operating-system-investigation.md 13165 bytes | 2016-04-10 19:31

Operating System Investigation

Notes from CPNT-250 course at SAIT.

The approach depends on the type of incident, but on a Linux host it usually includes:

  • reviewing logs
  • reviewing relevant files and their timestamps
  • identifying unauthorized user accounts or groups
  • checking the shell history
  • identifying rogue processes and network connections
  • checking for rootkits

Linux

stat

stat - display file or file system status

$ stat favicon.ico
  File: ‘favicon.ico’
  Size: 3262            Blocks: 8          IO Block: 4096   regular file
Device: fd02h/64770d    Inode: 293912      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/   mo)   Gid: ( 1000/ mo)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2016-04-10 18:40:19.631463576 -0600
Modify: 2016-04-09 08:19:50.321826875 -0600
Change: 2016-04-09 08:19:50.321826875 -0600
 Birth: -

  • (M)odified time stamp is updated when the content of the file or directory is written.
  • (A)ccessed time stamp is updated when the content of the file or directory is read. Most current systems mount with relatime (or noatime), so atime is only refreshed when it is older than mtime/ctime or more than a day old; a stale atime does not prove the file was never read.
  • (C)hanged time stamp is updated when the inode is modified: permissions, ownership, link count, and also every content write. Unlike atime and mtime it cannot be set from user space with touch or utime(); the kernel always stamps it with the current clock, which makes it the most trustworthy of the three.
  • (D)eleted time stamp is recorded in the ext2/3/4 inode only when the file is deleted. stat does not show it; a filesystem tool such as debugfs does.
  • Birth (creation) time prints as ‘-’ here because this coreutils/kernel combination does not report it; newer kernels expose it through statx() and newer stat prints it.
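The following script is an added example (not part of the original notes) that walks a scratch file through the operations listed above and records which of the three timestamps each one moves. It uses Linux semantics (on Windows st_ctime is the creation time) and assumes the scratch directory has at least one-second timestamp resolution. The last step shows the timestomping tell: utime() can rewind or advance mtime, but ctime is always "now", so a file whose mtime is later than its ctime has been tampered with.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Sleep between steps so consecutive timestamps differ even on filesystems
# that only keep one-second resolution.
PAUSE = 1.1


def mac_times(path):
    """The three stat timestamps described above, in nanoseconds, plus the mode bits."""
    st = os.stat(path)
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns,
            "ctime": st.st_ctime_ns, "mode": stat.S_IMODE(st.st_mode)}


def mtime_after_ctime(path, tolerance_s=1.0):
    """Timestomping heuristic (Linux semantics): utime()/touch can set mtime to
    anything, but ctime is always stamped by the kernel with the current clock.
    A modify time later than the inode change time cannot arise naturally."""
    st = os.stat(path)
    return st.st_mtime - st.st_ctime > tolerance_s


def demo():
    """Drive a scratch file through the operations the notes list and record
    which timestamps each one moves. Returns {step: mac_times(...)}."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "evidence.txt"          # constructed sample file
        p.write_text("original\n")
        out["create"] = mac_times(p)
        time.sleep(PAUSE)

        p.write_text("rewritten\n")           # content write: mtime AND ctime move
        out["write"] = mac_times(p)
        time.sleep(PAUSE)

        os.chmod(p, 0o600)                    # inode-only change: ctime moves, mtime does not
        out["chmod"] = mac_times(p)
        time.sleep(PAUSE)

        # What `touch -d '1 year ago' evidence.txt` does: atime/mtime rewind,
        # but the kernel still stamps ctime with "now", so ctime > mtime.
        past = time.time() - 365 * 86400
        os.utime(p, (past, past))
        out["backdate"] = mac_times(p)
        out["backdate"]["suspicious"] = mtime_after_ctime(p)

        # Forward-dating is the case the heuristic catches outright.
        future = time.time() + 365 * 86400
        os.utime(p, (future, future))
        out["forward"] = mac_times(p)
        out["forward"]["suspicious"] = mtime_after_ctime(p)
    return out


if __name__ == "__main__":
    for step, t in demo().items():
        print(f"{step:9s}", t)
```

A backdated file does not trip the heuristic (mtime in the past, ctime now, is what a normal chmod or chown also produces), so for that case compare mtime against package manager records or a known-good copy instead.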

Filesystem Hierarchy

FHS is a standard that describes the proper organization and use of the various directories found on Linux systems.

  • /bin: essential binaries for all users
  • /boot: files needed by the system bootloader (kernel, initramfs)
  • /dev: device files
  • /etc: system configuration files
  • /home: user home directories
  • /lib: essential shared libraries and kernel modules
  • /media: mount points for removable media (usually automounted)
  • /mnt: temporary mount points (usually mounted manually)
  • /opt: add-on application packages (outside the system package manager)
  • /proc: virtual filesystem exposing kernel and per-process state; nothing here is on disk
  • /root: root user’s home directory
  • /sbin: essential system administration binaries
  • /tmp: temporary files, writable by everyone and a favourite drop location for attackers
  • /var: variable data such as logs (/var/log), spool files and the cron tables

Ownership and Permissions

Ownership refers to the user and group that a file or directory belongs to, whereas permissions refer to the things these (and other) users can do with or to the file or directory. Ownership and mode changes update the file's ctime, so stat shows when they last happened.

Hidden Files

Files are ‘hidden’ from normal view by beginning the filename with a dot ‘.’. ls omits them unless given -a (or -A, which shows them but drops . and ..).

$ mkdir -p ...
$ ls -a | head -n4
./
../
.../
404.mkd

In the example above ‘.’ refers to the current directory, ‘..’ refers to the parent directory and ‘...’ refers to an actual directory we just created. This is a sneaky way to hide a directory in plain sight: it sorts next to the two entries everyone skips over.

In the next example we are hiding a secret in a file whose name is a single space ‘ ’. It sorts first and shows up as a blank-looking line:

$ echo 'secret' > ' '
$ ls -a | head -n4

 ./
 ../
 .../

In the next example we alias ls to show control characters, then create a filename with a backspace character ‘\b’ between two letters. The terminal honours the backspace, so the name renders as ‘b’ even though the entry on disk is three bytes: ‘a’, 0x08, ‘b’. (When ls writes to a pipe, as here, it emits control characters raw by default; the alias only matters for output to a terminal, where ls replaces them with ‘?’.) ls -b or cat -v shows such names with the control character escaped.

$ alias ls='ls --show-control-chars'
$ echo 'secret' > $'a\bb'
$ ls | head -n2
404.mkd
b
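Rather than eyeballing ls output, an investigator can walk a tree and flag names built from these tricks. The script below is an added example, not from the original notes: it recreates the three cases shown above in a scratch directory, adds a zero-width-space name (a constructed extra case), and reports every entry whose name is dots-only, has leading/trailing whitespace, contains control or format characters, or contains non-ASCII characters that could be homoglyphs. Names that came off disk as invalid UTF-8 are surfaced too, because Python maps those bytes to surrogates, which fall in the same Unicode "C" categories.

```python
import os
import tempfile
import unicodedata
from pathlib import Path


def name_findings(name):
    """Reasons a directory entry name looks designed to escape a casual ls."""
    reasons = []
    if name not in (".", "..") and name.strip(".") == "":
        reasons.append("dots-only name")                      # '...', '....'
    if name != name.strip():
        reasons.append("leading/trailing or all whitespace")  # ' ', 'notes.txt '
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        reasons.append("control or format character")         # \b, ESC, zero-width space, bad UTF-8
    if any(ord(ch) > 0x7F for ch in name):
        reasons.append("non-ASCII (homoglyph risk)")          # Cyrillic 'а' in place of Latin 'a'
    return reasons


def escape(name):
    """Render a name the way `ls -b` would, so it can be read and pasted safely."""
    return name.encode("unicode_escape").decode("ascii")


def scan(root):
    """Walk root and return [(path, reasons)] for every suspicious entry."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = name_findings(name)
            if reasons:
                hits.append((os.path.join(dirpath, name), reasons))
    return sorted(hits)


def demo():
    """Recreate the three tricks from the notes plus one more in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "...").mkdir()                      # mkdir -p ...
        (root / " ").write_text("secret\n")         # echo 'secret' > ' '
        (root / "a\bb").write_text("secret\n")      # echo 'secret' > $'a\bb'
        (root / "404.mkd").write_text("")           # ordinary file, not flagged
        (root / ".bashrc").write_text("")           # ordinary dotfile, not flagged
        (root / "cron\u200b.sh").write_text("")     # zero-width space (constructed extra case)
        return {os.path.relpath(path, d): reasons for path, reasons in scan(d)}


if __name__ == "__main__":
    # On a live host: for path, reasons in scan("/"): ...
    for name, reasons in demo().items():
        print(f"{escape(name)!r:20} {', '.join(reasons)}")
```

Plain dotfiles are deliberately not flagged; there are hundreds of legitimate ones in any home directory, and the interesting question about those is whether they differ from /etc/skel.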

User Accounts

Begin looking for information on user accounts in /etc/passwd. It is world-readable and lists every account with its UID, primary GID, home directory and login shell. The second field is a historical placeholder: since shadow passwords were introduced the hash lives in /etc/shadow, which is readable only by root.

username : password placeholder (‘x’) : user id : group id : comment (GECOS) : home dir : shell

$ cat /etc/passwd | head -n1
root:x:0:0:root:/root:/bin/bash

Look for a second account with UID 0, login shells on accounts that should never log in, and home directories in odd places. /etc/group has a format similar to /etc/passwd.

group name : group password (usually ‘x’) : group id : comma-separated list of members

$ cat /etc/group | head -n1
root:x:0:

/etc/shadow holds the hashed user passwords, one record per account:

username : hash : last change (days since epoch) : min : max : warn : inactive : expire : reserved

‘*’ and ‘!!’ (or a leading ‘!’) in the hash field lock the account: no password will ever match. That is the expected state for daemon and service accounts, which are not interactive users and should not need to log in. If any daemon account has a real hash (a field starting with $1$, $5$, $6$ or similar), or an empty field, which means no password is required at all, it should be investigated.

$ sudo cat /etc/shadow
daemon:*:16232:0:99999:7:::
sssd:!!:16775::::::
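The checks above are mechanical enough to script. The following is an added example, not from the original notes: it parses the three files from strings and reports extra UID 0 accounts, shared UIDs, system accounts with a usable hash or an interactive shell, empty password fields, passwd/shadow mismatches, and membership of privileged groups. The sample data reuses the lines shown above (root, daemon, sssd, mo) plus two constructed bad entries (toor, backup) so that every check fires once; the hashes are placeholders, not real crypt(3) output. UID_MIN and the nologin shell list are assumptions taken from common distribution defaults.

```python
UID_MIN = 1000          # first regular-user UID; UID_MIN in /etc/login.defs (assumption, distro-dependent)
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed samples: the notes' own lines (root, daemon, sssd, mo) plus
# deliberately bad entries (toor, backup). Hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sssd:x:991:985:User for sssd:/:/sbin/nologin
mo:x:1000:1000:mo:/home/mo:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:16775:0:99999:7:::
daemon:*:16232:0:99999:7:::
sssd:!!:16775::::::
mo:$6$saltsalt$placeholderhash:16775:0:99999:7:::
toor:$6$saltsalt$placeholderhash:16775:0:99999:7:::
backup:$6$saltsalt$placeholderhash:16775:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:mo,backup
mo:x:1000:
"""


def parse_colon_file(text, nfields):
    """Split a passwd/shadow/group style file into rows of exactly nfields."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def audit(passwd_text, shadow_text, group_text):
    """Return sorted, human-readable findings for the checks described in the notes."""
    findings = []
    passwd = parse_colon_file(passwd_text, 7)
    shadow = {r[0]: r[1] for r in parse_colon_file(shadow_text, 9)}
    groups = parse_colon_file(group_text, 4)
    by_uid = {}
    for name, pw, uid, gid, gecos, home, shell in passwd:
        uid = int(uid)
        by_uid.setdefault(uid, []).append(name)
        is_system = uid != 0 and uid < UID_MIN
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 but not root")
        if pw != "x":
            findings.append(f"{name}: password field in /etc/passwd is {pw!r}, not 'x'")
        h = shadow.get(name)
        if h is None:
            findings.append(f"{name}: no /etc/shadow entry")
        elif h == "":
            findings.append(f"{name}: empty hash, logs in without a password")
        elif is_system and not h.startswith(("*", "!")):
            findings.append(f"{name}: system account with a usable password hash")
        if is_system and shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: system account with login shell {shell}")
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    known = {r[0] for r in passwd}
    for name in shadow:
        if name not in known:
            findings.append(f"{name}: in /etc/shadow but not in /etc/passwd")
    for gname, gpw, gid, members in groups:
        if gname in PRIVILEGED_GROUPS and members:
            for m in members.split(","):
                findings.append(f"{m}: member of privileged group {gname}")
    return sorted(findings)


if __name__ == "__main__":
    # Live host (as root): audit(open("/etc/passwd").read(), open("/etc/shadow").read(), open("/etc/group").read())
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(finding)
```

Run it against a copy of the files taken from the evidence image rather than the live host where possible; a compromised libc can lie to getpwent(), but it cannot change bytes you read from a mounted image.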

Shell History

The default shell in most Linux distributions is the Bourne Again Shell (bash). Commands typed in interactive sessions are kept in memory and written to a file in the user's home directory called ‘.bash_history’ when the shell exits, so a session that is still open, or one that was killed, may have left nothing on disk yet. The user (or an intruder) can also switch history off with unset HISTFILE, HISTSIZE=0 or history -c, or point HISTFILE at /dev/null, so check the startup files for those as well as reading the history itself.

  • .bash_profile: commands run when a login shell starts. New accounts get the default copy from /etc/skel, so a diff against /etc/skel shows what the user added.
  • .bash_history: audit trail of commands the user has run. It carries no timestamps unless HISTTIMEFORMAT was set.
  • .bash_logout: commands run when a login shell exits. Compare with the copy in /etc/skel.
  • .bashrc: commands run for every interactive non-login shell (and usually sourced from .bash_profile as well).
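The startup-file checks can be automated. The following is an added example, not from the original notes: it scans the bash startup files in one home directory for the settings and commands that disable or wipe history, and checks whether .bash_history itself is missing, empty, or a symlink (typically to /dev/null). The pattern list and the scratch home directory it builds are constructed for the example; the HISTCONTROL match is deliberately reported as a weak signal because ignoreboth is the stock default on some distributions.

```python
import os
import re
import tempfile
from pathlib import Path

# Settings and commands that stop bash from recording history. Each entry:
# (pattern matched against a line with its trailing comment removed, explanation).
HISTORY_KILLERS = [
    (re.compile(r"^\s*unset\s+HISTFILE\b"), "HISTFILE unset: nothing is written at exit"),
    (re.compile(r"\bHISTFILE=(/dev/null|''|\"\")"), "HISTFILE pointed at /dev/null or empty"),
    (re.compile(r"\bHIST(FILE)?SIZE=0\b"), "history size set to zero"),
    (re.compile(r"^\s*history\s+-c\b"), "history -c: in-memory history wiped"),
    (re.compile(r"^\s*set\s+\+o\s+history\b"), "set +o history: recording switched off"),
    (re.compile(r"\bHISTCONTROL=\S*ignore(space|both)"),
     "commands prefixed with a space are not recorded (weak signal, common default)"),
]
RC_FILES = [".bash_profile", ".bash_login", ".profile", ".bashrc", ".bash_logout"]


def scan_home(home):
    """Return [(file, line_number, why)] for one home directory.
    line_number 0 means the finding is about the history file itself."""
    home = Path(home)
    findings = []
    for rc in RC_FILES:
        path = home / rc
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            code = line.split("#", 1)[0]            # drop trailing comments
            for pattern, why in HISTORY_KILLERS:
                if pattern.search(code):
                    findings.append((rc, lineno, why))
    hist = home / ".bash_history"
    if hist.is_symlink():                            # test before exists(): exists() follows the link
        findings.append((".bash_history", 0, f"symlink to {os.readlink(hist)}"))
    elif not hist.exists():
        findings.append((".bash_history", 0, "missing"))
    elif hist.stat().st_size == 0:
        findings.append((".bash_history", 0, "empty"))
    return findings


def demo():
    """Build a scratch home directory with the usual tricks and scan it (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        (home / ".bashrc").write_text(
            "# .bashrc (constructed)\n"
            "export HISTCONTROL=ignoreboth\n"
            "unset HISTFILE   # goodbye audit trail\n"
            "export HISTSIZE=0\n"
        )
        (home / ".bash_logout").write_text("# .bash_logout (constructed)\nhistory -c\n")
        os.symlink("/dev/null", home / ".bash_history")
        return scan_home(home)


if __name__ == "__main__":
    # Live host: for each home in /etc/passwd, scan_home(home)
    for rc, lineno, why in demo():
        print(f"{rc}:{lineno}: {why}")
```

A clean result only means the on-disk configuration is normal; an intruder who ran `unset HISTFILE` interactively leaves no trace in these files, which is why the live shell's environment and the other logs matter too.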

Logs

Most logs are stored in clear text, with a single line per event. The login records below (utmp, wtmp, lastlog) are the exception: they are binary and need last/lastlog (or a parser) to read, and because they are ordinary files writable by root an intruder can edit or truncate them, so corroborate what they say with the text logs.

/var/run/utmp: holds information about active system logons.

$ last -f /var/run/utmp
mo    pts/0        :0               Sat Apr  9 10:17   still logged in
mo    :0           :0               Sat Apr  9 10:17   still logged in
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:35 (1+10:18)

utmp begins Sat Apr  9 10:17:00 2016

/var/log/wtmp: stores logon information long term.

$ last -f /var/log/wtmp  | head -n 5
mo    pts/0        :0               Sat Apr  9 10:17   still logged in
mo    :0           :0               Sat Apr  9 10:17   still logged in
(unknown :0           :0               Sat Apr  9 10:17 - 10:17  (00:00)
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:38 (1+10:21)
mo    pts/0        :0               Sat Apr  9 10:16 - 10:16  (00:00)

/var/log/lastlog is a binary log file that stores the last logon time and remote host for each user on the system. (‘daemon’ shows up in the grep below because it contains ‘mo’; anchor the pattern with ^mo when that matters.)

$ lastlog | grep mo
daemon                                     **Never logged in**
mo            :0                        Sat Apr  9 10:17:23 -0600 2016

  • /var/log/messages (RHEL/CentOS) or /var/log/syslog (Debian/Ubuntu): general syslog catch-all for anything without a more specific log.
  • /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS): authentication attempts, sudo use, ssh logins.
  • /var/log/audit/audit.log: auditd records and SELinux denials.
  • /var/log/boot.log: boot process messages.
  • /var/log/btmp: failed logins, binary like wtmp; read with lastb.
  • On systemd hosts journalctl holds the same events in the binary journal, often with more context than the text files.
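Because utmp and wtmp are fixed-size binary records, they are easy to parse directly, which is useful when `last` is unavailable, when the file came off an image, or when you suspect the binary on the host. The script below is an added example, not from the original notes: it decodes the glibc x86_64 record layout (384 bytes per entry; other architectures differ, and the size check will catch that), pairs logins with logouts the way `last` does, and applies two heuristics: root logging in from a remote host, and a timestamp that runs backwards, which in an append-only file suggests editing or a clock change. The sample file is constructed with the same packer, which is also exactly what a forged wtmp entry looks like; T0 is the boot time from the output above.

```python
import struct
import time

# struct utmp as laid out by glibc on x86_64 Linux (bits/utmp.h): 384 bytes per record.
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec}, ut_addr_v6[4], unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
TYPE_NAMES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
              5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS",
              9: "ACCOUNTING"}
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def cstr(raw):
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Parse the raw bytes of utmp/wtmp/btmp into a list of dicts, in file order."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"{len(data)} bytes is not a multiple of {UTMP_SIZE}: wrong arch or truncated")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": TYPE_NAMES.get(f[0], str(f[0])), "pid": f[1],
                        "line": cstr(f[2]), "id": cstr(f[3]), "user": cstr(f[4]),
                        "host": cstr(f[5]), "time": f[9]})
    return records


def make_record(ut_type, pid, line, user, host, ts, ut_id=b""):
    """Build one record. Used here to construct a sample; it is also all a forger needs."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ut_id, user.encode(),
                       host.encode(), 0, 0, 0, int(ts), 0, 0, 0, 0, 0)


def sessions(records):
    """Pair logins with logouts on the same tty, the way `last` does.
    Returns (user, line, host, login, logout) with logout None if still open."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append((login["user"], login["line"], login["host"], login["time"], r["time"]))
    for login in open_by_line.values():
        out.append((login["user"], login["line"], login["host"], login["time"], None))
    return out


def anomalies(records):
    """Heuristics, not proof: remote root logins, and records whose timestamp runs
    backwards (wtmp is append-only, so time should only move forward unless the
    clock was changed or the file was edited)."""
    flags = []
    for i, r in enumerate(records):
        if r["type"] == "USER_PROCESS" and r["user"] == "root" and r["host"] not in ("", ":0"):
            flags.append(f"record {i}: root logged in from {r['host']} on {r['line']}")
        if i and r["time"] < records[i - 1]["time"]:
            flags.append(f"record {i}: timestamp earlier than record {i - 1}")
    return flags


T0 = 1460218620   # Sat Apr  9 10:17:00 2016 -0600, the boot time in the output above
# Constructed wtmp: a session like the one above, a remote root login, one back-dated record.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T0, b"~~"),
    make_record(USER_PROCESS, 3316, "pts/0", "mo", ":0", T0 + 60),
    make_record(USER_PROCESS, 4201, "pts/1", "root", "203.0.113.7", T0 + 3600),
    make_record(DEAD_PROCESS, 3316, "pts/0", "", "", T0 + 7200),
    make_record(USER_PROCESS, 4300, "pts/2", "mo", ":0", T0 + 1800),
])


if __name__ == "__main__":
    # Live host: recs = parse_utmp(open("/var/log/wtmp", "rb").read())
    recs = parse_utmp(SAMPLE_WTMP)
    for user, line, host, login, logout in sessions(recs):
        end = time.strftime("%H:%M", time.localtime(logout)) if logout else "still logged in"
        print(f"{user:8} {line:8} {host:16} {time.ctime(login)}  {end}")
    for flag in anomalies(recs):
        print("!!", flag)
```

Zeroing a record (the classic "wtmp cleaner" approach) leaves an EMPTY-type entry in the middle of the file, so a run of type 0 records between real ones is itself worth noting.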

Processes

ps - report a snapshot of the current processes. With BSD-style (no dash) options:

  • a: processes of all users, not just the caller's
  • x: include processes not attached to a terminal
  • u: user-oriented format (owner, %CPU, %MEM, start time)
  • f: forest view, so child processes are indented under their parents

$ ps auxf | tail -n10
mo     3315  0.0  0.1  34116 14932 ?        Ss   Apr09   1:25 tmux
mo     3316  0.0  0.0 117208  5272 pts/1    Ss   Apr09   0:00  \_ -bash
mo     9533  0.5  0.2 790752 26568 pts/1    Sl+  18:13   0:54  |   \_ mplayer http://relay1.dubstep.fm
mo     9534  0.1  0.0 651204  7976 pts/1    S+   18:13   0:10  | \_ mplayer http://relay1.dubstep.fm
mo     9763  0.0  0.0 117332  5580 pts/2    Ss   18:14   0:00  \_ -bash
mo     9906  1.4  0.1 168588 22856 pts/2    S+   18:14   2:17  |   \_ vim
mo    13575  0.0  0.0 117408  5888 pts/3    Ss   19:18   0:01  \_ -bash
mo    19003  0.0  0.0 151424  4224 pts/3    R+   20:47   0:00      \_ ps auxf ax
mo    19004  0.0  0.0 107944  1844 pts/3    S+   20:47   0:00      \_ tail -n10
mo     3863  0.0  0.0 180940  4820 ?        Sl   Apr09   0:00 /usr/libexec/dconf-service

Read the tree for things that do not belong: a shell whose parent is a web or database daemon, something shown in [brackets] like a kernel thread whose /proc/<pid>/exe nevertheless resolves to a real binary, an executable that has been deleted from disk since it started, or anything running out of /tmp or /dev/shm. ps only reports what a readdir() of /proc returns, so a rootkit that hooks that call can hide a process from it entirely.

Network Connections

netstat -tulpn lists listening sockets and the process that owns each.

  • -t: TCP
  • -u: UDP
  • -l: listening sockets only
  • -p: PID and program name of the owner (needs root to see other users' processes)
  • -n: addresses and ports as numbers, with no DNS or service-name lookups
  • -a: both listening and non-listening (established) sockets

$ netstat -tunlp | head -n 5
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:17600         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 127.0.0.1:17603         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN      -

The ‘-’ in the last column is the warning in action: port 902 belongs to a process running as another user, so run the command again as root. A socket bound to 0.0.0.0 is reachable from the network; one bound to 127.0.0.1 is not. netstat is deprecated on current distributions, and ss -tulpn gives the same information.

lsof - list open files. Sockets are files too, so lsof -i:PORT answers "which process has this port?" from the other direction.

$ lsof -i:17600
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dropbox 2981 mo      97u  IPv4  32441      0t0  TCP localhost:17600 (LISTEN)
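Both netstat -p and lsof -i get their answers from /proc: the socket table from /proc/net/tcp, and the owning process by matching the socket inode against the targets of /proc/<pid>/fd/*. The script below is an added example, not from the original notes, that does the same thing by hand, so the table can still be read when the netstat and lsof binaries are suspect or missing. The address decoding assumes a little-endian kernel (x86, ARM); the sample /proc/net/tcp is constructed to match the three listeners shown above plus one outbound connection, with the trailing kernel columns abbreviated.

```python
import os
import socket

TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1", 5: "FIN_WAIT2",
              6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT", 9: "LAST_ACK", 10: "LISTEN",
              11: "CLOSING", 12: "NEW_SYN_RECV"}


def decode_ipv4(field):
    """'0100007F:44C0' -> ('127.0.0.1', 17600). The kernel prints the address as one
    host-order 32-bit word, so on little-endian hosts the bytes come out reversed."""
    addr, port = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr)[::-1]), int(port, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into dicts with decoded addresses, state, owner uid and socket inode."""
    rows = []
    for line in text.splitlines()[1:]:             # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_ipv4(f[1]), "remote": decode_ipv4(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_owners():
    """inode -> pid by walking /proc/<pid>/fd, which is how netstat -p and lsof -i
    find the owner. Needs root to see other users' processes; unreadable ones are skipped."""
    owners = {}
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            fds = os.listdir(f"/proc/{pid}/fd")
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners


def listeners_on_all_interfaces(rows):
    """Ports bound to 0.0.0.0, i.e. reachable from the network rather than only localhost."""
    return sorted(r["local"][1] for r in rows
                  if r["state"] == "LISTEN" and r["local"][0] == "0.0.0.0")


# Constructed /proc/net/tcp: the three listeners from the netstat output plus one
# outbound HTTPS connection from 10.0.2.15 to 203.0.113.7 (a documentation address).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:44C0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 32441 1 0000000000000000 100 0 0 10 0
   1: 0100007F:44C3 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 32442 1 0000000000000000 100 0 0 10 0
   2: 00000000:0386 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18822 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:C01A 077100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    # Live host: rows = parse_proc_net_tcp(open("/proc/net/tcp").read()); owners = socket_owners()
    owners = {}
    for r in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        pid = owners.get(r["inode"], "-")
        print(f"{r['local'][0]}:{r['local'][1]:<6} {r['remote'][0]}:{r['remote'][1]:<6} "
              f"{r['state']:12} uid={r['uid']:<5} inode={r['inode']} pid={pid}")
```

/proc/net/tcp is per network namespace and is served by the kernel, so a kernel rootkit can filter it just as it filters /proc; the independent check is a port scan of the host from another machine, compared against this table.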

crontab - maintains crontab files for individual users. crontab -l shows only the invoking user's jobs, so as root check /var/spool/cron (or /var/spool/cron/crontabs) for every user, plus the system-wide /etc/crontab, /etc/cron.d and /etc/cron.{hourly,daily,weekly,monthly}; on systemd hosts persistence can also hide in timer units (systemctl list-timers --all).

$ crontab -l
no crontab for mokha

Windows

  • Registry: hierarchical database that holds configuration for the system and each user. The hive files live under %SystemRoot%\System32\config, with NTUSER.DAT in every user profile.
  • File Metadata: Created, Modified, Accessed times, plus the MFT-entry-modified time that NTFS keeps alongside them.
  • Hibernation File (hiberfil.sys): compressed copy of RAM written to disk when the machine hibernates, so it can contain credentials, keys and process memory from the last session.
  • Prefetch Files: designed to speed up process startup; found in %SystemRoot%\Prefetch, one .pf file per executable with its run count and last run times, which makes them evidence of program execution.
  • Event Logs: System, Security and Application logs (.evtx files under %SystemRoot%\System32\winevt\Logs), viewable on local or remote machines with Event Viewer.
  • Alternate Data Streams: NTFS feature added to support Macintosh HFS resource forks. Can be used to store anything, including executables, invisible to a plain dir listing (format: filename:stream; dir /r lists them).