[Chixla] Re: Interesting UUASC meeting on Forensics

SMichelle smichelle at livinglikeapenguin.com
Mon Feb 9 03:08:34 EST 2004


Well, sorry for the both of you that you missed this ... it was quite
good. Soon Yee, Betty, Catherine, and myself (me! a.k.a. Sharon) went,
so I'm sure that if I forget something in my recap below someone will
offer a correction.

The following meeting description follows the handout that the speaker,
Darren S. Hoch, distributed. The handout followed his presentation
pretty closely and includes the Linux commands used to detect a possible
intrusion. I'm not sure how best to make this handout available -- it's
15 pages so scanning and posting seems to be an outrageous bandwidth
waste. The next scheduled meeting is in March, Sunday 3-28, so I'll
tentatively set the meeting agenda to go over his handout and the
commands that were demonstrated when detecting a hacked computer.

First covered was the beginnings of a compromise and the differences
between portscanning, buffer overflows, rootkits and loadable kernel
modules. Then he covered the creation of a statically compiled rescue
disk which includes the commonly used tools in hack detection, i.e., ls,
ps, find, netstat, lsof, truss, md5, ssh, wget, and mdb -- with
compromised systems these would be the tools which are replaced with
rootkited versions. (And I don't know what some of those commands are
... they are future research subjects.)

Darren then covered bound ports and rogue processes and then searching
for the files associated with rootkits and trojan binaries. He then
covered using truss to trace system calls and the different calls made
from legit binaries and trojaned ones. Also covered was the open source
chkrootkit utility http://www.chkrootkit.org/ and tripwire
http://www.tripwire.org/ used to detect rootkit installations.

He then covered, albeit briefly, compromises which involved loadable
kernel modules ... which are near impossible to detect as there is
*nothing* on the system which can be trusted, not even the rescue
utilities on the cd drive. There is a description of one possible method
to detect the installation of rogue loadable kernel modules, but it was
beyond my current level of understanding so I won't even try to give a
description.

The meeting finished with a brief overview and demonstration of the
Solaris-only program called BSM (Basic Security Module) which traces
system calls, login information, and binary execution calls in real
time. The information is stored in a binary file, which can be used as
legal evidence in a computer-related hacking trial. One interesting note
with respect to BSM is that if the file is streamed over a network
connection to another computer or location, then the information
contained in the logs is no longer admissible in a court of law. The
logged information is only admissible if contained *on* the machine
which was being logged, or backed up to a device attached to the
machine, i.e., cd, tape backup, etc.

Well, that's about it. Again, I'll make some copies and bring them to the
next meeting in March.

Let me know if there are any questions.

/SMichelle

> Anybody who went to this meeting and would be willing to debrief me,
> I'd appreciate it. Also, if anybody is actually doing Unix/Linux
> forensics, please get in touch; I may have work assignments for you
> periodically.
> 
> Thanks,
> 
> Monique Bryher
> 818 774-0043
> 
>> -----Original Message-----
>> From: Dianna Del Rio <toocuteforwindws at hotmail.com>
>> Sent: Feb 6, 2004 3:18 PM
>> To: Chixla at linuxchixla.org
>> Subject: [Chixla] Re: Interesting UUASC meeting on Forensics
>> 
>> I'm new to this group but this meeting looks like something right up
>> my alley. My name is Dianna and I am tech support/network support in
>> Riverside. I look forward to getting to know you all and learn from
>> you. Thanks for this info!
>> 
>> Dianna
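The recap above mentions two related ideas from the handout: that rootkits typically replace everyday binaries (ls, ps, netstat, lsof, ...) with trojaned versions, and that tools like tripwire detect this by comparing the binaries on disk against a previously recorded baseline. The script below is an added illustration of that baseline-and-compare idea; it is not from the handout, the meeting, or the tripwire/chkrootkit projects. It hashes a watched set of files, stores the digests, and later reports which files were modified, removed, or newly added. The directory, file contents, and the "trojaned ps" scenario in `demo()` are constructed for the example.

```python
"""Minimal Tripwire-style integrity baseline and comparison (added example).

Not the handout's code and not the tripwire or chkrootkit projects' code.
The file names and the tampering scenario in demo() are constructed.
"""
import hashlib
import os
import tempfile

# Binaries the recap names as common rootkit replacement targets.
WATCHED_TOOLS = ["ls", "ps", "find", "netstat", "lsof"]


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bin_dir, names=WATCHED_TOOLS):
    """Record digest, size and mode bits for each watched file that exists."""
    baseline = {}
    for name in names:
        path = os.path.join(bin_dir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            baseline[name] = {
                "digest": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def compare_baseline(bin_dir, baseline, names=WATCHED_TOOLS):
    """Recompute the records and classify differences against the baseline.

    Returns {"modified": [...], "missing": [...], "new": [...]} with sorted names.
    A change in content, size or mode counts as modified.
    """
    current = build_baseline(bin_dir, names)
    modified = sorted(n for n in baseline if n in current and current[n] != baseline[n])
    missing = sorted(n for n in baseline if n not in current)
    new = sorted(n for n in current if n not in baseline)
    return {"modified": modified, "missing": missing, "new": new}


def demo():
    """Constructed scenario: baseline a fake bin dir, then replace 'ps',
    delete 'lsof', and add a 'netstat' that was not there before."""
    with tempfile.TemporaryDirectory() as bin_dir:
        for name in ["ls", "ps", "find", "lsof"]:
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        baseline = build_baseline(bin_dir)

        # Simulated replacement of ps by a different binary.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced ps\n")
        os.remove(os.path.join(bin_dir, "lsof"))
        with open(os.path.join(bin_dir, "netstat"), "wb") as f:
            f.write(b"#!/bin/sh\necho netstat\n")

        return compare_baseline(bin_dir, baseline)


if __name__ == "__main__":
    print(demo())  # {'modified': ['ps'], 'missing': ['lsof'], 'new': ['netstat']}
```

The caveat the recap itself makes applies here: a comparison is only as trustworthy as the tools used to take it. If the `ls`, `ps`, or even the Python interpreter on the suspect host have been replaced, the baseline run on that host can be lied to, which is why the handout had the check run from statically compiled rescue media and why the baseline should be stored off the machine being checked.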