Forensics with BackTrack and Sleuth Kit
Once you determine a system has been attacked, boot to the BackTrack Live forensics distro and start your investigation with Sleuth Kit.
Computer crime is a serious problem – in large part because almost all corporate information is now managed on computers rather than through traditional paper and people tools. Your computers and networks represent a juicy target for attackers, and depending on what they want, an attack might be anything from annoying to catastrophic. Because almost all your company information is on computers, anyone who accesses that information with criminal intent will probably leave clues.
One thing attacks have in common is that when you first notice an incident has occurred, you probably won't have all the information you need to deal with it. Lining up the facts sometimes requires a forensic investigation. Was the attack an inside job, or did it make use of an externally available flaw? Did the attacker access a single system, or your whole network? Did the attacker steal data? Plant a virus? Install a rootkit?
The BackTrack Live Linux distro  and the Sleuth Kit forensics toolkit  will help you gather information about the attack. In this article, I'll show you how to get started with BackTrack and Sleuth Kit, but first, I'll begin with a look at some preliminary steps to take before starting your forensic analysis.
Electronic forensics is a huge topic, and even narrowing it down to just a few tools for Linux systems leaves a lot of material to cover. In this article, I will make the following assumptions:
- You have already tracked down which systems are (likely) compromised. (I will not cover general attack-detection tools such as Snort and Tripwire).
- You will not be going to law enforcement. (There are simply too many issues regarding jurisdiction, collection of evidence, and chain of custody to cover here).
- You are able to shut the affected system(s) down to image them.
- You already have backup and recovery procedures in place.
Although I focus on Linux, the tools I cover can be used to examine other forms of Unix and Windows systems.
Forensics systems require lots of storage. Having too much storage is unlikely. You want enough space for a copy of the evidence, plus some room to work; a safe bet is 2-3 times as much space as the total amount of raw evidence. The good news is that 2TB hard drives are shipping now.
If you want to search for keywords or check for deleted files, you'll want fast disks. The thing to remember is that you are accessing the drives in a manner that is more like a tape drive (steady streaming of extremely large files) than a traditional hard drive (seeking and reading relatively small files). Thus, depending on devices such as RAID products might actually slow things down.
By its very nature, electronic forensics requires the system to process and sort through large amounts of information. Most modern workstations will have a hard drive that is at least 100GB, if not larger. My workstation has a 750GB hard drive that cost US$ 200 when I bought it a half year ago. Searching 100GB of information – let alone 750GB – for key words like "pornography" or a string of credit card numbers requires some pretty hefty CPU power.
The good news is that, like hard drives, CPUs have become extremely fast and cheap. You're going to want to go with at least a dual core chip and plenty of memory to buffer information.
Dead Systems and Live Systems
One major decision you will face is whether or not to shut down the system once you know or suspect that it has been compromised. And if you decide to shut it down, you must decide how to shut it down – in an orderly fashion, or by pulling the power plug? Forensic examination of a live system has several advantages. You can view the process table to see what is running, you can list network connections, and you can copy the contents of memory for later examination.
Also, there are several major disadvantages to investigating a live system, including that what you see might not be what you actually have. Modern rootkits can easily hide processes and data, for example, by inserting kernel-level hooks. A dead system is easier to examine, and you can guarantee that after you turn it off, you have not modified or deleted evidence from the state the system was in.
But how do you turn the system off? An orderly shutdown could trigger programs that clean up after the attacker and delete evidence or, if the attacker is especially nasty, overwrite hard drive firmware or system firmware. However, simply pulling the plug might leave the system in an inconsistent state or prevent data from being written to the hard drives. Examine the issues carefully – the best choice for how to shut down the system will probably depend on what information you want to collect and what you plan to do with it.
Law Enforcement and Rules of Evidence
I am not a lawyer, and this is not legal advice; however, I do know that in some jurisdictions, you can gather evidence within your organization without needing a search warrant. If you decide to go to the police, you might be considered an agent of the police and thus need a search warrant for any further discovery and examination. Additionally, the rules of evidence collections, chain of custody, and accepted tools vary from jurisdiction to jurisdiction. If you do plan to go to the police at any point, you should consult with a lawyer to find out the intricacies, and you should be very careful about documenting everything you do.
Forensics on Linux
The process of collecting and examining evidence from a Linux system follows this general pattern:
- Shut down the affected system.
- Image the hard drive(s).
- Examine the drive image with tools such as Sleuth Kit.
- Process the evidence and information to come to a conclusion.
The following sections take a closer look at this process.
The purpose of forensics is to figure out what happened and find evidence to support decision making or, in some cases, legal action. This takes time, and the more time an attacker can force the process to consume, the more likely they are to escape. Additionally, if an attacker can pollute the evidence by wiping files and data, injecting false data, or modifying what is left, there is a greater chance that real evidence will escape notice. The bad news is that attackers are getting much better at anti-forensics, with a number of advanced toolkits now available.
Shutting Down the Affected System
If at all possible, an orderly shut down is recommended; however, if you have any suspicion that the attacker has left logic bombs or cleanup scripts in place, you should consider pulling the plug. The advantage of shutting down the system is that you can boot off of trusted media, such as a recovery CD or a forensics CD like BackTrack, and create an image of the disk. If you image a live system, it is possible for rootkits to hide information.
Hardware Write Blockers
Consider investing in a hardware write blocker. According to the Forensics Wiki, a write blocker allows "… acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands… ."
Typically, a write blocker costs US$ 100-300, and a full kit (for parallel, serial ATA, SCSI, memory cards, USB devices, etc.) can cost between US$ 1,000--2,000. However, the cost of accidently modifying or deleting evidence should be weighed against the cost of the device. (The lack of a write blocker might also be enough to raise a reasonable doubt in a court of law).
Buy this article as PDF