Thursday, December 12, 2013

Live Forensic on Linux



Last month, I wrote a bit about doing live forensic on a Windows machine. Today, let's do Linux.

Let's do a bit of recall before we proceed. Since I'm lazy to repeat, here are excerpts of what I have written previously in Live Forensic on Windows:

Before we touch that, why do we need to do live forensic at the first place? For a few reasons:
a) It is a production server and the Business Owner or System Admin would not let you shut down the system/server for offline forensic
b) The server/system is at a location that you could not go there physically
c) We afraid that we may lost crucial information e.g. malware that runs in memory only if we were to shut down the system immediately

Next, what info or data should we gather? What tools to use? In IT Forensic, we normally talk about using trusted binaries. Why is it important? Because on a hacked or malware infected machines, it is not uncommon for the attacker/malware to install rootkits or replace some common commands/binaries of the system/server in order to hide or cover their tracks. Running these binaries might not give you the real output or info as they should be. Therefore, the first steps is to prepare a forensic kit (e.g. write protected USB stick, CD) with your trusted binaries/tools.


Now, what tools you can use? Unlike Windows, Linux binaries are quite sensitive to the kernel's version. Also, have you heard about dynamic library dependency hell? Basically one library depends on other library which depends on another libraries and so on... Thus, most of the time you can't just copy out the binary/program and expect it to work on another system. You can always compile your own binary statically, but that require lots of works as well. Luckily, I found a saviour - Busybox! Yes, it is the same tool you use to run commands on your rooted Android devices :)

So, go grab yourself the Linux version of Busybox now!

For memory dump acquisition:
1. Use LiME. However, it might not work if the system prevent loading of kernel module. it is also very kernel specific, thus you can't compile it on a system and expect it to work on any systems. It will only work on a system with a same kernel version. 
2.  dd if=/dev/mem of=host1/dd-dev-mem.img . However, this may not work with newer kernel or if the kernel is compiled with STRICT_DEVMEM=y option (check /boot/config-<KERNELVERSION>). 

Have fun!

No.
What to Acquire
Tools/Commands to Use (Output is saved to a file)
1.     
Hostname
·         ./busybox-i686 hostname > targethost/b-hostname.txt
·         hostname > targethost/hostname.txt
2.     
OS version
·         ./busybox-i686 uname –a > targethost/b-uname-a.txt
·         uname –a > targethost/uname-a.txt
·         cat /etc/os-release > targethost/os-release.txt
3.     
Current system date and time
·         ./busybox-i686 date > targethost/b-date.txt
·         date > targethost/date.txt
4.     
Current IP address
·         ./busybox-i686 ifconfig > targethost/b-ifconfig.txt
·         ifconfig –a > targethost/ifconfig-a.txt
5.     
Current running process list
·         ./busybox-i686 ps –eaf > targethost/b-ps-eaf.txt
·         ps –eaf > targethost/ps-eaf.txt
·         ./busybox-i686 lsof  –a > targethost/b-lsof.txt
·         lsof > targethost/lsof.txt  
6.     
 current network connection lis
·         ./busybox-i686 netstat –anp > targethost/b-netstat-anp.txt
·         netstat –anp > targethost/netstat-anp.txt
·         ./busybox-i686 netstat –anr > targethost/b-netstat-anr.txt
·         netstat –anr > targethost/netstat-anr.txt
7.     
 current list of current logon sessions
·         ./busybox-i686 who –a > targethost/b-who-a.txt
·         who –a > targethost/who-a.txt
·         w > targethost/w.txt
8.     
 list of auto start applications and services
·         chkconfig --list > targethost/chkconfig--list.txt
·         ./busybox-i686 ls –alR /etc/rc* > targethost/ls-al-etc-rc.txt
·         ./busybox-i686 ls –alR /etc/init.d > targethost/ls-al-rc-d.txt
·         more /etc/init.d/* > targethost/more-init-d.txt
·         cat /etc/inittab > targethost/inittab.txt
·         service –-status-all > targethost/service—status-all.txt
·         ./busybox-i686 ls -alR /etc/systemd* > targethost/ls-al-etc-systemd.txt
·         ./busybox-i686 cat /etc/inetd.conf > targethost/inetd.conf
·         cat /etc/inetd.conf > targethost/inetd.conf
9.     
 environment variables
·         ./busybox-i686 env > targethost/b-env.txt
·         env > targethost/env.txt
10.  
 list of cron jobs (scheduler)
·         ./busybox-i686 cat /etc/crontab > targethost/b-crontab.txt
·         cat /etc/crontab > targethost/crontab.txt
11.  
 system event (dmesg) log records
·         ./busybox-i686 dmesg > targethost/b-dmesg.txt
·         dmesg > targethost/dmesg.txt
12.  
 last user activity records
·         ./busybox-i686 last > targethost/b-last.txt
·         last > targethost/last.txt
·         lastb > targethost/lastb.txt
·         lastlog > targethost/lastlog.txt
13.  
 list of installed software
·         rpm –qa targethost/rpm-qa.txt
·         dpkg --get-selections > targethost/dpkg—get-selections.txt
14.  
 list of user accounts
·         ./busybox-i686 cat /etc/passwd > targethost/b-passwd.txt
·         cat /etc/passwd > targethost/passwd.txt
·         ./busybox-i686 cat /etc/group > targethost/b-group.txt
·         cat /etc/group > targethost/group.txt
15.  
 partition table and drive info
·         ./busybox-i686 df –h > targethost/b-df-h.txt
·         df –h > targethost/df-h.txt
·         ./busybox-i686 fdisk -l > targethost/b-fdisk-l.txt
·         fdisk -l > targethost/fdisk-l.txt
·         parted –l targethost/parted-l.txt
·         ./busybox-i686 cat /etc/fstab > targethost/b-fstab.txt
·         cat /etc/fstab > targethost/fstab.txt
·         ./busybox-i686 mount > targethost/b-mount.txt
·         mount > targethost/mount.txt
16.  
 list of loaded modules
·         ./busybox-i686 lsmod > targethost/b-lsmod.txt
·         lsmod > targethost/lsmod.txt
·         ./busybox-i686 cat /proc/modules > targethost/b-proc-modues.txt
·         cat /proc/modules > targethost/proc-modues.txt
17.  
 information about memory usage
·         ./busybox-i686 cat /proc/meminfo > targethost/b-proc-meminfo.txt
·         cat /proc/meminfo > targethost/proc-meminfo.txt

18.  
 iptables rules (firewall)
·         iptables --list > targethost/iptables--list.txt
19.  
 system logs normally stored in /var/log
·         ./busybox-i686 tar –czvf targethost/b-var-log.tgz /var/log
20.  
 memory dump with LiME
As the LiME software needs to be specially built for the target system Linux’s kernel, there are more steps to be done before the tool can be used:
a.     Extract the LiME source file you downloaded.
b.     Change directory into the “src” directory. Type: cd src
c.     Compile the module. Type: make
·         If successful, a new file starting with “lime’ and ending with “.ko” will be created. Example: lime-3.2.6.ko
·         insmod lime*.ko “path=targethost/lime.mem format=lime”
The module is then loaded to the kernel and the memory dump will happen automatically. If you need to run it again, you must first remove the module from the kernel. Type: rmmod lime


21.  
 /dev/mem and /dev/kmem via dd
·         dd if=/dev/mem of=targethost/dd-dev-mem.img
·         dd if=/dev/kmem of=targethost/dd-dev-kmem.img


Thursday, November 7, 2013

Live forensic on Windows


In the last posts, I talked about the processes of IT Forensic. Those are just theories as one might say. Hence, today, let's get more real and technical. How about what can we do to perform live forensic on Windows systems sounds to you?

Before we touch that, why do we need to do live forensic at the first place? For a few reasons:
a) It is a production server and the Business Owner or System Admin would not let you shut down the system/server for offline forensic
b) The server/system is at a location that you could not go there physically
c) We afraid that we may lost crucial information e.g. malware that runs in memory only if we were to shut down the system immediately

Next, what info or data should we gather? What tools to use? In IT Forensic, we normally talk about using trusted binaries. Why is it important? Because on a hacked or malware infected machines, it is not uncommon for the attacker/malware to install rootkits or replace some common commands/binaries of the system/server in order to hide or cover their tracks. Running these binaries might not give you the real output or info as they should be. Therefore, the first steps is to prepare a forensic kit (e.g. write protected USB stick, CD) with your trusted binaries/tools.

Back to what info or data to gather.... Below are the lists of what we should gather and how or using what tool can we gather it (yes, I know some of them are not of trusted binaries but there are also advantages in running them. Can you see those advantages? Answers below :) ) . Basically, we will need these free and great software suites:
a) Sysinternals Suite - http://technet.microsoft.com/en-us/sysinternals/
b) Nirsoft - http://www.nirsoft.net/
c) Redline (for memory dump and analysis) - http://www.mandiant.com/resources/download/redline

No.
What to Acquire
Tools/Commands to Use (Output is saved to a file)
1.        
Hostname, OS version, system info, list of software installed
·         Psinfo –h –s –d > targethost\psinfo-hsd.txt
2.        
System info
·         Systeminfo > targethost\systeminfo.txt
3.        
Current system date
·         Date /t > targethost\date.txt
4.        
Current system time
·         Time /t > targethost\time.txt
5.        
Registry dump
·         Regedit /E targethost\registry.txt
6.        
Current IP address
·         Ipconfig /all > targethost\ipconfig.txt
·         Awatch /stab targethost\awatch.txt
·         Networkinterfacesview targethost\networkinterfacesview.csv

7.        
Running current process list
·         Pslist –t > targethost\pslist-d.txt
·         Pslist –x > targethost\pslist-x.txt
8.        
Current network connection list
·         Netstat –anb > targethost\netstat-anb.txt
·         Netstat –anr > targethost\netstat-anr.txt
·         Tcpvcon –an > targethost/tcpvcon-an.txt
·         Cports.exe /scomma targethost\cports.csv
9.        
Current list of current logon sessions
·         Psloggedon > targethost\psloggedon.txt
10.    
List of auto start applications
·         Autorunsc –a –c > targethost\autorunsc.csv
11.    
Environment variables
·         Set > targethost\set.txt
12.    
List of services
·         Psservice > targethost\psservice.txt
13.    
System event log records
·         Psloglist –x > targethost\psloglist-x.txt
14.    
Last user activity records
·         Lastactivityview /scomma  targethost\lastactivityview.csv
15.    
Windows turn on/off time records
·         Turnontimesview /scomma  targethost\turnontimesview.csv
16.    
Windows user login/logoff records
·         Winlogonview /scomma  targethost\winlogonview.csv
17.    
List of installed software
·         Myuninst /stab targethost\myuninst.csv
18.    
List of loaded dlls
·         Listdlls > targethost\listdlls.txt
19.    
List of user accounts
·         Net user > targethost\net-user.txt
·         Userprofilesview /scomma  targethost\userprofilesview.csv
20.    
Browser history
·         IE
·         Mozilla
·         Chrome
·         Opera
·         Safari
·         Iecacheview /stab  targethost\iecacheview.csv
·         Iehv /stab targethost\iehv.csv
·         Mozillacacheview /scomma targethost\mozillacacheview.csv
·         Mozillahistoryview /scomma targethost\mozillahistoryview.csv
·         Mzcv /stab targethost\mzcv.csv
·         Chromecacheview /scomma targethost\chromecacheview.csv
·         Chromehistory /scomma targethost\chromehistoryview.csv
·         Chromecookiesview /scomma targethost\chromecookiesview.csv
·         Operacacheview /scomma targethost\operacacheview.csv
·         Safarihistoryview /scomma targethost\safarihistoryview.csv
·         Safaricacheview /scomma targethost\safaricacheview.csv
21.    
Using Redline Comprehensive Collector tool to acquire full memory dump, page file data, running processes, registry data etc.
·         Runredlineaudit.bat

Have fun!

Oh wait... what are the advantages of running (carefully) "untrusted" binaries as well?
By comparing the output of trusted binaries vs untrusted binaries, it may give us some clues that the "untrusted binaries" had been modified or "rookitted". We then can analyse this binary in order to track down other malicious binaries  that might get installed on the system as well.