Linux Forensics -1-
The following topics will be covered in this series of articles:
Live Response
- Human interactions
- Creating a live response kit
- Transporting data across a network
- Collecting volatile data
- Determining if dead analysis is justified
- Dumping RAM
Acquiring filesystem images
- Using dd
- Using dcfldd
- Write blocking
  - Software blockers
  - Udev rules
  - Forensic Linux distros
  - Hardware blockers
Analyzing filesystems
- Mounting image files
- Finding the strange
- Searching tools
- Authentication related files
- Recovering deleted files
- Finding hidden information
Timeline Analysis
- When was the system installed, upgraded, booted, etc.
- Newly created files (malware)
- Changed files (trojans)
- Files in the wrong place (exfiltration)
Digging deeper into Linux filesystems
- Disk editors
  - Active@ Disk Editor
  - Autopsy
- ExtX
- Other Linux filesystems
- Searching unallocated space
Network forensics
- Using snort on packet captures
- Using tcpstat
- Separating conversations with tcpflow
- Tracing backdoors with tcpflow
File forensics
- Using file signatures
- Searching through swap space
- Web browsing reconstruction
  - Cookies
  - Search history
  - Browser caches
Unknown files
- Comparing hashes to known values
- file and strings commands
- Viewing symbols with nm
- Reading ELF files
  - objdump
  - gdb
Memory Forensics
- Volatility Profiles
- Retrieving process information
- Recovering command line arguments
- Rebuilding environment variables
- Listing open files
- Retrieving bash information
- Reconstructing network artifacts
- Kernel information
- Volatile file system information
- Detecting user mode rootkits
- Detecting kernel rootkits
Reversing Linux Malware
- Digging deeper into ELF
  - Headers
  - Sections
  - Strings
  - Symbol tables
  - Program headers
  - Program loading
  - Dynamic linking
- Command line analysis tools
  - strings
  - strace
  - ltrace
- Running malware (carefully)
  - Virtual machine setup
  - Capturing network traffic
  - Leveraging gdb
Be Prepared
- Have a response kit with a complete set of system binaries and forensics tools
  - Both 32-bit and 64-bit versions
  - Ideally on both CD-ROM and USB
- Hardware
  - Write blockers
  - Media
  - Forensic laptop
- Notebook, etc. for documentation
Data to Collect
- Date and time
  - Clock may be skewed
  - Might be in a different timezone
- Network interfaces
  - Funny (unexpected) networks
  - Promiscuous mode
- Network connections
- Open ports
- Programs associated with ports
- Running processes
- Open files
- Routing tables
- Mounted filesystems
- Loaded kernel modules
Use LiME (Linux Memory Extractor)
LiME is a loadable kernel module that allows volatile memory acquisition from Linux and Linux-based devices such as Android. Because it runs inside the kernel and minimises interaction with user space during acquisition, it produces more forensically sound memory captures than other tools designed for Linux memory acquisition.
- Must be built for the exact kernel running on the subject machine
- Should not be built on the subject machine
  - For identical versions of Ubuntu you can use: sudo apt-get install lime-forensics-dkms
  - For every other situation, download from https://github.com/504ensicsLabs/LiME and compile against the correct kernel headers
  - Compile with "make" for the current kernel, or "make -C /lib/modules/<kernel version>/build M=$PWD" for other kernels
LiME supports 3 formats:
- Raw (every segment concatenated together)
- Padded (same as raw, but the gaps between segments are zero-filled so that file offsets match physical addresses)
- LiME (recommended format; each segment is preceded by a header recording its address range)
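To make the three output formats concrete, here is an added example (not LiME's own code or the slides' material) that serialises a constructed pair of RAM ranges in raw, padded and LiME layout and parses the LiME headers back; the 32-byte header layout (magic, version, start and end address, 8 reserved bytes) is LiME's, the sample segments are constructed.

```python
import struct

LIME_MAGIC = 0x4C694D45            # stored little-endian, so it reads as b"EMiL" on disk
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8x")  # magic, version, s_addr, e_addr, 8 reserved bytes = 32 bytes

# Constructed sample "RAM": two System RAM ranges with a hole between them (not a real capture).
SAMPLE_SEGMENTS = [(0x1000, bytes(range(256)) * 16), (0x4000, b"\xAA" * 0x800)]

def write_raw(segments):
    """Raw format: every segment concatenated, address information is lost."""
    return b"".join(data for _, data in segments)

def write_padded(segments):
    """Padded format: raw layout, but holes are zero-filled so file offset == physical address."""
    out = bytearray()
    for start, data in segments:
        out += bytes(start - len(out))   # zero padding up to this segment's start address
        out += data
    return bytes(out)

def write_lime(segments):
    """LiME format: a 32-byte range header in front of each segment, no padding."""
    out = bytearray()
    for start, data in segments:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, start, start + len(data) - 1)
        out += data
    return bytes(out)

def read_lime(blob):
    """Parse a LiME dump back into (s_addr, e_addr, data) tuples, validating each header."""
    segs, off = [], 0
    while off < len(blob):
        magic, version, s_addr, e_addr = HEADER.unpack_from(blob, off)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError(f"bad LiME header at offset {off:#x}")
        length = e_addr - s_addr + 1
        off += HEADER.size
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"truncated segment starting at {s_addr:#x}")
        segs.append((s_addr, e_addr, data))
        off += length
    return segs
```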
Mounting Images: MBR Basics
Master Boot Record
- Ancient standard (from the 80s)
- Allows up to four partitions
- At most one partition can be active (bootable)
- Some partitions may be extended partitions, which can contain multiple partitions inside them
- Partitions inside an extended partition are stored in a linked list
- Being replaced with GUID partition tables
Master Boot Record Format
Mounting an Image with an MBR
The bootable partition in the example starts at sector 63, so its byte offset into the image is 63 * 512 = 32256; that is the value given to mount's offset option when loop-mounting the image.
Extended Partitions
- Used with MBR-based drives with more than 4 partitions
- A primary extended partition stores logical partitions inside of itself
- Each logical partition is preceded by an "MBR sector" (an extended boot record)
- Offsets are relative to the extended partition
- Interpreted as a linked list
- Normally only the first two entries are used (the logical partition itself and the link to the next one)
Extended Partition MBR Format
Partition Record Format
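As an added example (not from the original slides), a Python parser that walks a constructed MBR and its extended-partition chain the way the linked-list description above implies, reporting each partition's type, absolute start sector and the byte offset a loop mount would need; the sample disk layout and its sector numbers are constructed, not taken from a real image.

```python
import struct
SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # CHS extended, LBA extended, Linux extended

def partition_records(sector):
    """Return the four 16-byte records of an MBR/EBR sector as (status, type, start_lba, sectors)."""
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    return [(r[0], r[4]) + struct.unpack_from("<II", r, 8)
            for r in (sector[446 + 16 * i:462 + 16 * i] for i in range(4))]

def list_partitions(read_sector):
    """Walk the MBR and any extended-partition chain; return (type, abs_start_lba, sectors, byte_offset)."""
    found = []
    for _status, ptype, start, size in partition_records(read_sector(0)):
        if ptype == 0:
            continue
        if ptype not in EXTENDED_TYPES:
            found.append((ptype, start, size, start * SECTOR))
            continue
        ext_base, ebr_lba, seen = start, start, set()
        while ebr_lba not in seen:              # a corrupt chain must not loop forever
            seen.add(ebr_lba)
            recs = partition_records(read_sector(ebr_lba))
            _, ltype, lstart, lsize = recs[0]   # entry 0: logical partition, relative to this EBR
            if ltype:
                found.append((ltype, ebr_lba + lstart, lsize, (ebr_lba + lstart) * SECTOR))
            _, ntype, nstart, _ = recs[1]       # entry 1: next EBR, relative to the extended partition start
            if ntype not in EXTENDED_TYPES:
                break
            ebr_lba = ext_base + nstart
    return found

def make_sector(records):
    """Build a constructed MBR/EBR sector from (status, type, start_lba, sectors) records."""
    s = bytearray(SECTOR)
    for i, rec in enumerate(records):
        struct.pack_into("<B3xB3xII", s, 446 + 16 * i, *rec)
    s[510:512] = b"\x55\xAA"
    return bytes(s)

# Constructed sample disk (not a real image): a bootable primary Linux partition, then an
# extended partition holding two logical partitions (Linux, swap) chained through EBR entry 1.
SAMPLE_DISK = {
    0:    make_sector([(0x80, 0x83, 63, 2000), (0x00, 0x05, 2063, 4096)]),
    2063: make_sector([(0x00, 0x83, 63, 1985), (0x00, 0x05, 2048, 2048)]),
    4111: make_sector([(0x00, 0x82, 63, 1985)]),
}

def sample_partitions():
    return list_partitions(lambda lba: SAMPLE_DISK[lba])
```

Each byte_offset is what you would pass as mount -o loop,ro,offset=N for that partition.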
GUID Partitions
- Part of the UEFI system to replace BIOS boot
- Allows up to 128 partitions
- Simple
- The new standard
- All current 64-bit systems ship with this
GUID Partition Tables
Partition Record Format
Partition Attributes
Mounting a GUID Partition
fdisk /dev/sda
Filesystem Analysis
Compare files of different filesystem versions (here two extracted OpenWrt squashfs roots) with git diff in --no-index mode, which needs no repository:
Find added files:
git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
Find modified content (only the added lines, ignoring the Installed-Time timestamps that differ between builds):
git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time"
Find deleted files:
git diff --no-index --diff-filter=D _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
Ext2 Basics
Extended Filesystem
- Based on the Unix File System (UFS)
- Simpler than UFS
- Meant to be robust with good performance
- The most common Linux filesystem family
- Ext2 is common for partitions that don't change much
- Ext3/4 are journaling and used most often
Ext2 Structure
Ext2 Inodes
Inodes are the basic building blocks of a file system: they are the on-disk structures that describe each file, and they normally go unnoticed until a usage limit (such as running out of inodes) is hit.
Inode is short for index node. Inodes are small index records that work behind the scenes in the file system.
Getting basic Ext2 Information
fsstat -o 2048 "/media/phil/TOSHIBA EXT/disk-images/2015-3-9.img" | more
(-o gives the partition's starting sector within the image; the path contains a space and must be quoted.)
Finding things that are out of place
Files installed together receive nearly consecutive inode numbers, so a binary added or replaced later stands out when the listing is sorted by inode:
ls -ali bin | sort -n
ls -ali sbin | sort -n
ls -aliR --sort=size bin | more
ls -aliR --sort=size sbin | more
ls -aliR --sort=time sbin | more
ls -aliR --sort=time bin | more
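The inode check behind `ls -ali | sort -n`, automated as an added example (not from the original page): parse constructed `ls -ali` output and flag entries whose inode lies far from the directory's main cluster; the sample listing is constructed, and its replaced ls binary carries a timestamp matching its neighbours to show that inode numbers expose it even when mtime has been reset.

```python
import statistics

# Constructed sample of `ls -ali bin` output (not taken from a real system): binaries installed
# together get near-consecutive inodes; ls was replaced later and got an inode from elsewhere.
SAMPLE_LS = """\
131073 drwxr-xr-x  2 root root    4096 Mar  9  2015 .
     2 drwxr-xr-x 22 root root    4096 Mar  9  2015 ..
131074 -rwxr-xr-x  1 root root 1029624 Feb 17  2015 bash
131075 -rwxr-xr-x  1 root root   51032 Feb 17  2015 cat
131076 -rwxr-xr-x  1 root root   59360 Feb 17  2015 chmod
131077 -rwxr-xr-x  1 root root   63480 Feb 17  2015 chown
131078 -rwxr-xr-x  1 root root  130512 Feb 17  2015 cp
131079 -rwxr-xr-x  1 root root   10392 Feb 17  2015 dmesg
131080 -rwxr-xr-x  1 root root   67720 Feb 17  2015 kill
262401 -rwxr-xr-x  1 root root  110080 Feb 17  2015 ls
131082 -rwxr-xr-x  1 root root   38916 Feb 17  2015 mkdir
131083 -rwxr-xr-x  1 root root  118280 Feb 17  2015 netstat
131084 -rwxr-xr-x  1 root root   64000 Feb 17  2015 ps
"""

def parse_ls_ali(text):
    """Parse `ls -ali` lines into (inode, name, mtime) tuples, skipping ., .. and a 'total' line."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 9)   # inode perms links owner group size month day year/time name
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        name = parts[9]
        if name in (".", ".."):
            continue
        entries.append((int(parts[0]), name, " ".join(parts[6:9])))
    return entries

def inode_outliers(entries, k=10, min_dev=64):
    """Return names whose inode deviates from the median by more than k * MAD (and at least min_dev)."""
    inodes = [ino for ino, _, _ in entries]
    med = statistics.median(inodes)
    mad = statistics.median(abs(ino - med) for ino in inodes)
    limit = max(k * mad, min_dev)   # min_dev keeps tiny, perfectly regular dirs from flagging everything
    return [name for ino, name, _ in entries if abs(ino - med) > limit]
```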