Unit 2: Linux/Unix Acquisition 2.1 Linux/Unix Acquisition Acquisition Preparation and System Info...

Acquisition Preparation and System Information Acquisition

>> We covered the general forensic process in unit one.


Now we will study technologies used in computer forensics for the Linux/Unix operating system.


Linux/Unix forensics follows the general forensic process of collecting, preserving,
analyzing, and reporting evidence.


In the next few lectures we will focus on forensic tools and the technologies used
in investigating Linux/Unix systems.


Before we start a forensic investigation, we should have prepared a couple of things.


First is a set of forensic tools, including a bootable live CD.


The reason is simple: you should never trust any tools from the suspect machine,
since it is potentially compromised.


If you have to reboot the suspect machine, you will boot the system using a forensic
bootable CD, because booting a system using its original operating system will modify
data and metadata on the system drives, for example file access times.


When booting using a forensic bootable CD in forensic mode,
the internal suspect hard drive is not touched.


Second is a powerful machine, sometimes called a forensic machine or evidence server.


This system has forensic tools installed and its drives are wiped clean for storing
acquired evidence.


I have to point out that not every tool can be called a forensic tool.


We learned that the Unix command cp is a great sysadmin tool, but it is not a forensic tool,
because copying a file using cp will modify the original file's access time.


This action alters evidence, and in some cases the access time is potentially crucial evidence
for the investigation.


In general, forensic tools have these properties: first,
they must conduct a forensically sound operation, that is, they do not modify evidence;
next, the system analysis tools usually can work with both acquired images and live systems
by taking a partition or disk image as input.


These tools are capable of processing the on-disk data structures themselves, bypassing the kernel's
file system support, because we expect them to show deleted content and other data that is typically hidden.


Now let's move on to the acquisition process for both volatile and non-volatile data.


In this video we will study technologies for volatile data acquisition.


Volatile evidence is evidence that can easily be changed.


Some evidence, for example RAM, is more volatile than other evidence.


If the suspect machine is up and connected, volatile evidence such as running processes,
a memory dump, network connections, and logged-in users is still available to be collected.


Every memory dump will be different since memory is constantly changing.


That's why we should first acquire the data that is most volatile.


A possible order of collection, from most volatile to least volatile
and then non-volatile, is: memory; swap space or page file; network status and connections;
running processes; open files; drives and removable media.


Since you are directly collecting volatile evidence from a suspect machine,
you are inevitably changing data.


To ensure a minimal impact on the original data, you should always try
to use small-footprint tools, and you should always document everything you have done.


Now let me show you some Linux/Unix commands that can be used
to collect valuable system information.


For example, the Linux/Unix command lsof will list all open files
that belong to any active process.


The common syntax is lsof, followed by optional options and then file names or a PID.


If you run lsof without any options, it will list all open files.


The tool is actually quite powerful in the Linux/Unix world
because everything is a file in Linux/Unix.


RAM is a file named /dev/mem, a directory is a file, and even the keyboard maps to a file.


So a file can be a regular file; a directory; a block special file like a hard drive;
a character device file; a library; or a stream network file connected to TCP ports.


Here are some examples of lsof and what they show.


lsof -i followed by an IP address will list the Internet connections belonging to the given IP address.


Now, the next lsof command will list all open IPv4 network files.


And certainly it can list all open files on a device, and it can also
find the process that has a given file open.


Most interestingly, you can use lsof to find malicious processes that use hidden disk space.


Here is the scenario.


If you create a process that opens a file, you can delete the file
while the process is still running.


Since the file is still open in memory, you can continue to write to the file,
but it is invisible to the ls command since you have deleted the file.


lsof +L1 shows you all open files that have a link count less than one.


I assume you have the prior knowledge of the basic Linux/Unix file system
to understand what link count means.


Please review it by yourself if you don't know.


A link count less than one means the file has been requested to be deleted.


Once you find the open file, you can run lsof with the file you found to find
which process has this file open.


Here are the other commands that will provide you useful information
about the live system.


For example, date shows the current system date and time; uptime shows when the system was rebooted;
uname will display system information; ifconfig will display the network interfaces,
where you can find whether an interface is running in promiscuous mode or not;
ps or top show you all the processes; netstat and lsof will show you network connections.


who, w, or users will show you logged-on users.


When we run these commands, where should we save the result or output?


As I mentioned in unit one, we have to redirect the result outside of the suspect machine
to avoid modifying the original evidence.


Commonly you will probably use the redirect operators, > or >>.


Here let me introduce a well-known computer networking utility called netcat
to redirect output to a connected machine.


netcat, in some cases invoked as nc, is designed to read from and write
to network connections using TCP or UDP.


It is a powerful tool with many features, and people call it the Swiss Army knife of
TCP/IP.


How does this tool play a role in the computer forensics field?


Forensic examiners use netcat to transfer or retrieve data
to a forensic workstation over the network.


Here is how it works.


First, set up a netcat listener on the forensic workstation.


Any received data will be stored in a file; in this case we call it meaningful-name.


And we are listening on port 2222.


So in the netcat command, -l means listen, -p is the port, and then the output is redirected to the file meaningful-name.


If we want to send the information of who is currently logged in from the suspect machine
to the forensic workstation (let's say the forensic workstation IP address is 192.168.0.2),
we run who on the suspect machine and pipe its output
to netcat with the listener machine's IP address and the port it is listening on, 2222.


You will notice that besides netcat, there is a similar tool called cryptcat.


cryptcat's functionality is similar to netcat, except that cryptcat encrypts the
data between the sender and the receiver.

 

Collect information from a live system demo


In this exercise, we will try to collect evidence from a live computer.


So here I have an Ubuntu system, and it is potentially compromised.


So, in this case, I cannot trust anything, any tool from this machine.


And I will use my trusted tools from a USB drive mounted on the desktop.


The trusted tools are in its bin directory.


And also, when I run those commands, the output has to be saved outside
this machine, so I will save it into a folder called evidence,
which also resides on my external USB drive.


So, let's start.


Now, for all the steps, for example if I want to run date, I have to redirect and
save that result to my evidence machine.


For simplicity, I will not do that, but assume we will export
everything to the external USB drive.


So, what we'll try here: date.


So this gives us the current date and time from the system.


And after I run all of the commands, I usually will run date again,
so we will know the starting time, the system time when I started these operations,
and then the time when I finished.
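As an added example (it is not part of the lecture or its demo), here is a small POSIX shell wrapper that does what the demo describes by hand: it runs the volatile-data commands named in this unit in volatile-first order, writes each command's output to the evidence folder on the external drive instead of the screen, records a SHA-256 hash of every output file, and brackets the whole run with date at the start and at the end. The paths /media/usb/bin and /media/usb/evidence, the environment variable names, and the optional FORENSIC_HOST streaming (piping each output file to the netcat listener described in the lecture) are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not from the lecture: collect volatile data into an evidence
# directory with timestamps and hashes. All paths below are placeholders.

# Trusted binaries from the examiner's USB drive go first on PATH.
# (Placeholder path; on a real engagement this is the mounted USB bin dir.)
TRUSTED_BIN="${TRUSTED_BIN:-/media/usb/bin}"
PATH="$TRUSTED_BIN:$PATH"
export PATH

# Where output lands. Defaults to a placeholder folder on the USB drive.
EVIDENCE_DIR="${EVIDENCE_DIR:-/media/usb/evidence}"

# Optional: also stream each file to a netcat listener on the forensic
# workstation, which runs `nc -l -p 2222 > meaningful-name` as in the lecture.
FORENSIC_HOST="${FORENSIC_HOST:-}"
FORENSIC_PORT="${FORENSIC_PORT:-2222}"

# collect NAME CMD [ARGS...]
# Runs CMD, saves stdout+stderr to $EVIDENCE_DIR/NAME.txt, appends a SHA-256
# line to hashes.sha256 and a timestamped line (with the exit code) to the log.
# A failing or missing command is recorded, not fatal, so the run continues.
collect() {
    name=$1; shift
    out="$EVIDENCE_DIR/$name.txt"
    rc=0
    "$@" > "$out" 2>&1 || rc=$?
    if [ -n "$FORENSIC_HOST" ]; then
        nc "$FORENSIC_HOST" "$FORENSIC_PORT" < "$out"
    fi
    ( cd "$EVIDENCE_DIR" && sha256sum "$name.txt" >> hashes.sha256 )
    printf '%s  %s  exit=%s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$rc" "$*" \
        >> "$EVIDENCE_DIR/collection.log"
    return 0
}

# Run the unit's commands in volatile-first order, with date first and last.
collect_volatile() {
    mkdir -p "$EVIDENCE_DIR"
    collect 00-date-start date
    collect 01-uptime uptime
    collect 02-uname uname -a
    collect 03-ifconfig ifconfig -a     # may be `ip addr` on newer systems
    collect 04-ps ps -eaf
    collect 05-netstat netstat -an
    collect 06-lsof-net lsof -i 4
    collect 07-lsof-deleted lsof +L1
    collect 08-who who
    collect 09-w w
    collect 99-date-end date
}

# Re-check every recorded hash later (e.g. on the forensic workstation).
verify_evidence() {
    ( cd "$EVIDENCE_DIR" && sha256sum -c hashes.sha256 > /dev/null )
}

# Run the collection when invoked as `sh collect.sh run`.
case "${1:-}" in
    run) collect_volatile && verify_evidence ;;
esac
```

The exit code of each command is kept in collection.log rather than stopping the run, because on a live suspect machine a missing tool (no ifconfig, no lsof) is itself worth recording, and the start and end timestamps still bracket everything that was attempted.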


So now I will introduce a couple of useful tools I mentioned in the class.


For example, uptime.


Uptime supposedly will tell you how long the system has been up.


Understanding that is important.


If a system is compromised and then someone reboots the machine after the incident happened,
the reboot will overwrite lots of critical information.


So, we need to know that.


We need to know when the system was booted.


And then uname -a: this is the command which will give us the Unix/Linux system information.


What this operating system is, the file system, and other information.


ifconfig will display network interface information, and
now a couple of things are important to look at.


We will definitely look at the IP address here.


The IP address.


And also look at whether this interface is in promisc mode or not.


Because if it is in promisc mode, it is listening for all the traffic passing through;
even if a packet is not destined for this machine, it will also collect it.


And most hacked, compromised machines will have promisc mode enabled.


So it will try to listen for everything passed into this network.


Next, certainly we want to look at the processes currently running,
and there are various ways to do that.


If I do ps -eaf.


Now, lots of processes are running, so I pipe to more to see it one page at a time.


So those are the processes currently running.


And then you need to examine the processes, but that information should be saved
into your evidence file to be analyzed later.


Once again, all of those commands' output should not go to the standard output;
it should be redirected to the evidence file on my USB drive.


Next, let's also try to look at some network connections.


Now, there are a couple of ways to do that; one is the famous one called netstat.


If we only look at TCP connections, we do netstat -at, for TCP.


Definitely during your investigation you should look at UDP as well.


So here we just look at TCP connections.


So in this list you can see, especially, that this TCP connection
at port 888 is currently listening.


OK. It is currently listening.


We also talked about lsof.


So if we use lsof, let's say we're only interested in IPv4.


So if you run that, lsof will also give you the open network files.


So it says here the command netcat has PID 2718 and it's listening on port 8888.


So this is quite important information.


And lsof, as we also talked about in the lecture, has other uses, so if I say,
let me look at this process ID, which is 2718: for this process, what are the other files open?


Now you can see so many files opened by this particular PID, 2718.


One more thing I want to mention here is lsof +L1,
which will list the open files that are deleted,
because their link count is less than one.


A link count less than one means those files have been requested to be deleted.


So, surprisingly, we see so many open files.


Those files you will not see using the ls command because they are deleted,
but they are currently still open in memory.
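The "deleted but still open" scenario is described twice in this unit, in the lsof lecture and again in this demo. As an added example (not code from the lecture), the shell script below reproduces it end to end and then detects it by reading /proc directly, which reports the same condition that lsof +L1 and lsof -p PID show: a process holds a file open, the file is unlinked so ls can no longer see it, the process keeps writing, and /proc/PID/fd still points at the file with a "(deleted)" marker. It assumes a Linux /proc filesystem; the temporary file name and the sleeping holder process are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the lecture: find open-but-unlinked files via /proc.
# Assumes Linux /proc. File names below are constructed for the demo.

# Print "PID FD PATH" for each open descriptor whose file was unlinked.
# The kernel appends " (deleted)" to the symlink target in /proc/PID/fd,
# which is the link-count-below-one condition `lsof +L1` reports.
find_deleted_open_files() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid=${fd#/proc/}; pid=${pid%%/*}
                printf '%s %s %s\n' "$pid" "${fd##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# Equivalent of `lsof -p PID`: every file descriptor the process has open.
open_files_of() {
    for fd in /proc/"$1"/fd/*; do
        printf '%s %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null)"
    done
}

# Reproduce the scenario: a background process opens a file on fd 3,
# deletes it, writes to it anyway, and keeps the descriptor open.
# Prints "PID PATH"; the caller kills PID when done.
start_hidden_writer() {
    f=$(mktemp /tmp/hidden.XXXXXX)
    ( exec 3>"$f"; rm -f "$f"; echo "still writing after unlink" >&3; exec sleep 60 ) \
        </dev/null >/dev/null 2>&1 &
    pid=$!
    # Wait until the unlink has happened so the caller sees a stable state.
    i=0
    while [ -e "$f" ] && [ "$i" -lt 30 ]; do sleep 1; i=$((i+1)); done
    echo "$pid $f"
}

# Demo when invoked as `sh hidden.sh demo`: ls cannot see the file, /proc can.
demo() {
    set -- $(start_hidden_writer)
    echo "visible to ls? $( [ -e "$2" ] && echo yes || echo no )"
    echo "open-but-deleted files of PID $1:"
    find_deleted_open_files | grep "^$1 "
    kill "$1"
}

case "${1:-}" in
    demo) demo ;;
esac
```

On a real investigation you would run the same walk with the trusted lsof from the USB drive rather than this script, but the /proc version is useful when the suspect machine has no lsof, and it makes clear what the tool is actually reading.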


There are other tools, for example w, who, or users, which will show you who is currently logged in.


The user. Because the attacker might still be logged in at this point,
this one shows who is currently logged in.


One more thing I want to show you is set-UID programs.


Now, what is a set-UID program?


I know the passwd command is a set-UID program,
so let's see where the passwd command is located: it's in /usr/bin/passwd.


So let's do ls -l /usr/bin/passwd.


Let's look at this one.


Now, interestingly, this file is marked in red on Linux systems.


So, which means alert.


Why? If we look at the permissions, OK, the first field: readable, writable,
so the owner has read, write, and it is supposed to be executable, but there is an s here instead
of x. Instead of x, it is s, which means whoever logs in and then runs this command,
for the duration of running this command, that user has the permissions of the owner
of this file, and the owner of the file is root.


For example, if I am logged in right now as IPAI, I-P-A-I, then when I run passwd,
during that time I will have the permissions of root.


Why does this program have that permission?


Because we can change our own password.


So for example, if I want to change my own IPAI password, I can do that.


To be able to do that, I have to modify two files.


One is actually the passwd file and one is the shadow file.


Both files are owned by root.


Normal users are not supposed to modify them, but because of this set-UID bit,
which means the owner's executable bit is set to s, during that time
you have root privilege, so you can modify those two files.


Once that passwd command is done, you're back to your own normal permissions.


So those types of programs are called set-UID.


Those programs are quite dangerous, but they're useful, because we use them.


We use that to change our own password.


As a forensics investigator, you need to find
out whether there is a malicious set-UID or set-GID program on this machine.


Set-GID, in other words, is when the group position, instead
of executable, is s. So how do we find that?


We can use a very nifty tool everyone probably knows: find.


So if we say find, starting from the root, and I want to find UID zero, which is root-owned,
because a root-owned set-UID program is powerful: during its execution you have root privilege.


And then the permission, -perm, for set-UID is 4000 and for set-GID is 2000.


So you can run it again for 2000, but let's just look into that.


And I don't want to see error messages, because you will see permission denied and lots
of permission denied issues here, so I just send all the error messages
to /dev/null so the output will be cleaner.


Let's try that.


So these are all the set-UID programs on this machine currently.


The output: now we see this one.


Earlier, we looked into passwd.


The passwd command, that's not the passwd file, OK, the passwd command you
run to change your own password.


This is a set-UID program.


Then this is legitimate, because you're supposed to have that.


An investigator will look into this list and try to find any malicious set-UID program.


And you can also use find to find other information.


I will let you try it yourself.


So, to find an executable file that has been modified
within one day or modified recently, and so on.


So, find is a very useful tool.

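As an added example (not code from the demo), the shell functions below wrap the find checks the demo walks through: set-UID files (-perm -4000), set-GID files (-perm -2000), the root-owned set-UID subset (-uid 0), and the "executable modified recently" search the speaker leaves as an exercise (-mtime). Each takes the search root as an argument so the same check can be pointed at a mounted evidence image instead of / on the live machine; error messages go to /dev/null as in the demo. The function names and the demo directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the lecture: find set-UID / set-GID files and
# recently modified executables under a chosen root. Function names are
# this example's own; the find options are the ones the demo uses.

# Set-UID regular files (mode bit 4000) under ROOT.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Set-GID regular files (mode bit 2000) under ROOT.
find_setgid() {
    find "$1" -type f -perm -2000 2>/dev/null
}

# Root-owned set-UID files: the ones that grant root privilege while running.
find_root_setuid() {
    find "$1" -type f -uid 0 -perm -4000 2>/dev/null
}

# Owner-executable regular files modified within the last DAYS days (default 1).
find_recent_executables() {
    find "$1" -type f -perm -100 -mtime -"${2:-1}" 2>/dev/null
}

# Demo when invoked as `sh suid.sh demo [ROOT]`: long listing of every
# set-UID and set-GID file, so the examiner can compare against the
# expected ones (passwd, etc.) and spot anything unfamiliar.
demo() {
    root=${2:-/}
    echo "== set-UID under $root =="
    find_setuid "$root" | while read -r f; do ls -l "$f"; done
    echo "== set-GID under $root =="
    find_setgid "$root" | while read -r f; do ls -l "$f"; done
    echo "== executables modified in the last day under $root =="
    find_recent_executables "$root" 1
}

case "${1:-}" in
    demo) demo "$@" ;;
esac
```

Reviewing the list is still manual work: a set-UID binary in /usr/bin with a familiar name and package is expected, while one in /tmp, a home directory, or with a very recent modification time is what the investigator is looking for.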

 

Reposted from: https://www.cnblogs.com/sec875/articles/10013414.html
