[sf-lug] forensics with Linux
Michael.Paoli at cal.berkeley.edu
Sat Nov 21 17:17:44 PST 2009
Some bits that might help, in not necessarily any particular order.
o Follow one's documented incident response plan (the handling of such
incidents was properly planned for, right?).
o Having, or not having the above, DON'T PANIC! Quick rash decisions
can cause problems, and may not be reversible.
o There's often the typical trade-off to be considered between:
o Continue to watch, track, and investigate; try not to tip one's hand
(at least not prematurely, anyway).
o Shut stuff down, try to thwart further damage, clean up, and move on
o One may not have a choice (e.g. governmental, law enforcement,
contractual obligations, practical matters and/or policy may dictate
what methods are used, and when).
o Never trust that a compromised system is reporting anything
accurately, or is, or was doing what it should be doing. E.g. "root
kits", kernel modules, etc. can make it infeasible to impossible to
determine from compromised system itself if the system itself is
compromised or not.
o Shutting down as or about as abruptly as possible may enhance
preservation of disk data. "Normal" shutdown procedures/sequences may
be compromised, and may alter or destroy evidence. E.g. for fast
shutdown, remove power - for a laptop that may entail removing
external power and pulling the laptop battery. Note also that many
modern systems, when "power switch"/button is pressed may not
immediately shut down, but instead will (with short press), attempt to
start a normal shutdown procedure (press and hold may drop power - but
it might not be fast enough, as that may attempt to start normal
shutdown procedures first). Removing power connections (power cords)
and pulling any (e.g. laptop) battery power source may be best and
fastest. Absolutely no guarantees that such an approach would be
harmless to all hardware (e.g. pulling laptop battery from a running
laptop may damage the laptop hardware and/or battery - but is
improbable to damage the hard drive hardware).
o shutting down may lose evidence of what's resident in RAM - and
possibly only in RAM - some malware will run only in RAM and not exist
on disk (e.g. some network worms / bot nets may operate that way to
make it harder to catch and examine the malware).
o shutting down allows one to then boot from good known operating system
(e.g. validated CD-ROM or USB, etc.), and examine disk(/flash/ROM/...)
of compromised or suspected compromised system - and to accurately see
what is there.
o Don't know that it's ever been used or successfully used in any public
forensics cases or the like yet, but copying a full image of the hard
drive data isn't quite the same. There are advanced techniques,
which, at least in theory, may allow for recovery of data that was
physically overwritten on the hard drive. This evidence may not be
accessible from the external interfaces of the hard drive (may require
access to raw data from drive heads and/or advanced scanning of the
magnetic media). See, e.g.:
o Stuff (e.g. malware) can be tucked away in CMOS/BIOS/flash, etc.
BIOS/CMOS may allow areas of disk to be "hidden"/reserved - stuff
could be hidden there. Filesystems and storage can be abused - e.g.
data stored where it shouldn't legitimately belong, or filesystems
tampered with in ways to further hide data.
o It's often/generally infeasible to "clean up" the data/programs, etc.
of a compromised system - most commonly much more efficient to do a
fresh clean install, apply security updates/patches, make sufficiently
sure vulnerabilities that allowed exploit have been closed, and if any
data/programs are going to be merged or brought in from what was
compromised system/image, they must be fully validated as
clean/correct before reintroducing them.
o clean-up; don't trust information reported by or actions taken by
compromised or possibly compromised system, see also:
o Have a peek at:
o Many other good/excellent points/tips already earlier on this
o I am not a lawyer, nor do I play one on TV.
o I am not a forensics expert.
> Date: Wed, 18 Nov 2009 07:05:33 -0800
> From: Pseudo Anonymous <pseudo.anonymous70 at gmail.com>
> Subject: [sf-lug] forensics with Linux
> To: sf-lug at linuxmafia.com
> forensics with Linux
> Let's say someone hands us a laptop that is or likely has been
> compromised. Let's say we actually want to preserve an exact image
> copy of the laptop hard drive. Let's say we also want to compute some
> secure cryptographic hashes of entire laptop hard drive and
> digitally sign - such as with gpg - those hashes and statement about
> those hashes. Let's say we've got quite sufficiently large external
> USB drive that we can attach and that wasn't at all involved in
> compromise and hasn't been attached to that laptop before.
> So, how would we best proceed to: boot Linux off of CD or DVD (or
> possibly even USB stick) and make absolutely no write access to the
> laptop hard drive - e.g. nothing that would automatically or by default
> mount or attempt to mount anything on the laptop filesystem(s) rw?
> We'd also want to be sure nothing attempts to run/boot/execute anything
> off the laptop hard drive. Let's say we've got someone that well knows
> how to wield fdisk/cfdisk/sfdisk/mke2fs/dd/gpg/openssl, and at least
> most common Linux systems administration tasks, but may or may not be a
> forensics expert, and we're mostly interested in preserving evidence of
> state and data of laptop hard drive.
> Any particular recommendations of handy readily available Linux
> distribution that would be best/easiest to accomplish these tasks -
> such as run from live CD image, and if needed, including actions or
> boot options to ensure it doesn't make or attempt to make any write
> access to laptop hard drive by default including having it not making
> nor attempting to make any rw mounts of laptop filesystem(s).
> And for the legal or legally inclined folks, particular recommendations
> for evidence preservation/handling for possible use in criminal and/or
> civil case(s) in such described situation?
More information about the sf-lug