Hack 47 Collect Forensics Data 
When your computer is broken into, use Knoppix
to collect all of the forensics data for later analysis.
Possibly the worst sentence for a
system administrator to hear is "The server has been
hacked." If you take pride in the systems you run,
finding out some vandal is having his way with your server makes you
feel, well, violated. When your system gets hacked, and you want to
track down the attacker, or at least how he hacked it, you must
collect forensics data from the server.
An excellent tool for collecting forensics data is the
Coroner's Toolkit (http://www.porcupine.org/forensics/tct.html).
Two of the tools from this toolkit, unrm and
lazarus, are covered in [Hack #58] . The tool you should use to
collect forensics data is called grave-robber.
Grave-robber scans the system and collects as
much useful information as it can (and it collects a lot) so that it
can be pored over at a later date. You want to capture as much of the
current state of the computer as possible; then, even if you need to
format the drive and put the system back into service quickly, you can still
examine the state the machine was in when it was compromised.
If you intend to collect data stored in a swap partition, boot Knoppix
with the noswap cheat code; otherwise, Knoppix
automatically activates any swap partitions it finds and, as it uses the
space, overwrites whatever data was previously there.
With a Knoppix disc, you can either boot the compromised server from
the disc and scan its hard drives directly, or work with an image of the
compromised server's hard drives.
Grave-robber refers to this type of machine as a
corpse, because (besides the TCT
author's fondness for grave metaphors) the machine
is no longer live. In fact, if you can, follow the steps in [Hack #48] to
create an image of your drive, so that you can leave the original
alone and do all of your work from the copy.
Grave-robber can generate a few
megabytes of output, depending on the size of the drive scanned and
the data it collects. Keep the compromised drive in as pristine a state as
possible by finding some other media, such as another hard drive in
the system, a USB drive, or a network share, on which to store the data. The
default is to save all data in
/var/cache/tct/data, but as that directory lives
on the ramdisk under Knoppix, not only does it not have
enough room to store the data, the data is also erased once Knoppix is
shut down. So find a larger, more permanent place to store
everything.
Mount both drives (the corpse read-only, so that nothing on it is
altered; when you name both the device and the mount point, mount does
not apply the ro option from Knoppix's fstab for you), and then start the script
command as root, so that you can review the verbose output from
grave-robber at a later date and follow the
process of grave-robber:
knoppix@ttyp0[knoppix]$ sudo mount -o ro /dev/hda1 /mnt/hda1
knoppix@ttyp0[knoppix]$ sudo mount -o rw /dev/hdb1 /mnt/hdb1
knoppix@ttyp0[knoppix]$ sudo mkdir /mnt/hdb1/data
knoppix@ttyp0[knoppix]$ sudo script /mnt/hdb1/grave-robber-output
Script started on Tue Jul 13 21:53:20 2004
root@0[knoppix]#
Replace /dev/hda1 with the drive from which you
want to collect data, and replace /dev/hdb1 with
the drive to which you want to save data. The
script command saves all input and output from
the terminal into /mnt/hdb1/grave-robber-output
so you can review your steps. Because you ran script
with sudo, you now have a root prompt from which to
run the grave-robber command:
root@0[knoppix]# grave-robber -c /mnt/hda1 -o LINUX2 -d /mnt/hdb1/data -v
The -c argument tells
grave-robber to scan a corpse mounted at the
specified directory, in this case /mnt/hda1,
instead of the current machine (the default).
The -o option tells
grave-robber which OS the corpse was running and
is required when you scan a corpse. This example was scanned on
a Linux system, but grave-robber also supports
FreeBSD, OpenBSD, and other OSes (view the manpage for the current
list). The -d option specifies where to save the
data grave-robber collects, and the -v
option gives verbose output, so you can see each step
grave-robber takes.
Once the command completes, type the following command to end the
script session and get back to a normal prompt:
root@0[knoppix]# exit
Script done, file is /mnt/hdb1/grave-robber-output
knoppix@ttyp0[knoppix]$
Most of the files that grave-robber creates are
readable only by root, so they are simpler to browse if you click K
Menu → KNOPPIX → Root Shell to open a root terminal.
Now change to the data directory that you created to browse
through the grave-robber output:
root@ttyp0[knoppix]# cd /mnt/hdb1/data
root@ttyp0[data]# ls
body body.S command_out conf_vault icat proc trust
If you understand how grave-robber organizes the
output, you have a good point at which to start the analysis. Here
are a few of the important files and directories:
- body
Contains a database of information about every file and directory
on the drive: the md5sum of each file, its numeric mode (st_mode) and
the ls-style rendering of it (st_ls), user and group ownership, size,
and the access, modification, and inode-change times (st_atime,
st_mtime, st_ctime) as Unix timestamps. Each record is one
pipe-separated line. Here is a sample from the file:
class|host|start_time
body|Knoppix|1089770144
md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|st_atime|st_mtime|st_ctime|st_blksize|st_blocks
000|/mnt/hda1/var|61440|352722|16877|drwxr-xr-x|16|0|0|0|2048|1084817810|1075129507|1076277991|4096|4
000|/mnt/hda1/var/yp|61440|32190110|16877|drwxr-xr-x|3|0|0|0|2048|1084817810|1084660839|1084660839|4096|4
000|/mnt/hda1/var/yp/binding|61440|33599814|16877|drwxr-xr-x|2|0|0|0|2048|1084817810|1005606373|1076277977|4096|4
c282385f892919eb4135dd333096fa06|/mnt/hda1/var/yp/Makefile|61440|33599692|33188|-rw-r--r--|1|0|0|0|16868|1084660839|1084009530|1084660839|4096|33
e8407552a8b0c1447940b81fc1ad57a4|/mnt/hda1/var/yp/nicknames|61440|33599934|33188|-rw-r--r--|1|0|0|0|185|1084722449|1003331481|1076277978|4096|1
- body.S
Similar to body, this database contains only
SUID files (files that run with the privileges of their owner, usually
root) for quick reference, since a stray SUID shell is a favorite way
for an attacker to keep root access.
- command_out
As grave-robber runs, it executes certain system
programs, such as df,
dpkg/rpm, and
lsof, to grab extra information about the system.
The output from these commands is stored in individual files in this
directory.
- conf_vault
Stores a copy of any files that grave-robber
finds interesting, including configuration files and other critical
files and directories. The index.html file in
the root of this directory links to each of these files in an
easy-to-view HTML format.
- pcat/icat
Stores images of running processes recovered during the scan, named by
process ID and the date and time the image was made. When you
scan a corpse, the processes captured are those of the running Knoppix
system, not of the compromised machine, so these images are of little use.
- proc
Similar to the pcat/icat directories, this
directory contains images of running processes, but taken from the
proc filesystem. Again, this is not too useful when scanning a
corpse.
- trust
Contains .forward and .rhosts
files, and crontab and
at output, along with other files related to
trust relationships.
- user_vault
Stores copies of sensitive user files such as shell histories, ssh
keys, etc.
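As an added example (not code from this book, from TCT, or from Knoppix), here is a small Python script that parses a body database in the format shown above and does what a first pass at analysis would: it lists the SUID files (what body.S is for), builds a mactime-style timeline of files touched inside a suspected compromise window, and checks a file read back from the drive image against the md5sum grave-robber recorded. The first five records are the ones shown above; the /bin/ping and /tmp/.x records, their md5sums, and the compromise window are constructed for the example.

```python
"""Analyze a Coroner's Toolkit 'body' database written by grave-robber.

Added example; it is not code from Knoppix Hacks, TCT or Knoppix. It parses
the pipe-separated body file (two preamble lines, a field header, then one
16-field record per file) and answers the first questions an analyst asks:
which files are SUID, and what changed inside the suspected compromise
window. TCT's own mactime tool builds such a timeline; this is a minimal
reimplementation so that the format and the logic are visible.
"""
import hashlib
import stat
import time

INT_FIELDS = {"st_dev", "st_ino", "st_mode", "st_nlink", "st_uid", "st_gid",
              "st_rdev", "st_size", "st_atime", "st_mtime", "st_ctime",
              "st_blksize", "st_blocks"}

# Constructed sample. The first five records are the ones shown in the text;
# the /bin/ping and /tmp/.x records, their md5sums and their mode
# 35309 (octal 104755, i.e. -rwsr-xr-x) are made up for this example.
SAMPLE_BODY = """\
class|host|start_time
body|Knoppix|1089770144
md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|st_atime|st_mtime|st_ctime|st_blksize|st_blocks
000|/mnt/hda1/var|61440|352722|16877|drwxr-xr-x|16|0|0|0|2048|1084817810|1075129507|1076277991|4096|4
000|/mnt/hda1/var/yp|61440|32190110|16877|drwxr-xr-x|3|0|0|0|2048|1084817810|1084660839|1084660839|4096|4
000|/mnt/hda1/var/yp/binding|61440|33599814|16877|drwxr-xr-x|2|0|0|0|2048|1084817810|1005606373|1076277977|4096|4
c282385f892919eb4135dd333096fa06|/mnt/hda1/var/yp/Makefile|61440|33599692|33188|-rw-r--r--|1|0|0|0|16868|1084660839|1084009530|1084660839|4096|33
e8407552a8b0c1447940b81fc1ad57a4|/mnt/hda1/var/yp/nicknames|61440|33599934|33188|-rw-r--r--|1|0|0|0|185|1084722449|1003331481|1076277978|4096|1
0123456789abcdef0123456789abcdef|/mnt/hda1/bin/ping|61440|12345|35309|-rwsr-xr-x|1|0|0|0|28000|1084817810|1005606373|1076277977|4096|56
000|/mnt/hda1/tmp/.x|61440|40001|16877|drwxr-xr-x|2|0|0|0|4096|1089700100|1089700050|1089700050|4096|8
d41d8cd98f00b204e9800998ecf8427e|/mnt/hda1/tmp/.x/sh|61440|40002|35309|-rwsr-xr-x|1|0|0|0|0|1089700100|1089700060|1089700061|4096|0
"""


def parse_body(text):
    """Return one dict per file record; numeric fields are converted to int."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Skip the class/host preamble; the real header is the line naming the fields.
    start = next(i for i, ln in enumerate(lines) if ln.startswith("md5|"))
    fields = lines[start].split("|")
    records = []
    for ln in lines[start + 1:]:
        parts = ln.split("|")
        if len(parts) != len(fields):
            raise ValueError("malformed body record: %r" % ln)
        rec = dict(zip(fields, parts))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def suid_files(records):
    """Files with the set-user-ID bit set, sorted by path (what body.S lists)."""
    return sorted((r for r in records if r["st_mode"] & stat.S_ISUID),
                  key=lambda r: r["file"])


def mac_timeline(records, since=0, until=2 ** 62):
    """mactime-style list of (timestamp, 'mac' flags, path) inside the window.

    The flag string says which of the three times fired at that instant:
    m = modified, a = accessed, c = inode changed; '.' means not that one.
    """
    events = {}
    for r in records:
        for flag, key in (("m", "st_mtime"), ("a", "st_atime"), ("c", "st_ctime")):
            ts = r[key]
            if since <= ts <= until:
                events.setdefault((ts, r["file"]), set()).add(flag)
    return [(ts, "".join(f if f in flags else "." for f in "mac"), path)
            for (ts, path), flags in sorted(events.items())]


def verify_md5(record, data):
    """True if data (a file read back from the image) matches the md5sum
    grave-robber recorded, so any later change to the copy is detectable."""
    return hashlib.md5(data).hexdigest() == record["md5"]


if __name__ == "__main__":
    recs = parse_body(SAMPLE_BODY)
    print("SUID files:")
    for r in suid_files(recs):
        print("  %s %s" % (r["st_ls"], r["file"]))
    # Constructed compromise window: 13 Jul 2004, the day the corpse was scanned.
    print("Timeline inside the window:")
    for ts, flags, path in mac_timeline(recs, since=1089700000, until=1089800000):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(ts))
        print("  %s %s %s" % (stamp, flags, path))
```

Run against a real body file, the timeline is only as trustworthy as the corpse's timestamps: an attacker with root can reset mtime and atime with touch, but not ctime, which is why the c column deserves the most attention.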
Computer forensics is a complicated subject that requires a lot of
time and experience and is outside the scope of this hack. For more
information on forensic analysis, visit http://www.cert.org.