Red Hat Linux 9: Red Hat Linux Security Guide
Prev	Chapter 10. Incident Response	Next

10.4. Investigating the Incident

Investigating a computer breach is like investigating a crime scene. Detectives collect evidence, note any strange clues, and take inventory on loss and damage. An analysis of computer compromise can either be done as the attack is happening or post-mortem (after the attack).

Although it is unwise to trust any system log files on an exploited system, there are other forensic utilities to aid in your analysis. The purpose and features of these tools vary, but they commonly create bit-image copies of media, correlate events and processes, show low level file system information, and recover deleted files whenever possible.

10.4.1. Collecting an Evidential Image

Creating a bit-image copy of media is a feasible first step. If performing data forensic work, it is a requirement. It is recommended to make two copies: one for analysis and investigation, and a second to be stored along with the original for evidence in any legal proceedings.

You can use the dd command that is part of the fileutils package in Red Hat Linux to create a monolithic image of an exploited system as evidence in an investigation or for comparison with trusted images. Suppose there is a single hard drive from a system you want to image. Attach that drive as a slave to your system, and then use dd to create the image file, such as the following:

dd if=/dev/hdd bs=1k conv=noerror,sync of=/home/evidence/image1

This command creates a single file named image1 using a 1k block size for speed. The conv=noerror,sync options force dd to continue reading and dumping data even if bad sectors are encountered on the suspect drive. It is now possible to study the resulting image file, or even attempt to recover deleted files.

10.4.2. Gathering Post-Breach Information

The topic of digital forensics and analysis itself is quite broad, yet the tools are mostly architecture specific and cannot be applied generically. However, incident response, analysis, and recovery are important topics. With proper knowledge and experience, Red Hat Linux can be an excellent platform for performing these types of analysis, as it includes several utilities for performing post-breach response and restoration.

Table 10-1 details some commands for file auditing and management. It also lists some examples that can be used to properly identify files and file attributes (such as permissions and access dates) so that you can collect further evidence or items for analysis. These tools, when combined with intrusion detection systems, firewalls, hardened services, and other security measures, can help in reducing the potential damage when an attack occurs.

Note

Note

For detailed information about each tool, refer to their respective manual pages.

	Note
	For detailed information about each tool, refer to their respective manual pages.

Command

Function

Example

dd

Creates a bit-image copy (or disk dump) of files and partitions. Combined with a check of the md5sums of each image, administrators can compare a pre-breach image of a partition or file with a breached system to see if the sums match.

dd if=/bin/ls of=ls.dd |md5sum ls.dd >ls-sum.txt

grep

Finds useful string (text) information on and inside files and directories such as permissions, script changes, file attributes, and more. Used mostly as a piped command of another command such as ls, ps, or ifconfig

ps auxw |grep /bin

strings

Prints the strings of printable characters in a file. It is most useful for auditing executables for anomalies such as mail commands to unknown addresses or logging to a non-standard log file.

strings /bin/ps |grep 'mail'

file

Determines the characteristics of files based on format, encoding, libraries that it links (if any), and file type (binary, text, and more). It is useful for determining whether an executable such as /bin/ls has been modified using static libraries, which are a sure sign that that the executable has been replaced with one installed by a malicious user.

file /bin/ls

find

Searches directories for particular files. find is a useful tool for searching the directory structure by keyword, date and time of access, permissions, and more. This can be useful for administrators that perform general system audits of particular directories or files.

find -atime +12 -name *log* -perm u+rw

stat

Displays various information about a file, including time last accessed, permissions, UID and GID bit settings, and more. Useful for checking when a breached system executable was last used and/or when it was modified.

stat /bin/netstat

md5sum

Calculates the 128-bit checksum using the md5 hash algorithm. You can use the command to create a text file that lists all crucial executables that could be modified or replaced in a security compromise. Redirect the sums to a file to create a simple database of checksums and then copy the file onto a read-only medium such as CD-ROM.

md5sum /usr/bin/gdm >>md5sum.txt

Command	Function	Example
`dd`	Creates a bit-image copy (or disk dump) of files and partitions. Combined with a check of the md5sums of each image, administrators can compare a pre-breach image of a partition or file with a breached system to see if the sums match.	`dd if=/bin/ls of=ls.dd \|md5sum ls.dd >ls-sum.txt`
`grep`	Finds useful string (text) information on and inside files and directories such as permissions, script changes, file attributes, and more. Used mostly as a piped command of another command such as `ls`, `ps`, or `ifconfig`	`ps auxw \|grep /bin`
`strings`	Prints the strings of printable characters in a file. It is most useful for auditing executables for anomalies such as `mail` commands to unknown addresses or logging to a non-standard log file.	`strings /bin/ps \|grep 'mail'`
`file`	Determines the characteristics of files based on format, encoding, libraries that it links (if any), and file type (binary, text, and more). It is useful for determining whether an executable such as `/bin/ls` has been modified using static libraries, which are a sure sign that that the executable has been replaced with one installed by a malicious user.	`file /bin/ls`
`find`	Searches directories for particular files. `find` is a useful tool for searching the directory structure by keyword, date and time of access, permissions, and more. This can be useful for administrators that perform general system audits of particular directories or files.	`find -atime +12 -name log -perm u+rw`
`stat`	Displays various information about a file, including time last accessed, permissions, UID and GID bit settings, and more. Useful for checking when a breached system executable was last used and/or when it was modified.	`stat /bin/netstat`
`md5sum`	Calculates the 128-bit checksum using the md5 hash algorithm. You can use the command to create a text file that lists all crucial executables that could be modified or replaced in a security compromise. Redirect the sums to a file to create a simple database of checksums and then copy the file onto a read-only medium such as CD-ROM.	`md5sum /usr/bin/gdm >>md5sum.txt`

Table 10-1. File Auditing Tools

Prev	Home	Next
Implementing the Incident Response Plan	Up	Restoring and Recovering Resources

ActorActressGallery.com	CheapConsumerElectronics.com	ArtistActorActress.com
Bill88.com	CalvaryMusic.org	Link-Web.net
NewReleaseBooks.com	GermanBooks88.com	GermanElectronics88.com
RingTone88.com	SmallPanda.com