If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a 'post mortem' of a system. tct allows the user to collect information about deleted files, running processes and more.
Forensic analysis should always be done on a backup copy of the data, never on the data itself, since the analysis may alter the original (and the evidence would be lost). From the tct documentation:
What to do
The first 3 basic steps to handling a "situation" are:
1) Secure and isolate the scene
2) Record the scene
3) Conduct a systematic search for evidence
And while speed is of the essence, attempt to stay calm and don't panic.
And do *NOT* touch the keyboard or the computer yet unless you absolutely
have to.
We repeat. Do *NOT* touch the keyboard or the computer yet.
Did you hear us? STAY AWAY FROM THE COMPUTER! Anything you do will
destroy evidence, so simply don't touch it for now, or do as little as
possible and don't start looking for damage yet.
And while you might get lucky and find all the damage and evidence and
perpetrator immediately, don't get your hopes up too much, this is still
not an exact science, and almost every case has more than its share of
disappointments.
Secure & Isolate
If possible, a good first step is to simply disconnect the system from
the network. Pull out the network cable, turn off the wireless NIC,
whatever. Unless you're the one breaking into your own system there's
usually not much an intruder will or can do to harm you when your system
can't talk to anyone. A poor substitute for this is to disable as many
network services as you can (inetd, sendmail, httpd, etc.). This all
serves to isolate the scene of the crime.
Record
Next, pull out a notebook (you know, those old paper things, not a laptop!)
and take stock of the situation. What system is being affected? Note
the time, date, who discovered the problem and how you were made aware of
it. From now on every time you do something try to make a note of the
situation describing what actions were taken, what results were found, and
when & where it all took place.
Evidence
The systematic search for evidence is where the TCT comes into play.
Ideally it would be on a CDROM or other immutable media, ready
for action, or perhaps built and ready to go on another, duplicate,
system clone ready for NFS mounting, or at least close facsimile to the
affected system, or perhaps even on a spare disk lying around somewhere.
Failing all that, having it already precompiled on the system is barely
acceptable; while the intruder could have messed with your toolkit, they
would have had ample opportunity to do a lot more than that prior to your
running it. At the very least know how to get it, drag it down from the
network and get it ready (preferably on a different system than the
affected one!)
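The two habits the notes above insist on, working only on a verified copy of the data and recording who did what and when, can be scripted so they are not left to memory during an incident. The following is an added example written for these notes; it is not part of the tct documentation or of the toolkit, and it assumes only POSIX sh with sha256sum (or shasum) available. The file names and the syslog line in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the class notes or the TCT documentation.
# Analyse a hash-verified copy of the evidence rather than the original,
# and keep a timestamped, attributed log of every action. Only POSIX sh
# plus sha256sum (or shasum) is assumed; the original is only ever read.
set -u

# Print the SHA-256 of a file, preferring coreutils sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# log_action LOGFILE "text": append "UTC time | user | host | text" so the
# notes answer when, who and what, as the "Record" step requires.
log_action() {
    printf '%s | %s | %s | %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" \
        "$(id -un)" "$(hostname 2>/dev/null || echo unknown-host)" "$2" >> "$1"
}

# make_working_copy ORIGINAL COPY LOGFILE
# Hashes the original, copies it, re-hashes the copy and refuses to hand
# over a copy whose hash differs. The accepted hash is stored beside the
# copy in COPY.sha256 so later tampering can be detected. Returns 0 only
# for a verified copy.
make_working_copy() {
    orig=$1; copy=$2; log=$3
    if [ ! -r "$orig" ]; then
        log_action "$log" "cannot read original $orig; nothing copied"
        return 1
    fi
    orig_hash=$(hash_file "$orig")
    log_action "$log" "hashed original $orig sha256=$orig_hash"
    if ! cp -p -- "$orig" "$copy"; then
        log_action "$log" "copy of $orig to $copy FAILED"
        return 1
    fi
    copy_hash=$(hash_file "$copy")
    if [ "$orig_hash" != "$copy_hash" ]; then
        log_action "$log" "copy $copy hash MISMATCH ($copy_hash); copy discarded"
        rm -f -- "$copy"
        return 1
    fi
    printf '%s\n' "$copy_hash" > "$copy.sha256"
    log_action "$log" "verified working copy $copy sha256=$copy_hash"
    return 0
}

# verify_copy COPY LOGFILE
# Re-hashes a working copy against its recorded hash. Run it before and
# after an analysis session: a changed hash means the copy was altered
# (by a tool or by hand), and the outcome is logged either way.
verify_copy() {
    copy=$1; log=$2
    if [ ! -r "$copy.sha256" ]; then
        log_action "$log" "no recorded hash for $copy"
        return 1
    fi
    expected=$(cat -- "$copy.sha256")
    actual=$(hash_file "$copy")
    if [ "$expected" = "$actual" ]; then
        log_action "$log" "copy $copy unchanged sha256=$actual"
        return 0
    fi
    log_action "$log" "copy $copy ALTERED: recorded $expected, now $actual"
    return 1
}

# Stand-alone demonstration on constructed data (a made-up syslog line,
# not a real capture): run as `sh this_script.sh demo`.
demo() {
    work=$(mktemp -d) || return 1
    printf 'Jan  1 00:00:01 host sshd[123]: Accepted password for root\n' > "$work/messages"
    make_working_copy "$work/messages" "$work/messages.copy" "$work/notes.log" || return 1
    verify_copy "$work/messages.copy" "$work/notes.log" || return 1
    cat -- "$work/notes.log"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

The log file is deliberately plain text appended with a UTC timestamp, the invoking user and the host, so it can be printed or copied into the paper notebook the tct authors recommend. Keeping the accepted hash in a sidecar file next to the copy is a convenience; for a real case the hash should also be written into the notebook so it survives the disk it was computed on.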