies of filesystems
- grep                  finds specified strings in text files
- strings               finds strings in non-text files
- file                  determines type of file based on contents
- stat                  determines file metadata
- sha1sum, openssl sha1 for computing message digests
Documenting evidence
- Chain of custody: must show continuity of possession
- Record when evidence was collected, from where, and by whom
- Document carefully: serial numbers, copy method, date, time, who, ...
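The collection and documentation slides above describe one procedure: bit-copy the source, hash both source and copy so the copy can be shown unaltered, and record who made it and when. The script below is an added example for this module, not code from the course or from any of the tools it names. It leaves out the network transport (nc, ssh tunnel) shown on the previous slides and concentrates on the integrity and custody steps. It assumes POSIX sh, dd, and either sha1sum or openssl; the "device" in the demo is a constructed regular file, and on a real disk the source read would be done through the write blocker the slides call for. The custody-log layout (tab-separated UTC time, source, image, digest, operator) is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the course slides): image a source, hash source and
# image, verify they match, and append a chain-of-custody record.
# Assumptions: POSIX sh, dd, and either sha1sum (coreutils) or openssl;
# the "device" used in the demo is a constructed regular file, not a real disk.

# Print the SHA-1 digest of a file, preferring sha1sum, falling back to openssl.
hash_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | awk '{ print $NF }'
    fi
}

# acquire_image SOURCE IMAGE LOG
# Bit-copies SOURCE to IMAGE with dd, refuses to continue if the digest of the
# copy differs from the digest of the source, and appends a custody record
# (UTC time, source, image, digest, operator) to LOG. Prints the digest.
acquire_image() {
    src=$1; img=$2; log=$3
    src_hash=$(hash_of "$src") || return 1      # digest of the evidence before copying
    dd if="$src" of="$img" bs=64k 2>/dev/null || return 1
    img_hash=$(hash_of "$img") || return 1      # digest of the copy
    if [ "$src_hash" != "$img_hash" ]; then
        echo "acquire_image: digest mismatch for $src" >&2
        return 1
    fi
    printf '%s\t%s\t%s\tsha1:%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$img_hash" "$(id -un)" >> "$log"
    echo "$img_hash"
}

# verify_image IMAGE DIGEST
# Succeeds only if IMAGE still has the digest recorded at acquisition time.
verify_image() {
    [ "$(hash_of "$1")" = "$2" ]
}

# Demonstration on a constructed 1 MiB "device" (run with RUN_DEMO=1).
demo_acquisition() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/sdx" bs=64k count=16 2>/dev/null
    digest=$(acquire_image "$work/sdx" "$work/sdx.img" "$work/custody.log")
    echo "acquired $work/sdx.img with digest $digest"
    cat "$work/custody.log"
    verify_image "$work/sdx.img" "$digest" && echo "image verifies"
    printf 'X' >> "$work/sdx.img"           # simulate post-acquisition modification
    verify_image "$work/sdx.img" "$digest" || echo "tampered image detected"
    rm -rf "$work"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo_acquisition
fi
```

Hashing the source before copying means the evidence is read twice; that is the price of being able to say the image matches what was on the disk rather than merely that the image has not changed since it was made. The digest should travel with the custody record, not only with the image.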
Reconstruction
- Reconstruct deleted objects
  - DOS just marks files deleted
  - UNIX deleted file blocks can survive in the block cache
  - Linux processes can survive in the swap partition
  - Windows processes can survive in the page file
Reconstruction
- Copies of deleted objects often exist
  - Copies of objects on backup media
  - Copies on an offline mirror
  - Copies on a system crash dump
  - Copies on a packet vault
Reconstruction
- Data can be recovered from physically erased media
  - More difficult
  - Mixed success, but works significantly often
- Two techniques
  - Overlay track skew: look at edges of previous track
  - Overlay track changes surface properties: look through surface to underlying media state
Digital Evidence on Computer Networks

Application layer
- Applications create digital evidence
  - Browser cache, history, cookies
  - Application log files
  - Windows registry
  - Linux /proc, /tmp
  - Paging (swap) area
  - Host memory
  - Virtual hosting files
Transport/network layer
- Packet headers: IP addresses, ports
- Switch flow logs
- DHCP, DNS
- Log files (/var/log)
- State tables (netstat)
Data link/physical layer
- MAC addresses
- ARP caches (accessible with arp -n)
- Sniffers
- Packet vault
Forensic Tools

Forensic tools
- EnCase
- The Coroner's Toolkit
- Helix
- CAINE
EnCase
- Windows-based forensic tool
- Significant support for secure evidence gathering
- Tools for
  - Image acquisition
  - MD5 hash value computation
  - Keyword search
  - Scripting
  - RAID configurations
  - Logging
The Coroner's Toolkit
- Venema and Farmer (1999, 2004); extended by Carrier (Sleuth Kit, 2004)
- Collection of UNIX-based forensic tools
  - grave-robber: collects information, live or from an image; respects order of volatility; results stored in a body file
  - mactime: sorted list of files by modify/access/change time
  - unrm: collects all unallocated but accessible disk space
  - lazarus: shows disk layout with block types (executable, password file, email, C code, ...)
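mactime, named above, is the step that turns per-file timestamps into a single chronology an investigator can read top to bottom. The following script is an added example written for this module, not TCT's own code or the course's: it rebuilds a minimal mactime-style timeline from stat output, merging a file's modify, access and change times into one "mac"-flagged line when they coincide. It assumes GNU find, stat and awk (as on a Linux bypass OS) and a target tree that is an image copy or mounted read-only, since reading files on a live system rewrites their access times; the files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of TCT or the slides): a minimal mactime-style
# timeline built from stat output. Assumes GNU find/stat/awk (Linux) and that
# the target tree is mounted read-only or is an image copy.

# build_timeline DIR
# Emits one line per (time, file) pair, oldest first:
#   <epoch> <flags> <size> <inode> <path>
# where flags is "m..", ".a.", "..c" or a combination (e.g. "ma.") when several
# timestamps of the same file coincide, in the spirit of mactime's output.
build_timeline() {
    # One record per timestamp kind: time, kind letter, size, inode, path.
    find "$1" -type f -exec stat --printf '%Y\tm\t%s\t%i\t%n\n%X\ta\t%s\t%i\t%n\n%Z\tc\t%s\t%i\t%n\n' {} + |
    awk -F'\t' '
        {
            key = $1 SUBSEP $3 SUBSEP $4 SUBSEP $5   # time, size, inode, path
            seen[key, $2] = 1                        # which of m/a/c hit this key
            keys[key] = 1
        }
        END {
            for (k in keys) {
                split(k, f, SUBSEP)
                flags = ((k, "m") in seen) ? "m" : "."
                flags = flags (((k, "a") in seen) ? "a" : ".")
                flags = flags (((k, "c") in seen) ? "c" : ".")
                printf "%s\t%s\t%s\t%s\t%s\n", f[1], flags, f[2], f[3], f[4]
            }
        }' |
    sort -n -k1,1
}

# show_timeline DIR
# Same rows, with the epoch rendered as a UTC timestamp (GNU date).
show_timeline() {
    build_timeline "$1" | while IFS="$(printf '\t')" read -r t flags size inode path; do
        printf '%s\t%s\t%s\t%s\t%s\n' \
            "$(date -u -d "@$t" +%Y-%m-%dT%H:%M:%SZ)" "$flags" "$size" "$inode" "$path"
    done
}

# Demonstration on two constructed files with back-dated timestamps
# (run with RUN_DEMO=1). touch -t sets both mtime and atime, so each file
# shows a "ma." row at its back-dated time and a "..c" row at creation time.
demo_timeline() {
    work=$(mktemp -d)
    echo "old evidence" > "$work/a.txt";   touch -t 200101010000 "$work/a.txt"
    echo "newer evidence" > "$work/b.txt"; touch -t 201001010000 "$work/b.txt"
    show_timeline "$work"
    rm -rf "$work"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo_timeline
fi
```

The ctime rows are the ones an attacker cannot set with ordinary tools, which is why a file whose "ma." row is years older than its "..c" row deserves a second look.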
The Coroner's Toolkit
- Low-level tools
  - ils, icat: access files by inode number
  - ffind: find directory entries containing an inode
  - pcat: dump memory of a running process
  - memdump: dump system memory across the network
- Good for copying and analyzing memory-related structures
- Run tct before you reboot the victim
- http://www.porcupine.org/forensics/tct.html
- See the Help! documents
Helix
- Commercial forensics tool; was public-domain
- Two operating modes
  - Forensically sound bootable Linux environment based on Ubuntu (Live Linux): dead system analysis
  - Microsoft Windows executable: live system analysis
- http://www.e-fense.com/helix/
CAINE (Computer Aided Investigative Environment)
- Public domain forensics tool
- Two operating modes
  - Forensically sound Linux Live CD environment based on Ubuntu 10.04: dead system analysis
  - Microsoft Windows executable: live system analysis
- http://www.caine-live.net/
Dead CAINE
- Forensically sound CD-based Linux distribution
- Mounts the victim's hard drives in read-only mode
- A collection of forensic tools: http://www.caine-live.net/page11/page11.html
Live CAINE
- Runs live on the victim as a Windows application
- Collects volatile data, so will perturb the victim
- Useful for collecting data from systems that cannot be turned off
- Portable forensic environment
- Options
  - Run the WinTaylor GUI; tools include the NIRSoft suite, MDD, Win32dd, Winen, fport, TCPView, Advanced LAN Scanner, FTK Imager, Windows Forensic Toolchest, Nigilant 32, and the Sysinternals Suite
  - Run tools off the CD in Windows Explorer
National Hash Registry
- NIST National Software Reference Library
- Collects hashes of known, traceable software applications
  - Files that are "safe" and can be ignored
  - Files that are "unsafe" and should be investigated
- Reduces the hay in the haystack
- Freely available over the Internet, or on quarterly CDs via subscription
- Tools for converting hashes into other formats
- http://www.nsrl.nist.gov/
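How a hash set "reduces the hay" in practice: hash every file in the tree under examination and drop those whose digest matches a known-file entry, or, for a set of hashes that should be investigated, keep only the matches. The script below is an added example for this module, not code from NIST or the course. It assumes sha1sum (coreutils) and GNU find, and a hash set already converted to one hexadecimal SHA-1 per line; turning the NSRL download into that form is the "converting hashes into other formats" step the slide mentions and is not done here. The hash set and files in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the slides or NIST): use a known-file hash set to
# shrink the set of files that need examination. Assumes sha1sum, GNU find,
# and a hash set with one hex SHA-1 per line (case-insensitive, CRLF tolerated).

# _hash_filter DIR HASHSET WANT
# Hashes every regular file under DIR and prints the paths whose membership in
# HASHSET equals WANT (1 = in the set, 0 = not in the set).
_hash_filter() {
    find "$1" -type f -exec sha1sum {} + | awk -v set="$2" -v want="$3" '
        BEGIN {
            # Load the hash set once into an associative array.
            while ((getline h < set) > 0) {
                sub(/\r$/, "", h)
                if (h != "") known[tolower(h)] = 1
            }
            close(set)
        }
        {
            inset = (tolower($1) in known) ? 1 : 0
            if (inset == want) {
                sub(/^[0-9a-fA-F]+ [ *]/, "")   # strip "<hash>  " or "<hash> *"
                print
            }
        }'
}

# unknown_files DIR HASHSET
# The known-good (NSRL) case: everything NOT in the set is what remains to examine.
unknown_files() { _hash_filter "$1" "$2" 0; }

# known_files DIR HASHSET
# The complementary query: files that ARE in a set of hashes worth investigating.
known_files() { _hash_filter "$1" "$2" 1; }

# Demonstration with a constructed tree and hash set (run with RUN_DEMO=1).
demo_hash_filter() {
    work=$(mktemp -d)
    mkdir "$work/files"
    echo "vendor-supplied binary (constructed)" > "$work/files/known.bin"
    echo "file nobody can account for (constructed)" > "$work/files/new.bin"
    sha1sum "$work/files/known.bin" | cut -d' ' -f1 > "$work/known.sha1"
    echo "not in the known-file set:"; unknown_files "$work/files" "$work/known.sha1"
    echo "matched the set:";           known_files   "$work/files" "$work/known.sha1"
    rm -rf "$work"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    demo_hash_filter
fi
```

A match against a known-good set says only that the file's content is a known release; it says nothing about whether that file belongs on this machine or at this path, so the filter narrows the search rather than clearing anything.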
References
- Eoghan Casey, Digital Evidence and Computer Crime, Academic Press, 2000.
- Dan Farmer and Wietse Venema, Forensic Discovery, Pearson Education, 2005.
- Brian Carrier, File System Forensic Analysis, Pearson Education, 2005.
- Harlan Carvey, Windows Forensic Analysis, Elsevier, 2007.
- http://www.sleuthkit.org/
- http://www.forensics.nl/toolkits
- http://www.e-fense.com/helix/docs/helix0307.pdf
- http://www.forensicfocus.com/alternatives-to-helix3
- http://www.caine-live.net/