Lecture 17: UNIX Forensics 6/30/2003 CSCE 590 Summer 2003


Page 1: Lecture 17: UNIX Forensics (6/30/2003, CSCE 590, Summer 2003)

Page 2: Shutdown Command

• BSD-ish shutdown
  – shutdown -r now
  – shutdown -h 16:30
  – shutdown -r +5 "Please save your files"
• System V
  – shutdown -i6 -g0 -y "Please save your files" (reboot)
  – shutdown -i0 -g 60 -y (halt in one minute)
• reboot
• halt

Page 3: NFS

• Network File System
• Allows you to mount disk space from a remote machine
• NFS server:
  – /etc/exports
  – exportfs
• NFS client:
  – /etc/fstab
  – mount
  – /etc/mtab - mounted filesystems table
  – /etc/rmtab - remote mounted filesystems table

Page 4: hosts File

• /etc/hosts
• Can be used as a supplement to DNS
• Mappings of IP addresses to names that may not be in DNS
• May indicate other machines that were targeted if intruder found hosts file
  – 127.0.0.1 localhost.localdomain localhost
  – 129.252.131.42 forensicrig.cse.sc.edu forensicrig

Page 5: resolv.conf

• /etc/resolv.conf
• List of domains to search for machine names in
• List of DNS servers to use to resolve names
  – search cse.sc.edu
  – nameserver 129.252.131.9
  – nameserver 129.252.21.12
  – nameserver 129.252.21.13

Page 6: Mail aliases File

• /etc/aliases
• /etc/mail/aliases
• Lists of email addresses that are redirected to another email address

  postmaster: root,wright
  abuse: postmaster
  trouble: postmaster
  security: wright,ronni,ken
  codered: ronni,wright,ken,[email protected],[email protected],[email protected],[email protected],[email protected]

Page 7: RC Files

• Configuration files that are run when a user logs in or a shell is started
• Can contain commands, set environment variables
  – .login
  – .profile
  – .bashrc
  – .cshrc
  – .tcshrc
  – /etc/bashrc
  – /etc/csh.cshrc
  – /etc/csh.login

Page 8: Cron files

• Example:

  10 3 * * 0,4 /etc/cron.d/logchecker
  58 23 * * * /usr/lib/newsyslog
  0 5 * * * /usr/lib/newweblog
  3 0 * * 1 /usr/lib/newsyslog.weekly
  # Run Statistics Collection
  */5 * * * * /data/nmis/bin/nmis.pl

• Fields and allowed values:
  – minute 0-59
  – hour 0-23
  – day of month 1-31
  – month 1-12 (or names)
  – day of week 0-7 (0 or 7 is Sun, or names)
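An investigator reading a crontab usually wants to know which entries could have fired at the time of a suspicious log line. The example below is added here and is not the lecture's code: it parses the five fields (names, ranges, lists and */step), folds 7 onto 0 for Sunday, and reports the commands scheduled for a given timestamp. The sample crontab is constructed from the slide's lines.

```python
from datetime import datetime
# Constructed sample crontab, copied from the slide's example (not the lecture's own code).
SAMPLE_CRONTAB = """\
10 3 * * 0,4 /etc/cron.d/logchecker
58 23 * * * /usr/lib/newsyslog
0 5 * * * /usr/lib/newweblog
3 0 * * 1 /usr/lib/newsyslog.weekly
# Run Statistics Collection
*/5 * * * * /data/nmis/bin/nmis.pl
"""

MONTHS = {m: i + 1 for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split())}
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
# (low, high, symbolic names) per field: minute, hour, day of month, month, day of week
FIELDS = [(0, 59, {}), (0, 23, {}), (1, 31, {}), (1, 12, MONTHS), (0, 7, DAYS)]

def expand_field(spec, lo, hi, names):  # '*', '*/5', '1-5', 'mon', '0,4' -> set of ints
    values = set()
    for part in spec.lower().split(","):
        part, _, step = part.partition("/")
        if part == "*":
            part = f"{lo}-{hi}"
        a, _, b = part.partition("-")
        start = names[a] if a in names else int(a)
        end = (names[b] if b in names else int(b)) if b else start
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {spec!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, int(step) if step else 1))
    return values

def parse_crontab(text):  # -> [(five sets of allowed values, command), ...]; comments skipped
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            raise ValueError(f"malformed entry: {line!r}")
        sets = [expand_field(f, lo, hi, n) for f, (lo, hi, n) in zip(fields[:5], FIELDS)]
        sets[4] = {0 if d == 7 else d for d in sets[4]}  # 0 and 7 both mean Sunday
        entries.append((sets, fields[5]))
    return entries

def commands_firing_at(entries, timestamp):  # ISO timestamp such as "2003-06-30T03:10"
    when = datetime.fromisoformat(timestamp)
    dow = (when.weekday() + 1) % 7  # Python: Monday=0; cron: Sunday=0
    probe = (when.minute, when.hour, when.day, when.month, dow)
    return [cmd for sets, cmd in entries if all(v in s for v, s in zip(probe, sets))]
```

All five fields are ANDed here; Vixie cron fires an entry when either day field matches once both day-of-month and day-of-week are restricted, which none of the slide's entries do.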

Page 9: Printing - LPRng

• lpr, lpd, lpq, lprm, lpc
• /var/spool/lpd/printer_name - spool directories
  – Default name is lp
• /etc/printcap
• /etc/lpd.perms
• /var/spool/printer*/printer - lock file for queue control
• /var/spool/printer*/control.printer - queue control
• /var/spool/printer*/active.printer - active job
• /var/spool/printer*/log.printer - log file

Page 10: Spool Files

• dfA<Job_Number><Source>
  – Data file - what is to be printed
• cfA<Job_Number><Source>
  – Control file - control info about job
• hfA<Job_Number>
  – Header file - info about print job

Page 11: Spool Directory (screenshot slide)

Page 12: Print Job Control Files (screenshot slide)

Page 13: sysctl.conf

• Kernel sysctl configuration file
• Configuration options for kernel
• Example:

  # Controls IP packet forwarding
  net.ipv4.ip_forward = 0
  # Controls source route verification
  net.ipv4.conf.default.rp_filter = 1
  # whether core dumps append the PID to core filename
  kernel.core_uses_pid = 1

Page 14: Pluggable Authentication Modules (PAM)

• Can individually configure how different applications will do authentication
• Standalone authentication modules for different methods of authenticating
• Modules are 'stackable'
• /etc/pam.conf or /etc/pam.d directory
• Dynamically change authentication methods

Page 15: PAM

• Separates aspects of authentication into 4 tasks
  – account: account verification tasks (expired password?)
  – auth: authentication tasks - is user who they claim to be
  – password: password management/changing
  – session: maintenance tasks of authentication, audit trails/logs, mounting user's home directory

Page 16: Recovering Deleted UNIX Files with Sleuthkit

• Very similar to Windows NTFS file recovery
• fls -f linux-ext3 -r -d -m / /dev/hda2 | more
• ils -f linux-ext3 -r -m /dev/hda2 | more
• icat -f linux-ext3 /dev/hda2 212018 > locale.alias
• more locale.alias
• Do not have to tack -128-4 onto inode/MFT like NTFS to get data

Page 17: Advanced Sleuthkit Sorter

• Configuration files
  – /usr/local/sleuthkit/share/sorter
    • default.sort
    • freebsd.sort
    • images.sort
    • linux.sort
    • openbsd.sort
    • solaris.sort
    • windows.sort
  – If none is specified on the command line, you get default.sort plus the file for the OS matching the filesystem type
    • With "-f ntfs" you also get windows.sort
• Add config files to the default with "-c config_file.sort"

Page 18: Custom Sorter Configuration Files

• /usr/local/sleuthkit/share/sorter/images.sort
• The "-C" option means use only this config file
• Combine -C with -s and -U, and it will recover and index only the file types defined in your custom configuration file. It indexes the rest of the files as unknown, but does not recover them
• If you use these options, sorter makes a number of .sorterxxx files in the base of the output directory that need to be deleted when sorter is finished. They take a LOT of room!! Do an "ls -la" to see them.

Page 19: Sorter Configuration Files

• Format of category line:
  – category CATEGORY_NAME FILE_REG_EXP
  – category is the keyword
  – CATEGORY_NAME is the name of the category you want them sorted into
    • Anything that doesn't match on a category gets placed in the 'unknown' category
    • ignore - special category that ignores files completely, not even 'unknown'
  – FILE_REG_EXP is a regular expression that will match on the output of the file command if it were run on a file of this type

Page 20: Sorter Configuration Files

• Format of extension line:
  – ext EXTENSION_LIST FILE_REG_EXP
  – ext is the keyword
  – EXTENSION_LIST is a comma-separated list of file extensions for that file type
    • Anything that doesn't match on a category gets flagged as an extension mismatch
    • Place it under a category line to make it more specific
  – FILE_REG_EXP is a regular expression that will match on the output of the file command if it were run on a file of this type

Page 21: Sorter Configuration Files

• Example 1:
  category images image data
  ext jpg,jpeg,jpe JPEG image data
  ext gif GIF image data
• Example 2:
  category mail data
  extension dbx data
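To make the category, ext, ignore and unknown rules of pages 19-21 concrete, here is an added example (my own, not Sleuthkit's sorter or the lecture's code) that reads a config in that format and sorts a file by the output that file(1) gave for it. Matching follows the slides: the first category whose regexp matches wins, and an ext line under that category flags an extension mismatch when the name's extension is not in its list. The config is constructed from the slide's two examples plus an ignore line; the "empty" regexp is an assumption.

```python
import re

# Constructed sorter configuration in the format the slides describe (based on their
# two examples); it is not one of Sleuthkit's own share/sorter files.
SAMPLE_SORTER_CONFIG = """\
category images image data
ext jpg,jpeg,jpe JPEG image data
ext gif GIF image data
category mail data
ext dbx data
category ignore empty
"""

def parse_sorter_config(text):
    # Returns [(category_name, compiled_regexp, [(compiled_regexp, (ext, ...)), ...]), ...]
    # in file order; an ext line is attached to the category line above it.
    categories = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "category":
            categories.append((parts[1], re.compile(parts[2]), []))
        elif len(parts) == 3 and parts[0] == "ext" and categories:
            categories[-1][2].append((re.compile(parts[2]), tuple(parts[1].lower().split(","))))
        else:
            raise ValueError(f"bad sorter line: {line!r}")
    return categories

def classify(categories, file_output, filename):
    # Sort one file by the output `file` gave for it: returns (category, extension_mismatch).
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    for name, regexp, ext_rules in categories:  # first matching category wins
        if not regexp.search(file_output):
            continue
        if name == "ignore":
            return "ignore", False  # dropped completely, not even listed as unknown
        # mismatch: file output says this type, but the name lacks one of its extensions
        mismatch = any(rx.search(file_output) and ext not in ok for rx, ok in ext_rules)
        return name, mismatch
    return "unknown", False
```

A renamed picture (JPEG content under a .txt name) shows up as ("images", True), which is the mismatch sorter reports for files an intruder has disguised by extension.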

Page 22: References

• http://www.sleuthkit.org/informer/sleuthkit-informer-43.html
• http://www.sleuthkit.org/informer/sleuthkit-informer-4.html
• http://www.sleuthkit.org/informer/sleuthkit-informer-5.html