Intrusion Analysis

Reading: None

Additional references:

* Intrusion Analysis
  - a forensic process
  - specifically for intrusion events, as opposed to DoS, virus, etc.
  - a search for evidence that will satisfy your goals (answer your questions)

* Live analysis vs. static reconstruction
  - live analysis
    - poking around on the suspect system
    - will change state of system (file access times, etc.)
    - may be necessary if system has disk encryption with unknown keys (if you take the encrypted disk, it will be useless without the key)
  - static reconstruction
    - work with an image of the disk drive(s)
    - will not have info about running processes
    - but won't destroy credibility of evidence

* Intrusion analysis is a special case of computer forensics
  - only applies when crime is intrusion
  - not for cases where computer only contains evidence of other crimes (such as an embezzler's laptop)

* Goals - answer some questions
  - How did they get in?
  - Where did they come from?
  - Where did they (try to) go to?
  - What did they (try to) do?
  - What tools did they use or have or bring?
  - What were their motives?

* Why those goals?
  - How did they get in?
    - How do I fix this?
    - Do *I* have other vulnerable hosts?
  - Where did they come from?
    - Have I seen them before?
    - Did they come from a known "hot spot"?
    - Should I contact the source site? (Are they "owned", too?)
  - Where did they (try to) go to?
    - Did they try to get into my other systems?
    - Who else did they get into?
  - What did they (try to) do?
    - What kinds of traces should I look for?
    - Where should I look?
  - What tools did they use or have or bring?
    - Where else should I look?
    - This may help figure out how they got in.
  - What were their motives?

* Will you have the same goals?
  - Perhaps not.
  - depends on organization's policies
  - lots of possible policies
    - clean up and deny everything
    - remove what can be found
    - restore from backups
    - re-format and re-install
    - perform full forensics
  - do you want to find the intruder (and prosecute) or just "make it stop"?

* kinds of things to look for
  - "evidence" - traces and signs and hints and clues
  - trying to find
    - rootkits
    - sniffers and sniffer logs
    - intrusion tools and logs

* intrusion analysis process
  - document everything
    - use UNIX "script" command
  - only examine a copy of the media, never the original
  - keep goals in mind
  - start with simple things
    - root shell history file
    - log files
    - find set-uid programs
    - other "easy" traces
  - move on to harder things
    - file access and modification times (may be forged!)
    - deleted files

* What is the difference between "data" and "evidence"?
  - data is just data
  - evidence is data that has been analyzed according to accepted scientific process
  - evidence has a trustable history of
    - who found it
    - where it was found
    - who has had access to it since then (chain of custody)

* technique notes
  - use "dd" or other software to make image copy of evidence drive
  - mount "read only"
  - start with the simple stuff (.bash_history :-) ) and work to more complex such as tripwire and high-end forensics tools such as "Encase"
  - "strings" is very helpful in examining binary files (so you don't run suspect software)
  - "cat *" and "echo *" can be a handy substitute for "ls" when doing "live forensics"
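The imaging and "simple things first" steps above, as an added example that is not part of the lecture notes: image the evidence with dd, hash source and copy, log every action, then look for set-uid files in the copy without executing anything on it. The evidence "drive" here is a constructed file standing in for a block device such as /dev/sdb, so the script runs without root; the mount line is shown but not run.

```shell
#!/bin/sh
# Added example, not part of the lecture notes. SRC is normally a block device
# (e.g. /dev/sdb); a constructed file stands in for it so this runs unprivileged.
set -u

# image_and_verify SRC IMAGE LOG -> exit 0 when the image hashes like the source
image_and_verify() {
    src=$1; img=$2; log=$3
    # Document everything: timestamp every action in the case log.
    printf '%s START dd %s -> %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" >>"$log"
    # noerror: keep going past unreadable sectors; sync: pad them so offsets stay
    # aligned. bs=512 matches the sector size, so sync never pads a partial final
    # block (a larger bs would zero-pad a source whose size is not a multiple of
    # bs, and the two hashes below would no longer match).
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'source sha256 %s\nimage  sha256 %s\n' "$src_hash" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# Work only on the copy, mounted read-only (needs root, so not run here):
#   mount -o ro,noexec,noatime,loop evidence.img /mnt/evidence

# find_setuid ROOT -> set-uid regular files under ROOT, one per line. Only
# reads metadata, so nothing on the suspect file system gets executed.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Demo on constructed input: 8 sectors of random bytes as the "drive",
# and a small tree with one set-uid file as the mounted copy.
demo=$(mktemp -d)
dd if=/dev/urandom of="$demo/evidence.raw" bs=512 count=8 2>/dev/null
if image_and_verify "$demo/evidence.raw" "$demo/evidence.img" "$demo/case.log"; then
    echo "image verified; log in $demo/case.log"
else
    echo "HASH MISMATCH: do not proceed with this image"
fi
mkdir -p "$demo/tree/usr/bin"
: >"$demo/tree/usr/bin/odd"; chmod 4755 "$demo/tree/usr/bin/odd"
find_setuid "$demo/tree"
```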