Michael Cross (MCSE, MCP+I, CNA, Network+) is an internet specialist/
programmer with the Niagara Regional Police Service. In addition to
designing and maintaining the Niagara Regional Police’s Web site (www.nrps.
com) and intranet, he has also provided support and worked in the areas of
programming, hardware, database administration, graphic design, and network
administration. In 2007, he was awarded a Police Commendation for work
he did in developing a system to track high-risk offenders and sexual offenders
in the Niagara Region. As part of an information technology team that
provides support to a user base of over 1,000 civilian and uniformed users,
his theory is that when the users carry guns, you tend to be more motivated
in solving their problems.
Michael was the first computer forensic analyst in the Niagara
Regional Police Service’s history, and for five years he performed computer
forensic examinations on computers involved in criminal investigations.
The computers he examined for evidence were involved in a wide range of
crimes, inclusive to homicides, fraud, and possession of child pornography.
In addition to this, he successfully tracked numerous individuals electronically,
as in cases involving threatening e-mail. He has consulted and assisted
in numerous cases dealing with computer-related/Internet crimes and
served as an expert witness on computers for criminal trials.
Michael has previously taught as an instructor for IT training courses
on the Internet, Web development, programming, networking, and hardware
repair. He is also seasoned in providing and assisting in presentations on
Internet safety and other topics related to computers and the Internet.
Despite this experience as a speaker, he still finds his wife won’t listen to him.
Michael also owns KnightWare, which provides computer-related
services like Web page design, and Bookworms, which provides online sales
of merchandise. He has been a freelance writer for over a decade and has
been published over three dozen times in numerous books and anthologies.
Contents
Chapter 1 Introduction
History. 2
Target Audience. 3
What is Covered . 3
What is Not Covered. 6
Chapter 2 Understanding Unix
Introduction . 10
Linux Distributions. 12
Get a Linux! . 12
Booting Ubuntu Linux from the LiveCD. 15
The Shell. 18
All Hail the Shell. 20
Essential Commands . 20
Highlights of The Linux Security Model. 25
The *nix File system Structure. 29
Mount points: What the Heck are They?. 31
File Systems. 34
Ext2/Ext3. 35
Summary. 37
Chapter 3 Live Response: Data Collection
Introduction . 40
Prepare the Target Media. 41
Mount the Drive. 41
Format the Drive. 42
Format the Disk with the ext File System. 42
Gather Volatile Information. 43
Prepare a Case Logbook. 43
Acquiring the Image . 55
Preparation and Planning . 55
DD. 56
Bootable *nix ISOs. 60
Helix. 60
Knoppix. 61
BackTrack 2. 62
Insert. 63
EnCase LinEn. 63
FTK Imager . 65
ProDiscover. 68
Summary. 70
Chapter 4 Initial Triage and Live Response: Data Analysis
Introduction . 72
Initial Triage. 72
Log Analysis. 74
zgrep . 76
Tail. 76
More . 76
Less . 77
Keyword Searches. 77
strings /proc/kcore -t d > /tmp/kcore_outfile. 78
File and Directory Names. 79
IP Addresses and Domain Names. 80
Tool Keywords . 80
Tricks of the Trade. 82
User Activity. 86
Shell History . 86
Logged on Users . 87
Network Connections. 89
Running Processes. 92
Open File Handlers. 95
Summary. 98
Chapter 5 The Hacking Top 10
Introduction . 100
The Hacking Top Ten. 104
Netcat. 105
Reconnaissance Tools. 106
Nmap . 106
Nessus. 110
Try it Out. 111
Configuring Nessus. 111
Plug-ins. 113
Ports. 114
Target. 114
Nikto. 116
Wireshark . 118
Canvas/Core Impact. 120
The Metasploit Framework. 121
Paros. 134
hping2 - Active Network Smashing Tool. 138
Ettercap. 144
Summary. 152
Chapter 6 The /Proc File System
Introduction . 154
cmdline. 155
cpuinfo. 155
diskstats. 156
driver/rtc. 156
filesystems. 156
kallsyms (ksyms). 157
kcore. 157
modules. 158
mounts. 158
partitions. 159
sys/. 159
uptime . 159
version . 159
Process IDs. 159
cmdline. 160
cwd. 161
environ. 161
exe. 161
fd . 161
loginuid. 162
Putting It All Together. 162
sysfs. 166
modules. 166
block. 166
Chapter 7 File Analysis
The Linux Boot Process. 170
init and runlevels . 171
System and Security Configuration Files. 173
Users, Groups, and Privileges. 173
Cron Jobs. 176
Log Files. 176
Who. 177
Where and What . 177
Identifying Other Files of Interest. 178
SUID and SGID Root Files. 178
Recently Modified/Accessed/Created Files. 179
Modified System Files. 180
Out-of-Place inodes. 180
Hidden Files and Hiding Places. 181
Chapter 8 Malware
Introduction . 184
Viruses . 185
Storms on the Horizon . 188
Do it Yourself with Panda and Clam. 190
Download ClamAV. 190
Install ClamAV. 190
Updating Virus Database with Freshclam. 191
Scanning the Target Directory. 192
Download Panda Antivirus. 193
Install Panda Antivirus. 193
Scanning the Target Directory. 193
Web References. 194
Appendix Implementing Cybercrime Detection
Techniques on Windows and *nix. 195
Introduction . 196
Security Auditing and Log Files . 197
Auditing for Windows Platforms. 199
Auditing for UNIX and Linux Platforms. 206
Firewall Logs, Reports, Alarms, and Alerts. 208
Commercial Intrusion Detection Systems. 211
Characterizing Intrusion Detection Systems. 212
Commercial IDS Players. 217
IP Spoofing and Other Antidetection Tactics. 218
Honeypots, Honeynets, and Other “Cyberstings”. 220
Summary. 223
Frequently Asked Questions. 226
Index. 229
Co-Authors
Chris Pogue is an Incident Response Manager and Forensic Analyst for a major
Information Technology service provider. With over ten years of administrative and security experience, he has worked cases all over the globe, assisting organizations from Fortune 500 companies to single-owner small businesses in building defense in depth into their infrastructure. Prior to becoming a forensic analyst, Chris spent five years as part of the Ethical Hacking Team for the same service provider. Tasked with emulating the actions of a malicious attacker, he assisted customers in identifying and eliminating probable attack vectors. Bringing that knowledge and experience to bear on the Incident
Management team, Chris specializes in incidents involving intrusion and unauthorized access.
Chris is also a former US Army Warrant Officer (Signal Corps) and has worked with the Army Reserve Information Operations Command (ARIOC) on Joint Task Force ( JTF) missions with the National Security Agency (NSA), Department of Homeland Security, Regional Computer Emergency Response Team-Continental United States (RCERT-CONUS), and the Joint Intelligence Center-Pacific ( JICPAC).
Chris attended Forensics training at Carnegie Mellon University (CMU) in Pittsburgh, Pennsylvania, and was the ARIOC primary instructor for UNIX, Networking, and Incident Response for all CMU-sponsored courses. Chris holds a Bachelor’s Degree in Applied Management and a Master’s degree in Information Security, and is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), and a VISA PCI DSS Qualified Security Assessor (QSA).
Chris resides in Tulsa, Oklahoma with his wife Michelle, and his two children, Jenna age 4, and Colin age 2. While the world of computer forensics is fast paced, and challenging …
nothing compares to the rush and excitement of being a husband and father.
First and foremost, I would like to thank my Lord and savior Jesus Christ, without whom nothing in my life would be possible. Since being saved, He has walked alongside me when I needed a friend, walked in front of me when I needed a perfect example of how to live my life, and carried me when I needed a Messiah. All that I am able to do is only through His grace and mercy. My earthly strength comes from my beautiful wife Michelle, and my two children Jenna and Colin. Next to my salvation, Michelle is the greatest gift the Lord has ever bestowed upon me, and without her I would not be the man I am today. She is a wonderful wife and mother.
Thank you so much for supporting me, loving me, and being my best friend even though I am, hands down, the biggest nerd you ever met. My kids keep me young at heart. I cannot begin to count the number of times while writing this book that I played puppy with Jenna and asked Colin to kindly get off my desk. I love being a dad and hope and pray that I am half the father they deserve. Finally, I would like to thank everyone who contributed in one way or another to the completion of this work. Specifically, I would like to thank Harlan Carvey, Tom Millar, Jon Evans, Sam Elder, Keith Fanselow, Clint Ruoho, Barry Grundy, Mariuzz Burdach, Todd Haverkos, Cory Altheide, Andrew Rosen, Rick Van Luvender, Darrell Vydra, Mark Eifert, my mother Donna Pogue, and my sister Juli Czajkowski. Without all of you helping me, guiding me, and encouraging me along the way, I would have never finished this freaking thing. Thank you all … and stuff.
Cory Altheide has been performing forensics and incident investigations for the past
seven years for employers ranging from the National Nuclear Security Administration
to Google. Cory has developed and presented hands-on forensics training for various
government, law enforcement, and civilian entities geared towards improving investigators’
skills in examining less common digital media, exotic operating systems, and
live analysis and acquisition. He holds the GIAC GCIH and PCI QSA certifications
and is on the technical program committee for the 8th Annual Digital Forensics
Research Workshop (DFRWS).
I would like to the The Macallan.
Todd Haverkos has 16 years of experience in Information Technology (IT) and high
technology, including 7 years with a Fortune 50 computer services company working in network security and ethical hacking roles and, most recently, Security Consulting and Penetration Testing roles; 6 years with an international semiconductor and communications company as an integrated circuit designer, for which he holds a US Patent; and 4 years with a large regional electric utility in database administration, IT, and telecom. He has 6 years of dedicated experience in Information Security and has expertise in penetration testing, application security testing, vulnerability assessments and recommendations, security policy and procedure development, network architecture, firewall, switch and router configuration and management, and technical security documentation. Todd holds a bachelor’s degree in Electrical Engineering from the University of Dayton and a master’s degree in Computer Engineering from Northwestern University, and holds EC-Council Certified Ethical Hacker and EC-Council Certified Security Analyst certifications.
Thanks first to Chris Pogue for the opportunity to contribute to the book (in an albeit-small,
one chapter sort of way). It’s a pleasure to have the opportunity to spread *nix thoughts! James Lee,
thank you for inspiration and encouragement to jump into the water.
Thanks also to the English faculty of St. Xavier High School in Cincinnati, OH, particularly
Walter Koral, Jim Downie, Patricia Culley, and Mike Marchal. While I know at least one of you
was quite unhappy with my choice of engineering as a career path lo, those many years ago, I would
like to offer this consolation: The ability to communicate well–particularly in writing–is easily the
most valuable skill I have brought to any technical job I’ve had, and a skill I use every day of this
Internet-connected life. Many thanks!
Thanks also to Mom who so wisely and generously found a way to make sure I had that
education and the one from her, and for all those other great things Moms do that earn them a
much-deserved place in acknowledgements!
To those who like to keep a low profile, but who have been so generous in sharing their
technical knowledge and friendship with me over the years, thank you!
And to Phet and Boon, you make everything worth working for.