2.2 Survey and Search Phase: Seeking Evidence under UNIX
This section covers issues and techniques in performing digital forensics under UNIX,
including searching, file recovery and related topics.
There are certain basic differences, as mentioned above, between a forensic examination
done on a UNIX target and one done under Windows. The problems most often encountered
concern the reconstruction of data that has been deleted or scattered around the file
system. They are even more noticeable when dealing with tapes and other kinds of backup
media, which often contain only distributed portions of a backup. In UNIX, furthermore,
a term may not mean the same thing it does on a Windows-based operating system. The
concept of slack space, for example, is slightly different. Since UNIX file systems store
files compactly, with no wasted space except in the last block or fragment of each file,
it can be argued that UNIX has no slack at all. Nevertheless, some third-party (ISV)
forensic analysis products still label the unused tail of that last block as "slack", so
the term will be met in their reports and should be read in that narrower sense.
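The recovery of deleted or scattered data mentioned above is usually done by carving: scanning the raw image for the header and footer byte signatures of known file types, since a deleted file has lost its directory entry but its blocks may still be intact. The following is an added example, not code from the book or from any particular forensic product, of a minimal header/footer carver in the style of tools such as foremost or scalpel. It runs over a constructed 8-block image rather than real evidence; the 4096-byte block size, the 10 MiB search cap and the two-entry signature table are assumptions, while the JPEG and PNG magic values are the real ones. For each hit it also reports the block range occupied and how many bytes of the last block are left over, which is exactly the region the ISV tools label "slack".

```python
"""Signature-based file carving over a raw disk image (added example).

Scans an image for JPEG and PNG header/footer byte signatures, the way
carvers such as foremost or scalpel recover deleted files that no longer
have a directory entry, and reports for each hit the block range it
occupies and how much of its last block is unused ("slack").
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096             # assumed file-system block size
MAX_CARVE = 10 * 1024 * 1024  # assumed cap: stop looking for a footer after this

# Genuine magic numbers: a JPEG starts with SOI (FF D8 FF) and ends with EOI
# (FF D9); a PNG starts with its 8-byte signature and ends with the IEND chunk
# followed by IEND's fixed CRC.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset of the header in the image
    length: int      # bytes carved (through the end of the footer, if found)
    complete: bool   # False when no footer was found within MAX_CARVE

    @property
    def first_block(self) -> int:
        return self.offset // BLOCK_SIZE

    @property
    def last_block(self) -> int:
        return (self.offset + self.length - 1) // BLOCK_SIZE

    @property
    def slack(self) -> int:
        """Unused bytes between the end of the object and the end of its last block."""
        return (-(self.offset + self.length)) % BLOCK_SIZE


def carve(image: bytes) -> List[Carved]:
    """Return every header/footer pair found in ``image``, sorted by offset."""
    hits: List[Carved] = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            body_start = pos + len(header)
            footer_at = image.find(footer, body_start, pos + MAX_CARVE)
            if footer_at == -1:
                # Header with no footer: the file was truncated or partly
                # overwritten. Keep what is there, but flag it as incomplete.
                length = min(MAX_CARVE, len(image) - pos)
                hits.append(Carved(kind, pos, length, False))
                pos = image.find(header, body_start)
            else:
                end = footer_at + len(footer)
                hits.append(Carved(kind, pos, end - pos, True))
                pos = image.find(header, end)
    return sorted(hits, key=lambda c: c.offset)


def build_sample_image() -> bytes:
    """Constructed 8-block image standing in for unallocated space; not real evidence."""
    image = bytearray(8 * BLOCK_SIZE)  # zero-filled
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 5000 + b"\xff\xd9"  # straddles blocks 1 and 2
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND\xaeB`\x82"
    truncated_jpg = b"\xff\xd8\xff\xe1" + b"T" * 300       # header, never an EOI
    for at, blob in ((BLOCK_SIZE + 100, jpg), (4 * BLOCK_SIZE, png),
                     (6 * BLOCK_SIZE + 50, truncated_jpg)):
        image[at:at + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(f"{hit.kind}: offset={hit.offset} length={hit.length} "
              f"blocks {hit.first_block}-{hit.last_block} "
              f"slack={hit.slack} complete={hit.complete}")
```

Run against a real image by replacing `build_sample_image()` with the bytes of a `dd` copy of the device. Two caveats a practitioner will recognise: a real JPEG may contain an embedded thumbnail with its own EOI marker, so a naive footer match can cut the carve short (production carvers validate the internal structure instead of trusting the first footer), and a fragmented file whose blocks are not contiguous will not be recovered whole by any header/footer scan.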
A forensic analysis under UNIX may have two main goals: (1) reconstruction of
events (e.g., an attack); (2) search for evidence of other violations (e.g., pedophilia
or any other abuse of the technology). Depending on the reason for acting, investi-
gators will carry out searches that may be focused on log files rather than on fragments
of evidence. Usually, following an intrusion, a decision is made as to whether to turn
off and disconnect the compromised system. If the system is left on and online to
collect more information on the intrusion and the intruder, keep in mind that it could
be, or could already have been, used as a stepping stone for attacking another site.
In that case it is very important that the police be contacted immediately and that
the recommended measures be taken to reduce the likelihood of this happening. In
many cases, when the system cannot be turned off, a second machine is "associated"
with it on the same network segment, with its interface in promiscuous mode and
running tcpdump, in order to monitor all network traffic in and out of the target in
question without touching the target itself.
At any rate, one of the first things to decide is whether to turn off the
system prior to actually seizing it. The shutdown procedure under UNIX has al-
ways been a source of debate among operators; there is no common agreement,
at least not within the community of practitioners, on what operations have to
be carried out. Hence it is recommended that the Standard Operating Procedures
(SOP) of one's agency or office be followed. Some, for example, believe that be-
fore you turn off a UNIX machine you should change the root password if the
user is logged in as root, the reasoning being that it would otherwise be extremely dif-
ficult to recover the root password later on. This procedure belongs to a rather
outdated SOP; the current consensus is that any operation carried out on
the "original" machine may compromise the integrity of the evidence and hence