
A case of Information Collection in Forensics in UNIX/Linux system

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--


In UNIX/Linux system forensics it is very important to collect hard disk and system information promptly. The book "Unix/Linux Network Log Analysis and Traffic Monitoring" discusses in detail the common methods for capturing system processes, system calls and disk images. Here are a few simple examples.

1. Collect running processes

In UNIX/Linux forensics, much of the system and network state exists only briefly and is quickly lost. How do you capture these clues accurately? Network security personnel need keen observation and a good deal of experience. Here are several common methods.

First, start a listening process on the collection host:

# nc -l -p 10005 > ps_lsof_log

After executing this command and pressing Enter, the system opens port 10005 and waits for a connection. Then run the appropriate ps commands on the other host, the one under investigation:

# (ps aux; ps auxeww; lsof) | nc 192.168.150.100 10005 -w 3

You return to the command prompt a few seconds later. It is important to note that the two commands must be used in pairs: the listener closes its port once it has received the data. If you do not start the listening process a second time, sending ps data again results in a refused connection:

# (ps aux; ps auxeww; lsof) | nc 192.168.150.109 10005 -w 3

(UNKNOWN) [192.168.150.109] 10005 (?): Connection refused

Among the commands above, some produce long output and some short, and all of it should be preserved as evidence. So which tools can be used to collect information about running processes?

For example:

who

uptime

ps (check the memory addresses of processes: ps -ealf)

top

lsof (view files opened by a process: lsof -p PID)

strace (trace the system calls and signals of a process: strace -p PID)

truss

ltrace (trace the library calls of a process: ltrace -p PID), and so on.

2. System call viewing tools under Linux

Tricks such as tampering with system files or inserting * may fool a junior administrator at the console, but once you go down to the system call level they reveal their true colors. strace is commonly used to trace the system calls made and the signals received while a process executes. In a Linux system, processes cannot access hardware devices directly. When a process needs to access a hardware device (to read a disk file, receive network data, and so on), it must switch from user mode to kernel mode and go through a system call. A system call is one of a set of powerful functions provided by the kernel: they are implemented inside the kernel and exposed to user space through a defined interface. strace can trace the system calls issued by a process, including their parameters, return values and execution time. For the application of strace in this book, see case study 1 in this chapter.

3. System call viewing tools under UNIX

DTrace is a dynamic tracing tool for the Unix platform, developed by Sun. It can dynamically trace both the kernel and user applications, and of course it can also be used to find system bottlenecks. After Oracle acquired Sun, the technology was ported to Oracle Linux, where it continues to be developed (see the announcement "DTrace for Oracle Linux General Availability" for more).

This tool can be used on both the Solaris and OpenSolaris platforms.

4. Application example

① Display the DTrace probes available on the current system:

# dtrace -l | more

② Usually we look at the system's firefox process with the following command:

# ps -e | grep firefox

You can also view the probes with DTrace, as follows:

To check how busy or idle the machine is, vmstat is commonly used; it tells us that more than 2535 system calls are being generated. But how do you find out which process is responsible? Try the dtrace tool.

From the last line it is obvious that firefox-bin is the program generating a large number of system calls. Next, look at the I/O size distribution. For the firefox process, enter the following command.

The output shows that most of the I/O generated by Firefox is between 8 bytes and 64 bytes. To look more closely at what is happening inside the Firefox program, enter the following command.

DTrace is powerful and precise. By contrast, truss, the older system tracing tool under Solaris 10, has a cost worth noting: it can sometimes reduce the CPU available to the system by 25% to 30%.

Further reading:

Detailed DTrace documentation: http://docs.oracle.com/cd/E19253-01/819-6959/

Reference: "DTrace: Dynamic Tracing in Oracle Solaris, Mac OS X and FreeBSD"

5. Systrace

Another, more powerful open-source system call tool with an alerting function, systrace, is built into the OpenBSD system and can also be installed on FreeBSD and Linux. Systrace can be used to prevent * software from harming the system. In this example, shown in the figure below, Systrace detects a malicious script * in a configuration file under the fragroute-1.2 directory.

Systrace check *

Download address of Systrace tool: http://www.citi.umich.edu/u/provos/systrace/systrace-1.6f.tar.gz

6. Collect information from the /proc file system

proc has accompanied the Linux kernel from early on. At first it was mainly used for network-related information; later, to simplify system management and debugging, it was gradually extended to other areas, and today proc is one of the most widely used and successful features of the Linux kernel. proc creates virtual file nodes in memory, and users access the information under proc with the standard file system calls. When a user requests access to a "file" under /proc, its contents are generated dynamically by the system. proc is therefore a virtual file system implemented through the file system interface, and its data disappears when the system is rebooted or powered off. /proc also provides a structured interface to /dev/kmem, making it easy to diagnose the system and inspect the environment of each running executable. Every process in memory has a directory under /proc named after its process ID. If processes that do not appear in the ps output listed above show up in /proc, ps may have been trojanized (tampered with so that it hides malicious programs), so we need to be familiar with proc in order to work with the files under it.

The following shows how to collect the proc process list over the network with the nc command. To collect the proc process list, use the following two commands (the first on the collection host, the second on the host under investigation):

# nc -l -p 10006 > proc_log

# ls -d /proc/[1-9]* | nc 192.168.0.2 10006 -w 3
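As an added example (not part of the original article), the following script carries out the comparison described above: it takes the PID list that ps reports and the numeric directory names under /proc, prints the PIDs that the kernel exposes but ps does not show, and can stream both listings plus the verdict to a collection host with nc -w 3 as in the text. The collector host and port, the sample PID lists and the script name proc_vs_ps.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: PIDs present in /proc but absent from
# ps output suggest ps has been tampered with.

# hidden_pids PS_PIDS PROC_PIDS
# Both arguments are newline-separated PID lists. Prints the PIDs found in
# PROC_PIDS but not in PS_PIDS, sorted numerically, one per line.
hidden_pids() {
    printf '%s\n' "$1" "__SEP__" "$2" | awk '
        /^__SEP__$/   { in_proc = 1; next }   # switch from ps list to /proc list
        NF == 0       { next }                # ignore blank lines
        !in_proc      { seen[$0] = 1; next }  # remember every PID ps showed
        !($0 in seen) { print }               # /proc PID that ps never listed
    ' | sort -un
}

# PIDs as ps sees them: column 2 of "ps aux", header line skipped.
live_ps_pids() { ps aux | awk 'NR > 1 { print $2 }'; }

# PIDs as the kernel exposes them: the numeric directory names under /proc,
# the same listing the article ships over nc with "ls -d /proc/[1-9]*".
live_proc_pids() { ls -d /proc/[1-9]* 2>/dev/null | sed 's|^/proc/||'; }

# collect_and_send HOST PORT: take both snapshots as close together as
# possible and stream the raw listings plus the comparison to the collector.
# Processes that start or exit between the two snapshots also show up as
# differences, so review the result rather than treating it as proof.
collect_and_send() {
    ps_pids=$(live_ps_pids)
    proc_pids=$(live_proc_pids)
    {
        echo '== ps PIDs ==';              printf '%s\n' "$ps_pids"
        echo '== /proc PIDs ==';           printf '%s\n' "$proc_pids"
        echo '== in /proc, not in ps ==';  hidden_pids "$ps_pids" "$proc_pids"
    } | nc "$1" "$2" -w 3
}

# Constructed sample data: PID 4242 exists in /proc but ps does not show it.
SAMPLE_PS_PIDS='1
2
734
1201'
SAMPLE_PROC_PIDS='1
2
734
1201
4242'

# Compare this machine's own ps and /proc when run as: sh proc_vs_ps.sh --live
if [ "${1:-}" = "--live" ]; then
    hidden_pids "$(live_ps_pids)" "$(live_proc_pids)"
fi
```

Running `sh proc_vs_ps.sh --live` prints only the suspicious PIDs; `collect_and_send 192.168.0.2 10006` ships the full record to a listener started with `nc -l -p 10006 > proc_log`.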

A preview of the next case: the nc command plays a key role in network forensics, and it will again be central to the analysis of the network security incident that follows.
