There are many ways in which you can use find in incident-response forensics. For example, if you suspect that an intruder broke in by exploiting SUID or SGID files, you can use find to locate all these files (as shown in Listing C) by looking for any log file that references the SUID (2000) or SGID (4000) permission bits. An even better use is to find all these files in advance and dump the output into a log file. You can then check this list by running new find commands from time to time and using the diff command to compare the two log files. By doing this, you'll see whether anyone, possibly an intruder, installed new SUID or SGID files. You would use diff to examine two log files by issuing this command: diff suid_gid_logfile1 suid_gidlogfile2. Typically, the SUID and SGID file list shouldn't change. If you see additions, examine any new files from the SUID and SGID list and determine whether they should be there. You can also use find to look for world-writable files, because these files are also often exploited. To look for all the world-writable files, run find as shown in Listing D. This list shouldn't change much after your system is in production, so I recommend saving this log file and using diff to determine whether any changes occur. Running diff on the log file outputs (e.g., diff worldwrite_logfile1 worldwrite_logfile2) will tell you if new, world-writable log files have been installed after the system has gone into production. You can also build these commands into shell scripts and set up cron to run them on a nightly basis to determine whether new SUID, SGID, or world-writable files have mysteriously appeared. Use dd to preserve the evidence
The dd utility, a Unix command for dumping data, has been a part of almost every Unix-based operating system for as long as I can remember. Use the dd utility when you want to preserve evidence and create a forensic disk image without changing timestamps or anything else. First, figure out where you're going to dump the image; a writable CD or another disk are the most likely places. Various syntaxes for dd exist, but a typical command-line version of it looks like the example in Listing E. The above command would tell your system to copy crime-scene partition /dev/hd1 to a disk image called evidence.img. In the command, the bs switch specifies the block size of the files being transferred, and count tells the system how many blocks to transfer. If you're transferring the evidence image to a CD (CDs can hold 660 MB), set the count to something less than 660 to be sure that you don't accidentally overwrite information to the CD. You can then take the image and burn it on the CD. CDs might be preferable over hard drives, since they're easier to send in the mail and not susceptible to magnetic interference. If you have a 6-GB drive, you'll need to run through a series of dd commands that chops the evidence into images that will fit on a set of CDs. If you're counting by 600-MB blocks, tell dd to skip the 600 block you already copied and copy the next bunch of 600 blocks. To do that, use the skip switch and increment it by 600 each time, as shown in Listing F. Grep, egrep and awk find 0 UID and GID accounts other than root
You'll want to look for root accounts that might not look like root accounts. Often, intruders set up new accounts with root access that aren't associated with the root name. To find these accounts, use the command shown in Listing G. From the output of the command in Listing F, look for nonroot accounts that have 0 UID privileges. These accounts will give you clues about where some of the damage might have been inflicted. Once you locate these 0 UID and 0 GID accounts, you can poke around in their directories for hacker root kits and other malicious tools. What next?
Figuring out who cracked your network is only part of the battle. After you have gathered all the information you can find, you must report the activity to the right institution. When you find you have been cracked and you're able to gather the necessary information, report the criminal. The more of these cracks that are reported, the better the chances that something can be done to stop them.
Have your say instantly in the
Tech Update forum. Find out what's where in the new Tech Update with our
Guided Tour. Let the editors know what you think in the
Mailroom.
Tech Update forum. Find out what's where in the new Tech Update with our
Guided Tour. Let the editors know what you think in the
Mailroom.
