Tuesday, August 27, 2019

E-crime investigation. Security breach on a Linux Operating System Assignment

If we elaborate on these further, the first time stamp, named 'modify' or 'mtime', is updated when the content of a file is changed or modified. Likewise, for a directory, this time stamp is updated when files within that directory are changed, modified or deleted. The second time stamp, known as 'atime', is updated when a file is accessed or executed. The third time stamp, 'change' or 'ctime', is updated when the data structure in which the file system keeps a file's metadata (owner, group name, access rights and so on) is modified. During a forensic investigation, MAC times can therefore provide comprehensive clues, provided they have not been altered, because they illustrate the changes that occurred on the file system. Andy will use the mactime program, which is part of the TCT (The Coroner's Toolkit) tool kit, to print the MACtimes for a series of files and obtain an in-depth view of what actually happened and how the hacker compromised the system. The mactime program builds a database of the time stamps linked with the files of the system (Nemeth, Snyder et al. 2007). It was detected that on September 20, i.e. a few days after the initial compromise of the system, the hacker entered the system via telnet and started manipulating the file system and the server. The output below demonstrates the evidence:

    Sep 20 00 15:46:05 31376 .a. -rwxr-xr-x root root /mount/usr/sbin/in.telnetd
    Sep 20 00 15:46:39 20452 .c -rwxr-xr-x root root /mount/bin/login
    ...

One hour after the system was compromised, a directory named /dev/ttypq/ was created on the file system, and soon a suspicious, unknown file appeared and was modified on the file system.
The most suspicious files were named ipv6.o, rpc.status and rc.local:

    Sep 20 00 16:49:47 949 ..c -rwxr-xr-x root root /mount/etc/rc.d/rc.local
                       209 ..c -rwx------ root root /mount/usr/sbin/initd
    Sep 20 00 16:50:11 4096 .a. drwxr-xr-x operator 11 /mount/dev/ttypq/...
    Sep 20 00 16:52:12 7704 .a. -rw-r--r-- root root /mount/lib/modules/2.2.16-3/net/ipv6.o
                       209 .a. -rwx------ root root /mount/usr/sbin/initd
                       222068 .a. -rwxr-xr-x root root /mount/usr/sbin/rpc.status

Andy's investigation addressed the ipv6.o file, a kernel module whose visible strings relate to the suspected network sockets (TCP port 32411 and TCP port 3457), to more than one user account name, and to illegitimate use of the Ethernet interface to relay all the traffic visible on the network:

    prover# strings ipv6.o
    check_logfilter          kernel_version=2.2.16-3
    my_atoi                  :32411
    my_find_task             :3457
    is_invisible             :6667
    is_secret                :6664
    iget                     :6663
    iput                     :6662
    hide_process             :6661
    hide_file                :irc
    __mark_inode_dirty       :6660
    unhide_file              :6668
    n_getdents               nobody
    o_getdents               telnet
    n_fork                   operator
    o_fork                   Proxy
    n_clone                  proxy
    o_clone                  undernet.org
    n_kill                   Undernet.org
    o_kill                   netstat
    n_ioctl                  syslogd
    dev_get                  klogd
    boot_cpu_data            promiscuous mode
    __verify_write           ...
    o_ioctl                  adore.c
    n_write                  gcc2_compiled.
    o_write                  __module_kernel_version
    n_setuid                 we_did_promisc
    cleanup_module           netfilter_table
    o_setuid                 check_netfilter
    init_module              strstr
    __this_module            logfilter_table
    sys_call_table

In the above strings, a string named adore.c
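As an added example (not part of the assignment, nor TCT's own code), a small Python parser for the mactime output layout quoted above: it carries the timestamp forward across the unstamped same-second lines, lists the system files whose content (m) or inode (c) changed, and collects everything touched in the window after the telnet daemon was exercised. The sample lines are constructed from the entries above, and the ".c" flag on the login line is assumed to be mactime's "..c".

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample in the layout of the mactime output quoted above.  As in real
# mactime output, a line with no timestamp occurred in the same second as the line
# before it.  The ".c" shown in the post is assumed to be mactime's "..c" column.
SAMPLE = """\
Sep 20 00 15:46:05  31376 .a. -rwxr-xr-x root root /mount/usr/sbin/in.telnetd
Sep 20 00 15:46:39  20452 ..c -rwxr-xr-x root root /mount/bin/login
Sep 20 00 16:49:47    949 ..c -rwxr-xr-x root root /mount/etc/rc.d/rc.local
                      209 ..c -rwx------ root root /mount/usr/sbin/initd
Sep 20 00 16:50:11   4096 .a. drwxr-xr-x operator 11 /mount/dev/ttypq/...
Sep 20 00 16:52:12   7704 .a. -rw-r--r-- root root /mount/lib/modules/2.2.16-3/net/ipv6.o
                      209 .a. -rwx------ root root /mount/usr/sbin/initd
                   222068 .a. -rwxr-xr-x root root /mount/usr/sbin/rpc.status
"""

# date/time (optional)  size  MAC-flags  mode  owner  group  path
LINE = re.compile(r"^\s*(?:(\w{3} \d\d \d\d \d\d:\d\d:\d\d))?\s*(\d+)\s+([mac.]{3})"
                  r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
Entry = namedtuple("Entry", "when size mac mode owner group path")

def parse_mactime(text):
    """Parse mactime output, carrying the timestamp forward over unstamped lines."""
    entries, when = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m.group(1):  # two-digit year: %y maps "00" to 2000
            when = datetime.strptime(m.group(1), "%b %d %y %H:%M:%S")
        entries.append(Entry(when, int(m.group(2)), *m.groups()[2:]))
    return entries

def changed_system_files(entries, roots=("/mount/bin", "/mount/sbin",
                                         "/mount/usr/sbin", "/mount/etc")):
    """Files under system directories whose content (m) or inode (c) changed; on a
    stable host these should only move during administration or package updates."""
    return sorted({e.path for e in entries
                   if e.path.startswith(roots) and (e.mac[0] == "m" or e.mac[2] == "c")})

def activity_after(entries, path, window=timedelta(hours=2)):
    """Paths touched within `window` after `path` was first seen, e.g. everything
    that followed the telnet daemon being exercised at 15:46:05."""
    start = min(e.when for e in entries if e.path == path)
    return [e.path for e in entries if start < e.when <= start + window]
```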
