Lecture 12 Foundations for Unix Investigations - PowerPoint PPT Presentation

Slides: 29
Provided by: mantonm5

1
Lecture 12 Foundations for Unix Investigations

CSCE 517 Forensic Computing
  • Topics
  • Unix File System
  • Stat system call
  • Deleting files
  • Processes and /proc
  • Argv, environment
  • Logs

June 26, 2003
2
Unix File System
  • Sample hierarchy:
    /
      etc/      passwd
      acct/     mm/  (Admin, Courses, Research)
      usr/      bin/ (ls, ps), man/, include/ (stdio.h, ...)
      bin/
      lib/
  • Directories
  • Paths: full (absolute) and relative

3
A File System in Unix
  • Boot Block
  • Bootstrap loader
  • Super Block
  • Size of the file system, free-space list, etc.
  • Inode Table (inode = index node, one per file)
  • Owner of the file (uid, gid)
  • Permissions and file type
  • Disk addresses of the file's data blocks
  • Data Blocks
  • A directory is a file whose entries pair a file name with an inode
    number; the name is not stored in the inode
  • File Systems can be mounted at particular places
    in the hierarchy with the mount command.

4
Inode information on Files
    struct o_stat {
        o_dev_t   st_dev;    // ID of the device holding the file
        o_ino_t   st_ino;    // inode number
        o_mode_t  st_mode;   // permissions, type of file, etc.
        o_nlink_t st_nlink;  // number of (hard) links
        o_uid_t   st_uid;    // owner user ID
        o_gid_t   st_gid;    // owner group ID
        o_dev_t   st_rdev;   // device ID, only for device special files
        off32_t   st_size;   // size in bytes
        time32_t  st_atime;  // last access of the data
        time32_t  st_mtime;  // last modification of the data
        time32_t  st_ctime;  // last change of the inode (metadata), not creation time
    };

5
Original Unix File system Disk Block Pointers
  • 10 direct pointers: each points to one data block
  • single indirect pointer: points to a block of
    pointers to data blocks
  • double indirect pointer: points to a block of
    pointers to single indirect blocks
  • triple indirect pointer: points to a block of
    pointers to double indirect blocks
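The arithmetic behind that layout, as an added C example that is not part of the lecture: how many blocks one inode can address, and which chain of pointer slots a reader (or fsck) follows to reach a given logical block. The 10-direct/3-indirect layout, the 1024-byte block and 4-byte pointer sizes used in main, and the slot numbering are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic Unix inode layout assumed for this example:
 * slots 0..9 are direct pointers, slot 10 single, 11 double and 12 triple
 * indirect. Block size and pointer size are parameters because they differ
 * between file systems. */
#define NDIRECT 10

/* Largest file, in data blocks, that one inode can address. */
uint64_t max_file_blocks(uint64_t block_size, uint64_t ptr_size)
{
    uint64_t n = block_size / ptr_size;   /* pointers per indirect block */
    return NDIRECT + n + n * n + n * n * n;
}

/* Resolve logical block lb to the slots that must be followed:
 * path[0] is the slot in the inode, path[1..level] are slots in successive
 * indirect blocks. Returns the indirection level 0..3, or -1 if lb lies
 * beyond what the inode can address. */
int block_path(uint64_t lb, uint64_t block_size, uint64_t ptr_size,
               uint64_t path[4])
{
    uint64_t n = block_size / ptr_size;
    if (lb < NDIRECT) {                       /* direct */
        path[0] = lb;
        return 0;
    }
    lb -= NDIRECT;
    if (lb < n) {                             /* single indirect */
        path[0] = NDIRECT;
        path[1] = lb;
        return 1;
    }
    lb -= n;
    if (lb < n * n) {                         /* double indirect */
        path[0] = NDIRECT + 1;
        path[1] = lb / n;
        path[2] = lb % n;
        return 2;
    }
    lb -= n * n;
    if (lb < n * n * n) {                     /* triple indirect */
        path[0] = NDIRECT + 2;
        path[1] = lb / (n * n);
        path[2] = (lb / n) % n;
        path[3] = lb % n;
        return 3;
    }
    return -1;
}

int main(void)
{
    uint64_t bs = 1024, ps = 4, path[4];      /* assumed geometry */
    uint64_t probes[] = { 5, 10, 266, 65802, 16843017 };
    printf("max file: %llu blocks (%llu bytes)\n",
           (unsigned long long)max_file_blocks(bs, ps),
           (unsigned long long)(max_file_blocks(bs, ps) * bs));
    for (int i = 0; i < 5; i++) {
        int lvl = block_path(probes[i], bs, ps, path);
        printf("logical block %llu: level %d, inode slot %llu\n",
               (unsigned long long)probes[i], lvl,
               (unsigned long long)path[0]);
    }
    return 0;
}
```

With 1024-byte blocks and 4-byte pointers each indirect block holds 256 pointers, so the direct slots cover the first 10 KiB, the single indirect block the next 256 KiB, and anything past logical block 65802 needs three extra disk reads before the data block. That is why carving a large deleted file means recovering its indirect blocks as well as its data.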

6
The stat system call
  • int stat(const char *path, struct stat *buf);
  • fills buf with the inode information for path (follows
    symbolic links)
  • int fstat(int fd, struct stat *buf);
  • a version of stat for an open file descriptor; it works even
    after the file's last name has been unlinked
  • int lstat(const char *path, struct stat *buf);
  • a version of stat that does not follow symbolic
    links: it reports on the link itself
  • all three return 0 on success and -1 (with errno set) on failure

7
Command Line Arguments in C
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        int i;
        for (i = 0; i < argc; i++)
            printf("argv[%d] = \"%s\"\n", i, argv[i]);
        return 0;
    }
  • N.B. The argv strings live in the process's own writable memory,
    so a program can overwrite them at run-time; ps (which reads
    /proc/<pid>/cmdline on Linux) then shows the fake command line.
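To make the N.B. concrete, an added example (mine, not the lecture's) that overwrites a process's own argv strings with a fake command line and then reads back what ps would see. The fake name "[kworker/0:1]", the contiguity check, and the use of Linux /proc/<pid>/cmdline are assumptions for the illustration; the overwrite itself is plain C.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Overwrite the argv strings with a fake command line.
 * The kernel lays the argv strings out back to back at the top of the
 * stack, and ps / /proc/<pid>/cmdline read that very memory, so whatever
 * is written here is what they show. Returns the size of the overwritten
 * region, or -1 if the strings are not contiguous (then the trick is not
 * safe to apply). */
ssize_t overwrite_cmdline(int argc, char **argv, const char *fake)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return -1;
    for (int i = 1; i < argc; i++)            /* verify contiguity */
        if (argv[i] != argv[i - 1] + strlen(argv[i - 1]) + 1)
            return -1;
    char *start = argv[0];
    char *end = argv[argc - 1] + strlen(argv[argc - 1]) + 1;
    size_t room = (size_t)(end - start);
    memset(start, 0, room);                   /* wipe every original argument */
    strncpy(start, fake, room - 1);           /* keep the final NUL intact */
    return (ssize_t)room;
}

/* What ps sees (Linux only): /proc/<pid>/cmdline, NUL-separated.
 * Returns the number of bytes kept, or -1 when /proc is unavailable. */
ssize_t read_proc_cmdline(pid_t pid, char *buf, size_t n)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    for (size_t i = 0; i < got; i++)          /* NUL separators -> spaces, as ps does */
        if (buf[i] == '\0') buf[i] = ' ';
    while (got > 0 && buf[got - 1] == ' ') got--;   /* drop trailing padding */
    buf[got] = '\0';
    return (ssize_t)got;
}

int main(int argc, char **argv)
{
    char seen[256];
    if (read_proc_cmdline(getpid(), seen, sizeof seen) >= 0)
        printf("before: %s\n", seen);
    ssize_t room = overwrite_cmdline(argc, argv, "[kworker/0:1]");
    printf("overwrote %zd bytes of argv\n", room);
    if (read_proc_cmdline(getpid(), seen, sizeof seen) >= 0)
        printf("after:  %s   (this is what ps shows)\n", seen);
    printf("pid %d sleeping 30s: compare ps with readlink /proc/%d/exe\n",
           (int)getpid(), (int)getpid());
    sleep(30);
    return 0;
}
```

Run it with a few arguments and look at it from another shell with ps while it sleeps. The investigator's counter-check is that the overwrite only touches the command-line strings: /proc/<pid>/exe still points at the real binary, which is what the /proc slide later in this lecture is about.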

8
Accessing the Environment
    /* This example shows how to access environment variables */
    #include <stdio.h>

    extern char **environ;

    int main(void)
    {
        char **p;
        for (p = environ; *p != NULL; p++)
            fprintf(stderr, "%s\n", *p);
        return 0;
    }

9
Use of the Stat Call
    struct stat buf;
    char *ptr;

    for (i = 1; i < argc; i++) {
        printf("%s: ", argv[i]);
        if (lstat(argv[i], &buf) < 0) {
            err_ret("lstat error");   /* error-reporting helper defined elsewhere */
            continue;
        }
        if (S_ISREG(buf.st_mode)) ptr = "regular";
        ...
    }

10
Multiple links
  • The system call link(path1, path2)
  • Creates a new link, path2, to the existing file path1
  • It does not create a new inode
  • It creates a new directory entry that uses the
    same inode number
  • It increments the nlink field in the inode
  • Symbolic Links
  • A symbolic link is a separate small file whose contents are a
    path name; the path is resolved every time the link is used, so
    the link can dangle if its target is removed
  • Symbolic vs Hard links: hard links share one inode and cannot
    cross file systems; symbolic links have their own inode and can
  • The unlink system call unlink(path) is used to
    delete files (it removes a name, not the inode)

11
Deleting a file
  • The system call unlink(path)
  • Does not really delete the file (at least not
    immediately)
  • The directory entry is removed (subject to write
    permission on the directory)
  • It decrements the nlink field in the inode
    corresponding to the file
  • If the result is non-zero, that's all: the file just
    has one less name
  • If it is zero and no currently running process
    has it open, the file is deleted:
  • Inode is put on the free inode list
  • Disk blocks are put on the free-space list
  • Freed blocks are not overwritten, so the contents stay on disk
    until reused; this is what recovery with dd and strings relies on
  • If a process still has the file open, the inode and its data stay
    allocated until the last descriptor is closed

12
File System Check (fsck)
  • When a file system is mounted read-write a "dirty"
    (not clean) flag is set in the super block; only a clean
    unmount clears it.
  • This is how the system knows whether the internal
    data structures were written back consistently to disk.
  • Power down gracefully and ungracefully
  • shutdown is run to close everything down
    gracefully (file systems are unmounted and the flag cleared)
  • When the system is brought back up it will run
    fsck to check the file system (if the dirty flag
    is still set.)
  • Some versions of fsck will save orphaned files (allocated
    inodes with no directory entry) in lost+found

13
Tools
  • ls
  • find
  • ps
  • dd
  • netstat
  • strings
  • netcat
  • bash
  • vi
  • ifconfig

14
Trusted tools
  • One of the first things a hacker would do is
    replace these tools with special ones (a rootkit) to hide the
    presence of the hacker's files/processes
  • Build a CD of trusted tools, statically linked so they do not
    load the possibly trojaned shared libraries on the compromised host
  • Executing a trusted shell
  • Caveat: trusted binaries still ask the running kernel for their
    answers, so a kernel-level rootkit can lie to them too

15
Who is logged on and what are they doing?
  • who, w
  • ps -aef
  • But what if the hacker has deleted the executable file of
    his running code from disk?

16
/proc file system
  • Pseudo file system that provides an interface to
    kernel data structures
  • Each running process has a directory /proc/<pid>
    (cmdline, environ, exe, fd/, maps, ...)
  • Example on erdos or forensicrig
  • ps aux | grep /root/ir/lo

17
Networking Overview
  • Client-server paradigm
  • TCP/IP Protocol Suite

18
Network Connections
  • IP address
  • Port number / protocol
  • netstat -anp (all sockets, numeric addresses, owning process)
  • ifconfig eth0 (addresses and flags such as PROMISC for the interface)

28
Summary