
Linux Forensics [WIP]

  1. No networking-related forensics is covered.

1 Live Response

1.1 Talk to the Humans

  1. What do they think happened
  2. Details on victim system(s)

1.2 Mount Response Kit with Known Good Tools

  1. CD-ROM preferred, as it was not likely part of the compromise
  2. USB MS can be used if no CD-ROM
  3. Using netcat to send collected data off-host and minimize contamination of the victim's disk

1.3 Collecting Volatile Data

  1. date and time
  2. network interfaces
  3. funny (unexpected) networks
  4. promiscuous mode?
  5. network connections
  6. open ports
  7. programs associated with ports
  8. running processes
  9. open files
  10. routing tables
  11. mounted filesystems
  12. loaded kernel modules
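The live-response steps of sections 1.2 and 1.3 as one runnable script (an added example, not from the original notes): it prefers the known-good binaries of the mounted kit, gathers the twelve items listed above, flags interfaces in promiscuous mode, and streams everything over netcat so nothing is written to the victim's disk. The kit mount point /mnt/kit, the collector address 192.0.2.10 and port 9999 are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): collect the section 1.3 items with
# known-good tools from the mounted response kit and stream them off-host with netcat.
# Hypothetical assumptions: kit mounted at /mnt/kit, binaries in /mnt/kit/bin, and a
# collector listening with:  nc -l -p 9999 > volatile.txt   (192.0.2.10 is a placeholder)
KIT_BIN="${KIT_BIN:-/mnt/kit/bin}"
COLLECTOR_HOST="${COLLECTOR_HOST:-192.0.2.10}"
COLLECTOR_PORT="${COLLECTOR_PORT:-9999}"
PATH="$KIT_BIN:$PATH"; export PATH   # prefer the kit's binaries over the suspect system's

# Run one collection step with a labelled banner; a missing tool is recorded, not fatal,
# so the run still yields everything else on a minimal or damaged system.
step() {
    label="$1"; shift
    printf '===== %s (%s) =====\n' "$label" "$*"
    if command -v "$1" >/dev/null 2>&1; then "$@" 2>&1; else echo "[missing: $1]"; fi
}

# Returns 0 when an `ip link` line carries the PROMISC flag (possible sniffer).
is_promisc_line() {
    case "$1" in *"<"*PROMISC*">"*) return 0 ;; *) return 1 ;; esac
}

# Lists only the interfaces in promiscuous mode (item 4 of section 1.3).
promisc_ifaces() {
    ip link show 2>/dev/null | while IFS= read -r line; do
        is_promisc_line "$line" && printf '%s\n' "$line"
    done
    return 0
}

# Emits the volatile data roughly in order of volatility, most volatile first.
collect_volatile() {
    step "date and time"            date -u
    step "network interfaces"       ip addr show
    printf '===== promiscuous interfaces =====\n'; promisc_ifaces
    step "network connections"      ss -tunap
    step "open ports and programs"  ss -tulpn
    step "running processes"        ps -eo pid,ppid,user,lstart,args
    step "open files"               lsof -n
    step "routing tables"           ip route show
    step "mounted filesystems"      mount
    step "loaded kernel modules"    lsmod
}
# Stream everything to the collector so nothing is written to the victim's disk.
send_to_collector() {
    collect_volatile | nc "$COLLECTOR_HOST" "$COLLECTOR_PORT"
}
if [ "${1:-}" = "send" ]; then send_to_collector; fi
```

Run as `sh collect.sh send` on the victim once the listener is up; the banners let the analyst split the single stream back into the twelve sections.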

1.4 Dead Analysis Justified?

  1. kernel version
  2. uptime
  3. filesystem datetime stamps
  4. hash values for system files
  5. current user logins
  6. login history
  7. system logs
  8. user accounts
  9. user history files
  10. hidden files and directories
  11. sending off suspicious files for further study

1.5 Dumping RAM

  1. Making the decision to dump RAM
  2. Using fmem (https://github.com/NateBrune/fmem): a Linux kernel module designed to help analyze volatile memory in the Linux kernel.
  3. Using LiME (https://github.com/504ensicsLabs/LiME): a Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
  4. Using /proc/kcore

2 Acquiring Filesystem Images

2.1 Write Blocking Options

  1. Forensic Linux distros
  2. Udev rules based blocker

3 Analyzing Filesystem Images

3.1 Mounting images

  1. Files with basic system info
  2. Files with suspicious user info
  3. Examining logs
  4. Process-related files
  5. Authentication-related files
  6. Using standard Linux tools to find information
  7. Strange files
    1. Regular files in /dev
    2. User history files
    3. Hidden files
    4. SUID/SGID files
    5. Detecting backdated files
  8. Recovering deleted files
    1. Finding deleted files
    2. Attempting recovery

3.2 Leveraging The Sleuth Kit (TSK) and Autopsy

  1. https://www.sleuthkit.org/autopsy/
  2. mmls
  3. fsstat
  4. dstat
  5. istat
  6. fls & mactime

4 Timeline Analysis

  1. When was the system installed, upgraded, booted, etc.
  2. Newly created files (malware)
  3. Changed files (trojans)
  4. Files in the wrong place (exfiltration)

5 Digging Deeper into Linux Filesystems

  1. Disk editors
    1. Active@ Disk Editor
    2. Autopsy

5.1 Ext4/3/2/1

  1. Basics
  2. Superblocks
  3. Directory entries
  4. Inodes
  5. Data blocks
  6. Compatible, incompatible, and read-only compatible features
  7. Experimental features may be installed
  8. Boot code
  9. Using sigfind to find important blocks
  10. Understanding indirect block levels
  11. istat, ils, ifind, icat
  12. Links and mounts
  13. Hash trees
  14. Journaling
  15. jls
  16. jcat
  17. Finding data with blkstat, blkls, blkfind, blkid, and blkcalc
  18. Relating data found with grep to a file/application
  19. Finding block size, etc.
  20. Using grep with a keyword file
  21. Seeing data in context
  22. Associating a file with the data
  23. Undeleting files
  24. Searching unallocated space

6 Network Forensics

  1. Using snort on packet captures
  2. Using tcpstat
  3. Separating conversations with tcpflow
  4. Tracing backdoors with tcpflow

7 File Forensics

  1. Using file signatures
  2. Searching through swap space
  3. Web browsing reconstruction
  4. Cookies
  5. Search history
  6. Browser caches
  7. Unknown files
  8. Comparing hashes to known values
  9. File command
  10. Strings command
  11. Viewing symbols with nm
  12. Reading ELF files
  13. objdump
  14. Bringing out the big guns: gdb

8 Memory Forensics

  1. Volatility Profiles
  2. Retrieving process information
  3. Recovering command line arguments
  4. Rebuilding environment variables
  5. Listing open files
  6. Retrieving bash information
  7. Reconstructing network artifacts
  8. Kernel information
  9. Volatile file system information
  10. Detecting user mode rootkits
  11. Detecting kernel rootkits

9 Reversing Linux Malware

  1. What is "reversing"?
  2. https://github.com/michalmalik/linux-re-101 2018 {pm: Pretty good.}
  3. JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files.
  4. https://unix.stackexchange.com/questions/418354/understanding-what-a-linux-binary-is-doing
  5. Tools: IDA and Radare

9.1 Digging deeper into ELF

  1. Headers
  2. Sections
  3. Strings
  4. Symbol tables
  5. Program headers
  6. Program loading
  7. Dynamic linking

9.2 Command line analysis tools

  1. strings
  2. strace
  3. ltrace

9.3 Running malware (carefully)

  1. Virtual machine setup
  2. Capturing network traffic
  3. Leveraging gdb

10 Writing the Reports

  1. Autopsy (https://www.sleuthkit.org/autopsy/): Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.
  2. Dradis (https://tools.kali.org/reporting-tools/dradis): Dradis is an open source framework to enable effective information sharing, especially during security assessments. Dradis is a self-contained web application that provides a centralized repository of information to keep track of what has been done so far, and what is still ahead.

11 References

  1. Prabhaker Mateti, Notes on Building Provenance into Linux and Android, 2018.
  2. Forensics Wiki, https://www.forensicswiki.org/
  3. Breach detection with Linux Filesystem Forensics, https://opensource.com/article/18/4/linux-filesystem-forensics, 2018.
  4. Hal Pomeranz, Linux Forensics for Non-Linux Folks, http://www.deer-run.com/~hal/LinuxForensicsForNon-LinuxFolks.pdf
  5. Pentester Academy, Linux Forensics, https://www.pentesteracademy.com/course?id=20. Ack: the topic list shown above is from here.
  6. Radare, https://rada.re/r/ "Radare is a portable reversing framework."
  7. IDA, https://www.hex-rays.com/products/ida/ "IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive."

Copyright © 2018 www.wright.edu/~pmateti • 2018-11-01