SANS Digital Forensics and Incident Response Blog: Tag - unix

Running Malware Analysis Apps as Docker Containers

A new REMnux project initiative provides Docker images of Linux applications useful for malware analysis to offer investigators easier access to malware forensics tools. Docker is a platform for packaging, running and managing applications as "containers," as a lightweight alternative to full virtualization. Several application images are available as of this writing, and you can contribute your own as a way of experimenting with Docker and sharing with the community. Continue reading Running Malware Analysis Apps as Docker Containers

Linux Programming Tools

Digital forensics practitioners, incident responders and *nix system administrators should be aware of programming tools that can aid attackers. It is simple for an attacker to load code when compilers or other tools are installed on a system. In this event, the attacker can simply add any tools that are desired by compiling them on the host. Source code can be uploaded over ASCII connections such as telnet, so even a console can be used to load one's favorite tools when compilers are installed.

In many cases, compilers and other similar tools have been restricted or (ideally) not installed on production systems. Where this is the case, it is still common to discover many related tools (including disassemblers) on a host. Some of these tools are covered in this section. These may allow an attacker to create and load code on a system, so when analysing a compromised host, you need to think beyond gcc and the common compilers.

In many instances, systems

... Continue reading Linux Programming Tools

Understanding *NIX File Linking (ln)

The "ln" command is an important tool in any Unix admin's arsenal and attackers use it too, so it is essential that forensics analysts understand it. It is used to either:

  1. Create a link to a target file with a selected name.
  2. Create a link to a target file in the current directory.
  3. Create links to each target in a directory.

The "ln" command will by default produce hard links. Symbolic links are created with the "-symbolic" option set (or "-s"). In order to create a hard link; the target file has to exist. The primary formats of the commands are:

  • ln [OPTION]... [-T]
  • ln [OPTION]...
  • ln [OPTION]... -t

Some malicious uses of ln are in hiding files, though perhaps not very well, and creating subterfuge by wrapping legitimate programs. The "ln" command need not

... Continue reading Understanding *NIX File Linking (ln)

Unix System Accounting and Process Accounting

Accounting reports created by the system accounting service present the *NIX administrator with the information to assess current resource assignments, set resource limits and quotas, and predict future resource requirements. This information is also valuable to the forensic analyst and allows for the monitoring of system resourcing. This data can be a means of finding what processes and resources have been used and by which user.

When the system accounting has been enabled on a *NIX system, the collection of statistical data will begin when the system starts or a least from the moment that the accounting service is initiated. The standard data collected by system accounting will include the following categories:

  • Connect session statistics
  • Disk space utilization
  • Printer use
  • Process use

The accounting system process starts with the collection of statistical data from which summary reports

... Continue reading Unix System Accounting and Process Accounting

Finer Points of Find

The *NIX "find" command is probably one of the system security tester's best friends on any *NIX system. This command allows the system security tester or digital forensic analyst to process a set of files and/or directories in a file subtree. In particular, the command has the capability to search based on the following parameters:

  • where to search (which pathname and the subtree)
  • what category of file to search for (use "-type" to select directories, data files, links)
  • how to process the files (use "-exec" to run a process against a selected file)
  • the name of the file(s) (the "-name" parameter)
  • perform logical operations on selections (the "-o" and "-a" parameters)

One of the key problems associated with the "find" command is that it can be difficult to use. Many experienced professionals with years of hands-on experience on *NIX systems still find this command to be tricky. Adding

... Continue reading Finer Points of Find