Linux Forensics -- need help


laker8133

Hi guys, I'm currently working on a Linux VM image and we as a class are supposed to analyze this thing and do a dead and a live investigation.

Now with this, I'm looking for live CDs or any other type of Linux distros that will help us analyze an image using KFF (known file filtering).

What I have done is

dd if=/dev/sda2 | nc 192.168..... 2222 (set up an nc listener on the other computer)

and that's how I got the image of the VMware session.

We are supposed to be using Autopsy in this course. If any of you guys can help me load a .img file into it that would be great. Thanks.


http://www.sleuthkit.org/autopsy/man/autopsy.html

You can mount the image using the loopback filesystem (might require a modprobe; the module is called loop.ko), then use autopsy's -i parameter.

If this stuff needs to be explained to you, either you or your teacher deserves a questionable grade.


I've mounted it with the mount -0 loop disk.img /mnt/disk.

I have run ./chkrootkit on the system while mounted and it turned up nothing, while there is a person in class who says Autopsy should pick it up.

That step I have done. What the teacher loves to do is get you to use your tools based on a linux 2.6 system and then for a major test he will switch it up for a 2.4 system.

As for the last comment I'm a bit confused.

And he has taught us how to use some tools one way, and then you're expected to know how to learn to use them the other way. Plus having this stuff in a VM image instead of an actual live computer throws me off totally.

Do you have any suggestions on getting FTK to work with the .img file? Or do you think I need to save it as a .iso to get it to work?

Thanks

Paul


I've mounted it with the mount -0 loop disk.img /mnt/disk.

Nitpicking, but shouldn't that be '-o loop' (lowercase 'o')?

I have run ./chkrootkit on the system while mounted and it turned up nothing, while there is a person in class who says Autopsy should pick it up.

Tools like that are looking for specific traces of rootkits. Rootkit builders get smarter too eventually, and simply get better at hiding their stuff. Sometimes they get a leg-up on your favourite tool, which is why you shouldn't depend on your tool that much. Tools can be wrong too.

Rootkits tend to replace programs on the system. There is a command for rpm-based distros that will compare files on the actual system against what the rpm says it should encounter.

See http://www.rpm.org/max-rpm/ch-rpm-verify.html

When any of the existing files has been replaced by a rootkit, this should tell you which file(s) were changed. Keep in mind that you're dealing with what used to be a production system. There's the possibility that the installed replacement is a valid binary that a tired admin installed manually at 4 am, hands shaking from the caffeine overdose, in a last-ditch effort to get some piece of shit program going. Investigate the binaries that differ (the 'strings' command can be useful here) to see if something's up.

Oh, and don't forget that once a system has been rooted, replacing or outright removing the rpm database is trivial. Still worth a shot though.

If the machine was using a debian-based distro, you could put together a script that unpacks the .deb file and compares the unpacked binaries with the binaries located on the system.

That step I have done. What the teacher loves to do is get you to use your tools based on a linux 2.6 system and then for a major test he will switch it up for a 2.4 system.

The thing you should really focus on is that you should *NOT* in any case learn the tool. Instead, understand what the tool is doing below the surface. Tools make it easy to do stuff, but you should be able to do them manually as well when the tool in question isn't available, or a different tool must be used that you're not particularly familiar with.

Replacing a 2.6 system with a 2.4 one shouldn't matter much at all if you ask me.

As for the last comment I'm a bit confused.

I gave you the autopsy manpage and instructions on using a loopback mount. If finding out about these two things at this stage is proving troublesome, you're not doing too well. Clearly you're not in _that_ bad a shape though.

And he has taught us how to use some tools one way, and then you're expected to know how to learn to use them the other way.

Yes, because you're supposed to learn the problem and the solution, not the tool. People who focus too much on the tool are the people that won't use Firefox & friends because they know IE and are only comfortable with that.

Plus having this stuff in a VM image instead of an actual live computer throws me off totally.

Why? You just took an image out of the machine. From that point on everything should be equal.

Do you have any suggestions on getting FTK to work with the .img file? Or do you think I need to save it as a .iso to get it to work?

My suggestion is to really investigate the system:

Start with 'find . -type d | less' and look for odd and out of place directories. Any directory whose name starts with a dot is suspect. Directories named '...' doubly so.

Take a close look at the logs. Be wary. A rooted box is compromised. Any evidence found can be fabricated to lead you on a wild goose chase.

See if multiple root accounts exist in /etc/passwd and /etc/shadow and if so, take a close look at which files that user owns (find -uid is your friend).

Find all the suid and sgid binaries on the system (see the -perm parameter to the 'find' command) and make sure they're all legit.

Check the init scripts for modifications. There shouldn't be a lot of files there so even doing this manually is feasible.

Check /etc/inetd.conf or /etc/xinetd.conf (whichever is being used) for unexpected services that are being allowed.

Check /etc/hosts.allow for unexpected machines being explicitly given access to services.

Take a close look at the firewall rules the machine starts out with.

Sounds like a lot of work, doesn't it? That's why they make tools. That doesn't excuse you from knowing what the tool is doing though, or from having to be able to do all this without said tool when the need arises.

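The manual checklist in the reply above (hidden directories, extra uid-0 accounts, suid/sgid binaries, hosts.allow entries) as a small read-only triage script run against the loopback-mounted image root. This is an added example, not code from anyone in the thread; the function name `triage_root` and the mount point `/mnt/disk` are assumptions, and nothing from the mounted tree is ever executed.

```bash
#!/bin/sh
# Offline triage of a mounted image root, e.g. after:
#   modprobe loop && mount -o loop,ro disk.img /mnt/disk
# Every check only reads the mounted tree; the suspect system's own
# binaries are never run, so a rootkit there cannot lie to us.
# Prints one finding per line, prefixed with the check that produced it.
triage_root() {
    root="${1:?usage: triage_root /mnt/disk}"

    # 1. Hidden directories: any name starting with a dot, which also
    #    catches the classic '...' directory.  The root itself is skipped.
    find "$root" -type d -name '.*' ! -path "$root" 2>/dev/null |
        sed 's/^/hidden-dir: /'

    # 2. Extra accounts with uid 0 besides root in the image's passwd.
    if [ -f "$root/etc/passwd" ]; then
        awk -F: '$3 == 0 && $1 != "root" { print "extra-uid0: " $1 }' \
            "$root/etc/passwd"
    fi

    # 3. setuid (4000) or setgid (2000) files anywhere in the tree.
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed 's/^/suid-sgid: /'

    # 4. Non-comment, non-blank hosts.allow lines granting access.
    if [ -f "$root/etc/hosts.allow" ]; then
        grep -v '^[[:space:]]*#' "$root/etc/hosts.allow" |
            grep -v '^[[:space:]]*$' | sed 's/^/hosts.allow: /'
    fi
    return 0
}

# Stand-alone use: ./triage.sh /mnt/disk
if [ -n "${1:-}" ]; then
    triage_root "$1"
fi
```

Each finding still needs a human judgement (a legitimate suid binary or a hidden dotfile directory is normal), but the list is short enough to walk through by hand, which is the point the reply makes.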

The number 1 rule in Forensics is... Anyone know?

Ya, I didn't think you did. Make a statically compiled toolkit. Then when you run your ls and check for MAC times, you know right off the bat it's telling the truth. Although the rootkit may give you back false positives :S.

How does this work? It's because you're not invoking commands off of the host system and just off of the CD.

I want to mount it like mount -ro /img.img /mnt/disk. Didn't give me the option.

The stuff that normally screws me up is the syntax; that was the whole reason for asking for help. And the first 2 years of this course we examined pwdump and things like that, so we know what is going on exactly with the automated suites. The reason I know there is a rootkit on the image is:

Logs have been deleted or marked for deletion,

while doing MAC times I noticed the ./ which means hidden directories,

also noticed the suspect installed stuff in the /usr directory and has since deleted it.

I did figure out why that image I was trying to check wasn't working in the Penguin Sleuthkit live CD, which is what I was using.

I also called the teacher over while trying to mount it. He said to try it via source. So that's what I'm going to try next.

Encase is sweet, but it crashes; must have been by the devil's workshop. :S Exams are coming up...


I want to mount it like mount -ro /img.img /mnt/disk. Didn't give me the option.

"-o loop" should fix that, no? Requires kernel support so potentially a quick modprobe to include before that. Works for both 2.4 and 2.6 too.
