Investigating a computer breach is like investigating a crime
scene. Detectives collect evidence, note any strange clues, and take
inventory of loss and damage. An analysis of a computer compromise can
be done either while the attack is happening or post-mortem.
Although it is unwise to trust any system log files on an exploited
system, other forensic utilities can aid in the analysis. The
purpose and features of these tools vary, but they commonly create
bit-image copies of media, correlate events and processes, show
low-level file system information, and recover deleted files whenever
possible.
It is also a good idea to record all of the investigatory actions
executed on a compromised system by using the script
command, as in the following example:
Replace <file-name> with the file name for
the script log. Always save the log file on media
other than the hard drive of the compromised system: a floppy
disk or CD-ROM works particularly well for this purpose.
By recording all your actions, an audit trail is created that may prove
valuable if the attacker is ever caught.
Creating a bit-image copy of media is a sensible first step; for
data forensic work it is a requirement. It is recommended
to make two copies: one for analysis and investigation, and a second
to be stored along with the original as evidence in any legal
proceedings.
You can use the dd command that is part of the
coreutils package in Red Hat Enterprise Linux to create a
monolithic image of an exploited system as evidence in an
investigation or for comparison with trusted images. Suppose there is
a single hard drive from a system you want to image. Attach that
drive as a slave to the system and then use dd to
create the image file, such as the following:
dd if=/dev/hdd bs=1k conv=noerror,sync of=/home/evidence/image1
This command creates a single file named image1,
using a 1k block size for speed. The
conv=noerror,sync options force dd
to continue reading and writing data even if bad sectors are
encountered on the suspect drive. It is now possible to study the
resulting image file or even attempt to recover deleted files.
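The imaging step above, wrapped into a small script that also keeps the checksums and makes the second evidence copy. This is an added example, not code from the Red Hat guide; it assumes POSIX sh with GNU coreutils, and /dev/hdd and /home/evidence are placeholder paths.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): image a suspect drive with dd
# exactly as above, keep the checksums, and make the second copy for the
# evidence locker. Assumes POSIX sh plus GNU coreutils (dd, md5sum, cp,
# wc, awk). /dev/hdd and /home/evidence are placeholders for your own paths.

# image_media SOURCE DESTDIR NAME
# Writes DESTDIR/NAME (working copy), DESTDIR/NAME.evidence (copy to store
# with the original) and DESTDIR/NAME.md5 (sums of both). Returns 0 only
# when the two copies carry the same checksum.
image_media() {
    src=$1; dest=$2; name=$3
    mkdir -p "$dest" || return 1
    # Same options as the text: noerror keeps reading past bad sectors and
    # sync pads every short or unreadable block with NULs to the full 1k,
    # so offsets inside the image still line up with the source device.
    dd if="$src" of="$dest/$name" bs=1k conv=noerror,sync 2>/dev/null || return 1
    cp "$dest/$name" "$dest/$name.evidence" || return 1
    # Record both sums beside the image; md5sum prints "sum  filename".
    (cd "$dest" && md5sum "$name" "$name.evidence" > "$name.md5") || return 1
    a=$(awk 'NR==1 {print $1}' "$dest/$name.md5")
    b=$(awk 'NR==2 {print $1}' "$dest/$name.md5")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# image_size IMAGE: byte count of the image. Because of conv=sync this is
# always a multiple of the block size, so a source that is not 1k-aligned
# gains trailing NULs and its whole-file hash will not equal the source's.
image_size() {
    wc -c < "$1" | tr -d ' '
}

# Typical call (placeholder paths): image_media /dev/hdd /home/evidence image1
```

Note the padding behaviour of conv=sync: compare hashes of the image against the original only over the source's real length, or hash the image itself and keep that as the reference.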
The topic of digital forensics and analysis itself is quite broad,
yet the tools are mostly architecture specific and cannot be applied
generically. However, incident response, analysis, and recovery are
important topics. With proper knowledge and experience, Red Hat Enterprise Linux can be
an excellent platform for performing these types of analysis, as it
includes several utilities for performing post-breach response and
restoration.
Table 10-1 details some commands for
file auditing and management. It also lists some examples that can be
used to properly identify files and file attributes (such as
permissions and access dates) to allow the collection of further
evidence or items for analysis. These tools, when combined with
intrusion detection systems, firewalls, hardened services, and other
security measures, can help reduce the amount of potential damage when
an attack occurs.
Note: For detailed information about each tool, refer to their
respective man pages.
Command | Function | Example
---|---|---
dd | Creates a bit-image copy (or disk dump) of files and partitions. Combined with a check of the md5sums of each image, administrators can compare a pre-breach image of a partition or file with a breached system to see if the sums match. | dd if=/bin/ls of=ls.dd; md5sum ls.dd >ls-sum.txt
grep | Finds useful string (text) information inside files and directories, and reveals permissions, script changes, file attributes, and more. Used mostly as a filter on the piped output of commands such as ls, ps, or ifconfig. | ps auxw \| grep /bin
strings | Prints the strings of printable characters within a file. It is most useful for auditing executables for anomalies such as mail commands to unknown addresses or logging to a non-standard log file. | strings /bin/ps \| grep 'mail'
file | Determines the characteristics of files based on format, encoding, linked libraries (if any), and file type (binary, text, and more). It is useful for determining whether an executable such as /bin/ls has been modified using static libraries, which is a sure sign that the executable has been replaced with one installed by a malicious user. | file /bin/ls
find | Searches directories for particular files. It is a useful tool for searching the directory structure by keyword, date and time of access, permissions, and more. It can also be useful for administrators who perform general system audits of particular directories or files. | find -atime +12 -name '*log*' -perm u+rw
stat | Displays file status information, including time last accessed, permissions, UID and GID bit settings, and more. It can be useful for checking when a breached system executable was last used or modified. | stat /bin/netstat
md5sum | Calculates the 128-bit checksum using the md5 hash algorithm. Use this command to create a text file that lists all crucial executables that are often modified or replaced in a security compromise. Redirect the sums to a file to create a simple database of checksums and then copy the file onto a read-only medium such as CD-ROM. | md5sum /usr/bin/gdm >>md5sum.txt

Table 10-1. File Auditing Tools
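The checksum database that the md5sum row of Table 10-1 describes, built and later checked against the live system. This is an added example, not code from the Red Hat guide; it assumes POSIX sh and GNU coreutils, and the list of binaries and the read-only mount point are placeholders.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): build the checksum "database"
# of crucial executables that the md5sum row describes, then verify a live
# system against it. Assumes POSIX sh and GNU coreutils md5sum (-c --quiet).
# The binary list and the read-only mount point are placeholders.

# baseline_create LISTFILE OUTFILE
# LISTFILE holds one executable path per line (use absolute paths so the
# check works from any directory). Output is md5sum's own "sum  path"
# format, so md5sum -c can consume it later.
baseline_create() {
    list=$1; out=$2
    : > "$out" || return 1
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        md5sum "$path" >> "$out" || return 1
    done < "$list"
}

# baseline_verify BASELINE [MD5SUM_BINARY]
# Re-hashes every listed file, prints the paths that changed or vanished,
# and returns 1 if there were any. Pass the path of a trusted md5sum, for
# example the copy on the read-only medium: on a breached host the
# system's own md5sum may have been replaced along with ls or ps.
baseline_verify() {
    base=$1; tool=${2:-md5sum}
    # --quiet prints only "path: FAILED" (or "FAILED open or read") lines
    changed=$("$tool" -c --quiet "$base" 2>/dev/null | sed -n 's/: FAILED.*$//p')
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Typical use (placeholder paths):
#   baseline_create /root/crucial.list /mnt/cdrom/md5sum.txt
#   baseline_verify /mnt/cdrom/md5sum.txt /mnt/cdrom/md5sum
```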