Unix/linux System Forensics Information collection case

Source: Internet
Author: User
Tags oracle solaris

In Unix/Linux system forensics, timely collection of hard disk information is very important. The book "Unix/Linux Network Log Analysis and Traffic Monitoring" discusses in detail a variety of common methods for acquiring system processes, system calls and image files. Here are a few examples.

1. Collecting running processes

In Unix/Linux forensics, much system and network information is short-lived: it exists for a moment and then is gone. How can such clues be captured accurately? Security personnel need a keen eye and a wealth of experience. The following examples illustrate several common methods.

First, start a listening process on the collection host:

# nc -l -p 10005 > ps_lsof_log

After you enter this command, the collection host opens port 10005 and waits to receive data. Then run the corresponding ps commands on the other host, the one being investigated:

# (ps aux; ps auxeww; lsof) | nc 192.168.150.100 10005 -w 3

After a few seconds the command prompt returns. Note that the two commands are paired: once the data has been sent and received, the listening port is closed. If you do not open the listening port a second time, sending the ps data again produces a "connection refused" error:

# (ps aux; ps auxeww; lsof) | nc 192.168.150.109 10005 -w 3

(UNKNOWN) [192.168.150.109] 10005 (?) : Connection refused

Of the commands above, some produce long output and some produce short output; all of it is collected as evidence. So which commands can be used to gather information about running processes?

For example:

  • who;

  • uptime;

  • ps (view the memory addresses of processes: ps -ealf);

  • top;

  • lsof (view the files opened by a process: lsof -p PID);

  • strace (trace the system calls and signals of a process: strace -p PID);

  • truss;

  • ltrace (trace the library calls of a process: ltrace -p PID), and so on.
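As an added example (this is not code from the original post or from the book it cites), the following POSIX shell script runs the commands listed above into one evidence directory, one output file per command, and records each command's exit status and the SHA-256 of its output in a manifest, so the collection can be verified after it is copied off the host. The command set, the directory layout and the helper names (cmd_for, collect_volatile, manifest_field, manifest_entries, send_bundle) are this example's own choices; a command that is not installed on the examined host is recorded as MISSING instead of aborting the collection.

```sh
#!/bin/sh
# Added example (not from the original post): gather the volatile process
# information listed above into one directory, then hash every file so the
# evidence can be verified after it has been copied off the host.

# Short names of the commands to run, in this order. Cheap snapshots first:
# the longer the collection takes, the more the process table drifts.
VOLATILE_CMDS="date uptime who ps_aux ps_ealf top lsof"

# Map a short name to its command line (POSIX sh has no arrays).
cmd_for() {
    case "$1" in
        date)    echo "date -u" ;;          # timestamp of the collection itself
        uptime)  echo "uptime" ;;
        who)     echo "who" ;;
        ps_aux)  echo "ps auxeww" ;;        # wide output including environment
        ps_ealf) echo "ps -ealf" ;;         # addresses and parent PIDs
        top)     echo "top -b -n 1" ;;      # one batch-mode snapshot (procps/busybox)
        lsof)    echo "lsof -n -P" ;;       # open files, no DNS or port lookups
        *)       return 1 ;;
    esac
}

# SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no-sha256-tool"
    fi
}

# Run every command into DIR/<name>.txt and append a tab-separated manifest
# line: name, exit status (or MISSING), sha256, command line.
# Prints the manifest path.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    manifest="$outdir/MANIFEST"
    : > "$manifest"
    for name in $VOLATILE_CMDS; do
        cmdline=$(cmd_for "$name") || continue
        tool=${cmdline%% *}
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s\tMISSING\t-\t%s\n' "$name" "$cmdline" >> "$manifest"
            continue
        fi
        outfile="$outdir/$name.txt"
        # Keep stderr together with stdout: an error message is evidence too.
        if $cmdline > "$outfile" 2>&1; then status=0; else status=$?; fi
        printf '%s\t%s\t%s\t%s\n' "$name" "$status" "$(sha256_of "$outfile")" "$cmdline" >> "$manifest"
    done
    printf '%s\n' "$manifest"
}

# Field N (1-based) of the manifest line for NAME: manifest_field NAME N MANIFEST
manifest_field() {
    awk -F'\t' -v name="$1" -v f="$2" '$1 == name { print $f }' "$3"
}

# Number of manifest entries.
manifest_entries() {
    awk 'END { print NR }' "$1"
}

# Ship the whole directory to the collection host, pairing with a listener
# started there first with:  nc -l -p PORT > bundle.tar
send_bundle() {
    tar -C "$1" -cf - . | nc "$2" "$3" -w 3
}

# Stand-alone use: ./collect.sh /tmp/evidence [collector-ip port]
if [ "${1:-}" ]; then
    m=$(collect_volatile "$1")
    cat "$m"
    [ "${3:-}" ] && send_bundle "$1" "$2" "$3"
fi
```

The listener syntax follows the post (nc -l -p PORT, as in netcat-traditional); the OpenBSD nc shipped with many current distributions takes the port without -p (nc -l PORT). As the post notes, the listener exits after one connection, so start a fresh one before every send.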


2. System call viewing tools under Linux


As with tampering with system files, a Trojan horse may fool a junior administrator at the console, but once you go down to the system level the Trojan reveals its true form. strace is commonly used to trace the system calls executed and the signals received by a process. On Linux a process cannot access hardware devices directly; when it needs to (for example to read a disk file or receive network data), it must switch from user mode to kernel mode and access the device through a system call. A system call (syscall) is one of a series of very powerful functions provided by the kernel: they are implemented in the kernel and then exposed to user space in a defined way. strace can trace the system calls generated by a process, including their parameters, return values and the time spent executing them. The application of strace in this book is shown in case study one of this chapter.


3. System call viewing tools under UNIX


DTrace is a dynamic tracing tool for the UNIX platform, developed by Sun to dynamically trace the kernel and user applications and, of course, to identify system bottlenecks. After Oracle acquired Sun, the technology was ported to Oracle Linux (see the announcement "DTrace for Oracle Linux General Availability").

This tool is available on both the Solaris and OpenSolaris platforms.


4. Application examples


① List the DTrace probes available on the current system:

# dtrace -l | more


② Usually we look at the status of the Firefox process on the system with the following command:

# ps -e | grep firefox

DTrace probes can also be used to look at it, as follows:

[Figure 6-18]

To see how busy the machine is, vmstat is commonly used; here it shows more than 2535 system calls being made. But how do you find which process is responsible? A simple way is to use the dtrace tool.

[Figure 6-19]

From the last line it is obvious that firefox-bin is the program generating a large number of system calls. Next, look at the I/O size distribution; for the Firefox process, for example, enter the following command:

[Figure 6-120]

From the display above you can observe that a large part of the I/O generated by Firefox is between 8 and … bytes. Next, to take a deeper look inside the Firefox program, enter the following command:

[Figure 6-121]

Compared with truss, Solaris's legacy system call tracing tool, DTrace is powerful and precise; it is worth noting that truss sometimes costs the system 25%~30% of its CPU utilization.
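Because the DTrace commands behind the screenshots above are not legible, here is an added example (not code from the original post) of the two standard syscall-provider one-liners that answer this section's questions, wrapped in a POSIX shell script: which process generates the most system calls, and what the size distribution of one program's write(2) calls looks like. The helper top_syscallers, the function names and the sample aggregation output are this example's own constructions; the sample imitates the page's figure (firefox-bin with 2535 calls) and is not real captured data. The dtrace functions need a Solaris or Oracle Linux host with DTrace and root privileges; the helper runs anywhere.

```sh
#!/bin/sh
# Added example (not from the original post): DTrace syscall-provider
# one-liners for the two questions above, plus a helper that ranks the
# aggregation output DTrace prints. DTrace prints aggregations in ascending
# order, which is why the busiest process sits on the last line of a figure.

# Count system calls per process for SECS seconds (default 5), then exit.
# The tick-Ns probe (profile provider) stops the trace; -q hides the header.
syscalls_by_process() {
    secs=${1:-5}
    dtrace -q -n '
        syscall:::entry  { @calls[execname] = count(); }
        tick-'"$secs"'s  { exit(0); }'
}

# Power-of-two histogram of the byte counts passed to write(2) by one
# program (arg2 of write is the requested length).
# Usage: write_sizes_of firefox-bin [secs]
write_sizes_of() {
    prog=$1
    secs=${2:-5}
    dtrace -q -n '
        syscall::write:entry /execname == "'"$prog"'"/ { @sizes[execname] = quantize(arg2); }
        tick-'"$secs"'s { exit(0); }'
}

# Read "execname  count" aggregation lines on stdin (blank and non-numeric
# lines are ignored) and print the N largest as "execname<TAB>count",
# largest first. Usage: ... | top_syscallers 3
top_syscallers() {
    n=${1:-3}
    awk 'NF == 2 && $2 ~ /^[0-9]+$/ { printf "%s\t%s\n", $1, $2 }' \
        | sort -k2,2nr | head -n "$n"
}

# Busiest process over a SECS-second window, as one "name<TAB>count" line.
busiest_process() {
    syscalls_by_process "${1:-5}" | top_syscallers 1
}

# Constructed sample in the format DTrace prints for @calls above (not real data).
SAMPLE_DTRACE_OUTPUT='
  sshd                                                              12
  vmstat                                                            41
  Xorg                                                             318
  firefox-bin                                                     2535
'

# Stand-alone use on a DTrace host: ./syscalls.sh --live [secs]
if [ "${1:-}" = "--live" ]; then
    busiest_process "${2:-5}"
fi
```

The tracing window is bounded by the tick probe, so the functions return on their own instead of waiting for Ctrl-C; keep the window short on a production system, since the syscall:::entry probe fires for every system call of every process.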


Further reading:

DTrace detailed usage documentation: http://docs.oracle.com/cd/E19253-01/819-6959/

Reference: "DTrace: Dynamic Tracing in Oracle Solaris, Mac OS X and FreeBSD"


5. Systrace


Another powerful out-of-the-box open source system call tool, systrace, is built into OpenBSD and can be installed separately on FreeBSD and Linux. The systrace tool can be used to prevent Trojan horse software from harming the system. In the example shown here, systrace detects a malicious Trojan script in a configuration in the fragroute-1.2 directory.

[Figure 6-122]

Systrace checking the Trojan

Systrace tool: http://www.citi.umich.edu/u/provos/systrace/systrace-1.6f.tar.gz


6. Collecting /proc information in the system

proc has accompanied the Linux kernel from the beginning. Early in the development of Linux it was mainly used for network-related purposes; later, to simplify system administration and debugging, it was gradually applied to other areas. Today proc has become one of the most widely used and most successful features of the Linux kernel. proc establishes virtual file nodes in memory; a user can access the information under proc directly with the standard file system calls, and when the user requests a /proc "file", its content is generated dynamically by the system. So proc is a virtual file system presented through the file system interface, and its data disappears when the system restarts or loses power. /proc also provides a structured interface to /dev/kmem, which makes it easy to diagnose the system and view the environment of each running executable. Each process in memory has a directory under /proc named after its process ID. If a process that is invisible in the ps output listed above appears in /proc, ps may have been trojaned (tampered with, and dangerous). We should therefore familiarize ourselves with proc, because an attacker may also tamper with the files under proc.
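The cross-check this paragraph describes, comparing the PIDs visible in /proc with those reported by ps, as an added POSIX shell example (not code from the original post). The function names pids_in_first_not_second, hidden_pids and describe_pid, and the PID lists used to exercise them, are this example's own constructions. It snapshots ps first and expands the /proc glob in the calling shell, so the script itself forks nothing between the two snapshots; a PID that is in /proc but not in ps is what the text calls a sign of a tampered ps, and the /proc entry's own cmdline and exe link say what it is.

```sh
#!/bin/sh
# Added example (not from the original post): list PIDs that have a /proc
# directory but do not appear in the output of ps. The text above treats
# such a process as a sign that ps may have been tampered with to hide it.

# Pure comparison, so it can be tested on constructed lists: print the PIDs
# of the first whitespace-separated list that are absent from the second,
# one per line, numerically sorted.
pids_in_first_not_second() {
    first=$1
    second=$2
    for p in $first; do
        found=0
        for q in $second; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$p"; fi
    done | sort -n
}

# Live check. ps is snapshotted first; the /proc glob is then expanded by
# this shell itself, so no helper process is forked between the two
# snapshots (a freshly forked helper would otherwise show up as "hidden").
# Prints nothing on a host without ps or without /proc.
hidden_pids() {
    command -v ps >/dev/null 2>&1 || return 0
    ps_pids=$(ps -eo pid= 2>/dev/null) || ps_pids=$(ps -o pid= 2>/dev/null) || return 0
    proc_pids=""
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue      # no /proc here, or the process just exited
        proc_pids="$proc_pids ${d#/proc/}"
    done
    pids_in_first_not_second "$proc_pids" "$ps_pids"
}

# What /proc itself says about a PID: the executable the exe link points to
# and the command line (NUL-separated in /proc/PID/cmdline).
describe_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
    printf '%s\t%s\t%s\n' "$pid" "${exe:-?}" "${cmd:-?}"
}

# Stand-alone use: ./hidden.sh --run  (prints one line per hidden PID)
if [ "${1:-}" = "--run" ]; then
    for pid in $(hidden_pids); do describe_pid "$pid"; done
fi
```

Run it from a known-good shell and, where possible, with a ps binary copied from trusted media: the comparison is only as honest as the less-tampered side. A kernel-level rootkit can hide the /proc entry as well, in which case this check stays silent and the /proc listing collected over nc in the next commands should be compared against a snapshot taken from outside the host.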


[Figure 6-123]


The following shows how to collect the proc process list over the network with the nc command. To collect the proc process list, the following two commands are used:

# nc -l -p 10006 > proc_log

# ls -d /proc/[1-9]* | nc 192.168.0.2 10006 -w 3


A preview of the next case: the nc command can play a key role in network forensics, and in the network security incident analysis that follows, nc plays exactly such a role.


[Figure 6-124]



This article is from the "Lee Chenguang Original Technology blog" blog, please be sure to keep this source http://chenguang.blog.51cto.com/350944/1790630
