Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012

Slides: cja/LPS12b/lectures/lps-11.pdf




Fundamentals of Linux Platform Security

Module 11 Introduction to Forensics


Overview

•  Forensic science & digital evidence
•  Applying forensic science to computers
•  Digital evidence on computer networks
•  Forensic tools

3 10/12 cja 2012


Forensic Science & Digital Evidence


Forensic science

•  Defined as the application of scientific principles to identifying, recovering, reconstructing, or analyzing evidence


Examples of forensic science as applied to digital evidence

•  Recovering damaged or deleted documents from a hard drive

•  Collecting network data while preserving its integrity and authenticity

•  Using a cryptographic hash to verify that digital evidence has not been modified

•  Signing digital evidence to affirm authenticity and to preserve the chain of evidence

•  Determining the unique characteristics of a piece of digital evidence


Digital Evidence

Defined as digital data that can
•  Establish that a crime has been committed
•  Provide a link between a crime and a victim
•  Provide a link between a crime and its perpetrator


Examples of digital evidence

•  Email
•  Images
•  Chat rooms
•  File contents
•  System logs
•  IM logs
•  SMS logs
•  Network packets
•  … anything stored on a computer
•  … anything sent over the network


Characteristics of digital evidence

•  A type of physical evidence
•  Less tangible
  - Electrons, photons, and fields
•  Therefore more susceptible to tampering
•  Acceptable as evidence
•  … but demands specialized handling


Criminal activity and digital evidence

Computers and networks facilitate crime
•  Child pornography
•  Solicitation of minors
•  Stalking
•  Harassment
•  Fraud
•  Identity theft
•  Espionage
•  Sabotage
•  Theft
•  Privacy violations
•  Defamation


Criminal activity and digital evidence

•  Criminals take advantage of new technology
  - Encryption
  - Anonymous remailers (e.g. Mixmaster)
    - Obscure sender identity
  - Onion routing (e.g. Tor)
    - anonymous outgoing connections
    - anonymous hidden services
  - State and national boundaries


Who collects digital evidence

•  Not only the trained and authorized experts
  - Victim
  - Local staff
  - ISP staff
  - Law enforcement (often untrained)
  - Trained experts


But …

•  Carrier-transport/ECPA
•  Student information/FERPA
•  Health information/HIPAA
•  Privacy/First Amendment
•  Human subject guidelines
•  Ownership/copyright
•  Right to know/FOIA
•  Discovery/evidence
•  Search and seizure, Patriot Act/Fourth Amendment
•  Civil liability


Applying forensic science to computers


Types of evidence

•  Direct
•  Hearsay
  - Generally inadmissible
    - Because the truth of the out-of-court statement can't be tested by cross-examination
  - But records of regularly conducted activity are not inadmissible
    - Because they portray events accurately and are easier to verify than other forms of hearsay
    - Admits log files
    - Might even be admissible as direct evidence!
•  Both types must be proved authentic and unmodified


Key aspects to processing evidence

•  Recognition
•  Preservation, collection, documentation
•  Classification, comparison, individualization
•  Reconstruction


Recognition

•  Recognize the hardware
  - Usual suspects: computers, laptops, networks
  - But also: thumb drives, cell phones, PDAs, RFID, ether
•  Recognize the evidence
  - Cyberstalkers use email
  - Crackers leave log files
  - Child pornographers leave images


Collecting and preserving evidence

•  Must be authentic and unaltered
•  Copies only admissible until challenged
•  Collect but don’t alter
  - Requires special “bit-copy” tools
  - Cryptographic hashes
•  Write-protection hardware


Collecting and preserving digital evidence

Collect entire contents of computer
•  Collect evidence from RAM
•  Shut down
  - Pull the plug on clients
  - Shut down servers
•  Engage write blocker
•  Boot using a known “bypass” OS
•  Create copies of the hard drives as digital evidence
  - Cryptographic hashes provide integrity and authenticity


Collecting and preserving digital evidence

•  Don't trust the rooted OS
  - Boot bypass Linux for access to raw disks
    - Make sure you’re booting from the right device!
  - Transfer disk(s) to another computer
    - Generalizes to specially configured investigative systems
•  Encryption is a problem
  - But other evidence can help


Basic Linux tools

Before shutting down
•  dd
  - For making a bit copy of memory
•  ps
  - For seeing what’s running
•  lsof
  - For listing open files and devices by process


Basic Linux tools

•  How to dump memory
  - on dump host 10.0.0.2:
      nc -vv -n -l -p 1234 >victim.mem
  - on victim host 10.0.0.1: first open an ssh tunnel to the dump host (-N -f keeps it in the background), then push the memory image into the tunnel's local end. The -L forward listens on the loopback interface, so nc connects to 127.0.0.1, not to the victim's own 10.0.0.1 address:
      ssh -C -N -f -l root -L 1234:10.0.0.2:1234 10.0.0.2
      dd if=/dev/mem bs=100k | nc -vv -n -w 1 127.0.0.1 1234
•  kdump
  - Kernel panic sends dump of physical memory to
    - a local filesystem
    - an NFS-mounted device
    - via ssh to a remote system


Basic Linux tools

•  How to dump a filesystem
  - on dump host 10.0.0.2:
      nc -vv -n -l -p 1234 >victim.sdaX
  - on victim host 10.0.0.1:
      dd if=/dev/sdaX bs=100k | nc -vv -n -w 1 10.0.0.2 1234
  - best done on a quiescent filesystem
  - best done on a secure network, or use an ssh tunnel (opened first, then fed through its loopback end, as for the memory dump):
      ssh -C -N -f -l root -L 1234:10.0.0.2:1234 10.0.0.2
      dd if=/dev/sdaX bs=100k | nc -vv -n -w 1 127.0.0.1 1234
    - ssh compression (-C) can reduce transfer time


Basic Linux tools

After booting bypass OS
•  dd
  - For making bit copies of filesystems
•  grep
  - Finds specified strings in text files
•  strings
  - Finds strings in non-text files
•  file
  - Determines type of file based on contents
•  stat
  - Determines file metadata
•  sha1sum, openssl sha1
  - For computing message digests


Documenting evidence

•  Chain of custody
  - Must show continuity of possession
•  Record
  - When evidence collected
  - From where
  - By whom
•  Document carefully
  - Serial numbers, copy method, date, time, who, …

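The acquisition steps of the last three slides (dd bit copy, sha1sum on both sides, a written custody record) put together as an added example; this is not the lecture's own code. The source is a constructed 8 KiB file standing in for /dev/sdaX so it runs offline, the serial number is a labelled placeholder, and GNU coreutils (sha1sum, dd, head) are assumed.

```shell
#!/bin/sh
# Added example (not from the lecture): acquire a bit copy with dd, hash
# source and image with sha1sum, and write the chain-of-custody record the
# "Documenting evidence" slide asks for. The source is a constructed 8 KiB
# file standing in for /dev/sdaX so the script runs offline; point it at a
# real device behind a write blocker and the functions work unchanged.

# acquire_image SOURCE IMAGE LOGFILE
#   Copies SOURCE to IMAGE (conv=noerror,sync keeps going past unreadable
#   sectors and pads them so offsets stay aligned), hashes both, appends a
#   custody record, and returns 0 only when the two hashes match.
acquire_image() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=4k conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(sha1sum "$src" | cut -d' ' -f1)
    img_hash=$(sha1sum "$img" | cut -d' ' -f1)
    {   # when, by whom, from where, how (serial number: labelled placeholder)
        printf 'date=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'examiner=%s host=%s\n' "$(id -un)" "$(uname -n)"
        printf 'source=%s serial=EXAMPLE-SERIAL image=%s\n' "$src" "$img"
        printf 'method=dd-bs4k-noerror-sync\n'
        printf 'sha1_source=%s\nsha1_image=%s\n' "$src_hash" "$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOGFILE
#   Re-verification before analysis or in court: recompute the image hash
#   and compare it with the recorded one; any change since acquisition fails.
verify_image() {
    recorded=$(sed -n 's/^sha1_image=//p' "$2" | tail -n 1)
    current=$(sha1sum "$1" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# --- constructed demo input (a file, not a real disk) ---
EVIDENCE_DIR=$(mktemp -d)
SRC_DEV="$EVIDENCE_DIR/fake_sdaX"          # stands in for /dev/sdaX
IMG="$EVIDENCE_DIR/victim.sdaX.img"
LOG="$EVIDENCE_DIR/custody.log"
head -c 8192 /dev/zero >"$SRC_DEV"          # 8 KiB of zeroed blocks ...
printf 'meeting notes 2012-10-12 - do not forward' \
  | dd of="$SRC_DEV" bs=1 seek=4096 conv=notrunc 2>/dev/null   # ... plus a "deleted" note

if acquire_image "$SRC_DEV" "$IMG" "$LOG"; then
    echo "image hash matches source; custody record:"; cat "$LOG"
    echo "text recoverable from the image without mounting it:"
    tr -d '\000' <"$IMG"; echo
fi
```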

Reconstruction

•  Reconstruct deleted objects
  - DOS just marks files deleted
  - UNIX deleted file blocks can survive in the block cache
  - Linux processes can survive in the swap partition
  - Windows processes can survive in the page file


Reconstruction

•  Copies of deleted objects often exist
  - Copies of objects on backup media
  - Copies on an offline mirror
  - Copies on a system crash dump
  - Copies on a packet vault


Reconstruction

•  Data can be recovered from physically erased media
  - More difficult
  - Mixed success, but works significantly often
•  Two techniques
  - Overlay track skew
    - Look at edges of previous track
  - Overlay track changes surface properties
    - Look through surface to underlying media state


Digital evidence on computer networks


Application layer

•  Applications create digital evidence
  - Browser cache, history, cookies
  - Application log files
  - Windows registry
  - Linux /proc, /tmp
  - Paging (swap) area
  - Host memory
  - Virtual hosting files


Transport/network layer

•  Packet headers: IP addresses, ports
•  Switch flow logs
•  DHCP, DNS
•  Log files (/var/log)
•  State tables (netstat)


Data link/physical layer

•  MAC addresses
•  ARP caches
  - ARP cache accessible with arp -n
•  Sniffers
•  Packet vault


Forensic Tools


Forensic Tools

•  EnCase
•  The Coroner’s Toolkit
•  Helix
•  CAINE


EnCase

•  Windows-based forensic tool
  - Significant support for secure evidence gathering
•  Tools for
  - Image acquisition
  - MD5 hash value computation
  - Keyword search
  - Scripting
  - RAID configurations
  - Logging


The Coroner’s Toolkit

•  Venema and Farmer (1999, 2004)
  - Extended by Carrier (Sleuth Kit, 2004)
•  Collection of UNIX-based forensic tools
  - grave-robber
    - collects information, live or image
    - respects order of volatility
    - stored in body file
  - mactime
    - sorted list of files by modify/access/change time
  - unrm
    - collects all unallocated but accessible disk space
  - lazarus
    - shows disk layout with block types
      »  executable, password file, email, C code, …

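What mactime produces from a body file, rebuilt here in miniature from the stat, find and sort tools the earlier slides list; this is an added example, not part of TCT or the lecture. It assumes GNU stat/date/touch (Linux) and uses a constructed two-file tree in place of a mounted image.

```shell
#!/bin/sh
# Added example (not from the lecture): a minimal mactime-style timeline
# built from tools the slides already list (find, stat, sort). Every file
# contributes three events, its modify (m), access (a) and inode-change (c)
# times, merged into one chronological list. Assumes GNU stat/date/touch.
export TZ=UTC    # so touch -t and the printed times agree

# mac_timeline DIR
#   Emits "UTC-time kind path" lines, oldest first, for all files under DIR.
mac_timeline() {
    find "$1" -type f -exec stat --printf='%Y m %n\n%X a %n\n%Z c %n\n' {} + \
      | sort -k1,1n -k2,2 \
      | while read -r ts kind name; do
            printf '%s %s %s\n' "$(date -u -d "@$ts" +%Y-%m-%dT%H:%M:%SZ)" \
                                "$kind" "$name"
        done
}

# backdated_files DIR
#   Lists files whose inode-change time is more than a day after their
#   modify time. touch(1) can rewrite mtime and atime but never ctime, so
#   a large gap is the classic trace of timestamps adjusted after the fact.
#   Ordinary metadata changes (chmod, chown, rename) leave the same gap,
#   so treat the output as leads to examine, not as proof.
backdated_files() {
    find "$1" -type f -exec stat -c '%Y %Z %n' {} + \
      | awk '$2 - $1 > 86400 { print $3 }'
}

# --- constructed demo tree standing in for a read-only mounted image ---
DEMO_DIR=$(mktemp -d)
printf 'draft mail\n' >"$DEMO_DIR/notes.txt"      # normal file: m = c = now
printf '#!/bin/sh\nexit 0\n' >"$DEMO_DIR/tool"
touch -t 201001010000 "$DEMO_DIR/tool"              # m and a pushed back to 2010; c stays now

mac_timeline "$DEMO_DIR"
echo "--- files whose ctime disagrees with their mtime:"
backdated_files "$DEMO_DIR"
```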

The Coroner’s Toolkit

•  Low-level tools
  - ils, icat - access files by inode number
  - ffind - find directory entries containing inode
  - pcat - dump memory of running process
  - memdump - dump system memory across network
  - …
•  Good for copying and analyzing memory-related structures
  - Run tct before you reboot victim
•  http://www.porcupine.org/forensics/tct.html
  - See “Help!” documents


Helix

•  Commercial forensics tool
  - Was public-domain
•  Two operating modes
  - Forensically sound bootable Linux environment based on Ubuntu Live Linux
    - Dead system analysis
  - Microsoft Windows executable
    - Live system analysis
•  http://www.e-fense.com/helix/


CAINE Computer Aided Investigative Environment

•  Public domain forensics tool
•  Two operating modes
  - Forensically sound Linux Live CD environment based on Ubuntu 10.04
    - Dead system analysis
  - Microsoft Windows executable
    - Live system analysis
•  http://www.caine-live.net/


Dead CAINE

•  Forensically sound CD-based Linux distribution
•  Mounts victim’s hard drives in read-only mode
•  Offers a collection of forensic tools

http://www.caine-live.net/page11/page11.html


Live CAINE

•  Runs “live” on victim as a Windows application
  - Collects volatile data
    - So will perturb the victim
  - Useful for collecting data from systems that cannot be turned off
  - Portable forensic environment
•  Options
  - Run WinTaylor GUI
    - Tools include the NIRSoft suite, MDD, Win32dd, Winen, fport, TCPView, Advanced LAN Scanner, FTK Imager, Windows Forensic Toolchest, Nigilant 32, and the Sysinternals Suite.
•  Run tools off the CD in Windows Explorer


National Hash Registry

•  NIST National Software Reference Library
•  Collects hashes of known, traceable software applications
  - Files that are "safe" and can be ignored
  - Files that are "unsafe" and should be investigated
  - Reduces the hay in the haystack
•  Freely available
  - Over Internet, or quarterly CDs via subscription
  - Tools for converting hashes into other formats
•  http://www.nsrl.nist.gov/

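The "reduce the hay in the haystack" step from the slide as an added example (not from NIST or the lecture): hash every file in the tree under examination and keep only those whose hash is absent from a known-software list. The known list here is constructed from two sample files; in practice it would be the NSRL hash set or a site's own gold-image hashes, and GNU sha1sum/awk are assumed.

```shell
#!/bin/sh
# Added example (not from the lecture): the NSRL workflow of the slide.
# Every file whose SHA-1 appears in a known-software list is dropped; what
# remains is what an examiner still has to look at. The known list below is
# constructed from two sample files; swap in the NSRL hash set for real work.

# known_hashes FILE...   builds a sorted list of SHA-1 hashes for known files
known_hashes() {
    sha1sum "$@" | cut -d' ' -f1 | sort -u
}

# unknown_files DIR KNOWNLIST
#   Hashes every regular file under DIR and prints those whose hash is not
#   in KNOWNLIST. Matching is by content only: a known binary copied to an
#   odd place is still filtered out (so location-based checks remain
#   necessary), while a known binary altered by even one byte is kept.
unknown_files() {
    find "$1" -type f -exec sha1sum {} + \
      | awk -v known="$2" '
            BEGIN { while ((getline h < known) > 0) seen[h] = 1 }
            !($1 in seen) { sub(/^[^ ]+ +/, ""); print }
        ' | sort
}

# --- constructed demo tree ---
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/ref" "$DEMO_DIR/victim/bin" "$DEMO_DIR/victim/tmp"
printf 'ELF stand-in: ls\n' >"$DEMO_DIR/ref/ls"      # "known good" reference copies
printf 'ELF stand-in: ps\n' >"$DEMO_DIR/ref/ps"
KNOWN="$DEMO_DIR/known.sha1"
known_hashes "$DEMO_DIR/ref/ls" "$DEMO_DIR/ref/ps" >"$KNOWN"

cp "$DEMO_DIR/ref/ls" "$DEMO_DIR/victim/bin/ls"                   # unchanged: filtered
cp "$DEMO_DIR/ref/ps" "$DEMO_DIR/victim/tmp/.p"                   # known tool, odd place: filtered
printf 'ELF stand-in: ps\nextra\n' >"$DEMO_DIR/victim/bin/ps"     # modified binary: kept
printf 'unknown payload\n' >"$DEMO_DIR/victim/tmp/x"              # never seen: kept

echo "files left to examine:"
unknown_files "$DEMO_DIR/victim" "$KNOWN"
```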

References

•  Eoghan Casey, “Digital Evidence and Computer Crime,” Academic Press, 2000.
•  Dan Farmer and Wietse Venema, “Forensic Discovery,” Pearson Education, 2005.
•  Brian Carrier, “File System Forensic Analysis,” Pearson Education, 2005.
•  Harlan Carvey, “Windows Forensic Analysis,” Elsevier, 2007.
•  http://www.sleuthkit.org/
•  http://www.forensics.nl/toolkits
•  http://www.e-fense.com/helix/Docs/Helix0307.pdf
•  http://www.forensicfocus.com/alternatives-to-helix3
•  http://www.caine-live.net/