Investigating a computer breach is like investigating a crime
scene. Detectives collect evidence, note any strange clues, and
take inventory on loss and damage. An analysis of a computer
compromise can either be done as the attack is happening or
Although it is unwise to trust any system log files on an
exploited system, there are other forensic utilities to aid in the
analysis. The purpose and features of these tools vary, but they
commonly create bit-image copies of media, correlate events and
processes, show low level file system information, and recover
deleted files whenever possible.
It is also a good idea to record of all of the investigatory
actions executed on a compromised system by using the script command, as in the following example:
Replace <file-name> with
file name for the script log. Always save
the log file on media other than the hard drive of the compromised
system — a floppy disk or CD-ROM works particularly well for
By recording all your actions, an audit trail is created that
may prove valuable if the attacker is ever caught.
Creating a bit-image copy of media is a feasible first step. If
performing data forensic work, it is a requirement. It is
recommended to make two copies: one for analysis and investigation,
and a second to be stored along with the original for evidence in
any legal proceedings.
You can use the dd command that is part
of the coreutils package in Red Hat
Enterprise Linux to create a monolithic image of an exploited
system as evidence in an investigation or for comparison with
trusted images. Suppose there is a single hard drive from a system
you want to image. Attach that drive as a slave to the system and
then use dd to create the image file, such
as the following:
dd if=/dev/hdd bs=1k conv=noerror,sync of=/home/evidence/image1
This command creates a single file named image1 using a 1k block size for speed. The
conv=noerror,sync options force dd to continue reading and dumping data even if bad
sectors are encountered on the suspect drive. It is now possible to
study the resulting image file or even attempt to recover deleted
The topic of digital forensics and analysis itself is quite
broad, yet the tools are mostly architecture specific and cannot be
applied generically. However, incident response, analysis, and
recovery are important topics. With proper knowledge and
experience, Red Hat Enterprise Linux can be an excellent platform
for performing these types of analysis, as it includes several
utilities for performing post-breach response and restoration.
10-1 details some commands for file auditing and management. It
also lists some examples that can be used to properly identify
files and file attributes (such as permissions and access dates) to
allow the collection of further evidence or items for analysis.
These tools, when combined with intrusion detection systems,
firewalls, hardened services, and other security measures, can help
reduce the amount of potential damage when an attack occurs.
For detailed information about each tool, refer to their
respective man pages.
||Creates a bit-image copy (or disk
dump) of files and partitions. Combined with a check of the
md5sums of each image, administrators can compare a pre-breach
image of a partition or file with a breached system to see if the
||dd if=/bin/ls of=ls.dd |md5sum ls.dd
||Finds useful string (text) information inside files and
directories as well as reveals permissions, script changes, file
attributes, and more. Used mostly as a piped command of for
commands like ls, ps, or ifconfig.
||ps auxw |grep /bin
||Prints the strings of printable characters within a file. It is
most useful for auditing executables for anomalies such as
mail commands to unknown addresses or
logging to a non-standard log file.
||strings /bin/ps |grep 'mail'
||Determines the characteristics of files based on format,
encoding, linked-libraries (if any), and file type (binary, text,
and more). It is useful for determining whether an executable such
as /bin/ls has been modified using static
libraries, which is a sure sign that the executable has been
replaced with one installed by a malicious user.
||Searches directories for particular files. It is a useful tool
for searching the directory structure by keyword, date and time of
access, permissions, and more. It can also be useful for
administrators that perform general system audits of particular
directories or files.
||find -atime +12 -name *log* -perm
||Displays file status information, including time last accessed,
permissions, UID and GID bit settings, and more. It can be useful
for checking when a breached system executable was last used or
||Calculates the 128-bit checksum using the md5 hash algorithm.
Use this command to create a text file that lists all crucial
executables that are often modified or replaced in a security
compromise. Redirect the sums to a file to create a simple database
of checksums and then copy the file onto a read-only medium such as
Table 10-1. File Auditing Tools