Forensics with BackTrack and Sleuth Kit
Sleuthing
Once you determine a system has been attacked, boot to the BackTrack Live forensics distro and start your investigation with Sleuth Kit.
Computer crime is a serious problem – in large part because almost all corporate information is now managed on computers rather than through traditional paper and people tools. Your computers and networks represent a juicy target for attackers, and depending on what they want, an attack might be anything from annoying to catastrophic. Because almost all your company information is on computers, anyone who accesses that information with criminal intent will probably leave clues.
One thing attacks have in common is that when you first notice an incident has occurred, you probably won't have all the information you need to deal with it. Lining up the facts sometimes requires a forensic investigation. Was the attack an inside job, or did it make use of an externally available flaw? Did the attacker access a single system, or your whole network? Did the attacker steal data? Plant a virus? Install a rootkit?
The BackTrack Live Linux distro [1] and the Sleuth Kit forensics toolkit [2] will help you gather information about the attack. In this article, I'll show you how to get started with BackTrack and Sleuth Kit, but first, I'll begin with a look at some preliminary steps to take before starting your forensic analysis.
Electronic forensics is a huge topic, and even narrowing it down to just a few tools for Linux systems leaves a lot of material to cover. In this article, I will make the following assumptions:
- You have already tracked down which systems are (likely) compromised. (I will not cover general attack-detection tools such as Snort and Tripwire).
- You will not be going to law enforcement. (There are simply too many issues regarding jurisdiction, collection of evidence, and chain of custody to cover here).
- You are able to shut the affected system(s) down to image them.
- You already have backup and recovery procedures in place.
Although I focus on Linux, the tools I cover can be used to examine other forms of Unix and Windows systems.
Hardware Requirements
Forensics systems require lots of storage. Having too much storage is unlikely. You want enough space for a copy of the evidence, plus some room to work; a safe bet is 2-3 times as much space as the total amount of raw evidence. The good news is that 2TB hard drives are shipping now.
If you want to search for keywords or check for deleted files, you'll want fast disks. The thing to remember is that you are accessing the drives in a manner that is more like a tape drive (steady streaming of extremely large files) than a traditional hard drive (seeking and reading relatively small files). Thus, depending on devices such as RAID products might actually slow things down.
By its very nature, electronic forensics requires the system to process and sort through large amounts of information. Most modern workstations will have a hard drive that is at least 100GB, if not larger. My workstation has a 750GB hard drive that cost US$ 200 when I bought it a half year ago. Searching 100GB of information – let alone 750GB – for key words like "pornography" or a string of credit card numbers requires some pretty hefty CPU power.
The good news is that, like hard drives, CPUs have become extremely fast and cheap. You're going to want to go with at least a dual core chip and plenty of memory to buffer information.
Dead Systems and Live Systems
One major decision you will face is whether or not to shut down the system once you know or suspect that it has been compromised. And if you decide to shut it down, you must decide how to shut it down – in an orderly fashion, or by pulling the power plug? Forensic examination of a live system has several advantages. You can view the process table to see what is running, you can list network connections, and you can copy the contents of memory for later examination.
Also, there are several major disadvantages to investigating a live system, including that what you see might not be what you actually have. Modern rootkits can easily hide processes and data, for example, by inserting kernel-level hooks. A dead system is easier to examine, and you can guarantee that after you turn it off, you have not modified or deleted evidence from the state the system was in.
But how do you turn the system off? An orderly shutdown could trigger programs that clean up after the attacker and delete evidence or, if the attacker is especially nasty, overwrite hard drive firmware or system firmware. However, simply pulling the plug might leave the system in an inconsistent state or prevent data from being written to the hard drives. Examine the issues carefully – the best choice for how to shut down the system will probably depend on what information you want to collect and what you plan to do with it.
Law Enforcement and Rules of Evidence
I am not a lawyer, and this is not legal advice; however, I do know that in some jurisdictions, you can gather evidence within your organization without needing a search warrant. If you decide to go to the police, you might be considered an agent of the police and thus need a search warrant for any further discovery and examination. Additionally, the rules of evidence collections, chain of custody, and accepted tools vary from jurisdiction to jurisdiction. If you do plan to go to the police at any point, you should consult with a lawyer to find out the intricacies, and you should be very careful about documenting everything you do.
Forensics on Linux
The process of collecting and examining evidence from a Linux system follows this general pattern:
- Shut down the affected system.
- Image the hard drive(s).
- Examine the drive image with tools such as Sleuth Kit.
- Process the evidence and information to come to a conclusion.
The following sections take a closer look at this process.
Anti-Forensics
The purpose of forensics is to figure out what happened and find evidence to support decision making or, in some cases, legal action. This takes time, and the more time an attacker can force the process to consume, the more likely they are to escape. Additionally, if an attacker can pollute the evidence by wiping files and data, injecting false data, or modifying what is left, there is a greater chance that real evidence will escape notice. The bad news is that attackers are getting much better at anti-forensics, with a number of advanced toolkits now available.
Shutting Down the Affected System
If at all possible, an orderly shut down is recommended; however, if you have any suspicion that the attacker has left logic bombs or cleanup scripts in place, you should consider pulling the plug. The advantage of shutting down the system is that you can boot off of trusted media, such as a recovery CD or a forensics CD like BackTrack, and create an image of the disk. If you image a live system, it is possible for rootkits to hide information.
Hardware Write Blockers
Consider investing in a hardware write blocker. According to the Forensics Wiki, a write blocker allows "… acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass but by blocking write commands… ."[3]
Typically, a write blocker costs US$ 100-300, and a full kit (for parallel, serial ATA, SCSI, memory cards, USB devices, etc.) can cost between US$ 1,000--2,000. However, the cost of accidently modifying or deleting evidence should be weighed against the cost of the device. (The lack of a write blocker might also be enough to raise a reasonable doubt in a court of law).
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.