Difference between revisions of "Security Forensics"

From GridPP Wiki
Jump to: navigation, search
 
(No difference)

Latest revision as of 08:39, 21 May 2013

NOTE: UNDER CONSTRUCTION


Order of volatility

  1. CPU cache and registers
  2. Memory
  3. Swap
  4. Disk
  5. Archived media

Links

Filesystem Capture

Filesystem Analysis

The Sleuth Kit is a widely support open source forensics toolkit. It is available to download. A branch supporting ext4fs is available on github.
These include the following groups of tools.

  • mm - partition information
    • mmls - display partition table (eg fdisk)
    • mmcat - dump contents of partition (eg dd)
    • mmstat - identifies partition table type (eg file)
  • j - journal information
    • jls - list journal contents
    • jcat - dump journal block
  • f - file information
    • fsstat - display information about the filesystem (eg dumpe2fs)
    • fls - display file listing. (eg ls but with deleted files)
      • -l display time information
      • -d just show deleted files
      • -r recurse
  • i - inode information
    • ils - list inodes. By default only lists removed files (eg ls -i)
    • icat - dump file based on inode
    • ifind - find metadata structure given disk unit or filename
    • istat - display statistics about given inode (mac
  • blk - data block information
    • blkls - lists datablocks
    • blkcat - dumps section of image (eg dd)
    • blkstat - displays details of a datablock


  • Example
    • Take copy of disk or specific volume (eg /dev/mapper/VolGroup-NNN)
dd if=/dev/sdN of=image
or
blkls -e /dev/sdN > image 
    • List root directory
fls image
    • List specific directory (inode)
fls image 12345
    • Extract metadata (descending from directory/inode)
fls -dr -m / image 12345 > metadata.dump </ptr>
** Generate timeline
<pre>mactime -b metadata.dump > macdata.txt
    • Recover contents of, possibly deleted, file given inode
icat image 12345 > interestingfile

File Analysis

Network Capture

Network Analysis

Memory Capture

On modern (2.6.27) the STRICT_DEVMEM option restricts access to /dev/mem. Third party software is required to gain a dump of kernel memory. Some additional configuration on the host is therefore required. Details of all interaction with the host should be logged.

LiME

Source code available at LiME

LiME allows you to specific the output file as either a local file or network socket.

Compile the kernel module on another machine with an identical kernel version/architecture. Install the module specifying the disk or tcp egress method.

[root@local]# insmod lime-2.6.32-279.el6.x86_64.ko “path=/mnt/usb/memory.dump format=lime”

or

[root@local]# insmod lime-2.6.32-279.el6.x86_64.ko "path=tcp:4444 format=lime"

[root@remote]# nc local 4444 > memory.dump

The tcp version has the advantage of not requiring any locally mounted storage. It however listens on 0.0.0.0 so precautions should be taken to ensure only authorised users can access this port.

The "lime" format prepends a header providing address space information which can be utilised by analysis tools. It also allows you to verify that the memory dump is complete and makes the memory dump more compact.

Using KProbes

A description of an alternative method making use of KProbes to allow access to /dev/mem. KProbes are used to change the behaviour of the devmem_is_allowed() routine so that it always returns true. This allows you to use dd to read /dev/mem like you would any other device.

[root@local]# insmod kretprobe-bypass-devmem_is_allowed.ko
[root@local]# dd if=/dev/mem of=/mnt/usb/memory.dump

or

[root@local]# insmod kretprobe-bypass-devmem_is_allowed.ko
[root@local]# dd if=/dev/mem | nc remote 4444

Note: The memory dump contains sensitive information and should be carefully protected. Memory dumps should only be transferred in the clear over trusted local networks and they should be secured with appropriate access permissions when stored on analysis/collection infrastructure.

Memory Analysis

One of the most widely used tool for Windows memory forensics is Volatility. The 2.2 version has support for analysing Linux memory images, including those stored in the LiME format. Details of how to install and configure volatility with linux support are available on their wiki page.