II) Off-line inspection

Check the MAC time (modfiy, access and status changed time stamp)

csh> find . -mtime -1 -type f -print | xargs ls -l 
-rw-------   1 shlam    daemon     68215 Jun  9 10:10 ./ltrace_0.3.10.tar.gz
-rw-------   1 shlam    daemon     44933 Jun  9 16:10 ./www.hack.com.tar.gz
(find the file that modified lesser than a day)


csh> ls -lut
lrwxrwxrwx   1 shlam    daemon         2 Jun  9 17:52 m5 -> mm
drwxrwxr-x   2 shlam    root         104 Jun  9 17:50 .X11-pipe/
drwxrwxr-x   2 shlam    root         104 Jun  9 17:50 .X11-unix/
drwxrwxrwx   2 root     root         107 Jun  9 17:50 .pcmcia/
drwxrwxrwt   2 root     root         161 Jun  9 17:50 .rpc_door/
drwx--x--x   7 shlam    daemon      1052 Jun  9 17:50 autofs-3.1.5/
drwx--x--x   2 shlam    daemon       683 Jun  9 17:50 forensic/
(list the more recent asscess file and directory)

Check the log files

• messages

The messages log will contain a wide variety of information. Look for anomalies in this file. Anything out of the ordinary should be inspected. Also, look for events that occurred around the known time of the intrusion.
• xferlog

If the compromised system has a functioning ftp server, xferlog will contain log files for all of the ftp transfers. This may help you discover what intruder tools have been uploaded to your system, as well as what information has been downloaded from your system.
• utmp

This file contains binary information for every user currently logged in. This file is only useful to determine who is currently logged in. One way to access this data is the who command.
• wtmp

Every time a user successfully logs in, logs out, or your machine reboots, the wtmp file is modified. This is a binary file; thus, you need to use a tool to obtain useful information from this file. One such tool is last. The output from last will contain a table which associates user names with login times and the host name where the connection originated. Checking this file for suspicious connections (e.g., from unauthorized hosts) may be useful in determining other hosts that may have been involved and finding what accounts on your system may have been compromised.
• secure

Some versions of UNIX (RedHat Linux for example) log tcp wrapper messages to the secure log file. Every time a connection is established with one of the services running out of inetd that uses tcp wrappers, a log message is appended to this log file. When looking through this log file, look for anomalies such as services that were accessed that are not commonly used, or for connections from unfamiliar hosts.

Check the consistency among your log files too. For example, if your NDIS log file show that there were lots of www traffic to your host, but your host httpd access.log does not show that. Then some of your httpd access.log entries may be erased.

Check if any files are infected

Find any suspicious setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a late time. The UNIX find(1) program can be used to hunt for setuid and/or setgid files. For example, you can use the following commands to find setuid root files and setgid kmem files on the entire file system:

        find / -user root -perm -4000 -print -xdev
        find / -group kmem -perm -2000 -print -xdev

Exam user cron jobs

Exam user .forward jobs

Reverse engineering of suspicious program

• Check its symbol talble (nm -p program_file)

         csh> nm -p /usr/local/sbin/sshd|more
         0804a424 t gcc2_compiled.
         0804a430 t gcc2_compiled.
         08076d84 d p.2
         08078a90 ? __DTOR_LIST__
         08076d88 d completed.3
         0804a430 t __do_global_dtors_aux
         08078a84 ? __EH_FRAME_BEGIN__
         0804a478 t fini_dummy
         08078dc0 b object.8
         0804a480 t frame_dummy
         0804a4a0 t init_dummy
         .....
  
  

• Check runtime linker symbol table - calls of shared library routines (nm -Du program_file )

           csh> nm -Du /usr/local/sbin/sshd | more
           __assert_fail
           __deregister_frame_info
           __errno_location
           __gmon_start__
           __libc_start_main
           __lxstat
           __register_frame_info
           __strtol_internal
           __xstat
           abort
           accept
           alarm
           bind
           calloc
           cfgetispeed
           cfgetospeed
           cfsetispeed
           cfsetospeed
           chdir
           chmod
           chown
           clock
           ....
            
  

• Other reverse engineering tools
  • ldd binary_file
  • strings binary_file
  • ltrace binary_file
  • strace binary_file
  • objdump -x binary_file

  For examples,

  tcsh> ldd /usr/sbin/httpd libm.so.6 => /lib/libm.so.6 (0x4001c000) libcrypt.so.1 => /lib/libcrypt.so.1 (0x40039000) libdb.so.3 => /lib/libdb.so.3 (0x40067000) libdl.so.2 => /lib/libdl.so.2 (0x400a1000) libc.so.6 => /lib/libc.so.6 (0x400a6000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) tcsh> strings /usr/sbin/httpd|more /lib/ld-linux.so.2 __gmon_start__ libm.so.6 modf libcrypt.so.1 crypt libdb.so.3 libdl.so.2 .. .. standalone ServerType must be either 'inetd' or 'standalone' " is outside the appropriate range (i.e., 1..65535). The port number " EMail ServerSignature: use one of: off | on | email SendBufferSize must be >= 512 bytes, or 0 for system default. Warning: User directive in <VirtualHost> requires SUEXEC wrapper. Error: Apache has not been designed to serve pages while running as root. There are known race conditions that will allow any local user to read any file on the system. ... csh> objdump -x /usr/sbin/httpd | more /usr/sbin/httpd: no symbols /usr/sbin/httpd: file format elf32-i386 /usr/sbin/httpd architecture: i386, flags 0x00000112: EXEC_P, HAS_SYMS, D_PAGED start address 0x0804f9f0 Program Header: PHDR off 0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2 filesz 0x000000c0 memsz 0x000000c0 flags r-x INTERP off 0x000000f4 vaddr 0x080480f4 paddr 0x080480f4 align 2**0 filesz 0x00000013 memsz 0x00000013 flags r-- LOAD off 0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12 filesz 0x00042734 memsz 0x00042734 flags r-x LOAD off 0x00042740 vaddr 0x0808b740 paddr 0x0808b740 align 2**12 filesz 0x0000476c memsz 0x00007298 flags rw- DYNAMIC off 0x00046dec vaddr 0x0808fdec paddr 0x0808fdec align 2**2 filesz 0x000000c0 memsz 0x000000c0 flags rw- NOTE off 0x00000108 vaddr 0x08048108 paddr 0x08048108 align 2**2 filesz 0x00000020 memsz 0x00000020 flags r-- Dynamic Section: NEEDED libm.so.6
• De-assemble the object code into source code

• Run the program in a debugger (e.g. gdb ) under a control environment

III) Recovery and exam of removed files (not from back up tape)

• View the removed filename in the directory
  od -cx directory
• Calculate its inode position
• icat the file directly from the file system
• use ils toget the last status of the removed file

  od -cx directory

  ils inode

  /usr/local2/bin/icat /dev_name inode > outfile


ntec5:/tmp/tt> ls
./  ../  abcdefg  hijklmn


ntec5:/tmp/tt> cat abcdefg
Hello.
This is a testing.
Bla... Bla...  testing

testing


ntec5:/tmp/tt> rm abcdefg
rm: remove `abcdefg'? y

ntec5:/tmp/tt> ls
./  ../  hijklmn


(see the current directory inode)
ntec5:/tmp/tt> ls -i
 198049 ./   160321 ../   198054 hijklmn

(see the file system device)
ntec5:/tmp/tt> df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda3              2016044   1463012    450620  76% /

(view the removed file inode)
ntec5:/tmp/tt> icat /dev/hda3 198049|od -cx
0000000   ¡ 005 003  \0  \f  \0 001 002   .  \0  \0  \0   A   r 002  \0
        05a1 0003 000c 0201 002e 0000 7241 0002
0000020   0  \0 002 002   .   .  \0  \0   ¢ 005 003  \0 024  \0  \f 001
        0030 0202 2e2e 0000 05a2 0003 0014 010c
0000040   .   h   i   j   k   l   m   n   .   s   w   p   £ 005 003  \0
        682e 6a69 6c6b 6e6d 732e 7077 05a3 0003
                                      ^^^^^^^^^
                                       (198051) 
0000060 020  \0  \a 001   a   b   c   d   e   f   g   p   ¦ 005 003  \0
        0010 0107 6261 6463 6665 7067 05a6 0003
0000100   Ä 017  \a 001   h   i   j   k   l   m   n   n   .   s   w   p
        0fc4 0107 6968 6b6a 6d6c 6e6e 732e 7077


(retrive the removed by icat)
ntec5:/tmp/tt> icat /dev/hda3 198051
Hello.
This is a testing.
Bla... Bla...  testing

testing


(list the removed inode)
ntec5:/tmp/tt> ils /dev/hda3 198051
class|host|start_time
ils|ntec5|960574486
inum|allocation|uid|gid|m_time|a_time|c_time|dtime|mode|links|size|block0|block1
198051|f|0|0|960574079|960574139|960574162|960574162|100644|0|60|418630|0
                                                            ^^ (links = 0) 

ntec5:/tmp/tt> ls -i
 198049 ./   160321 ../   198054 hijklmn

ntec5:/tmp/tt> ils /dev/hda3 198054
class|host|start_time
ils|ntec5|960574631
inum|allocation|uid|gid|m_time|a_time|c_time|dtime|mode|links|size|block0|block1
198054|a|0|0|960574099|960574099|960574099|0|100644|1|25|418631|0

ntec15-36:/tmp/tt> ls -i
 113711I ./   159681 ../   113712 abcdefg

ntec15-36:/tmp/tt> icat /dev/sda1 113711 | od -cl
0000000   /   ¼ 001  \0  \f  \0 001 002   .  \0  \0  \0   Á   o 002  \0
             113711    33619980          46      159681
0000020  \f  \0 002 002   .   .  \0  \0   0   ¼ 001  \0   è 017  \a 001
           33685516       11822      113712    17240040
0000040   a   b   c   d   e   f   g  \0  \0  \0  \0  \0  \0  \0  \0  \0
         1684234849     6776421           0           0
0000060  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
                  0           0           0           0
*
0010000

ntec15-36:/tmp/tt> icat /dev/sda1 113712
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
named:x:25:25:Named:/var/named:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
piranha:x:60:60::/home/httpd/html/piranha:/dev/null
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
pvm:x:24:24::/usr/share/pvm3:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
peter:x:500:500:peter:/home/peter:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
ntec15-36:/tmp/tt> 

You can also use the "recover ext2 filesystem" tool to recover a deleted file

1. Writing a computer forensics analysis report for a break-in host
   1. Read /usr/local2/share/forensics/README file and follow the instructions in this REAME file to conduct the investigation
   2. Write your computer forensics analysis report and post it to your web page
   Computer Forensics Analysis Exercise Guidelines

2. Writing a Vulnerability Analysis report for two hosts
   1. Use the techniques that you learn from this workshop to analyze the vulnerability of host ntec81 and victim
   2. Write your Vulnerability Analysis report and post it to your web page

References

• Read the man pages of the above commands
• http://www.incident-response.org/incidentresponse.ppt
• http://www.incident-response.org/unix.html
• Computer Forensics Analysis Class Handouts at www.fish.com
• Coroner's Toolkit (TCT)
• The Study of an Attack Know Your Enemy: A Forensic Analysis
• Forensic Computer Analysis: An Introduction (from Dr. Dobb's)
• "Root Kits" and hiding file/directories/processes after a beak-in
• Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities
• CERT Intruder Detection Checklist