Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010194549 | CP 016267 | Open Access Computer File | Compact Disk (Open Shelves) | Searching... |
On Order
Summary
Summary
This book addresses topics in the area of forensic analysis of systems running on variants of the UNIX operating system, which is the choice of hackers for their attack platforms. According to a 2007 IDC report, UNIX servers account for the second-largest segment of spending (behind Windows) in the worldwide server market with $4.2 billion in 2Q07, representing 31.7% of corporate server spending. UNIX systems have not been analyzed to any significant depth largely due to a lack of understanding on the part of the investigator, an understanding and knowledge base that has been achieved by the attacker.
The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of loadable kernel Modules and malware.
Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else.
Author Notes
Chris Pogue has spent the past five years as part of the IBM Ethical Hacking Team. He was tasked with emulating the actions of an actual malicious attacker with the intention of assisting customers to identify and eliminate probable attack vectors. Chris has worked on over 3000 exploitation attempts for both internal IBM systems as well as third party customers. Chris is also a former US Army Warrant Officer and has worked with the Army Reserve Information Operations Command (ARIOC) on Joint Task Force (JTF) missions with the National Security Agency (NSA), Department of Homeland Security, Regional Computer Emergency Response Team-Continental United States (RCERT-CONUS), and the Joint Intelligence Center-Pacific (JICPAC). Chris attended Forensics training at Carnegie Mellon University in Pittsburgh, Pennsylvania, and holds a Master's degree in Information Security. He is a Certified Information Systems Security Professional (CISSP) and a Certified Ethical Hacker (CEH). Chris also holds a Top Secret (TS) security clearance from the Department of Defense.
Cory Altheide is a Security Engineer at Google, focused on forensics and incident response. Prior to returning to Google, Cory was a principal consultant with MANDIANT, an information security consulting firm that works with the Fortune 500, the defense industrial base and the banks of the world to secure their networks and combat cyber-crime. In this role he responded to numerous incidents for a variety of clients. Cory has authored several papers for the computer forensics journal Digital Investigation and was a contributing author for UNIX and Linux Forensic Analysis (2008) & The Handbook Of Digital Forensics and Investigation (2010). Additionally, Cory is a recurring member of the program committee of the Digital Forensics Research Workshop (DFRWS).
Table of Contents
| Chapter 1 Introduction | p. 1 |
| History | p. 2 |
| Target Audience | p. 3 |
| What is Covered | p. 3 |
| What is Not Covered | p. 6 |
| Chapter 2 Understanding Unix | p. 9 |
| Introduction | p. 10 |
| Unix, UNIX, Linux, and *nix | p. 10 |
| Linux Distributions | p. 12 |
| Get a Linux! | p. 12 |
| Booting Ubuntu Linux from the LiveCD | p. 15 |
| The Shell | p. 18 |
| All Hail the Shell | p. 20 |
| Essential Commands | p. 20 |
| Highlights of The Linux Security Model | p. 25 |
| The *nix File system Structure | p. 29 |
| Mount points: What the Heck are They? | p. 31 |
| File Systems | p. 34 |
| Ext2/Ext3 | p. 35 |
| Summary | p. 37 |
| Chapter 3 Live Response: Data Collection | p. 39 |
| Introduction | p. 40 |
| Prepare the Target Media | p. 41 |
| Mount the Drive | p. 41 |
| Format the Drive | p. 42 |
| Format the Disk with the ext File System | p. 42 |
| Gather Volatile Information | p. 43 |
| Prepare a Case Logbook | p. 43 |
| Acquiring the Image | p. 55 |
| Preparation and Planning | p. 55 |
| DD | p. 56 |
| Bootable *nix ISOs | p. 60 |
| Helix | p. 60 |
| Knoppix | p. 61 |
| BackTrack 2 | p. 62 |
| Insert | p. 63 |
| EnCase LinEn | p. 63 |
| FTK Imager | p. 65 |
| ProDiscover | p. 68 |
| Summary | p. 70 |
| Chapter 4 Initial Triage and Live Response: Data Analysis | p. 71 |
| Introduction | p. 72 |
| Initial Triage | p. 72 |
| Log Analysis | p. 74 |
| zgrep | p. 76 |
| Tail | p. 76 |
| More | p. 76 |
| Less | p. 77 |
| Keyword Searches | p. 77 |
| strings /proc/kcore-t d > /tmp/kcore_outfile | p. 78 |
| File and Directory Names | p. 79 |
| IP Addresses and Domain Names | p. 80 |
| Tool Keywords | p. 80 |
| Tricks of the Trade | p. 82 |
| User Activity | p. 86 |
| Shell History | p. 86 |
| Logged on Users | p. 87 |
| Network Connections | p. 89 |
| Running Processes | p. 92 |
| Open File Handlers | p. 95 |
| Summary | p. 98 |
| Chapter 5 The Hacking Top 10 | p. 99 |
| Introduction | p. 100 |
| The Hacking Top Ten | p. 104 |
| Netcat | p. 105 |
| Reconnaissance Tools | p. 106 |
| Nmap | p. 106 |
| Nessus | p. 110 |
| Try it Out | p. 111 |
| Configuring Nessus | p. 111 |
| Plug-ins | p. 113 |
| Ports | p. 114 |
| Target | p. 114 |
| Nikto | p. 116 |
| Wireshark | p. 118 |
| Canvas/Core Impact | p. 120 |
| The Metasploit Framework | p. 121 |
| Paros | p. 134 |
| hping2 - Active Network Smashing Tool | p. 138 |
| Ettercap | p. 144 |
| Summary | p. 152 |
| Chapter 6 The /Proc File System | p. 153 |
| Introduction | p. 154 |
| cmdline | p. 155 |
| cpuinfo | p. 155 |
| diskstats | p. 156 |
| driver/rtc | p. 156 |
| filesystems | p. 156 |
| kallsyms (ksyms) | p. 157 |
| kcore | p. 157 |
| modules | p. 158 |
| mounts | p. 158 |
| partitions | p. 159 |
| sys/ | p. 159 |
| uptime | p. 159 |
| version | p. 159 |
| Process IDs | p. 159 |
| cmdline | p. 160 |
| cwd | p. 161 |
| environ | p. 161 |
| exe | p. 161 |
| fd | p. 161 |
| loginuid | p. 162 |
| Putting It All Together | p. 162 |
| sysfs | p. 166 |
| modules | p. 166 |
| block | p. 166 |
| Chapter 7 File Analysis | p. 169 |
| The Linux Boot Process | p. 170 |
| init and runlevels | p. 171 |
| System and Security Configuration Files | p. 173 |
| Users, Groups, and Privileges | p. 173 |
| Cron Jobs | p. 176 |
| Log Files | p. 176 |
| Who | p. 177 |
| Where and What | p. 177 |
| Identifying Other Files of Interest | p. 178 |
| SUID and SGID Root Files | p. 178 |
| Recently Modified/Accessed/Created Files | p. 179 |
| Modified System Files | p. 180 |
| Out-of-Place inodes | p. 180 |
| Hidden Files and Hiding Places | p. 181 |
| Chapter 8 Malware | p. 183 |
| Introduction | p. 184 |
| Viruses | p. 185 |
| Storms on the Horizon | p. 188 |
| Do it Yourself with Panda and Clam | p. 190 |
| Download ClamAV | p. 190 |
| Install ClamAV | p. 190 |
| Updating Virus Database with Freshclam | p. 191 |
| Scanning the Target Directory | p. 192 |
| Download Panda Antivirus | p. 193 |
| Install Panda Antivirus | p. 193 |
| Scanning the Target Directory | p. 193 |
| Web References | p. 194 |
| Appendix Implementing Cybercrime Detection Techniques on Windows and *nix | p. 195 |
| Introduction | p. 196 |
| Security Auditing and Log Files | p. 197 |
| Auditing for Windows Platforms | p. 199 |
| Auditing for UNIX and Linux Platforms | p. 206 |
| Firewall Logs, Reports, Alarms, and Alerts | p. 208 |
| Commercial Intrusion Detection Systems | p. 211 |
| Characterizing Intrusion Detection Systems | p. 212 |
| Commercial IDS Players | p. 217 |
| IP Spoofing and Other Antidetection Tactics | p. 218 |
| Honeypots, Honeynets, and Other "Cyberstings" | p. 220 |
| Summary | p. 223 |
| Frequently Asked Questions | p. 226 |
| Index | p. 229 |
