Unix/Linux Forensics: Simple Linux Commands (slide deck, PDF)


1. Unix/Linux Forensics

2. Simple Linux Commands
• date – display the date
• ls – list the files in the current directory
• more – display files one screen at a time
• cat – display the contents of a file
• wc – display counts of lines, words, and characters
• cp, mv, rm, pwd, mkdir, cd, rmdir, chmod
• head – show the first few lines of a file
• file – determine a file's type
• tail – show the last few lines of a file
• cal – display a calendar
• kill – terminate a running command
• lpr – send a job to the printer
• grep – search a file for a specific pattern
• chmod – change file permissions
• fdisk
• mount, cat /etc/fstab
• last
• ….

3. Basic Concepts
• shell
• shell scripts
• background and foreground
– &
– Ctrl-Z, bg, fg, jobs
• Environment variables
– env
• passwd

4. The Linux Filesystem Layout
• The basic layout of the filesystem starts with the root directory.
– root directory (/): the base of the file system's tree structure
– /bin: binary files for the OS
– /dev: the device files
– /etc: system configuration files
– /sbin: system administrative binaries
– /home: conventional location for users' home directories
– /lost+found: storage for files recovered by fsck

5. Commonly used commands/concepts
• mount/umount
• ls: different options
• ln
• df
• tree
• chmod, chown, chgrp
• find
• tar
• gzip
• dd
• stat

6. Commonly used commands/concepts
• cksum – checksum and count the bytes in a file
• sum – checksum and count the blocks in a file
• diff – list each line that differs between two files
• strings

7. Commonly used commands/concepts
• Every file is managed by a data structure called an inode
– File location and size
– Owner, permissions
– Time of last inode change (ctime; often misread as a creation time), time of last access, time of last modification
– stat displays all of this for a file
• SUID root – set-user-ID bit on a root-owned executable

8. Ext2 Inode (figure; source: http://www.tldp.org/LDP/tlk/fs/filesystem.html)

9. Network Information System
• /etc/nsswitch.conf
• yppasswd

10. Shared System Files

11. Four basic steps (in order)
• Collect
• Preserve
• Analyze
• Present (report)

12. Investigating A Unix Host
• Filesystem integrity-checking program
– Tripwire: http://sourceforge.net/projects/tripwire/
• TCT – examining hacked Unix systems
– http://www.porcupine.org/forensics/tct.html
• netcat

13. Order of Volatility
• The more volatile the data is, the more difficult it is to capture, and the less time you have to do it.
• Descending order (most volatile first):
– CPU storage
– System storage
– Kernel tables
– Fixed media
– Removable media
– Paper printouts
• Table 11-4

14. TCT (1)
• TCT – The Coroner's Toolkit
– http://www.porcupine.org/forensics/
• Mostly Perl, but some C as well
• A STATIC tool!
– e.g. changes to the filesystem during analysis will NOT be noticed by TCT
– You MUST isolate the system under investigation

15. TCT (2)
• Four major parts:
– grave-robber: captures forensic data
– The C-tools (ils, icat, pcat, file, etc.)
» pcat – low-level memory utility: copies process memory (pcat PID)
» file: determine file type
» icat: copies files by inode number
» ils: list inode info (usually of removed files)
– lazarus: creates structure from unstructured data
– mactime: reports on the times of files

16. The C-tools (ils, icat, pcat, file, etc.)
• pcat – gathers process memory from a live system
• ils – gathers inode information
– ./ils /dev/sda6
• icat – copies a file, selected by inode number, to standard output
– ./icat /dev/sda6 1405802 (you can use stat to obtain the inode number)
• file – determines a file's type from its content (not the file system type)

17. lazarus
• Lazarus – classifies raw information for analysis (brings back information from the dead)
– Works on unallocated data blocks with no referring inode

18. mactime
• Three times on ext2/ext3 file systems:
– Modification time (mtime)
– Access time (atime)
– Change time (ctime)
• Collects information on all three times for specific files
– ./mactime -d /root/download/tct-1.16/bin -y 9/29/2006

19. Be nice to your MAC times
• MAC times are sensitive (to changes within the system)
• Running a single command may change the last access time of a file
• Grab MAC time information before running any further commands on the system
• You will use this information to create a timeline of activity
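Added example, not code from the slides or from TCT: a miniature mactime in POSIX shell. It pulls the three inode times with stat, prints a timeline in mactime's style (epoch seconds, then m/a/c flags with a dot where that time does not apply, then the path), and adds one check worth knowing about: touch -t can backdate mtime and atime, but no user-space tool can backdate ctime, so a ctime far newer than the mtime is a lead. The directory it scans is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): a miniature mactime in POSIX shell.
# The tree it scans is constructed below; stat format strings cover GNU and BSD.
set -eu

WORK=$(mktemp -d)

# mac_times FILE: "mtime atime ctime path" in epoch seconds (GNU stat, then BSD stat).
mac_times() {
    stat -c '%Y %X %Z %n' "$1" 2>/dev/null || stat -f '%m %a %c %N' "$1"
}

# build_sample_tree: constructed files. touch -t backdates mtime/atime, but
# ctime is set by the kernel at the moment of the change and cannot be chosen.
build_sample_tree() {
    r="$WORK/suspect"
    mkdir -p "$r/bin" "$r/tmp"
    printf 'x' > "$r/bin/ls"
    touch -m -t 200601010000 "$r/bin/ls"   # "old" binary: mtime backdated
    touch -a -t 200601010000 "$r/bin/ls"   # ... and atime backdated
    printf 'y' > "$r/tmp/.x"
    touch -m -t 200609291330 "$r/tmp/.x"   # hidden file with only mtime backdated
    printf 'z' > "$r/bin/ps"               # untouched: m, a and c are all "now"
    echo "$r"
}

# timeline ROOT: one row per (time, file), oldest first, flags m/a/c or '.'.
timeline() {
    find "$1" -type f | while IFS= read -r f; do mac_times "$f"; done |
    awk '{ p = $4; for (i = 5; i <= NF; i++) p = p " " $i
           print $1, "m", p; print $2, "a", p; print $3, "c", p }' |
    sort -k1,1n -k3 |
    awk 'function flush() { if (last != "") print lt, f["m"] f["a"] f["c"], lp }
         { p = $3; for (i = 4; i <= NF; i++) p = p " " $i; k = $1 SUBSEP p
           if (k != last) { flush(); lt = $1; lp = p; last = k; f["m"] = f["a"] = f["c"] = "." }
           f[$2] = $2 }
         END { flush() }'
}

# timestomped ROOT: files whose ctime is more than a day after their mtime.
# cp -p, package installs and chmod/chown produce the same pattern, so treat
# each hit as something to explain, not as proof of tampering.
timestomped() {
    find "$1" -type f | while IFS= read -r f; do mac_times "$f"; done |
    awk -v gap=86400 '$3 - $1 > gap { p = $4; for (i = 5; i <= NF; i++) p = p " " $i; print p }'
}
```

Run timeline on the constructed tree and bin/ls sorts first with flags "ma." (its backdated mtime and atime), followed later by a "..c" row at the real time of the change; timestomped lists bin/ls and tmp/.x but not bin/ps. Real mactime output from TCT or TSK uses dates rather than epoch seconds; the ordering logic is the same.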

20. Sleuth Kit
• Extends TCT's data and tools
• Provides low- and high-level access to Unix and Windows file systems

21. The Sleuth Kit file system tools
• File System Category
• Content Category
– dls -f ext -e -l sda6.img
» a: the data unit is allocated
» f: the data unit is unallocated
– dcat -f ext sda6.img 23456
» View the contents of any data unit
– (dls and dcat were renamed blkls and blkcat in TSK 3.x)
• Metadata Category
» Includes the data that describe a file: for example, temporal information, the addresses of the data units, the size of the file
» istat -f ext sda6.img 163199 – show one metadata entry in detail
» ils -f ext -e sda6.img – list the details of several metadata structures
» icat -f ext sda6.img 31 – view the contents of a file by its metadata address instead of its file name

22. The Sleuth Kit
• File Name Category
» Includes the data that associates a name with a metadata entry
» fls: list file names in a given directory
» ffind: list which file name corresponds to a given metadata address
• Application Category
» A file system journal records updates to the file system so that the file system can be recovered more quickly after a crash
» jls – list the contents of the journal and show which file system blocks are saved in the journal blocks
• Multiple Category
» mactime: takes temporal data from fls and ils to produce a timeline of file activity

23. The Sleuth Kit – searching tools
• sigfind – find a binary signature in a file
• Disk tools
– disk_stat
• Volume system tools

24. Autopsy
• Developed to automate the investigation process when TSK is being used
• http://www.sleuthkit.org/autopsy/

25. Capture Filesystem
• Imaging utilities
– Wipe the analysis drive first
» dd if=/dev/zero of=/dev/fd0
– One more example: image /dev/hdb5 in three pieces over the network
» On the collection host (192.168.0.4), one listener per piece:
  nc -l -p 10001 > suspect.hdb5.image.1of3 &
  nc -l -p 10002 > suspect.hdb5.image.2of3 &
  nc -l -p 10003 > suspect.hdb5.image.3of3 &
» On the suspect host (dd needs skip= and count= with the '='; bs=1024 means each piece is about 2 GB):
  dd if=/dev/hdb5 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10001
  dd if=/dev/hdb5 skip=2000000 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10002
  dd if=/dev/hdb5 skip=4000000 count=2000000 bs=1024 | nc -w 3 192.168.0.4 10003
» Reassemble on the collection host, in order:
  cat suspect.hdb5.image.1of3 >> suspect.hdb5.image
  cat suspect.hdb5.image.2of3 >> suspect.hdb5.image
  cat suspect.hdb5.image.3of3 >> suspect.hdb5.image

26. md5
• Create the hash value of the collected data and record it
– md5 from TCT: md5 /dev/sda6
– Verify the image file on the collection host against that value
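Added example, not from the slides or from TCT: the chunked dd image and the hash comparison of slides 25 and 26, run against a constructed 5 MiB file standing in for /dev/hdb5 so it executes anywhere without a spare disk. The network hop (the nc listener and sender pair) is shown only in comments; everything else, including the skip=/count= arithmetic and the reassembly order, is exercised for real. File names and chunk sizes are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): chunked dd imaging plus hash verification,
# against a constructed file instead of a real partition.
set -eu

WORK=$(mktemp -d)

# make_device: a stand-in for the suspect partition (constructed random data).
make_device() {
    dd if=/dev/urandom of="$WORK/device.bin" bs=1024 count=5120 2>/dev/null
    echo "$WORK/device.bin"
}

# image_chunks SRC BLOCKS_PER_CHUNK: one dd per chunk using skip= and count=
# (the '=' is mandatory; "skip 2000000" would make dd fail).
# Prints the number of chunks written. The slide's network variant per chunk is
#   dd if=/dev/hdb5 skip=... count=... bs=1024 | nc -w 3 192.168.0.4 10001
# with   nc -l -p 10001 > suspect.hdb5.image.1of3 &   waiting on the collector.
image_chunks() {
    src=$1; chunk=$2; i=1; skip=0
    total=$(( $(wc -c < "$src") / 1024 ))
    while [ "$skip" -lt "$total" ]; do
        dd if="$src" of="$WORK/image.$i" bs=1024 skip="$skip" count="$chunk" 2>/dev/null
        skip=$(( skip + chunk )); i=$(( i + 1 ))
    done
    echo $(( i - 1 ))
}

# reassemble N OUT: concatenate the chunks in order, as the cat >> lines do.
reassemble() {
    n=$1; out=$2; i=1
    : > "$out"
    while [ "$i" -le "$n" ]; do
        cat "$WORK/image.$i" >> "$out"
        i=$(( i + 1 ))
    done
}

# hash_file FILE: MD5 as on slide 26 (md5sum on Linux, md5 -q on BSD/macOS).
# Record a SHA-256 beside it today: MD5 collisions are practical.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# verify_image: image, reassemble and compare hashes; returns 0 when they match.
verify_image() {
    dev=$(make_device)
    n=$(image_chunks "$dev" 2048)          # 5120 blocks -> 2048, 2048, 1024
    reassemble "$n" "$WORK/suspect.image"
    src_sum=$(hash_file "$dev"); img_sum=$(hash_file "$WORK/suspect.image")
    echo "chunks=$n source=$src_sum image=$img_sum"
    [ "$src_sum" = "$img_sum" ]
}
```

The last chunk is short because count= past the end of the input simply stops; that is also why the slide's three equal pieces work on a partition that is not an exact multiple. Hash the source before imaging and the reassembled image afterwards, and record both in the case notes.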

27. Accessing Captured Filesystems for Examination
• Copy the image into a partition that is the same size as the image (partition cleaned first using dd)
• Another approach: loop-mount the image read-only
– mkdir /mnt/suspecthost
– mount -t ext2 -o ro,loop=/dev/loop0 suspect.hdb5.image /mnt/suspecthost
» No space after the comma: with "ro, loop=/dev/loop0" the shell passes loop=/dev/loop0 as a separate argument and the mount fails or mounts the wrong thing
» Adding noexec,nodev,nosuid stops anything on the image from being executed or honoured on the analysis host
– Treat it like any other filesystem

28. Logs
• /etc/syslog.conf

29. Logs

30. Logs
• /var/log/secure – authpriv.*
• HTTP
– /var/log/httpd/*: grep passwd /var/log/httpd/*
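Added example, not from the slides: the grep on slide 30 turned into a few triage functions, run over constructed sample lines for /var/log/secure and an httpd access log (hostnames, addresses and timestamps are made up). It shows the two questions the logs answer quickly: which source kept failing and then succeeded, and which client asked the web server for passwd.

```shell
#!/bin/sh
# Added example (not from the slides): log triage over constructed samples.
set -eu

WORK=$(mktemp -d)

# Constructed /var/log/secure (authpriv.*) sample.
cat > "$WORK/secure" <<'EOF'
Sep 29 10:01:12 host sshd[2113]: Failed password for root from 10.0.0.7 port 51022 ssh2
Sep 29 10:01:15 host sshd[2113]: Failed password for root from 10.0.0.7 port 51023 ssh2
Sep 29 10:01:19 host sshd[2113]: Accepted password for root from 10.0.0.7 port 51024 ssh2
Sep 29 10:02:03 host sshd[2140]: Failed password for admin from 10.0.0.9 port 40110 ssh2
Sep 29 10:02:40 host su: pam_unix(su:session): session opened for user root by alice(uid=1000)
EOF
SECURE_LOG="$WORK/secure"

# Constructed httpd access_log sample (common log format).
cat > "$WORK/access_log" <<'EOF'
10.0.0.7 - - [29/Sep/2006:10:05:01 -0400] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [29/Sep/2006:10:05:09 -0400] "GET /cgi-bin/view.cgi?f=../../../../etc/passwd HTTP/1.1" 200 1817
10.0.0.9 - - [29/Sep/2006:10:06:44 -0400] "GET /images/logo.png HTTP/1.1" 200 4410
10.0.0.7 - - [29/Sep/2006:10:07:02 -0400] "POST /cgi-bin/upload.cgi HTTP/1.1" 500 0
EOF
ACCESS_LOG="$WORK/access_log"

# failed_logins LOG THRESHOLD: "ip count" for sources with >= THRESHOLD failures.
failed_logins() {
    awk -v t="$2" '/Failed password/ { for (i = 1; i < NF; i++) if ($i == "from") n[$(i+1)]++ }
                   END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1"
}

# failed_then_accepted LOG: sources that got an Accepted after earlier failures,
# the trace a successful guess leaves behind.
failed_then_accepted() {
    awk '{ ip = ""; for (i = 1; i < NF; i++) if ($i == "from") ip = $(i+1) }
         ip == "" { next }
         /Failed password/ { failed[ip]++ }
         /Accepted password/ && failed[ip] > 0 { print ip }' "$1"
}

# passwd_requests LOG...: the slide's grep, reduced to client and request URI.
passwd_requests() {
    grep -h 'passwd' "$@" | awk '{ print $1, $7 }'
}

# client_activity LOG IP: everything one address did, for the timeline.
client_activity() {
    awk -v ip="$2" '$1 == ip' "$1"
}
```

On the sample, failed_logins with a threshold of 2 reports 10.0.0.7, failed_then_accepted reports the same address, and passwd_requests shows that address fetching view.cgi with a ../../etc/passwd argument a few minutes later: the two logs corroborate each other, which is what the timeline slide asks you to build.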

31. Examine Account Information

32. Trust Relationship Configuration Files

33. Invisible Files and Directories
• Find invisible (dot-named) directories, showing non-printing characters and trailing spaces in their names
– find . -type d -name ".*" -print | cat -A
• Search for SUID root executables
– find / -user root -perm -4000 -print0 | xargs -0 ls -l
• Search for SGID programs
– find / -perm -2000 -print0 | xargs -0 ls -l
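Added example, not from the slides: the three find commands of slide 33 as functions, run against a constructed tree that contains the kinds of names attackers pick ("...", ". ") and a SUID copy of sh planted in one of them. cat -vet (cat -A on GNU) is what makes a trailing space in a directory name visible.

```shell
#!/bin/sh
# Added example (not from the slides): hidden directories and SUID/SGID files
# on a constructed tree. chmod on your own files sets the bits without root.
set -eu

WORK=$(mktemp -d)

# build_sample_tree: constructed; one benign dot directory, two suspicious ones.
build_sample_tree() {
    r="$WORK/root"
    mkdir -p "$r/home/alice/.ssh" "$r/tmp/..." "$r/tmp/. " "$r/bin" "$r/usr/bin"
    printf '#!/bin/sh\n' > "$r/tmp/.../sh";  chmod 4755 "$r/tmp/.../sh"   # SUID shell in a hidden dir
    printf 'x' > "$r/bin/ping";              chmod 4755 "$r/bin/ping"     # SUID where you expect one
    printf 'x' > "$r/usr/bin/wall";          chmod 2755 "$r/usr/bin/wall" # SGID
    printf 'x' > "$r/bin/ls";                chmod 0755 "$r/bin/ls"       # neither
    echo "$r"
}

# hidden_dirs ROOT: dot-named directories below ROOT. cat -vet ends every line
# with '$', so "/tmp/. $" exposes the trailing space that ls would hide.
hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' -print | cat -vet
}

# suid_files ROOT / sgid_files ROOT: slide 33's searches. -print0 | xargs -0
# keeps odd names intact; add -user root to restrict to root-owned files.
suid_files() {
    find "$1" -type f -perm -4000 -print0 | xargs -0 ls -l
}
sgid_files() {
    find "$1" -type f -perm -2000 -print0 | xargs -0 ls -l
}
```

Compare the SUID list against the package manager's view of which files should carry the bit; /bin/ping is expected, a SUID sh under /tmp/... is not.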

34. Signs of Intrusion in /tmp

35. Verifying crontab and at Jobs

36. Signs that an Executable File Deserves a Closer Look

37. Shell and Application History
• sh – .sh_history
• csh – .history
• ksh – .sh_history
• bash – .bash_history
• tcsh – .history
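Added example, not from the slides: an inventory of the history files listed on slide 37 across a set of constructed home directories. Besides the line counts it flags a common anti-forensic trick, a history file symlinked to /dev/null so that nothing is ever written, and greps the real files for commands that warrant a closer look (the pattern list is this example's own).

```shell
#!/bin/sh
# Added example (not from the slides): per-user shell history inventory on a
# constructed set of home directories.
set -eu

WORK=$(mktemp -d)
HIST_NAMES='.sh_history .history .bash_history'   # sh/ksh, csh/tcsh, bash (slide 37)

# build_homes: constructed users; mallory's history goes to /dev/null on purpose.
build_homes() {
    h="$WORK/home"
    mkdir -p "$h/alice" "$h/bob" "$h/mallory"
    printf 'ls\ncd /var/log\n' > "$h/alice/.bash_history"
    printf 'setenv PATH /tmp/.x:$PATH\n' > "$h/bob/.history"
    ln -s /dev/null "$h/mallory/.bash_history"
    echo "$h"
}

# history_report HOMEROOT: "user file status" for every history file present.
history_report() {
    for home in "$1"/*; do
        user=${home##*/}
        for name in $HIST_NAMES; do
            f="$home/$name"
            if [ -L "$f" ]; then
                printf '%s %s SYMLINK->%s\n' "$user" "$name" "$(readlink "$f")"
            elif [ -f "$f" ]; then
                printf '%s %s %s lines\n' "$user" "$name" "$(grep -c '' "$f")"
            fi
        done
    done
}

# suspicious_commands HOMEROOT [ERE]: history lines matching a pattern list
# (PATH changes, downloaders, set-uid chmods, listening netcats).
suspicious_commands() {
    pat=${2:-'setenv PATH|PATH=|wget |curl |chmod .*[+]s|chmod [2-7][0-7][0-7][0-7]|nc -l'}
    for home in "$1"/*; do
        for name in $HIST_NAMES; do
            f="$home/$name"
            [ -f "$f" ] && [ ! -L "$f" ] && grep -H -E "$pat" "$f" || true
        done
    done
}
```

A history file that is missing, empty, or a link to /dev/null is itself a finding; an intact one is only as trustworthy as the account that wrote it, since the user can edit it freely.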

38. Signs of Hostile Processes

39. Levels of System Compromise

40. RootKit
• http://www.securityfocus.com/infocus/1811
• Increase privileges
• Hide activities
– Manipulate the environment and hide evidence
• Gather information
– To extend attacks
• One example
– Loadable kernel modules (LKM)
– http://www.s0ftpj.org/docs/lkm.htm

41.–47. RootKit Content (seven slides of figures; image content not captured)

48. KSTAT Utility
• kstat -s: display the system call table

49. Detecting Trojan LKMs on a Live System
• Detecting trojan LKMs on a live system
– Complicated
– These tools intercept system calls
• Port 2222 is open – default Adore LKM port

50. Miscellaneous
• To determine the listening applications associated with open ports
– netstat -anp
• To determine whether a sniffer is running on a system (interface in promiscuous mode)
– ifconfig eth0 (look for PROMISC among the flags)
• /proc
– /proc/<pid>/fd: all the files a process has opened
– /proc/<pid>/cmdline: the command line, arguments separated by NUL bytes
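Added example, not from the slides: parsers for the two outputs slide 50 tells you to collect, run over constructed samples of netstat -anp and ifconfig (addresses and PIDs are made up), plus the two /proc lookups, which read the live kernel and therefore only work on Linux. The netstat sample includes a listener with no PID/Program shown, the shape of the hidden-port case from slide 49.

```shell
#!/bin/sh
# Added example (not from the slides): parse netstat -anp and ifconfig output,
# and read /proc/<pid>/cmdline and /proc/<pid>/fd. Samples are constructed.
set -eu

WORK=$(mktemp -d)

# Constructed netstat -anp output, including one listener netstat cannot attribute.
cat > "$WORK/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      917/sshd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:22             10.0.0.7:51024          ESTABLISHED 2113/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           701/ntpd
EOF
NETSTAT_SAMPLE="$WORK/netstat.txt"

# Constructed ifconfig output with eth0 in promiscuous mode.
cat > "$WORK/ifconfig.txt" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:3A:1F:22
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
EOF
IFCONFIG_SAMPLE="$WORK/ifconfig.txt"

# listeners FILE: "port proto pid/program" for every TCP LISTEN and bound UDP socket.
listeners() {
    awk '($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /\*$/) {
             n = split($4, a, ":"); print a[n], $1, $NF }' "$1"
}

# unowned_listeners FILE: listening ports with "-" in the PID/Program column.
# Unprivileged runs show "-" for other users' sockets; when netstat ran as root,
# "-" means no process in /proc owns the socket, which is what an LKM that hides
# processes produces (port 2222 on the sample is the Adore default from slide 49).
unowned_listeners() {
    listeners "$1" | awk '$3 == "-" { print $1 }'
}

# promisc_ifaces FILE: interfaces flagged PROMISC; accepts ifconfig or "ip link" output.
promisc_ifaces() {
    awk '/^[^ \t]/ { iface = ($1 ~ /^[0-9]+:$/) ? $2 : $1; sub(":$", "", iface) }
         /PROMISC/ { print iface }' "$1"
}

# proc_cmdline PID: the NUL-separated argument vector, one per space.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"; echo
}

# proc_open_files PID: every open descriptor as a symlink to its target.
proc_open_files() {
    ls -l "/proc/$1/fd"
}
```

Collect netstat -anp, the interface flags and the /proc entries of any suspect PID early, in the order-of-volatility sense; a kernel-level rootkit can alter what all three report, so compare them against a view from outside the host (a port scan, a span port on the switch) when the numbers do not agree.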
