operating-system-investigation

Posted on April 10, 2016 security

Notes from CPNT-250 course at SAIT.

Approach depends on the type of incident. It includes:

  • reviewing logs
  • reviewing relevant files
  • identifying unauthorized user accounts or groups
  • checking the shell history
  • identifying rogue processes
  • checking for rootkits

linux

stat

stat - display file or file system status

 
$ stat favicon.ico
  File: ‘favicon.ico’
  Size: 3262            Blocks: 8          IO Block: 4096   regular file
Device: fd02h/64770d    Inode: 293912      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/      mo)   Gid: ( 1000/      mo)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2016-04-10 18:40:19.631463576 -0600
Modify: 2016-04-09 08:19:50.321826875 -0600
Change: 2016-04-09 08:19:50.321826875 -0600
 Birth: -

  • (M)odified time stamp is updated when the content of the file or directory is written.
  • (A)ccessed time stamp is updated when the content of the file or directory is read.
  • (C)hanged time stamp is updated when the inode is modified (for example a change of permissions or ownership).
  • (D)eleted time stamp is updated only when the file is deleted.
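
To see these rules in action, here is an added example (not from the course notes) that creates a scratch file, then writes, reads and chmods it, recording which of A, M and C moved at each step; the file name and the pause length are arbitrary choices.

```python
import os
import tempfile
import time

# Added example (not from the course notes): perform a write, a read and a
# chmod on a scratch file and record which of the (A)ccess, (M)odify and
# (C)hange timestamps each operation moved. Only os.stat is used.
PAUSE = 1.1  # longer than the coarsest common timestamp granularity (1 s)


def changed(before, after):
    """Return the set of timestamp letters that differ between two stat results."""
    moved = set()
    if after.st_atime_ns != before.st_atime_ns:
        moved.add("A")
    if after.st_mtime_ns != before.st_mtime_ns:
        moved.add("M")
    if after.st_ctime_ns != before.st_ctime_ns:
        moved.add("C")
    return moved


def mac_timeline():
    """Create a file, then write, read and chmod it; return {step: timestamps moved}."""
    steps = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.txt")
        with open(path, "w") as fh:
            fh.write("original\n")
        prev = os.stat(path)

        time.sleep(PAUSE)
        with open(path, "a") as fh:  # writing content moves M, and C because the inode changed
            fh.write("appended\n")
        cur = os.stat(path)
        steps["write"], prev = changed(prev, cur), cur

        time.sleep(PAUSE)
        with open(path) as fh:  # reading content moves A, except on noatime mounts
            fh.read()
        cur = os.stat(path)
        steps["read"], prev = changed(prev, cur), cur

        time.sleep(PAUSE)
        os.chmod(path, 0o600)  # metadata-only change: C moves, A and M do not
        cur = os.stat(path)
        steps["chmod"] = changed(prev, cur)
    return steps
```

Note that a write moves C as well as M, so a file whose M and C differ has had its metadata touched after the last content change, a common sign of timestamp tampering.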

Filesystem Hierarchy

FHS is a standard that describes the proper organization and use of the various directories found on Linux systems.

  • /bin: essential binaries for all users.
  • /boot: files needed for the system bootloader
  • /dev: device files
  • /etc: system configuration files
  • /home: user home directories
  • /lib: essential shared libraries and kernel modules
  • /media: mount points for removable media (usually automounts)
  • /mnt: temporary mount points (usually mounted manually)
  • /opt: add-on application packages (outside of system package manager)
  • /root: root user’s home directory
  • /sbin: system binaries
  • /tmp: temporary files

Ownership and Permissions

Ownership refers to the user and/or group that a file or directory belongs to, whereas permissions refer to what these (and other) users can do with or to the file or directory.

Hidden Files

Files are ‘hidden’ from normal view by beginning the filename with a dot ‘.’.

$ mkdir -p ...
$ ls -a | head -n4
./
../
.../
404.mkd

In the example above ‘.’ refers to the current directory, ‘..’ refers to the parent directory and ‘...’ refers to an actual directory we just created. This is a sneaky way to hide a directory in plain sight.

In the next example we hide a secret in a file whose name is a single space ‘ ’.

$ echo 'secret' > ' '
$ ls -a | head -n4
 
 ./
 ../
 .../

In the next example we alias ls to show control characters. Then we create a filename containing a backspace character ‘\b’; because ls now passes the raw control character through, the terminal erases the ‘a’ and the entry appears as just ‘b’.

$ alias ls='ls --show-control-chars'
$ echo 'secret' > $'a\bb'
$ ls| head -n2
404.mkd
b
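
An investigator wants these tricks to stand out rather than blend in. The following is an added example (not from the course notes) that flags directory entries with dots-only names, whitespace-only or padded names, control characters and invisible Unicode; the sample directory it builds is constructed to mirror the three tricks above.

```python
import os
import re
import tempfile
import unicodedata

# Added example (not from the course notes): flag directory entries built
# with the hiding tricks shown above. Names are only inspected, never opened.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def classify(name):
    """Return the reasons a single filename looks evasive (empty list if none)."""
    reasons = []
    if name not in (".", "..") and set(name) == {"."}:
        reasons.append("dots-only name")
    if name.strip() == "":
        reasons.append("whitespace-only name")
    elif name != name.strip():
        reasons.append("leading/trailing whitespace")
    if CONTROL.search(name):
        reasons.append("control character")
    if any(unicodedata.category(c) in ("Cf", "Zs") and c != " " for c in name):
        reasons.append("invisible unicode character")
    return reasons


def suspicious_entries(directory):
    """Map each evasive entry name in directory to its list of reasons."""
    findings = {}
    for entry in os.listdir(directory):  # listdir never returns '.' or '..'
        reasons = classify(entry)
        if reasons:
            findings[entry] = reasons
    return findings


def make_demo_dir():
    """Build a constructed sample directory mirroring the notes' examples."""
    path = tempfile.mkdtemp()
    os.mkdir(os.path.join(path, "..."))  # the 'mkdir -p ...' trick
    for name in (" ", "a\bb", "404.mkd", ".bashrc"):  # ' ', a<BS>b, two ordinary names
        open(os.path.join(path, name), "w").close()
    return path


if __name__ == "__main__":
    for name, why in suspicious_entries(make_demo_dir()).items():
        print(f"{name!r}: {', '.join(why)}")  # repr makes the hidden bytes visible
```

Ordinary dotfiles such as .bashrc are deliberately not flagged; the point is to surface names that only look like the directory entries you expect.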
  

User Accounts

Begin looking for information on user accounts in /etc/passwd. It contains a list of users and the full path to their home directory. The passwords for user accounts are generally stored in the /etc/shadow file.

username : hashed password (deprecated) : user id : group id : comment : home dir : shell

$ cat /etc/passwd | head -n1
root:x:0:0:root:/root:/bin/bash

The /etc/group file has a format similar to /etc/passwd.

group name : group password hash : group id : csv of group members

$ cat /etc/group | head -n1
root:x:0:

/etc/shadow contains the hashed user passwords. ‘*’ or ‘!!’ in the password field indicates a daemon account: these are not user accounts and should never need to log in. If any daemon account has an actual hash in the password field, it should be investigated.

$ sudo cat /etc/shadow
daemon:*:16232:0:99999:7:::
sssd:!!:16775::::::
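
The checks above (UID 0 accounts, daemon accounts carrying a real hash) are easy to automate. This is an added example (not from the course notes) that reviews constructed /etc/passwd and /etc/shadow contents; the hash values are placeholders and the system-account UID boundary is an assumption that varies by distribution.

```python
# Added example (not from the course notes): review /etc/passwd and
# /etc/shadow for the conditions discussed above. The file contents below
# are constructed; on a live system read the real files instead.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sssd:x:992:987:User for sssd:/:/sbin/nologin
mo:x:1000:1000:mo:/home/mo:/bin/bash
backup:x:0:0::/var/tmp:/bin/sh
"""
SHADOW = """\
root:$6$salt$PLACEHOLDER_HASH:16775:0:99999:7:::
daemon:*:16232:0:99999:7:::
sssd:$6$salt$PLACEHOLDER_HASH:16775::::::
mo:$6$salt$PLACEHOLDER_HASH:16775:0:99999:7:::
backup:!!:16775:0:99999:7:::
"""
SYSTEM_UID_MAX = 999  # assumption: distro-specific boundary for system accounts


def parse_colon_file(text):
    """Yield the colon-separated fields of every non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")


def review_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs that an investigator should look at."""
    findings = []
    shadow = {fields[0]: fields[1] for fields in parse_colon_file(shadow_text)}
    uid_owner = {}
    for name, _, uid, _, _, _, shell in parse_colon_file(passwd_text):
        if uid == "0" and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if uid in uid_owner:
            findings.append((name, f"shares UID {uid} with {uid_owner[uid]}"))
        uid_owner.setdefault(uid, name)
        hashed = shadow.get(name)
        # '*', '!', '!!' or a '!'-prefixed hash mean the password cannot be used
        locked = hashed is not None and hashed.startswith(("*", "!"))
        if hashed is None:
            findings.append((name, "no /etc/shadow entry"))
        elif hashed == "":
            findings.append((name, "empty password field, no password required"))
        elif shell.endswith("nologin") and not locked:
            findings.append((name, "nologin shell but a usable password hash is set"))
        elif int(uid) <= SYSTEM_UID_MAX and name != "root" and not locked:
            findings.append((name, "system account with a usable password hash"))
    return findings
```

On the constructed data this reports the sssd daemon account carrying a real hash and the backup account sharing UID 0 with root, while root, daemon and mo pass.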

Shell History

The default shell in most Linux distributions is the Bourne Again Shell (bash). Commands typed in shell sessions are usually stored in a file in the user's home directory called ‘.bash_history’.

  • .bash_profile: stores the commands that are run when the shell is started. The default copy comes from the /etc/skel directory.
  • .bash_history: audit trail of commands the user has run.
  • .bash_logout: set of commands that are run when the shell exits. The default copy is in the /etc/skel directory.
  • .bashrc: same purpose as .bash_profile.

Logs

Most logs are stored in clear text, with a single line per event.

/var/run/utmp: holds information about active system logons.

$ last -f /var/run/utmp
mo       pts/0        :0               Sat Apr  9 10:17   still logged in
mo       :0           :0               Sat Apr  9 10:17   still logged in
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:35 (1+10:18)

utmp begins Sat Apr  9 10:17:00 2016

/var/log/wtmp: stores logon information long term.

$ last -f /var/log/wtmp | head -n 5
mo       pts/0        :0               Sat Apr  9 10:17   still logged in
mo       :0           :0               Sat Apr  9 10:17   still logged in
(unknown :0           :0               Sat Apr  9 10:17 - 10:17  (00:00)
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:38 (1+10:21)
mo       pts/0        :0               Sat Apr  9 10:16 - 10:16  (00:00)

lastlog is a binary log file that stores the last logon time and remote host for each user on the system.

$ lastlog | grep mo
daemon                                     **Never logged in**
mo            :0                        Sat Apr  9 10:17:23 -0600 2016

Other logs to review:

  • /var/log/messages or /var/log/syslog: catch-all for logs without a more specific destination.
  • /var/log/auth.log: user authentication attempts.
  • /var/log/audit/audit.log: auditd/SELinux events.
  • /var/log/boot.log: boot process logs.

Processes

ps - report a snapshot of the current processes.

  • -a: all users
  • -x: processes not attached to a terminal

$ ps ax | tail -n10
mo     3315  0.0  0.1  34116 14932 ?        Ss   Apr09   1:25 tmux
mo     3316  0.0  0.0 117208  5272 pts/1    Ss   Apr09   0:00  \_ -bash
mo     9533  0.5  0.2 790752 26568 pts/1    Sl+  18:13   0:54  |   \_ mplayer http://relay1.dubstep.fm
mo     9534  0.1  0.0 651204  7976 pts/1    S+   18:13   0:10  | \_ mplayer http://relay1.dubstep.fm
mo     9763  0.0  0.0 117332  5580 pts/2    Ss   18:14   0:00  \_ -bash
mo     9906  1.4  0.1 168588 22856 pts/2    S+   18:14   2:17  |   \_ vim
mo    13575  0.0  0.0 117408  5888 pts/3    Ss   19:18   0:01  \_ -bash
mo    19003  0.0  0.0 151424  4224 pts/3    R+   20:47   0:00      \_ ps auxf ax
mo    19004  0.0  0.0 107944  1844 pts/3    S+   20:47   0:00      \_ tail -n10
mo     3863  0.0  0.0 180940  4820 ?        Sl   Apr09   0:00 /usr/libexec/dconf-service

Network Connections

netstat -tulpn

  • -t: TCP
  • -u: UDP
  • -l: listening
  • -p: list process name
  • -n: addresses as numbers
  • -a: both listening and non-listening

$ netstat -tunlp | head -n 5
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:17600         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 127.0.0.1:17603         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN      -

lsof - list open files

$ lsof -i:17600
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dropbox 2981 mo      97u  IPv4  32441      0t0  TCP localhost:17600 (LISTEN)

crontab - maintains crontab files for individual users.

$ crontab -l
no crontab for mokha

windows

  • Registry: hierarchical database that holds the configuration of the Windows system.
  • File Metadata: Created, Modified and Accessed times.
  • Hibernation File (hiberfil.sys): the contents of memory are written to the hard drive when the system hibernates.
  • Prefetch Files: designed to speed up process startup. Found in %SystemRoot%\prefetch.
  • Event Logs: records of system and application events; admins can view them on local or remote machines.
  • Alternate Data Streams: NTFS feature originally added to support HFS. Can be used to store anything (format: filename:stream).