SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

The Chain of Custody for 2010-03-14 - Weekly Tweets

Unix Network and System profiling

It is essential to identify network services running on a UNIX host as a part of any review. To do this, the reviewer needs to understand the relationship between active network services, local services running on the host and be able to identify network behavior that occurs as a result of this interaction. There are a number of tools available for any UNIX system that the reviewer needs to be familiar with.


Netstat lists all active connections as well as the ports on which processes are listening for connections. The command "netstat -p -a --inet" (or the equivalent on other UNIXes) will print this information. Not all UNIX versions support the "-p" option for netstat; in that case other tools may be used.


The command, "lsof" allows the reviewer to list all open files where "An open file may be a regular file, a directory, a block special file, a character

... Continue reading Unix Network and System profiling

Digital Forensics Case Leads: From Cellebrite to celebrities

This week we have news of threats posted on social networks that closed some schools in the US, the takedown of an ISP spreading malware, and Mandiant's State of the Hack webinar. For your reading pleasure there are the SANS Forensic Whitepapers along with posts by Joe Garcia and Lance Mueller. In the tools section: some updated EnScripts, one of our own posts on building an incident response disk, and more.


Good Reads:


Unix Logging

There are a wide variety of logging functions and services on UNIX. Some of these, such as the Solaris audit facility, are limited to a particular variety of UNIX. It is important that the digital forensics analyst become familiar with the logging deployed on the UNIX system that they are reviewing. In particular, have a look at the syslog configuration file and the "/var/log" and "/var/run" directories, and check whether any remote log servers are configured. Syslog is a network service, although it is most commonly run locally; this network capability is what allows logs to be forwarded to a remote system.

Syslog and Other Standard Logs

There are five primary log files that will exist on nearly any UNIX system (the location may vary slightly). These have been listed in the table below.

The 5 primary Unix Log files

  • /var/log/btmp - contains the failed login history
  • /var/log/messages

... Continue reading Unix Logging

Building a UNIX/Linux Incident response / Forensic Disk

There are many Linux distributions readily available. This, however, should not stop you from creating your own version of a UNIX forensic tools disc. Whether you are on Solaris, HP-UX or any other variety of UNIX, it is simple to create a forensic tools CD that can be carried between systems. The added benefit of this method is that the tools do not need to be left on the production server; leaving them there is itself a security risk, and the ability to unmount the CD and take it with you increases security.

The ability to create a customized CD for your individual systems means that the analyst can have their tools available for any UNIX system they need to work with. It may also be possible to create a universal forensic CD. Using statically linked binaries, a single DVD or CD could be created with separate directories for every UNIX variety in use in the organization you are working with. For instance, the same CD could contain a directory called "/Solaris" which would act as the base

... Continue reading Building a UNIX/Linux Incident response / Forensic Disk