Red Hat Linux 8.0: The Official Red Hat Linux Security Guide

Chapter 11. Incident Response
Investigating the Incident

Investigating a computer breach is like investigating a crime
scene. Investigators collect evidence, note any strange clues, and take
inventory of loss and damage. Analysis of a computer compromise can either
be live (as the attack is happening) or
post-mortem (after the attack).

Although it is unwise to trust any system log files on an exploited
system, there are other forensic utilities to aid in the analysis.
The purpose and features of these tools vary, but they commonly create
bit-image copies of media, correlate events and processes, show low
level filesystem information, and recover deleted files whenever
possible.

Collecting an Evidential Image

Creating a bit-image copy of media is a feasible first step. If
performing data forensic work, it is a requirement. It is recommended
to make two copies: one for analysis and investigation, and a second
to be stored along with the original as evidence in any legal
proceedings. You can use the dd command that is part of the
fileutils package in Red Hat Linux. Suppose there is a
single hard drive from a system you want to image. Attach that drive
as a slave to your system, and then use dd to
create the image file, as in the following:

    dd if=/dev/hdd bs=1k conv=noerror of=/home/evidence/image1

This command creates a single file named image1
using a 1k block size for speed. The conv=noerror
option forces dd to continue reading and dumping data
even if bad sectors are encountered on the suspect drive. It is now
possible to study the resulting image file, or even attempt to recover
deleted files.

Gathering Post-Breach Information

The topic of digital forensics and analysis itself is quite broad,
yet the tools are mostly architecture specific and cannot be applied
generically. However, incident response, analysis, and recovery are
important topics. With proper knowledge and experience, Red Hat Linux can be
an excellent platform for performing these types of analysis, as it
includes several utilities for performing post-breach response and
restoration. Table 11-1 details some
commands for file auditing and management. It also lists some examples
that you can use to properly identify files and file attributes, such
as permissions and access dates, so that you can collect further
evidence or items for analysis. These tools, when combined with
intrusion detection systems, firewalls, hardened services, and other
security measures, can help in reducing the potential damage when an
attack occurs.

Note: For detailed information about each tool, refer to their
respective manual pages.
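The imaging step from Collecting an Evidential Image above, carried through as an added shell example that is not part of the guide: it makes the two copies the text recommends and hashes source and copies with md5sum so the copies can be shown to match the original medium. The source path and output directory are assumed parameters; a constructed 4 KiB file stands in for /dev/hdd so the script runs offline. The conv=noerror,sync form goes beyond the page: the guide's conv=noerror keeps dd reading past bad sectors, and adding sync pads each unreadable block with NULs so the image keeps the same offsets as the medium instead of silently shrinking.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): image a source medium with
# dd as the section describes, make the two recommended copies, and hash
# all three so the copies can be shown to match the source.

# image_media SOURCE OUTDIR
#   Writes OUTDIR/image1 (working copy) and OUTDIR/image2 (evidence copy),
#   records MD5 sums of the source and both images in OUTDIR/sums.txt and
#   returns 0 only when all three sums agree.
image_media() {
    src="$1"
    outdir="$2"
    mkdir -p "$outdir"

    # conv=noerror keeps dd reading past unreadable sectors, as in the
    # guide; sync (added here) pads each failed block to bs with NULs so
    # offsets in the image still line up with the original medium.
    # bs must divide the medium size exactly, or the last block is padded
    # and the source hash will not match (bs=512 is safe for any block
    # device; 1k is kept here to follow the guide).
    dd if="$src" of="$outdir/image1" bs=1k conv=noerror,sync 2>/dev/null

    # The evidence copy is a second independent read of the source medium,
    # not a copy of image1.
    dd if="$src" of="$outdir/image2" bs=1k conv=noerror,sync 2>/dev/null

    # Hash the original and both copies; the sums file is itself part of
    # the evidence record.
    md5sum "$src" "$outdir/image1" "$outdir/image2" > "$outdir/sums.txt"

    # All three digests (first field of each md5sum line) must be identical.
    distinct=$(cut -d' ' -f1 "$outdir/sums.txt" | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 1 ]
}

# make_sample_media FILE
#   Constructed stand-in for the suspect drive: 4 KiB of deterministic
#   content, a whole number of 1k blocks so sync padding changes nothing.
make_sample_media() {
    dd if=/dev/zero bs=1k count=4 2>/dev/null | tr '\0' 'A' > "$1"
}

# Stand-alone demonstration on the constructed sample.
workdir=$(mktemp -d)
make_sample_media "$workdir/suspect-disk.bin"
if image_media "$workdir/suspect-disk.bin" "$workdir/evidence"; then
    echo "image1 and image2 match the source medium:"
    cat "$workdir/evidence/sums.txt"
else
    echo "WARNING: image sums do not match the source medium" >&2
fi
rm -rf "$workdir"
```

In practice the source would be the attached drive (for example /dev/hdd as in the guide) and the output directory a filesystem with enough free space for two full images; sums.txt should be stored with the evidence copy.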
Table 11-1. File Auditing Tools

| Command | Function | Example |
|---|---|---|
| dd | Creates a bit-image copy (or disk dump) of files and partitions. Combined with a check of the md5sums of each image, administrators can compare a pre-breach image of a partition or file with a breached system to see if the sums match. | dd if=/bin/ls of=ls.dd && md5sum ls.dd > ls-sum.txt |
| grep | Finds useful string (text) information on and inside files and directories, such as permissions, script changes, file attributes, and more. Used mostly as a piped command after another command such as ls, ps, or ifconfig. | ps auxw \| grep /bin |
| strings | Prints the strings of printable characters in a file. It is most useful for auditing executables for anomalies such as mail commands to unknown addresses or logging to non-standard log files. | strings /bin/ps \| grep 'mail' |
| file | Determines the characteristics of files based on format, encoding, libraries that they link (if any), and file type (binary, text, and more). Useful for determining whether an executable such as /bin/ls has been modified using static libraries, a sure sign that a modification has occurred. | file /bin/ls |
| find | Searches directories for particular files. find is a useful tool for searching the directory structure by keyword, date and time of access, permissions, and more. This can be useful for administrators who perform general system audits of particular directories or files. | find -atime +12 -name '*log*' -perm u+rw |
| stat | Displays various information about a file, including time last accessed, permissions, UID and GID bit settings, and more. Useful for checking when a breached system executable was last used and/or when it was modified. | stat /bin/netstat |
| md5sum | Calculates the 128-bit checksum using the MD5 hash algorithm. You can use the command to create a text file that lists all crucial executables that could be modified or replaced in a security compromise. Redirect the sums to a file to create a simple database of checksums, and then copy the file onto a read-only medium such as CD-ROM. | md5sum /usr/bin/gdm >> md5sum.txt |
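The "simple database of checksums" that the md5sum row describes, together with the find, stat and file checks from the same table, as an added shell example that is not the guide's own code: it builds a baseline of MD5 sums for every file under a directory, later checks a possibly breached copy of that directory against the baseline, and reports files that were modified, removed, or newly added. The directory and baseline paths are assumed parameters; a constructed directory of fake executables and a simulated tampering step are used so it runs offline. In real use the baseline file goes onto read-only media, as the table says, and the checked directory can be a dd image mounted read-only.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): md5sum baseline database,
# verification against it, and stat/file reporting on anything flagged.

# build_baseline DIR OUTFILE
#   Writes "md5  ./relative-path" lines for every regular file under DIR.
#   Relative paths let the same baseline be checked against a copy of the
#   tree mounted elsewhere (for example a mounted evidence image).
build_baseline() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -exec md5sum {} + | sort -k2 ) > "$out"
}

# verify_baseline DIR BASELINE
#   Prints one line per discrepancy: the path of each file whose sum
#   differs from the baseline or that can no longer be read, and
#   "path (not in baseline)" for files that were not present when the
#   baseline was taken. Returns 0 when nothing changed, 1 otherwise.
verify_baseline() {
    dir="$1"
    base=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    report=$(
        cd "$dir" || exit 1
        # md5sum -c prints "path: FAILED" (or "FAILED open or read") for
        # every mismatch; --quiet suppresses the OK lines.
        md5sum -c --quiet "$base" 2>/dev/null | sed -n 's/: FAILED.*//p'
        # Files present now but absent from the baseline.
        known=$(mktemp); now=$(mktemp)
        sed 's/^[0-9a-f]*  //' "$base" | sort > "$known"
        find . -type f | sort > "$now"
        comm -13 "$known" "$now" | sed 's/$/ (not in baseline)/'
        rm -f "$known" "$now"
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# describe_file FILE
#   What the stat and file rows of Table 11-1 are used for on a flagged
#   file: ownership, mode, last modification and access times, and the
#   file type (a statically linked binary where a dynamic one is expected
#   is the warning sign the guide mentions). stat -c is GNU coreutils.
describe_file() {
    stat -c '%n mode=%a uid=%u gid=%g mtime=%y atime=%x' "$1"
    command -v file >/dev/null 2>&1 && file "$1"
}

# make_sample_bin_dir DIR
#   Constructed stand-in for a directory of crucial executables.
make_sample_bin_dir() {
    mkdir -p "$1"
    for name in ls ps netstat; do
        printf 'constructed placeholder for /bin/%s\n' "$name" > "$1/$name"
    done
}

# tamper DIR
#   Simulated compromise of the sample: one executable changed, one
#   unexpected file dropped into the directory.
tamper() {
    printf 'replaced contents\n' >> "$1/ps"
    printf 'dropped file\n' > "$1/.hidden"
}

# Stand-alone demonstration on the constructed sample.
workdir=$(mktemp -d)
make_sample_bin_dir "$workdir/bin"
build_baseline "$workdir/bin" "$workdir/md5sum.txt"
tamper "$workdir/bin"
if verify_baseline "$workdir/bin" "$workdir/md5sum.txt"; then
    echo "no changes against baseline"
else
    echo "--- details of the modified file:"
    describe_file "$workdir/bin/ps"
fi
rm -rf "$workdir"
```

The verification deliberately runs from a baseline file whose path is resolved before changing directory, so it can live on a CD-ROM mount or another read-only location rather than in the tree being checked.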
Disclaimer: For the authoritative source or latest update to this
documentation, please refer to http://www.redhat.com/docs/manuals/linux/