SANS Digital Forensics and Incident Response Blog: Author - craigswright

Unix Logging

There are a wide variety of logging functions and services on UNIX. Some of these, such as the Solaris audit facility, are limited to a particular variety of UNIX. It is important that the digital forensics analyst become familiar with the logging deployed on the UNIX system that they are reviewing. In particular, have a look at the syslog configuration file, the "/var/log" and "/var/run" directories and check if there are any remote log servers. Syslog is a network service that is most commonly run locally. This allows for the capability of sharing logs to a remote system.

Syslog and Other Standard Logs

There are five primary log files that will exist on nearly any UNIX system (the location may vary slightly). These have been listed in the table below.

The 5 primary Unix Log files

  • /var/log/btmp btmp contains the failed login history
  • /var/log/messages

... Continue reading Unix Logging

Building a UNIX/Linux Incident response / Forensic Disk

There are many Linux distributions readily available. This however should not stop you creating your own version of a UNIX forensic tools disc. Whether you are on Solaris, HP-UX or any other variety of UNIX it is simple to create a forensic tools CD that can go between systems. The added benefit of this method is that the tools do not need to be left on the production server. This in itself could be a security risk and the ability to unmount the CD and take it with you increases security.

The ability to create a customized CD for your individual system means that the analyst can have their tools available for any UNIX system that they need to work with. It may also be possible to create a universal forensic CD. Using statically linked binaries, a single DVD or CD could be created with separate directories for every UNIX variety in use in the organization that you are working on. For instance, the same CD could contain a directory called "/Solaris" which would act as the base

... Continue reading Building a UNIX/Linux Incident response / Forensic Disk

An Analysis of SpyKing

In this post, I am going to touch on several methods of analysis used in discovering how a potentially malicious program functions. In this case, I have selected a covert surveillance program called SpyKing. The marketing hype concerning this program states:

"SpyKing Vista Spy secretly logs all keystrokes, web sites, emails, chats & IMs: MSN Messenger, Windows Live Messenger, ICQ, AOL Messenger, AIM, Yahoo! Messenger, Windows Messenger and Skype. Takes screen snapshots at every X seconds like a surveillance camera. Displays exact activities, like MySpace, Facebook, PC games, online searches & shopping, file transfers and webmails. You can receive reports remotely via emails or ftp."

As you can see from the image below, the site has been reported as a known attack site with a number of malicious scripts being located on their system.

Reverse Enginnering Java

You have just come across a site compromise. You believe that the client was impacted due to a malicious java .class file on a rogue website that they visited. The class file is compiled, what can you do?

Luckily, java class files are simple to reverse engineer. In fact, using just the native JDK, the process could not be much simpler (the setting of classpath and ensuring that your java JDK is configured correctly is critical).

At the simplest, the process would be to use the command:

  • javac -c classfile

The '-c' option is used to specify that you want to decompile the java bytecode.

The term 'classfile' is where you specify the file that you are seeking to decode.

When reversing java based malware, the chances are that the code will have been obscured. This means that the stages above are not the totality of accessing the code. Compression and cryptors are some of the methods deployed. This will add a layer of

... Continue reading Reverse Enginnering Java

System State Backup

The Windows system state backup is in effect a backup of the complete system. Everything that is present within the system will be copied as backup so that no data or information is lost whenever there is a system crash or corruption of the driver files, if certain system files stop the system from functioning properly. To perform a forensic analysis of evidence on a Windows system, backing up a system's registry is insufficient. An extensive backup of data is essential so that the system can be secured against any malfunctions.

This is most commonly an issue when conducting a live analysis.

A full system state backup saves the: