Freeware Forensics Tools for Unix
by Derek Cheng CISSP, GCIH, Procinct Security
last updated November 1, 2001
You are a security specialist brought in to investigate the suspected security compromise of a Unix machine. You are expected to gather as much information as possible without altering or contaminating the evidence. The data you collect must be good enough to determine whether a compromise has actually occurred on the system. During the analysis of data, you will need to create a detailed time-based reconstruction of the attack and compromise. You must also answer questions such as: when and where did the compromise occur, how did the compromise occur, how many systems were affected, and what files were affected. This information is critical in determining who attacked your system, how they gained access, and whether prosecution is justified.
You may need to rely on forensic tools to perform these tasks. Unfortunately, your company cannot afford to purchase expensive commercial forensics tools. Fortunately for you, there are sophisticated forensics tools that can help you accomplish these tasks for free. This article will discuss three popular freeware forensics tools for the Unix platform: The Coroner's Toolkit (TCT), TCTUtils, and Autopsy Forensic Browser. These tools, when used together, offer a comprehensive solution for forensic data gathering.
(While an in-depth discussion of forensics is beyond the scope of this article, readers may want to check out Timothy E. Wright's Field Guide for Investigating Computer Crime.)
In this article, you will learn basic steps to take when gathering data using TCT, TCTUtils, and Autopsy. The following is an overview of these freeware forensic tools, which will then be followed by step-by-step instructions. It is essential to run all of these tools from a source that is known to be good, preferably either from a CD or an analysis test system. Be sure to review the documentation and instructions before using these tools on your system. Readers should note that these instructions are for Linux and may not work with other flavors of Unix.
Overview of Popular Freeware Forensics Tools for Unix
TCT is the leading forensics toolkit on the Unix operating system. Designed by Dan Farmer and Wietse Venema, TCT is a collection of four distinct groups of tools that, when used together, provide powerful techniques for collection and analysis of forensic data with the goal of reconstructing past events. TCT has the ability to analyze activities on a live system and capture current state information that would be difficult to capture manually. It is important to mention that TCT was not designed to collect evidence that would be admissible in court; it was designed to help determine what happened on a compromised machine. TCT includes the following programs:
Written by Brian Carrier, TCTUtils is a collection of utilities that adds functionality to TCT. The following programs are included with TCTUtils.
The Autopsy Forensic Browser is an easy-to-use browser-based GUI for TCT and TCTUtils. It allows an investigator to browse and analyze forensic images at the file, block, and inode level. It also provides a convenient interface for searching for key words in an image.
For these step-by-step instructions, we will be using the Linux file system and a disk image file (dev_hda1.img) created by the Unix dd command.
Throughout these instructions, we will use the following file names and directories:
dev_hda1.img - Name of the image file (/root partition)
/image - Directory where the image is copied to
/mnt/forensics/root - Directory where the image file is mounted
/usr/local/tct-1.07 - Directory where TCT is stored
/usr/local/tctutils-1.01 - Directory where TCTUtils is stored
/usr/local/autopsy-1.01 - Directory where Autopsy Forensic Browser is stored
/tmp/deleted - Directory to store recovered deleted files
Before running any of these tools, we need to perform the following preparation steps:
Create the following directories (the mount point must match the /mnt/forensics/root directory used in the steps that follow):
# mkdir /mnt/forensics
# mkdir /mnt/forensics/root
# mkdir /image
Copy the image file, usually from a CD-ROM, to the /image directory:
# mount /mnt/cdrom
# cp /mnt/cdrom/dev_hda1.img /image
Mount the image file as a loop device to the /mnt/forensics/root directory, making sure that it is mounted read-only.
# mount -o ro,loop,nodev,noexec,nosuid,noatime /image/dev_hda1.img /mnt/forensics/root
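Before running any tool against the mounted image, it is worth confirming that the kernel actually applied the options requested above. The following check is an added example, not part of the original article: it parses /proc/mounts-style lines (a constructed sample is embedded) and reports anything that would let the evidence be written, executed or have its access times changed. Note that the loop option does not appear in /proc/mounts as an option; it shows up as a /dev/loopN device, which is what the check looks for.

```python
# Verify that an evidence image is mounted with the protective options the
# article's mount command sets: ro, nodev, noexec, nosuid, noatime.
REQUIRED = {"ro", "nodev", "noexec", "nosuid", "noatime"}

def parse_mounts(text):
    """Parse /proc/mounts lines into {mountpoint: {device, fstype, options}}."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        dev, mnt, fstype, opts = parts[:4]
        mnt = mnt.replace("\\040", " ")  # /proc/mounts escapes spaces in paths as \040
        mounts[mnt] = {"device": dev, "fstype": fstype, "options": set(opts.split(","))}
    return mounts

def check_evidence_mount(text, mountpoint):
    """Return a list of problems with the mount; an empty list means it is acceptable."""
    m = parse_mounts(text).get(mountpoint)
    if m is None:
        return [f"{mountpoint} is not mounted"]
    problems = []
    if not m["device"].startswith("/dev/loop"):
        problems.append(f"{mountpoint} is not a loop mount ({m['device']})")
    if "rw" in m["options"]:
        problems.append("mounted read-write")
    for opt in sorted(REQUIRED - m["options"]):
        problems.append(f"missing option {opt}")
    return problems

# Constructed sample /proc/mounts content: the second line is what the article's
# mount command should produce, the third is a mount that lost ro and noexec.
SAMPLE = """\
/dev/hda2 / ext3 rw 0 0
/dev/loop0 /mnt/forensics/root ext2 ro,nosuid,nodev,noexec,noatime 0 0
/dev/loop1 /mnt/forensics/other ext2 rw,nosuid,nodev,noatime 0 0
"""

if __name__ == "__main__":
    for mp in ("/mnt/forensics/root", "/mnt/forensics/other", "/mnt/forensics/missing"):
        print(mp, check_evidence_mount(SAMPLE, mp) or "OK")
```

On a real analysis system, pass the contents of /proc/mounts as the first argument instead of the constructed sample.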
Running TCT version 1.07
TCT is a collection of four distinct groups of tools that, when used together, provide powerful techniques for collection and analysis of forensic data
Working on the live system:
Working with the Disk Image:
Running TCTUtils version 1.01
Together with TCT, TCTUtils adds enhanced functionality such as image analysis at the file, block, and inode level.
After installing TCTUtils, do not forget to edit the Makefile and change the TCT_DIR to point to the directory where TCT is stored.
Working with the disk image:
1. To create a better timeline that includes deleted files showing when they were modified, accessed, and deleted:
# cd /usr/local/tct-1.07/bin
# ./grave-robber -m /mnt/forensics/root
# cd /usr/local/tctutils-1.01/bin
# ./fls -m "/mnt/forensics/root/" /image/dev_hda1.img 2 >> /usr/local/tct-1.07/data/[name of directory (localhost.localdomain)]/body
# cd /usr/local/tct-1.07/bin
# ./mactime 4/01/2001 > /tmp/full_mactime.report
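The step above works because grave-robber and fls -m write the same pipe-separated "body" format, so the deleted-file entries from fls can simply be appended before mactime sorts everything into one timeline. The following is an added example (not code from TCT, TCTUtils or the article) that reproduces that sorting step on a constructed body file; it assumes a simplified column layout, a "(deleted)" suffix as the marker for unallocated entries, and epoch-second timestamps, and it honours a mm/dd/yyyy start date the way the mactime 4/01/2001 argument does.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body layout for this example (the real TCT 1.07 body file has more columns).
FIELDS = ["md5", "path", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime"]
# Constructed sample: an old allocated file, a recently changed binary, and one
# unallocated (deleted) entry of the kind fls -m appends; times are UTC epoch seconds.
SAMPLE_BODY = """\
0|/mnt/forensics/root/etc/passwd|2001|-rw-r--r--|0|0|1024|980000000|980000000|980000000
0|/mnt/forensics/root/bin/ls|1234|-rwxr-xr-x|0|0|43000|986090400|986086800|986086800
0|/mnt/forensics/root/tmp/.rk/sniff (deleted)|5678|-rwxr-xr-x|0|0|8192|986090400|986090400|986090400
"""

def parse_start(date_str):
    """mactime-style start date (mm/dd/yyyy, as in 'mactime 4/01/2001') to a UTC epoch second."""
    return int(datetime.strptime(date_str, "%m/%d/%Y").replace(tzinfo=timezone.utc).timestamp())

def parse_body(text):
    """Parse body lines into dicts; the '(deleted)' suffix marks unallocated entries (assumed marker)."""
    entries = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count in body line: {line!r}")
        e = dict(zip(FIELDS, parts))
        for k in ("inode", "size", "atime", "mtime", "ctime"):
            e[k] = int(e[k])
        e["deleted"] = e["path"].endswith("(deleted)")
        entries.append(e)
    return entries

def build_timeline(entries, start=None):
    """One row per (timestamp, file) with an m/a/c flag string as mactime prints it; rows before 'start' are dropped."""
    flags, meta = defaultdict(lambda: [".", ".", "."]), {}
    for e in entries:
        for idx, key in enumerate(("mtime", "atime", "ctime")):
            if start is not None and e[key] < start:
                continue  # outside the requested window
            k = (e[key], e["path"], e["inode"])
            flags[k][idx] = key[0]  # 'm', 'a' or 'c'
            meta[k] = e
    return [{"time": t, "path": p, "inode": i, "mac": "".join(flags[(t, p, i)]),
             "size": meta[(t, p, i)]["size"], "deleted": meta[(t, p, i)]["deleted"]}
            for t, p, i in sorted(flags)]

def format_timeline(rows):
    """Render rows as 'Mon DD YYYY HH:MM:SS size mac inode path' lines (UTC)."""
    return "\n".join("{} {:>8} {} {:>6} {}".format(
        datetime.fromtimestamp(r["time"], tz=timezone.utc).strftime("%b %d %Y %H:%M:%S"),
        r["size"], r["mac"], r["inode"], r["path"]) for r in rows)
```

Running format_timeline(build_timeline(parse_body(SAMPLE_BODY), parse_start("4/01/2001"))) shows the binary's "m.c" row an hour before its ".a." row and the deleted sniffer as a "mac" row at the same second, while the untouched passwd entry falls outside the window.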
Autopsy Forensic Browser
Autopsy merges the information from TCT and TCTUtils into a simple point-and-click GUI.
After installing Autopsy, run the 'configure' program and make sure that you have the correct directories for TCT, TCTUtils, and the Morgue (or image) directory. Next you must edit the 'fsmorgue' file under the /image directory to let Autopsy know how to mount the imaged partitions.
Working with the disk image:
2. To start the Autopsy Forensic Browser:
# cd /usr/local/autopsy-1.01/bin
# ./autopsy [any port number] localhost &
Autopsy will give you a URL to enter into your browser.
TCT, TCTUtils, and Autopsy Forensic Browser are extremely valuable to investigators because sophisticated and comprehensive investigations can be conducted without having to purchase expensive commercial tools. These freeware tools do an excellent job of gathering data. However, the daunting task of data analysis is left to the investigator. Data must still be analyzed manually and formal investigation reports and data sets must be created regardless of whether you wish to prosecute the attacker.
Derek Cheng, CISSP, GCIH, is a Senior Security Engineer at Procinct Security where he consults with clients on emerging security issues. He has extensive knowledge and expertise on numerous security products, technologies, and architectures. Derek's main areas of expertise include security risk assessments, vulnerability testing, and security product analysis and research.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.