Unix Security: Diagnostics and Forensics

Printer friendly: DVI | Postscript | PDF |

This document is intended to help Unix/Linux sys-admins with the diagnostic and forensic examination of a machine that has been hacked — or help determine whether a suspect machine has been. Specifically the document describes:

immediate steps to take — a compromise between destroying forensic data and restoring service;
further steps to take in order to determine what has been done and how;
tools available to help.

Contents:

Immediate Steps

Don't Panic! Don't Switch the Machine Off

Background Material

On what you should be looking for
Have you been rooted?
Uncompromised tools and utilities

First Steps --- Make these before you reboot

Find and understand every TCP connection
Determine and understand every Open Port
Survey all network traffic
Find and understand every process
Test for a rootkit

Second Steps

Take a low-level filesystem dump
Boot from a clean medium --- Live CDs
Check both local and remote logs
Establish the date/time of the intrusion and use it
Check for a rootkit --- again

Diagnostic/Forensic Tools 1:

Statically-Linked Binaries on a CD-R
lsof and fuser
chkrootkit and rkhunter
strace --- Spying on Processes and Users
ttylog

Diagnostic/Forensic Tools 2: Network

tcpdump, ngrep and ethereal
ntop and bandwidthd

Diagnostic/Forensic Tools 3: Verify Installed Software

MD5 and Fingerprint Databases
Solaris Fingerprint Database
rpm and apt-get

About this document:

Produced from the SGML: /home/umits/public_html/_unix_security/_reml_grp/diagnostic_forensic_tools.reml
On: 23/10/2005 at 13:29:12
Options: reml2 -i noindex -l long -o html -p multiple