Introduction to Forensics
Kyle Rankin
Senior Systems Administrator
QuinStreet Inc.
Agenda
- What is Forensics
- MAC Times
- Data Volatility
- Before You Do Anything
- Sleuthkit and Autopsy
- Our Sample Image
- A Forensics Walk-through
What is Forensics
- Forensic science or forensics applies sciences to answer questions in the legal system.
- Often involves clue-gathering/analysis for crimes
- Computer forensics: gathering clues on a computer system(s)
- Many computer forensics tools
- For this talk: Analyzing a break-in
MAC Times
- Extra timestamps on every file
- M: Last time the file contents were Modified
- A: Last time the file contents were Accessed
- C: Last time the file's metadata was Changed
- Examples
Order of Volatility
- Some data "expires" before others
- Network connections
- Running processes
- RAM
- System settings
- Hard Disk
- File system
Before You Do Anything
- Goal: Destroy as few clues as possible
- Develop a break-in policy
- A few basic questions:
- Do I prosecute?
- How do I halt the system?
- How do I image the system?
Sleuthkit and Autopsy
- http://sleuthkit.org
- Series of command line forensics tools
- Can be complicated to use, especially at first
- Autopsy: web-based front-end, case organizer
- To install, use package manager or get source
- To start, run autopsy as root, connect to local url
Our Sample Image
- Standard Ubuntu 5.10 install in a VM on a Tuesday
- Wednesday evening added multiple users with password of "password"
- Started SSH and forwarded external SSH traffic to host
- Tcpdump captured traffic from VM
- Thursday morning admin noticed 3.2 million logged packets
- Then logged into machine, ran lastlog, noticed breach, triggered VMware snapshot, then halted machine
A Forensics Walk-through
Demos are always dangerous...
Questions?
Additional Resources