Fundamentals of Linux Platform Security
Security Training Course
Dr. Charles J. Antonelli The University of Michigan
2012
Fundamentals of Linux Platform Security
Module 11 Introduction to Forensics
Overview
• Forensic science & digital evidence
• Applying forensic science to computers
• Digital evidence on computer networks
• Forensic tools
3 10/12 cja 2012
Forensic Science & Digital Evidence
Forensic science
• Defined as the application of scientific principles to identifying, recovering, reconstructing, or analyzing evidence
Examples of forensic science as applied to digital evidence
• Recovering damaged or deleted documents from a hard drive
• Collecting network data while preserving its integrity and authenticity
• Using a cryptographic hash to verify that digital evidence has not been modified
• Signing digital evidence to affirm authenticity and to preserve the chain of evidence
• Determining the unique characteristics of a piece of digital evidence
Digital Evidence
Defined as digital data that can
• Establish that a crime has been committed
• Provide a link between a crime and a victim
• Provide a link between a crime and its perpetrator
Examples of digital evidence
• Email
• Images
• Chat rooms
• File contents
• System logs
• IM logs
• SMS logs
• Network packets
• … anything stored on a computer
• … anything sent over the network
Characteristics of digital evidence
• A type of physical evidence
• Less tangible
  - Electrons, photons, and fields
• Therefore more susceptible to tampering
• Acceptable as evidence
  - … but demands specialized handling
Criminal activity and digital evidence
Computers and networks facilitate crime:
• Child pornography
• Espionage
• Solicitation of minors
• Sabotage
• Stalking
• Theft
• Harassment
• Privacy violations
• Fraud
• Defamation
• Identity theft
Criminal activity and digital evidence
• Criminals take advantage of new technology
  - Encryption
  - Anonymous remailers (e.g. Mixmaster): obscure sender identity
  - Onion routing (e.g. Tor): anonymous outgoing connections, anonymous hidden services
  - State and national boundaries
Who collects digital evidence
• Not only the trained and authorized experts
  - Victim
  - Local staff
  - ISP staff
  - Law enforcement (often untrained)
  - Trained experts
But …
• Carrier-transport/ECPA
• Student information/FERPA
• Health information/HIPAA
• Privacy/First Amendment
• Human subject guidelines
• Ownership/copyright
• Right to know/FOIA
• Discovery/evidence
• Search and seizure, Patriot Act/Fourth Amendment
• Civil liability
Applying forensic science to computers
Types of evidence
• Direct
• Hearsay
  - Generally inadmissible, because the truth of the out-of-court statement can't be tested by cross-examination
  - But records of regularly conducted activity are not inadmissible, because they portray events accurately and are easier to verify than other forms of hearsay
  - Admits log files
  - Might even be admissible as direct evidence!
• Both types must be proved authentic and unmodified
Key aspects to processing evidence
• Recognition
• Preservation, collection, documentation
• Classification, comparison, individualization
• Reconstruction
Recognition
• Recognize the hardware
  - Usual suspects: computers, laptops, networks
  - But also: thumb drives, cell phones, PDAs, RFID, ether
• Recognize the evidence
  - Cyberstalkers use email
  - Crackers leave log files
  - Child pornographers leave images
Collecting and preserving evidence
• Must be authentic and unaltered
• Copies only admissible until challenged
• Collect but don't alter
  - Requires special "bit-copy" tools
  - Cryptographic hashes
• Write-protection hardware
Collecting and preserving digital evidence
Collect entire contents of computer
• Collect evidence from RAM
• Shut down
  - Pull the plug on clients
  - Shut down servers
• Engage write blocker
• Boot using a known "bypass" OS
• Create copies of the hard drives as digital evidence
  - Cryptographic hashes provide integrity and authenticity
Collecting and preserving digital evidence
• Don't trust the rooted OS
  - Boot bypass Linux for access to raw disks
  - Make sure you're booting from the right device!
  - Transfer disk(s) to another computer
    » Generalizes to specially configured investigative systems
• Encryption is a problem
  - But other evidence can help
Basic Linux tools
Before shutting down
• dd
  - For making a bit copy of memory
• ps
  - For seeing what's running
• lsof
  - For listing open files and devices by process
Basic Linux tools
• How to dump memory
  on dump host 10.0.0.2 (traditional netcat syntax; OpenBSD nc takes "nc -l 1234"):
    nc -vv -n -l -p 1234 >victim.mem
  on victim host 10.0.0.1, first open an ssh tunnel to the dump host (keep this session open and run dd from a second shell, or add -N -f to background the tunnel):
    ssh -C -l root -L 1234:10.0.0.2:1234 10.0.0.2
  then send memory through the local end of the tunnel (ssh -L listens on loopback by default, so connect to 127.0.0.1 rather than the host's own address):
    dd if=/dev/mem bs=100k | nc -vv -n -w 1 127.0.0.1 1234
  (modern kernels restrict /dev/mem; on those, use a dedicated memory acquisition tool instead)
• kdump
  - Kernel panic sends dump of physical memory to
    » a local filesystem
    » an NFS-mounted device
    » via ssh to a remote system
Basic Linux tools
• How to dump a filesystem
  on dump host 10.0.0.2:
    nc -vv -n -l -p 1234 >victim.sdX
  on victim host 10.0.0.1:
    dd if=/dev/sdaX bs=100k | nc -vv -n -w 1 10.0.0.2 1234
  - best done on quiescent filesystem
  - best done on secure network, or use an ssh tunnel (open it first, then run dd against the local end of the tunnel on 127.0.0.1, since ssh -L listens on loopback by default):
    ssh -C -l root -L 1234:10.0.0.2:1234 10.0.0.2
    dd if=/dev/sdaX bs=100k | nc -vv -n -w 1 127.0.0.1 1234
  - ssh compression (-C) can reduce transfer time
Basic Linux tools
After booting bypass OS
• dd
  - For making bit copies of filesystems
• grep
  - Finds specified strings in text files
• strings
  - Finds strings in non-text files
• file
  - Determines type of file based on contents
• stat
  - Determines file metadata
• sha1sum, openssl sha1
  - For computing message digests
Documenting evidence
• Chain of custody
  - Must show continuity of possession
• Record
  - When evidence collected
  - From where
  - By whom
• Document carefully
  - Serial numbers, copy method, date, time, who, …
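The two preceding slides (the post-boot tools and the documentation requirements) come together in the script below, an added example that is not part of the lecture: it bit-copies a device with dd, computes SHA-1 digests of source and image with sha1sum, searches the image for a string, and appends a chain-of-custody record (when, from where, by whom, digests, file metadata). To run offline and without root it images a constructed sample file standing in for /dev/sdX; the marker string and file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): image a "device" with dd, verify the
# copy with sha1sum, search it, and write a chain-of-custody record.
set -eu

# Constructed stand-in for a block device: 64 KiB of filler plus one
# recognisable line, so a string search on the image has something to find.
make_sample_device() {
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf '\nEVIDENCE-MARKER: constructed sample line\n' >> "$1"
}

# SHA-1 digest only (sha1sum prints "digest  name").
hash_file() {
    sha1sum "$1" | cut -d' ' -f1
}

# Bit-copy SRC to IMG, as on the slides. On a real disk with bad sectors use
# the device's sector size as bs together with conv=noerror,sync; with a
# large bs, conv=sync zero-pads the final block and the digests will differ.
image_device() {
    dd if="$1" of="$2" bs=100k 2>/dev/null
}

# Compare source and image digests, append the custody record to LOG and
# print MATCH or MISMATCH so a caller can act on the result.
verify_and_log() {
    src="$1"; img="$2"; log="$3"
    src_sha=$(hash_file "$src")
    img_sha=$(hash_file "$img")
    if [ "$src_sha" = "$img_sha" ]; then result=MATCH; else result=MISMATCH; fi
    {
        printf 'date: %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        printf 'collector: %s@%s\n' "$(id -un)" "$(uname -n)"
        printf 'copy method: dd bs=100k\n'
        printf 'source: %s sha1=%s\n' "$src" "$src_sha"
        printf 'image: %s sha1=%s\n' "$img" "$img_sha"
        # stat/file give the metadata the slides mention; fall back if absent
        printf 'image metadata: %s\n' "$(stat -c '%s bytes, modified %y' "$img" 2>/dev/null || ls -l "$img")"
        printf 'image type: %s\n' "$(file "$img" 2>/dev/null || echo 'file(1) not available')"
        printf 'verification: %s\n' "$result"
    } >> "$log"
    printf '%s\n' "$result"
}

# Keyword search over the image. grep -a searches binary data directly
# (the slides' "strings | grep" gives the same answer for text markers);
# prints the number of matching lines.
count_marker_lines() {
    grep -a -c "$2" "$1" || true
}

# Stand-alone run against the constructed sample in a scratch directory.
work=$(mktemp -d)
make_sample_device "$work/sdX"
image_device "$work/sdX" "$work/sdX.img"
echo "verification: $(verify_and_log "$work/sdX" "$work/sdX.img" "$work/custody.log")"
echo "marker lines in image: $(count_marker_lines "$work/sdX.img" EVIDENCE-MARKER)"
cat "$work/custody.log"
rm -rf "$work"
```

The verification step is what makes the copy usable as evidence: a single added byte in the image changes the digest and the record shows MISMATCH, which is exactly the challenge to a copy that the earlier slide anticipates.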
Reconstruction
• Reconstruct deleted objects
  - DOS just marks files deleted
  - UNIX deleted file blocks can survive in the block cache
  - Linux processes can survive in the swap partition
  - Windows processes can survive in the page file
Reconstruction
• Copies of deleted objects often exist
  - Copies of objects on backup media
  - Copies on an offline mirror
  - Copies on a system crash dump
  - Copies on a packet vault
Reconstruction
• Data can be recovered from physically erased media
  - More difficult
  - Mixed success, but works significantly often
• Two techniques
  - Overlay track skew: look at edges of previous track
  - Overlay track changes surface properties: look through surface to underlying media state
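The "DOS just marks files deleted" point means the data blocks are still on the disk; the script below, an added example and not part of the lecture, recovers such an object from a raw image by carving between a known header and footer, the idea behind unrm/lazarus-style recovery in the toolkits discussed later. The image is constructed here: a zero-filled 32 KiB "partition" into which the object's bytes are written at an offset with no directory entry pointing at them. The header and footer strings, the offset, and the file names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): carve a "deleted" object out of a raw
# image by locating a known header and footer and copying the bytes between.
set -eu

# Constructed object: a small "document" with a distinctive header and footer.
DOC_HEADER='%SAMPLEDOC-BEGIN'
DOC_FOOTER='%SAMPLEDOC-END'
sample_document() {
    printf '%s\nmemo to file: constructed sample content\nline two\n%s' \
        "$DOC_HEADER" "$DOC_FOOTER"
}

# Build the image: zeros, then the object written in place at byte OFFSET
# without truncating (conv=notrunc), as surviving data blocks sit in
# unallocated space once the directory entry is gone.
make_image() {
    img="$1"; offset="$2"
    dd if=/dev/zero of="$img" bs=1024 count=32 2>/dev/null
    sample_document | dd of="$img" bs=1 seek="$offset" conv=notrunc 2>/dev/null
}

# Byte offset of the first occurrence of a fixed string in a binary file.
# grep -a searches binary data as text; with -o, -b prints each match's own
# offset. Prints nothing when the string is absent.
find_offset() {
    grep -a -b -o -F -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Carve from the header through the end of the footer into OUT and print the
# carved length; returns status 1 if either marker is missing or misordered.
carve_between() {
    img="$1"; start="$2"; end="$3"; out="$4"
    s=$(find_offset "$img" "$start")
    e=$(find_offset "$img" "$end")
    [ -n "$s" ] && [ -n "$e" ] && [ "$e" -ge "$s" ] || return 1
    len=$((e - s + ${#end}))
    dd if="$img" of="$out" bs=1 skip="$s" count="$len" 2>/dev/null
    printf '%s\n' "$len"
}

# Stand-alone run: plant the object at byte 5000, then recover it.
work=$(mktemp -d)
make_image "$work/part.img" 5000
echo "header found at byte $(find_offset "$work/part.img" "$DOC_HEADER")"
echo "carved $(carve_between "$work/part.img" "$DOC_HEADER" "$DOC_FOOTER" "$work/recovered.txt") bytes:"
cat "$work/recovered.txt"; echo
rm -rf "$work"
```

Carving works on the image, never on the original media, which is why it follows the bit-copy and hash steps of the earlier slides; it recovers contiguous objects only, and a fragmented file would need filesystem-aware tools such as those in the toolkits below.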
Digital evidence on computer networks
Application layer
• Applications create digital evidence
  - Browser cache, history, cookies
  - Application log files
  - Windows registry
  - Linux /proc, /tmp
  - Paging (swap) area
  - Host memory
  - Virtual hosting files
Transport/network layer
• Packet headers: IP addresses, ports
• Switch flow logs
• DHCP, DNS
• Log files (/var/log)
• State tables (netstat)
Data link/physical layer
• MAC addresses
• ARP caches
  - ARP cache accessible with arp -n
• Sniffers
• Packet vault
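The "before shutting down" tools (ps, lsof) and the network-layer state tables (netstat, arp -n) above are all volatile: they vanish when the plug is pulled. The script below, an added example and not part of the lecture, collects them from a live Linux host in order of volatility (the principle grave-robber follows), writes each output to its own file, and records the command, its exit status and a SHA-1 of the output in a manifest so the collection can be verified later. Hosts missing a tool get a NOT_AVAILABLE line rather than a silent gap. The step list and file layout are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): ordered collection of volatile state
# from a live host with ps, netstat, arp -n, lsof and /proc, with a manifest.
set -eu

# Collection steps, most volatile first: process and connection state, then
# the ARP cache, then open files, then kernel state from /proc. name|command.
STEPS='ps|ps -eo pid,ppid,user,lstart,args
netstat|netstat -an
arp|arp -n
lsof|lsof -n -P
proc_modules|cat /proc/modules
proc_mounts|cat /proc/mounts'

# Run one step: output to DIR/NAME.txt, stderr to DIR/NAME.err, one manifest
# line. A missing tool is recorded, not skipped silently.
run_step() {
    dir="$1"; name="$2"; cmd="$3"
    tool=${cmd%% *}
    if ! command -v "$tool" >/dev/null 2>&1; then
        printf '%s\tNOT_AVAILABLE\t%s\n' "$name" "$cmd" >> "$dir/MANIFEST"
        return 0
    fi
    status=0
    sh -c "$cmd" > "$dir/$name.txt" 2> "$dir/$name.err" || status=$?
    sha=$(sha1sum "$dir/$name.txt" | cut -d' ' -f1)
    printf '%s\tEXIT=%s\tsha1=%s\t%s\n' "$name" "$status" "$sha" "$cmd" >> "$dir/MANIFEST"
}

# Collect every step into DIR (created if needed); the manifest header records
# when, on which host and by whom. Prints the number of steps actually run.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir"
    printf 'collected: %s on %s by %s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(uname -n)" "$(id -un)" > "$dir/MANIFEST"
    printf '%s\n' "$STEPS" | while IFS='|' read -r name cmd; do
        run_step "$dir" "$name" "$cmd"
    done
    grep -c 'EXIT=' "$dir/MANIFEST" || true
}

# Stand-alone run into a scratch directory.
out="$(mktemp -d)/volatile"
echo "ran $(collect_volatile "$out") steps; manifest:"
cat "$out/MANIFEST"
```

Collection like this perturbs the host (each command is itself a new process, as the later Live CAINE slide notes), so the manifest's timestamps and digests are what let the investigator account for that perturbation rather than pretend it did not happen; run it from a trusted copy of the tools where the slides' warning about not trusting the rooted OS applies.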
Forensic Tools
• EnCase
• The Coroner's Toolkit
• Helix
• CAINE
EnCase
• Windows-based forensic tool
  - Significant support for secure evidence gathering
• Tools for
  - Image acquisition
  - MD5 hash value computation
  - Keyword search
  - Scripting
  - RAID configurations
  - Logging
The Coroner's Toolkit
• Venema and Farmer (1999, 2004)
  - Extended by Carrier (Sleuth Kit, 2004)
• Collection of UNIX-based forensic tools
  - grave-robber: collects information, live or image; respects order of volatility; stored in body file
  - mactime: sorted list of files by modify/access/change time
  - unrm: collects all unallocated but accessible disk space
  - lazarus: shows disk layout with block types
    » executable, password file, email, C code, …
The Coroner's Toolkit
• Low-level tools
  - ils, icat: access files by inode number
  - ffind: find directory entries containing inode
  - pcat: dump memory of running process
  - memdump: dump system memory across network
  - …
• Good for copying and analyzing memory-related structures
  - Run tct before you reboot victim
• http://www.porcupine.org/forensics/tct.html
  - See "Help!" documents
Helix
• Commercial forensics tool
  - Was public-domain
• Two operating modes
  - Forensically sound bootable Linux environment based on Ubuntu Live Linux: dead system analysis
  - Microsoft Windows executable: live system analysis
• http://www.e-fense.com/helix/
CAINE: Computer Aided Investigative Environment
• Public domain forensics tool
• Two operating modes
  - Forensically sound Linux Live CD environment based on Ubuntu 10.04: dead system analysis
  - Microsoft Windows executable: live system analysis
• http://www.caine-live.net/
Dead CAINE
• Forensically sound CD-based Linux distribution
• Mounts victim's hard drives in read-only mode
• Offers a collection of forensic tools
  - http://www.caine-live.net/page11/page11.html
Live CAINE
• Runs "live" on victim as a Windows application
  - Collects volatile data, so will perturb the victim
  - Useful for collecting data from systems that cannot be turned off
  - Portable forensic environment
• Options
  - Run WinTaylor GUI
    » Tools include the NIRSoft suite, MDD, Win32dd, Winen, fport, TCPView, Advanced LAN Scanner, FTK Imager, Windows Forensic Toolchest, Nigilant 32, and the Sysinternals Suite.
• Run tools off the CD in Windows Explorer
National Hash Registry
• NIST National Software Reference Library
• Collects hashes of known, traceable software applications
  - Files that are "safe" and can be ignored
  - Files that are "unsafe" and should be investigated
  - Reduces the hay in the haystack
• Freely available
  - Over Internet, or quarterly CDs via subscription
  - Tools for converting hashes into other formats
• http://www.nsrl.nist.gov/
References
• Eoghan Casey, “Digital Evidence and Computer Crime,” Academic Press, 2000.
• Dan Farmer and Wietse Venema, “Forensic Discovery,” Pearson Education, 2005.
• Brian Carrier, “File System Forensic Analysis,” Pearson Education, 2005.
• Harlan Carvey, “Windows Forensic Analysis,” Elsevier, 2007.
• http://www.sleuthkit.org/
• http://www.forensics.nl/toolkits
• http://www.e-fense.com/helix/Docs/Helix0307.pdf
• http://www.forensicfocus.com/alternatives-to-helix3
• http://www.caine-live.net/