December 2, 2003

Forensics is the most demanding part of any crime investigation, since it takes special skills to find evidence without spoiling it.
Computer forensics is more specialized still: the evidence can be buried deep inside the PC, and a single careless action can destroy all of it. Computer forensics therefore deals with gathering as much evidence as possible from the compromised machine without altering it.

Many computer forensic tools are available, such as The Sleuth Kit and TCT (The Coroner's Toolkit). In this article we'll talk about how you can use TCT to gather and analyze evidence, which can then be used to establish exactly what happened on the compromised workstation.

Have you been attacked?
The first question is how to determine that your system has been attacked. To find the answer, look for unusual machine behavior: for example, your hard drive's light may glow continuously, or processor utilization may stay high even when you're not working on the machine. Such signs are only hints, so check them against your system logs before drawing conclusions. The attack can be either physical or over the network.

Oh my God! What next? 
The first thing to do is to isolate the machine from the network so that nobody can reach it remotely. Also, remember that you mustn't restart the affected machine: that would destroy the volatile data in main memory and in swap, and with it much of the evidence. Now use TCT. We will use three of TCT's tools (grave-robber, unrm and lazarus) and a fourth one (dd) that is a standard Linux command. The order in which you use these tools will differ with the type of attack; the sequence below is the one we followed.

Back up your swap area
Usually, a hacker not only runs a script on your computer but also removes that script from your hard disk afterwards. Fragments of such scripts may still survive in the swap area, as long as the system has not been rebooted. So, once you know that your system has been attacked, you should first take an image of your swap to analyze later. Before running any command, start the script command so that a log is kept of everything you do on the system; this will help you reconstruct the steps you followed. Write that log, and every other output, to removable media or a network share rather than to the compromised disk: every write to the local disk can overwrite free blocks that still hold deleted evidence (the unrm step below depends on them). So mount the removable disk or network share first, then start logging:

#script /mnt/output/script.log

Now take the backup of the swap partition with dd:

#dd bs=1024 if=/dev/hdxy of=/mnt/output/swap.out

Here /dev/hdxy stands for the partition used as your swap partition. You can find it by running fdisk -l (it is the partition of type 82); cat /proc/swaps lists the swap devices actually in use. /mnt/output is the non-local media mounted for taking the backup, and swap.out is the file that will contain the image of the swap partition.

Install TCT
It's not safe to install TCT on the compromised machine, as building and installing it there would overwrite evidence. So it is best to build it on another machine running the same OS version, copy the compiled TCT tree to read-only media (like a CD) and run the commands from there. To do so, take a machine with a fresh installation of Linux on it, copy the tct-1.12.tar.gz file from this month's DVD and run the following commands.

#cp tct-1.12.tar.gz ~
#tar -zxvf tct-1.12.tar.gz
#cd tct-1.12
#make

Now burn the tct-1.12 folder to a CD-ROM, or copy it to a floppy and write-protect it. Two caveats: grave-robber and lazarus are Perl scripts, so they depend on the perl interpreter of the machine they run on, and grave-robber gathers much of its data by running system utilities such as ps and netstat from the suspect host. A rootkit that has replaced those binaries can hide the intruder from it, so where you can, carry trusted, statically linked copies of those utilities on the same read-only media.

Find the hacker
The grave-robber is a tool that collects as much data as possible. It runs a series of Linux commands such as top and finger, plus some special commands of its own, to capture the current state of the hacked machine, saves the results in a sub-directory and creates an MD5 checksum for each output file. 

It then writes the MD5 checksums of all the collected files into a single file and takes an MD5 checksum of that file in turn, so that any later modification of the evidence can be detected. This only holds if the checksum files themselves are kept where the intruder cannot reach them, so store them on read-only or offline media together with a written record of the top-level hash. MD5 is no longer collision-resistant, so if the evidence may be challenged, record SHA-256 checksums alongside it.
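The following shell functions are an added example, not code from the article or from TCT: they put the two steps above together, imaging a device with dd as in "Back up your swap area" and then sealing the image with checksums the way grave-robber seals its output, adding SHA-256 beside MD5. All paths and file names (swap.out, HASHES_all) are this example's own assumptions; in place of /dev/hdxy, a constructed file stands in for the device.

```shell
#!/bin/sh
# Added example (not from the original article or TCT): image a device, then
# seal the image with a two-level checksum list as grave-robber does.
# Paths are assumptions; a constructed file replaces /dev/hdxy when testing.

# image_and_hash SRC DEST
# Copy SRC to DEST in 1 KiB blocks. conv=noerror keeps going past read errors
# on a failing disk and conv=sync pads short reads so block offsets stay
# aligned; both matter on real media and are harmless on a clean image.
# Then record MD5 and SHA-256 of the image next to it (DEST.md5, DEST.sha256).
image_and_hash() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=1024 conv=noerror,sync 2>/dev/null || return 1
    md5sum "$dest" > "$dest.md5" || return 1
    sha256sum "$dest" > "$dest.sha256" || return 1
}

# seal_hashes DIR
# Gather every *.md5 and *.sha256 list in DIR into one file, HASHES_all, and
# checksum that list too (HASHES_all.md5). Write the resulting hash down
# elsewhere: tampering with an image or with its checksum file then changes a
# value that is not stored with the evidence.
seal_hashes() {
    dir=$1
    : > "$dir/HASHES_all"
    for f in "$dir"/*.md5 "$dir"/*.sha256; do
        case $f in "$dir"/HASHES_all.md5) continue ;; esac
        [ -f "$f" ] && cat "$f" >> "$dir/HASHES_all"
    done
    md5sum "$dir/HASHES_all" > "$dir/HASHES_all.md5"
}

# verify_image DEST
# Recompute both checksums of one image from its stored lists; succeeds only
# if neither has changed. Run before analysis and again before reporting.
verify_image() {
    dest=$1
    md5sum -c "$dest.md5" >/dev/null 2>&1 &&
        sha256sum -c "$dest.sha256" >/dev/null 2>&1
}

# verify_seal DIR
# Check the sealed list itself, then every MD5 (32 hex) and SHA-256 (64 hex)
# entry inside it against the files they describe.
verify_seal() {
    dir=$1
    md5sum -c "$dir/HASHES_all.md5" >/dev/null 2>&1 || return 1
    grep -E '^[0-9a-f]{32}  ' "$dir/HASHES_all" | md5sum -c - >/dev/null 2>&1 || return 1
    grep -E '^[0-9a-f]{64}  ' "$dir/HASHES_all" | sha256sum -c - >/dev/null 2>&1
}
```

On a live case the calls would be `image_and_hash /dev/hdxy /mnt/output/swap.out`, then `seal_hashes /mnt/output` once all images and grave-robber output are on the media, and `verify_seal /mnt/output` each time the evidence is taken out of storage. The `-c` checks read the paths stored in the list files, so keep the images at the paths they were hashed under or edit the lists accordingly.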

(Figure: A deleted mail retrieved by Lazarus.)

By analyzing the output of grave-robber you can learn a great deal: the account the intruder used to connect to your machine, the IP address and host he connected from, and the commands he ran. It also lists the executables that have been deleted from disk but are still running, which helps you understand what was actually executed on your machine. 
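The functions below are an added example, not code from the article or from TCT, showing the idea behind grave-robber's removed_but_running directory: a binary that has been unlinked from disk is still readable through /proc/PID/exe while the process runs, and the kernel marks the link target with " (deleted)". The output directory and file names are this example's own assumptions; the test constructs its own deleted-but-running process instead of relying on a real intrusion.

```shell
#!/bin/sh
# Added example (not from the original article or TCT): find processes whose
# executable has been deleted and copy the binary back out of /proc.
# The output layout (OUTDIR/PID.exe etc.) is an assumption of this example.

# list_deleted_running
# Print "PID PATH" for every process whose /proc/PID/exe link points at a file
# that no longer exists. Once the inode is unlinked the kernel appends
# " (deleted)" to the link target, so that suffix is the marker to look for.
# Processes the caller may not inspect are skipped silently.
list_deleted_running() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            *' (deleted)') printf '%s %s\n' "${p##*/}" "${exe% (deleted)}" ;;
        esac
    done
}

# recover_deleted_running OUTDIR
# For each such process copy the still-open executable to OUTDIR/PID.exe,
# save its original path and command line, and checksum the copy so the
# recovered binary can be tied to this capture later. Run as root on a real
# case, otherwise only your own processes are visible.
recover_deleted_running() {
    out=$1
    mkdir -p "$out" || return 1
    list_deleted_running | while read -r pid path; do
        cp "/proc/$pid/exe" "$out/$pid.exe" 2>/dev/null || continue
        printf '%s\n' "$path" > "$out/$pid.path"
        # argv is NUL-separated in /proc/PID/cmdline; make it readable
        tr '\000' ' ' < "/proc/$pid/cmdline" > "$out/$pid.cmdline" 2>/dev/null
        md5sum "$out/$pid.exe" >> "$out/MD5_exe"
    done
    return 0
}
```

Grave-robber's pcat and proc directories go further than this (process memory, open file descriptors and environment), but this is the check to run first: a long-running process whose binary no longer exists on disk is rarely legitimate.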

To run grave-robber, mount a network share or removable drive to receive the output. Then mount the CD or floppy containing the TCT binaries compiled in the previous step, change into the tct-1.12 directory on it and run the following command as root.

#bin/grave-robber -d /mnt/output/tct-data -v /

Here, /mnt/output is the mounted network or removable media; -d names the directory that will receive the collected data and -v makes grave-robber report what it is doing. 

This command will take a long time to complete and will produce a large tree of directories under /mnt/output/tct-data. The directory tree will contain the following folders.

command_out: Output of the commands grave-robber runs, such as top and finger, each saved in a file named after the command. Beside each file is another with the same name and an .md5 extension, holding the MD5 checksum of that output file.
removed_but_running: Copies of deleted files that are still open or still running in memory.
user_vault: Copies of sensitive per-user files for all users, such as .bash_history (the record of the commands the user typed) and SSH keys.
trust: The trust relationships of the machine, i.e. hosts that could also have been compromised.
pcat: Memory images of the running processes.
proc: Information captured from the /proc filesystem for each running process.

Recover deleted files 
Even if a hacker created and then removed a script from your system, deleted valuable files, or rebooted the machine, you can often recover the data with the remaining tools. For this you have to use Lazarus. Lazarus takes a raw image of any file or device, splits it into blocks and groups the blocks under categories such as text, graphics and C code. Here, we will run Lazarus on two files: first on the image of the swap partition that we created earlier, and then on the output we get after running the unrm command on the / partition. So, let's first understand what unrm does.

unrm is similar to the dd command, which can create an image of any media or device. The only difference is that it copies only the free space, since a deleted file leaves its data in blocks that are now marked free in the file system. So, to create an image of the free space of your compromised machine's root file system, run the following command.

#bin/unrm /dev/hdxy > /mnt/output/unrm.out

Here /dev/hdxy is now the partition holding /, not the swap partition. The output must go to the mounted output media and never to the file system being imaged: writing to it would reallocate and overwrite the very blocks you are trying to recover. You can also run this command right after backing up your swap area and keep the file for further analysis.

Now, run Lazarus on both files (the output of dd and of unrm) to extract the data from them. Create the output directories first; -D names the directory for the recovered blocks, -H and -w the locations for the HTML output:

#mkdir -p /mnt/output/unrm/blocks /mnt/output/unrm/html
#bin/lazarus -h -H /mnt/output/unrm -D /mnt/output/unrm/blocks -w /mnt/output/unrm/html /mnt/output/unrm.out
(for unrm)
#mkdir -p /mnt/output/swap/blocks /mnt/output/swap/html
#bin/lazarus -h -H /mnt/output/swap -D /mnt/output/swap/blocks -w /mnt/output/swap/html /mnt/output/swap.out
(for swap)

This will result in a large amount of data, and there are two ways to search it. First, if you know that particular files were deleted, search for their content in the /mnt/output/unrm/blocks or /mnt/output/swap/blocks folder by running egrep with a keyword that you know occurs in the document. Second, if you don't know what you are looking for, use the main HTML file created by Lazarus. You will find it in the /mnt/output/unrm folder (to navigate the data from free disk space) and the /mnt/output/swap folder (to navigate the data from swap) under the name of the image you analyzed with an .html extension, i.e. unrm.out.html and swap.out.html. This file contains a map of the image in which each block is linked to the page showing its recovered contents, and the pages are grouped by file type.

(Figure: An example of the main HTML file. The different characters show different file types, such as t for a text file.)

For example, a text block appears as a 't' in the map and a mail as an 'M'; the colour and character codes are listed in a legend kept in the same location as the HTML file. The name of the file will be something like or 

So, for example, if you want to look for mail, click one of the 'M' characters on the map and you will be taken to the first recovered mail. From there, follow the 'Next block of the same type' link at the top of the page to open the next recovered mail.
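To make the map and the egrep search above concrete, here is a miniature of what Lazarus does, written as an added example; it is not Lazarus code and not from the article. The image is cut into 1 KiB blocks, each block is classified by content and written to a blocks directory, a one-line map with one character per block is printed, and a second function does the keyword search over the recovered blocks. The type codes ('.', 't', 'M', 'b') and block file names are this example's own simplification, not the far richer set Lazarus uses; the test builds a constructed four-block image in place of a real swap or unrm dump.

```shell
#!/bin/sh
# Added example (not from the original article or Lazarus): cut an image into
# blocks, classify each block, print a map, and grep the recovered blocks.
# Type codes and the block.NNNNN naming are this example's own assumptions.

BLOCK_SIZE=1024

# classify_block FILE -> prints one character:
#   .  block is entirely zero (unused space)
#   b  contains bytes that are not printable text (binary data)
#   M  text that carries a mail header (From: / Subject: at a line start)
#   t  other printable text
classify_block() {
    f=$1
    # NUL bytes are padding, not content, so they are ignored throughout.
    if [ "$(LC_ALL=C tr -d '\000' < "$f" | wc -c | tr -d ' ')" -eq 0 ]; then
        printf '.'
    elif [ "$(LC_ALL=C tr -d '\000\011\012\015\040-\176' < "$f" | wc -c | tr -d ' ')" -gt 0 ]; then
        printf 'b'
    elif LC_ALL=C tr -d '\000' < "$f" | grep -Eq '^(From|Subject): '; then
        printf 'M'
    else
        printf 't'
    fi
}

# map_image IMAGE BLOCKDIR -> prints the map (one character per block) and
# leaves every block in BLOCKDIR/block.NNNNN for later inspection
map_image() {
    img=$1
    dir=$2
    mkdir -p "$dir" || return 1
    size=$(wc -c < "$img" | tr -d ' ')
    nblocks=$(( (size + BLOCK_SIZE - 1) / BLOCK_SIZE ))
    i=0
    while [ "$i" -lt "$nblocks" ]; do
        blk=$(printf '%s/block.%05d' "$dir" "$i")
        dd if="$img" of="$blk" bs="$BLOCK_SIZE" skip="$i" count=1 2>/dev/null
        classify_block "$blk"
        i=$((i + 1))
    done
    printf '\n'
}

# search_blocks BLOCKDIR PATTERN -> names of the blocks whose contents match
# PATTERN (an extended regular expression): the egrep step from the text
search_blocks() {
    LC_ALL=C grep -lE -- "$2" "$1"/block.* 2>/dev/null
}
```

Run `map_image /mnt/output/swap.out /mnt/output/swap/myblocks` to see how the map in the HTML file is derived, and `search_blocks /mnt/output/swap/myblocks 'Subject: '` to find mail by keyword. Classifying per block is why Lazarus can label a fragment it cannot attribute to any file: the block content alone decides the type.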

From this you can see how powerful the tool is and the kind of information it can extract from your system. 

Anindya Roy
