Introduction to Forensics - A Report from Southwest Drupal Summit

What do you do once you realize one of your servers has been compromised? I recently had the opportunity to hear Linux Journal's own Kyle Rankin give a very impressive talk covering this situation at the Southwest Drupal Summit in Houston, Texas.

The actions you choose to take are very important and should be prepared before the fateful event. Most people will spend time on the server trying to figure out how the intruder gained access to the machine, and what they have been doing. Not only is this problematic in that the intruder has more time to do his damage, but the longer the server is up, the more likely critical forensic data will be lost.

Kyle argued that the best first step is to immediately pull the plug on the box. Do not diagnose the situation and do not shut the machine down gracefully. We use journaling file systems for a reason and the machine will probably be rebuilt from scratch, so the danger of corrupted data from killing the power is small. Once the machine is off, you should image the compromised drive with something like 'dd' and make a copy of the image to do your work on to protect you from accidentally contaminating the evidence.

The issue with poking around on the live system is that you will destroy any information you could have learned from the meta data stored on every file on the computer. Linux uses MAC times to record when certain events occurred most recently. The events that change MAC times on a file are “modification” (the data in the file was modified), “access” (some part of the file was read or executed), and “metadata change” (the file's permissions or ownership were changed). By pulling power from the server at the earliest possible moment, you decrease the likelihood that MAC times recorded by the intruder's action will have been updated by another user.

Kyle then did a live demo on a compromised image showing how to use The Sleuth Kit and Autopsy Browser to perform the investigation. These tools can be used to view log files, recover deleted files, and to order the files on the file system by MAC times. With this information, he was able to paint an interesting picture of not only how an intruder gained access to one of his machines, but what they did once they once they had access.

Kyle is a great public speaker and I highly recommend seeing him if you get the chance. His slides for the Southwest Drupal Summit presentation are available online as is his Linux Journal article Introduction to Forensics where he goes into great detail on how to use these tools.

 

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Good to also focus on prevention

Charlie B's picture

Drupal owners should also focus on prevention. Overall Drupal is pretty secure, though some modules can reduce that security.

To that end, site owners (not only drupal) should consider scanning their sites ahead of time to avoid having to do this kind of work. There are some good scanners out there for just that, including my own, Golem Technologies website security scanner https://www.golemtechnologies.com

SPAM

rednecktek's picture

Dear Editors,

I really think it's time for a SPAM button for comments.

testing. testing 123.

Anonymous's picture

testing. testing 123.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix