Assignments of day 3 in week #3

Computer Forensics (preview)

Last Updated : Monday, 03-Jun-2002 11:16:00 HKT

  1. Check your network interface promiscuous mode

    1. Record your current eth0 network interface input packet count.
      You may use
      ifconfig eth0
      or
      snmpwalk [your_host] [your_community] interfaces.ifTable.ifEntry.ifInUcastPkts.2
      to query this value.

    2. Perform a ttcp throughput measurement between your partner host and your neighbor host. See http://info.hkntec.net/workshop/2001/wk1/day4.html if you have forgotten how to perform a ttcp throughput measurement. Your neighbor hosts have the same last two-digit code number as yours. For example, if your host is ntec1-20, then the following hosts are your neighbors:
      ntec2-20, ntec3-20, ntec4-20, ntec5-20, ... etc.

    3. Query your network interface input packet count again.

      Now set your network interface into promiscuous mode with

      ifconfig eth0 promisc
      Type "ifconfig eth0" to confirm that the PROMISC flag is set.

    4. Repeat the ttcp throughput measurement of step 2.

    5. Query your network interface input packet count again.

    6. Disable promiscuous mode on your network interface:
       ifconfig eth0 -promisc

    What is the difference between the input packet increase measured before and after enabling promiscuous mode? Why does the latter show a larger increase? Put your findings on your web pages.
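    As an added example (not part of the original assignment), the small POSIX shell helper below parses the old-style "ifconfig eth0" output used in this exercise, extracts the RX packet counter, computes the increase between two readings, and reports whether the PROMISC flag is set. The two ifconfig outputs are constructed samples, not real captures, and the counter values in them are made up.

```shell
# Constructed sample of "ifconfig eth0" output in normal mode (not a real capture).
SAMPLE_NORMAL='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.20  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10250 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4120 errors:0 dropped:0 overruns:0 carrier:0'

# Constructed sample after "ifconfig eth0 promisc" and a ttcp run on the segment.
SAMPLE_PROMISC='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:192.0.2.20  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:58930 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4125 errors:0 dropped:0 overruns:0 carrier:0'

# Print the RX packet counter found in the ifconfig text passed as $1.
rx_packets() {
    printf '%s\n' "$1" | sed -n 's/.*RX packets:\([0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) when the PROMISC flag appears in the ifconfig text passed as $1.
is_promisc() {
    printf '%s\n' "$1" | grep -q 'PROMISC'
}

# Print the increase between two counter readings: $1 = before, $2 = after.
rx_delta() {
    echo $(( $2 - $1 ))
}

# Live reading on a Linux host, e.g. live_rx_packets eth0 (not run by the sample below).
live_rx_packets() {
    cat "/sys/class/net/$1/statistics/rx_packets"
}

# Sample run: take one reading before and one after, as in steps 1 and 3 / 3 and 5.
before=$(rx_packets "$SAMPLE_NORMAL")
after=$(rx_packets "$SAMPLE_PROMISC")
echo "RX packet increase: $(rx_delta "$before" "$after")"
if is_promisc "$SAMPLE_PROMISC"; then
    echo "eth0 is in promiscuous mode: it now receives frames addressed to other hosts too"
fi
```

In the assignment, take the reading before and after each ttcp run and compare the two increases; an interface that shows a large jump while a neighbor's traffic is on the wire is a sign to check for the PROMISC flag.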

  2. netstat

    1. Repeat the back-door setup via inetd. If you have forgotten how this back-door was set up, see http://info.hkntec.net/workshop/2001/wk3/day2.html

    2. Type "netstat" to identify the back-door connection. Post your netstat output on your web pages.

      Then kill the back-door inetd and restart the normal inetd:

      killall inetd
      /etc/rc.d/init.d/inet start

  3. du

    Type "du -sk /var/*" to check the disk usage of each directory in /var. Which directory uses the most disk space? Post your findings on your web pages.

  4. top

    Type "top" to find which three processes are using the most CPU time. Post your findings on your web pages.

  5. ps

    Type "ps -aux" to view all processes running on your host. List the owners of these processes on your web pages.

  6. last

    Type "last" to view the last 10 logins to your host.

  7. find and ls

    1. List all files in /var/log that have been modified within the last day:
      find /var/log -mtime -1 -type f -print | xargs ls -l
      Try the -ctime and -atime options too.

    2. List the most recently accessed files and directories in /var/log (ls -u sorts by access time when combined with -t):
      ls -lut /var/log | more

    3. Post all your findings on your web pages.
