Red Hat Linux 9: Red Hat Linux Security Guide

Chapter 10. Incident Response
10.4. Investigating the Incident

Investigating a computer breach is like investigating a crime scene. Detectives collect evidence, note any strange clues, and take inventory of loss and damage. An analysis of a computer compromise can be done either as the attack is happening or post-mortem (after the attack).

Although it is unwise to trust any system log files on an exploited system, there are other forensic utilities to aid in your analysis. The purpose and features of these tools vary, but they commonly create bit-image copies of media, correlate events and processes, show low-level file system information, and recover deleted files whenever possible.

10.4.1. Collecting an Evidential Image

Creating a bit-image copy of media is a feasible first step. If
performing data forensic work, it is a requirement. It is recommended
to make two copies: one for analysis and investigation, and a second
to be stored along with the original for evidence in any legal
proceedings. You can use the dd command that is part of the
fileutils package in Red Hat Linux to create a monolithic
image of an exploited system as evidence in an investigation or for
comparison with trusted images. Suppose there is a single hard drive from a system you want to image. Attach that drive as a slave to your system, and then use dd to create the image file, such as the following:

```
dd if=/dev/hdd bs=1k conv=noerror,sync of=/home/evidence/image1
```

This command creates a single file named image1 using a 1k block size for speed. The conv=noerror,sync options force dd to continue reading and dumping data even if bad sectors are encountered on the suspect drive (noerror continues past read errors, and sync zero-pads the short block so the image keeps the same offsets as the source). It is now possible to study the resulting image file, or even attempt to recover deleted files.

10.4.2. Gathering Post-Breach Information

The topic of digital forensics and analysis itself is quite broad,
yet the tools are mostly architecture-specific and cannot be applied generically. However, incident response, analysis, and recovery are important topics. With proper knowledge and experience, Red Hat Linux can be an excellent platform for performing these types of analysis, as it includes several utilities for performing post-breach response and restoration. Table 10-1 details some commands for file auditing and management. It also lists some examples that can be used to properly identify files and file attributes (such as permissions and access dates) so that you can collect further evidence or items for analysis. These tools, when combined with intrusion detection systems, firewalls, hardened services, and other security measures, can help in reducing the potential damage when an attack occurs.

| Note |
|---|
| For detailed information about each tool, refer to their respective manual pages. |
| Command | Function | Example |
|---|---|---|
| dd | Creates a bit-image copy (or disk dump) of files and partitions. Combined with a check of the md5sums of each image, administrators can compare a pre-breach image of a partition or file with a breached system to see if the sums match. | `dd if=/bin/ls of=ls.dd; md5sum ls.dd > ls-sum.txt` (run md5sum after dd has finished, not in a pipeline, so it hashes the completed copy) |
| grep | Finds useful string (text) information on and inside files and directories such as permissions, script changes, file attributes, and more. Used mostly as a piped command of another command such as ls, ps, or ifconfig. | `ps auxw \| grep /bin` |
| strings | Prints the strings of printable characters in a file. It is most useful for auditing executables for anomalies such as mail commands to unknown addresses or logging to a non-standard log file. | `strings /bin/ps \| grep 'mail'` |
| file | Determines the characteristics of files based on format, encoding, libraries that it links (if any), and file type (binary, text, and more). It is useful for determining whether an executable such as /bin/ls has been modified using static libraries, which are a sure sign that the executable has been replaced with one installed by a malicious user. | `file /bin/ls` |
| find | Searches directories for particular files. find is a useful tool for searching the directory structure by keyword, date and time of access, permissions, and more. This can be useful for administrators who perform general system audits of particular directories or files. | `find -atime +12 -name '*log*' -perm u+rw` (quote the pattern so the shell does not expand it first) |
| stat | Displays various information about a file, including time last accessed, permissions, UID and GID bit settings, and more. Useful for checking when a breached system executable was last used and/or when it was modified. | `stat /bin/netstat` |
| md5sum | Calculates the 128-bit checksum using the md5 hash algorithm. You can use the command to create a text file that lists all crucial executables that could be modified or replaced in a security compromise. Redirect the sums to a file to create a simple database of checksums and then copy the file onto a read-only medium such as CD-ROM. | `md5sum /usr/bin/gdm >> md5sum.txt` |

Table 10-1. File Auditing Tools
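A worked example of the imaging step from Section 10.4.1 together with the md5sum checksum database described in Table 10-1, added here and not taken from the Red Hat guide. It uses a constructed temporary file in place of /dev/hdd and a constructed directory in place of the system binaries, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Images a constructed stand-in
# for the suspect drive with the guide's dd options, verifies the image,
# then builds and checks a md5sum baseline of "crucial executables".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 10.4.1: bit-image copy. conv=noerror,sync keeps dd reading past bad
# sectors and zero-pads short reads so the image stays aligned with the
# source. Returns 0 only if the image hashes the same as its source.
image_drive() {            # $1 = source device/file, $2 = image file
    dd if="$1" bs=1k conv=noerror,sync of="$2" 2>/dev/null
    src_sum=$(md5sum "$1" | cut -d' ' -f1)
    img_sum=$(md5sum "$2" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ]
}

# Table 10-1, md5sum row: record the sums of every file under a directory
# (this is the file you would copy to read-only media) ...
build_baseline() {         # $1 = directory of binaries, $2 = baseline file
    (cd "$1" && find . -type f -exec md5sum {} + | sort -k2) > "$2"
}
# ... and later print the names of files whose sums no longer match.
verify_baseline() {        # $1 = directory, $2 = baseline file
    (cd "$1" && md5sum -c "$2" 2>/dev/null) | sed -n 's/: FAILED$//p'
}

# Constructed 64 KiB "drive" (the guide images /dev/hdd). Its size is a
# multiple of bs, so sync padding does not alter the tail of the image.
SRC="$WORK/suspect.img"; IMG="$WORK/image1"
dd if=/dev/urandom of="$SRC" bs=1k count=64 2>/dev/null
image_drive "$SRC" "$IMG" && echo "image verified: $IMG"

# Constructed binaries directory: baseline it, then replace one file the
# way a trojaned /bin/ls would be, and let the baseline catch it.
BIN="$WORK/bin"; BASE="$WORK/md5sum.txt"
mkdir "$BIN"
printf 'original ls\n' > "$BIN/ls"
printf 'original ps\n' > "$BIN/ps"
build_baseline "$BIN" "$BASE"
printf 'replaced ls\n' > "$BIN/ls"
verify_baseline "$BIN" "$BASE"      # prints ./ls
```

On a real drive the baseline must be built before the breach and kept off the suspect system; a source that is not a whole number of 1k blocks will hash differently from its image because conv=sync pads the final block.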
Disclaimer: For authoritative source or latest update to this documentation, please refer to http://www.redhat.com/docs/manuals/linux/