So you've been broken into, and you're in a bit of a panic about what
to do. You hunt around for help, answers, anything, and perhaps run
across this software or had heard about it in the back of your mind.
Since there's no way we can think of telling you that will soften the
blow, let us simply say it outright - you're out of luck. This set
of forensic tools probably won't help you out unless you've already
looked at it, played with it, and know what the tools do as well as
what to expect from them. The tools will run for a long time, give
no immediate results, and at the end you'll quite possibly be none
the wiser (and perhaps ticked off at wasting your time on our lame and
so-called security tools).
However, since a vast percentage of all security-related actions are in
fact knee-jerk reactions to negative security incidents, we'll assume,
without recrimination, that's why you're here (and, if not,
congratulations! ;-)). If it comforts you to know, it doesn't really
matter how good or careful you are - everyone's systems are at risk at
being compromised, and most long-term Internet denizens have experienced
this negative thrill first-hand (we certainly didn't write this in a
hypothetical vacuum) And while yet another book could easily be written
about dealing with intrusions and security incidents, here's a few quick
pointers and a small bibliography. We'll hope that you at least know the
system fairly well, what it does, what sort of valuable stuff is there
(if anything), and if the system is connected or trusted by any other,
perhaps even more critical systems.
You might skip to the bibliography sections for more detailed ways of
handling troubles and for additional resources.
What to expect
---------------
Running the toolkit (see below) is going to take a lot of time. But
that's nothing compared to the time that people can spend on an incident.
You may get away with a few hours with a "restore service as usual"
response. The more fanatical can spend days or even months in a
virtual pursuit of the intruder(s).
Your basic goal is predicting the past based on the evidence you
gather; as you uncover what happened in the past life of a machine
you can often expect to stumble over evidence of additional break-ins
as well! This is because it is rare to detect a compromise the first
time it happens - more typically a system is compromised several
times before it is found out. In one case we found traces of past
break-ins dating back more than a year, apparently by completely
different parties.
Note that in the course of an investigation - especially when working on
systems with multiple users - you'll frequently come across information
that you'll have no "right" to examine. The legal ramifications are
problematic enough, but the ethical ones are just as - if not more -
serious. Personal correspondence, private notes, and web surfing
patterns are a small sampling of some of the highly sensitive bits of
information stored on computers today. Since even deleted files can
be examined it is imperative that you remain highly scrupulous about
your dealings with such information. If uncertain how to act *always*
err on the side of caution. Never, under any circumstances, use the
information gleaned from an investigation to your or other's personal
advantage.
What you'll need
-----------------
o A pad of paper
o Something to write with
o A secure, *OFF-LINE* location to store information
A second computer that could talk to the network would be a welcome, but
not necessary, aide. A laptop can be used to store results, notes,
and data, but be cautious about who has access to the second system.
Ideally it will only be accessible from you.
Discretion is another fine thing to have. Do not email others about
what is going on (and if you do, at least encrypt it!), don't keep logs
or records of your activities where the wrong people can see it, etc.
On the other hand, strongly consider initiating a dialogue (initially via
the telephone) with an emergency response team (if your own organization
doesn't have a security group or incident response team you can contact
CERT, CIAC, and other FIRST groups) Since by definition a break-in
involves the network, you aren't alone - you can get (or provide) valuable
help if others have encountered the same intruder(s) or type of problem.
What to do
-----------
The first 3 basic steps to handling a "situation" (roughly taken from
the wonderful Criminalistics, An Introduction to Forensic Science, by
Saferstein (see the "bibliography" file) are:
o Secure and isolate the scene
o Record the scene
o Conduct a systematic search for evidence
And while speed is of the essence, attempt to stay calm and don't panic.
And do *NOT* touch the keyboard or the computer yet unless you absolutely
have to.
We repeat. Do *NOT* touch the keyboard or the computer yet.
Did you hear us? STAY AWAY FROM THE COMPUTER! Anything you do will
destroy evidence, so simply don't touch it for now, or do as little as
possible and don't start looking for damage yet.
And while you might get lucky and find all the damage and evidence and
perpetrator immediately, don't get your hopes up too much, this is still
not an exact science, and almost every case has more than its share of
disappointments.
Secure & Isolate
-----------------
If possible, a good first step is to simply disconnect the system from
the network. Pull out the network cable, turn off the wireless NIC,
whatever. Unless you're the one breaking into your own system there's
usually not much an intruder will or can do to harm you when your system
can't talk to anyone. A poor substitute for this is to disable as many
network services as you can (inetd, sendmail, httpd, etc.) This all
serves to isolate the scene of the crime.
Record
-------
Next, pull out a notebook (you know, those old paper things, not a laptop!)
and take stock of the situation. What system is being affected? Note
the time, date, who discovered the problem and how you were made aware of
it. From now on every time you do something try to make a note of the
situation describing what actions were taken, what results were found, and
when & where it all took place.
Evidence
---------
The systematic search for evidence is where the TCT comes into play.
Ideally it would be on a CDROM or other immutable media, ready
for action, or perhaps built and ready to go on another, duplicate,
system clone ready for NFS mounting, or at least close facsimile to the
affected system, or perhaps even on a spare disk lying around somewhere.
Failing all that, having it already precompiled on the system is barely
acceptable; while the intruder could have messed with your toolkit, they
would have had ample opportunity to do a lot more than that prior to your
running it. At the very least know how to get it, drag it down from the
network and get it ready (preferably on a *different* system than the
affected one!)
The easiest way to get started from scratch with the TCT is to type:
make
And hope that there are no grevious errors. Compiling the program after
a break-in is a bad idea (it'll potentially destroy valuable forensic
information), but sometimes there is no help for that.
Once you have the TCT, you'll want to type something like:
script
grave-robber -v /
(The "script" command saves everything that appears or is typed into
a terminal window; type "exit" or "logout" to escape. The "grave-robber"
is the main forensic data collecting agent that TCT has, and the -v
flag gives a verbose listing of what the program does as it runs.)
Have some disk space available (a few hundred megabytes at least) and wait
a long time (30 minutes to several hours) for something to happen. The
-v flag gives you some sense of what is going on, the "script" command
creates a record of what is typed, which is good.
When the grave robber says:
Finished preprocessing your toolkit... you may now use programs or
examine files in the above directories
You should now start to read the TCT documentation. Hopefully you'll
be done before time the program stops. At a minimum read the file
"README.FIRST", as well as everything in the "docs" subdirectory.
By the time the TCT ends its run of data collection, at least a bare-bones
set of data will have been collected and ready to analyze.
More evidence
--------------
After the initial data gathering you should start the analysis of what
it all means, as well as gathering additional information based on that
data. This is the hard part, without a doubt, and, unfortunately, beyond
the scope of this simple document (this is one of the things we knew you
wouldn't like to read here) but you can find additional help at:
http://www.cert.org
(Good general information)
Practical Unix & Internet Security, Garfinkle & Spafford; O'Reilly
(The best book on Unix & Internet security out there, some good
tips on intrusions and other topics.)
One of the more difficult things to judge is how much effort to put
into the analysis. Oftimes the more analytical sweat you emit the
more clarity and understanding you have of the situation. That said,
at times the intruders are more careful and/or skilled than others, and
unfortunately you never know prior to the break-in what to expect.
Indeed, the truly skilled intruders could easily try to fool you
into thinking they're novices by placing some simple blunders that
will easily be caught, obfuscating the real damage or mischief. The
truth is you'll never absolutely, positively know that you've found
all that you can. Experience will be your only guide here.
What next?
-----------
At this point you hopefully have at least some idea of what the extent
of the problem is. It's now time to decide what course of action to
take. Remember all throughout this process to keep your brain in gear -
it doesn't help anyone, least of all yourself, to take uninformed or
ill-though out actions.
While setting your goals - do you want to simply get back to work and
forget about it, catch the miscreant and string them up, monitor the
situation but keep things running, etc. - you'll also need to consider
how much time it will take to accomplish them. As a completely
non-scientific WAG, we came up with this chart:
ACTION EXPERTISE REQUIRED TIME CONSUMED
------- ------------------- --------------
Go back to work None Almost none
Minimal effort Installing system software 1/2 - 1 day
Minimum Recommended Jr. system administrator 1-2 days+
Serious effort Sr. SA 2+ days - weeks
Fanaticism Expert SA days - months+
A tremendous amount of time can be consumed taking care of the problem
at hand, but as a rule of thumb if you don't expend at least a day or
two you're probably short changing yourself and your system - so much
can be done to subvert a system once compromised you owe it to yourself
to put in some time to at least prevent a recurrence.
Many modern organizations now have internal security or response teams,
which should ALWAYS be contacted in the case of security incidents, no
matter how trivial they may initially seem. And while legal counsel
should be sought whenever appropriate, we would highly advise contacting
one of the many free (and often publically funded) incident teams about
the incident. They're very discreet and can often lend significant
technical assistance. The local police and governmental agencies (such
as the FBI and Secret Service in the US) are also increasing the number
of specialized personnel that can lend assistance if the incident is
serious enough.
After performing damage control to any serious bleeding wounds, unless
you're interested in setting a trap or tracking the intruder you should
immediately start securing your system. There are many documents about
this on the Internet (see our bibliography), and many of the operating
system vendors will have a guide on their web sites. In general you'll
want to:
o Create a security policy. This can be the most important
thing you can do - detail what you *want* the systems to
look like so you can actually do it! Documenting the
changes you made to secure your system can be an excellent
start to such a document.
o Install any and all vendor security patches that you can
find on your operating system vendor WWW site.
o Turn off all network services that you don't use, use
one-time passwords (logdaemon and s/key), encrypted
login sessions (ssh), and run security/auditing tools
on your system.
o Learn your system better. Spend more time learning the
ins and outs of your computers, including (especially?)
the capabilities that you don't use.
o Turn on logging & accounting. Almost all systems can be
modified or configured to create more records. Do this -
and look at them!
o Create a baseline. Create backups, run MD5's on your
system files, save the output of a TCT run, etc., and
keep them in a secure place to compare against later on
when you have troubles.
o Regularly audit or at least examine your systems. Need
we say more?
Deleted Data
-------------
Sometimes data will be loss through malice, chance, or simple mistakes.
Unlike PC's the Unix file system is optimized for performance and stability -
but at a price. Files deleted in Unix have a hard time coming back to
life unless a good backup strategy was previously implemented.
TCT has a pair of programs that can potentially help - "unrm" and
"lazarus" - but they are far from being a good, general purpose solution.
Nonetheless they can potentially recover valuable data that was either
left behind by the intruder(s) (break-in tools, files of interest, clues,
etc.) or that were removed. See the individual "unrm" and "lazarus"
documentation for more on these tools.
The Future
-----------
It's rarely entertaining to go through the process of recovering from
a break-in. Our main advice is that you keep your eyes open and learn
from your mistakes - both in the investigative process and the mistakes
that got you in this situation in the first place.
Good, recoverable backups are, without a doubt, your best defense
against computerized disasters of almost any sort. Watch over your
system and be alert, and, most of all, hope you don't have to go
through any of this again!
Bibliography
-------------
[More information can be found in our "bibliography" file.]
Slides of our forensics class & the TCT toolkit - relatively sketchy,
but perhaps of some use:
http://www.fish.com/forensics/
http://www.porcupine.org/forensics/
CERT's (Computer Emergency Response Team) home page, chock-full of
information about how to report & respond to incidents:
http://www.cert.org/
AUSCERT's (Australian CERT) nice Unix checklist about removing common
security vulnerabilities:
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
distrib
>
Mandriva
>
9.1
>
ppc
>
media
>
contrib
>
by-pkgid
>
5e1cf60a1e92dccc53ea673ff3e4aa07
>
files
>
32
