CMPS 340 - Lab 04

Lab 04: Collecting Live Data from a Unix/Linux Machine

Resources:

CMPS 150 Assignments
Lecture Notes posted on Moodle
Additional Notes for Ch 06

Introduction

In this lab you will perform the four phases in a forensics investigation vis-a-vis live data on a running Unix or Linux computer. Your job is to analyze the data and determine the crime.

The first phase is to "tag and bag" the live evidence. Live evidence is anything that would be lost after the computer is powered down. In addition, if you intend to pull-the-plug and duplicate the disk, you need to gather the information in order to do so (number and size of disks, type of disks, partition information and so forth).

The second phase is "evidence extraction." This is where you extract relevant data from the data you collected. It takes some skill and experience for this phase not be become the "looking-for-a-needle-in-a-haystack-where-did-the-last-four-hours-go" phase. There is benefit in close inspection once to understand what is happening at that level - you just don't want to do it every time.

The third phase is "evidence analysis." It is here that you try to determine what crime was committed and how it was done.

The final phase involves creating a reasonable response plan based on what you learned from the investigation so far.

The #1 goal when gathering information from a running system is to do so WITHOUT leaving any traces (artifacts). You must show due diligence not to modify anything on the hard drive of the suspect machine and to preserve any evidence you extract in a forensically sound way. To prove due diligence document everything you do. For this lab just create a logfile of all commands that you execute.

In a real investigation, you would usually use a flash drive or external drive to store the evidence, rather than creating a file on the suspect machine. To do this, you would find out the device name for the drive and then use the mount command to add the drive to the filesystem.

The following command will give you the device name for your drive, such as /dev/sde1

   dmesg | grep usb

Next, you find a mount point. Usually there is an /mnt or /media directory on Linux. You may need to select a subdirectory out of that directory (such as /mnt/usb or /media/hd). Use the ls command to see what exists:

   ls /mnt
   ls /media

Use the mount command from this information:

   mount /dev/sde1 /mnt

Use standard redirection to send the output of a command to a file on the drive:

   <command> >> /mnt/logfile.txt

When done, use the umount command (Linux equivalent of "eject") to remove the drive from the system:

   umount /mnt

You do not need to download any tools for this lab. Use the commands on the suspect machine (not a good idea in practice). You will need super-user privilege which you can get with sudo.

Step 1.

Start VMware Workstation (Applications->System Tools->VMware Workstation) and accept the license if prompted. Do NOT boot the Windows virtual machine. For today's lab, select "Open a Virtual Machine", then navigate to and double-click cs340/vmware/Linux/etch.vmx and then "Power on".

When prompted if you "moved" or "copied" the virtual machine, select "I copied it". It will take a while for the virtual machine to boot up since it has not been used for quite some time.

Step 2.

When the machine has finished booting, it will present a text logon prompt. Click on the virtual machine window to let VMware take keyboard input (hit CTRL-ALT at any time to return the keyboard and mouse to the CS340 desktop).

Logon with the 'student' username and password that you use to logon to the desktop for the department lab machines. Immediately sudo to root.

   sudo -s

Give the 'student' password when prompted for the password by sudo.

Step 3.

Because you are dealing with a copy of a virtual machine, you will need to enable network access. Normally, you would not do this on a real investigation (and instead you would use a flash drive to store information), but VMware is not playing nice with flash drives.

To enable networking, do the following as root:

rm /etc/udev/rules.d/z25_persistent-net.rules
shutdown -r now

After the system reboots, log back in and sudo to root following Step 2's instructions. Verify that you have networking by issuing the command:

ifconfig eth0

You should be given networking information (IP address, netmask, etc) if the virtual machine has an active network connection.

Live Evidence Collection Phase

At a minimum you will need to run the commands below. Refer to the lecture notes and additional resources on Moodle for background.

   date                   # get date
   sudo -s                # to get super-user access 
   mount                  # list all mounted disks
   df -k                  # get disk sizes
   fdisk -l /dev/sda      # get partition information off a device
   w                      # view who is currently logged in (utmp) 
   whoami                 # display your username
   last -10               # view last 10 login/outs on the system (wtmp)
   uname -a               # get Unix version, processor type, and more
   ifconfig               # display network interface configuration
   ps -ef                 # list all processes running on the system
   ls -al /proc           # list virtual files associated with processes 
   netstat -an            # list network connections
   crontab -l             # list scheduled processes
   lsof -p {pid}          # list all open files for a particular process
   file {filename}        # find out the file type      
   {command}              # any other Ch 6 command not listed above except dd

Send the output of each information gathering command into a logfile with redirection. This is similar to what we did for Lab 3. For example, to redirect the output of date to the logfile, use:

date >> /root/logfile.txt

When you are done gathering the information, send logfile to your cs340 desktop by using the scp command. First, use CTRL-ALT to return the keyboard and mouse to the CS340 desktop and open a Terminal on the cs340 desktop. Find out your host's VMware IP address with the following command:

/sbin/ifconfig vmnet8

Look for the "inet addr" line and use that IP address as the vmwareIPaddress in the following scp command. Click back on your etch virtual machine to transfer the keyboard to the virtual machine and type the following command:

scp /root/logfile.txt cs340@<vmwareIPaddress>:Desktop/

Use CTRL-ALT to transfer the keyboard and mouse control back to the desktop and continue on to the analysis portion of the lab.

Don't forget to shutdown your etch virtual machine with the command

    shutdown -h now

when you are done with this lab.

Evidence Extraction and Analysis Phase

Now you must extract pertinent data from everything you collected and analyze that data to determine what activity is occuring on the computer. Review the output of your live data collection. Find the suspicious processes that is currently running (there is one). Find one process that is scheduled to run. Now answer these questions:

What suspicious process is running on the machine? What does the process do?
What is the location of the log file for the process in #1 and what type of file is it?
There is a suspicous scheduled process on the machine. What is it and what does it do?

What to Submit for this Lab

Submit the following:

If your logfile.txt file is smaller than 2MB, upload it. Otherwise, upload the first 2MB of the file (use a text editor to make it small enough for Moodle's upload limit).
Submit your answers to the questions in the Analysis Phase in the text box on Moodle or by uploading an OpenOffice, PDF or DOC file.