UNIX and Linux Forensic Analysis DVD Toolkit
eBook - ePub

  • 248 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android
About this book

This book addresses topics in the area of forensic analysis of systems running on variants of the UNIX operating system, which is the choice of hackers for their attack platforms. According to a 2007 IDC report, UNIX servers account for the second-largest segment of spending (behind Windows) in the worldwide server market with $4.2 billion in 2Q07, representing 31.7% of corporate server spending. UNIX systems have not been analyzed to any significant depth largely due to a lack of understanding on the part of the investigator, an understanding and knowledge base that has been achieved by the attacker.

The book begins with a chapter that describes why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of loadable kernel modules and malware.

Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else.
  • This book contains information about UNIX forensic analysis that is not available anywhere else. Much of the information is a result of the author's own unique research and work.
  • The authors have the combined experience of law enforcement, military, and corporate forensics. This unique perspective makes this book attractive to all forensic investigators.

Yes, you can access UNIX and Linux Forensic Analysis DVD Toolkit by Chris Pogue, Cory Altheide, and Todd Haverkos in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Chapter 1. Introduction

Solutions in this chapter:

  • History
  • Target Audience
  • What is Covered
  • What is Not Covered

History

In 2007, I completed my Master's Degree in Information Security from Capella University. As an Incident Response Analyst by trade, I figured that writing my thesis on UNIX forensic analysis would be a good topic, relevant both to my job duties and my course work. With Harlan Carvey being a colleague of mine, you would think I would just write something on Windows forensics and ask him for help. However, this was my thesis, and I wanted to do something that would challenge me, so I chose to write my paper on UNIX forensic analysis.
After about a day of research, I found that my original scope would have to be narrowed drastically. This was due both to the vastness of the sheer concept of UNIX forensics, and to the fact that there were no books on it (at least that I could find) anywhere. I did find some really good articles and white papers by Barry Grundy,[1] Mariusz Burdach,[2] and Holt Sorenson,[3] but nothing in the form of a book. I also found that there were some chapters in books like “Incident Response: Investigating Computer Crime” by Mandia and Prosise, “Hacking Exposed: Computer Forensics” by Davis, Philipp, and Cowen, and “Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet,” by Casey, but nothing wholly dedicated to UNIX.
[1] http://www.linuxleo.com/
[2] http://www.securityfocus.com/infocus/1769
[3] http://www.securityfocus.com/infocus/1679
At the time I wrote my thesis, I had no idea how many UNIX variants existed. I know that personally I have worked with Solaris, AIX, HP-UX, BSD, Tru64, and several versions of Linux including Ubuntu, Fedora Core, Red Hat, Gentoo, SUSE, and Knoppix. Now, writing a book that would include all of these variants and all of the possible architecture and command structure differences is simply not feasible, so I picked one, and stuck with it. This book specifically covers the Linux 2.6.22-14 kernel, and all of our examples are either made using Ubuntu 7.10 Gutsy Gibbon, or Fedora Core 8. However, if you have been around UNIX in any form for any length of time, you can either use the exact command structure we use in this book, or make some slight variations.
At the completion of my thesis, I thought long and hard about the knowledge gap that existed in the world of UNIX forensics. Sure you can read white papers, or get on the CFID or HTCIA mailing lists, or the SMART forum, which are very informative, but don't have all of the information you need in one place. Also, if you are a total n00b, you might feel foolish having to ask questions like, “How do I use dd?” and “How do I see my external hard drive in UNIX?”
So I decided that a book specifically geared toward Linux forensics was needed. I started by gathering information from colleagues such as Harlan, Cory Altheide, Todd Haverkos, Sam Elder, Barry Grundy, Mariusz Burdach, Andy Rosen, and Rick Van Luvender about what this book should look like. I got some great feedback from these trusted colleagues and friends and began to write my outline. Cory and Todd liked the idea so much that they decided to jump on board and contribute, for which I am extremely grateful. Without them, I would have never completed the manuscript on time, and my book would not have been as strong.

Target Audience

Due to the vast proliferation of Windows, about 80 percent of the incidents I encounter as a full-time Incident Response Analyst are strictly Windows-based. In talking to Harlan, Cory, and several other colleagues in the law enforcement community, those numbers are pretty consistent across the board. The bottom line is that only about 20 percent of the cases that come across our desks involve some variant of UNIX. These numbers are estimates only, and I have no real empirical data to back them up. Depending on where you work and what you do, these numbers may vary, but in talking to forensic investigators in both the corporate and law enforcement communities, they are generally accurate.
Given the fact that you are reading this book, it's probably safe to assume that you have come across one of the 20 percent of *nix cases. You probably also have little or no experience working with Linux as either a host operating system or as part of a forensic investigation. Don't panic, this book is for you!
I realize that you may not meet either of these criteria, in that you have not had a *nix case as of yet and are reading the book to prepare yourself for the inevitable, or you are familiar with the different flavors of UNIX, have worked several cases, and are looking for some new knowledge to make you a better investigator. If this is the case, this book has some great information for you and you may want to go directly to Chapter 5, “Hacking Top 10” and Chapter 6 “/proc.”

What is Covered

If you know anything about Linux you know that there are a lot of commands that accomplish the same task. To borrow the motto of Perl, a very popular scripting language with a long *nix history: “There's more than one way to do it.” It is possible that no two people will do the same thing the same way, yet get the same results. In our book, we have used what we feel is the quickest and easiest way to accomplish the task at hand. We understand that you may find a way that works better for you, and if that is the case, go with it, and please let us know so we can incorporate it in a later revision of this book.
In Chapter 2 of this book, you will learn about the most common file systems used with Linux, how the disk architecture is configured, and how the operating system interacts with the kernel (at a high level). This includes:
  • Linux distributions
  • Booting a Linux system
  • The shell
  • Disks and devices in Linux
  • File system organization and paths
  • File system formats
  • Logs
  • Daemons
In Chapter 3 of this book, you will learn how to acquire both the volatile and persistent data from a Linux system, using a Linux forensic system. This includes:
  • Connecting to the target machine
  • Locating the external hard drive to which you will transfer the image
  • Mounting the external hard drive to which you will transfer the image
  • Gathering volatile information
  • Creating a forensic image with the “dd” command
  • Verifying your information using Message Digest 5 (MD5)
  • Maintaining your data in a forensically sound manner
In Chapter 4 of this book, you will learn how to analyze the data you have just acquired. This includes the analysis of:
  • Who is logged onto the system
  • Which processes are running
  • Which ports are open, and where they are communicating to or receiving communication from
  • Open file handles
  • Open Transmission Control Protocol (TCP) hooks
  • Keyword searches
In Chapter 5 of this book, you will learn about the Top 10 most commonly used tools in Linux hacking, either as the launch point or the target. You will also learn what these tools look like when they are installed, how they are used, and what kind of artifacts they may leave behind. The Hacking Top 10 are:
  • nmap
  • nessus
  • netcat
  • nikto
  • Kismet
  • wireshark
  • metasploit
  • paros
  • hping2
  • ettercap
In Chapter 6 of this book, you will learn about the /proc filesystem and what important data you have to collect from it before powering a system down. This includes:
  • Disk and partition information
  • Kernel symbols
  • A copy of physical memory
  • All kernel modules
  • A plethora of information on running processes
In Chapter 7 of this book, you will learn about the various file types that should be analyzed and how to analyze them. These files include:
  • System and security configuration files
  • Init and Run Control scripts
  • Cron jobs
  • Hidden files and hiding places
  • Identifying other files of investigative interest
In Chapter 8 of this book, you will learn about malware as it exists on Linux machines, and what kinds of signatures it leaves. This includes:
  • Viruses
  • Worms
  • Trojan Horses
  • Flooders

What is Not Covered

Obviously, with a limited number of pages in this book and a virtually inexhaustible supply of information, we had to narrow our focus to what we thought best encompassed the idea of a true introductory level book. Keeping that in mind, we understand that there may be some items that you wish were covered in greater detail, or perhaps you would have liked to see something addressed that was not. If that is the case, please let us know! We want our next book to not only include some more difficult forensic concepts as they ...

Table of contents

  1. Copyright
  2. Disclaimer
  3. Brief Table of Contents
  4. Table of Contents
  5. List of Figures
  6. List of Tables
  7. Co-Authors
  8. Appendix Contributor
  9. Chapter 1. Introduction
  10. Chapter 2. Understanding Unix
  11. Chapter 3. Live Response
  12. Chapter 4. Initial Triage and Live Response
  13. Chapter 5. The Hacking Top 10
  14. Chapter 6. The /Proc File System
  15. Chapter 7. File Analysis
  16. Chapter 8. Malware
  17. Appendix A. Implementing Cybercrime Detection Techniques on Windows and *nix
  18. Index