Lab (Week 11): Knoppix STD Activities - NetworkSims.com

Lab (Week 11): Knoppix STD

Details

Aim:

This tutorial will guide you through the basic procedures to forensically inspect a computer's hard disk. It will also introduce Knoppix as a security platform.

Activities

1. Exploring Knoppix STD. This is a bootable Linux distribution that specializes in providing security, forensics and other tools. It is an excellent set of forensic and security tools.

http://s-t-d.org/

Before you start this tutorial, it is important that you log on to the machine in front of you using your own username and password, or the generic winter username and password. You should then open up Internet Explorer and browse the web for a while to generate some cookie traffic. Once this is done, please insert the Knoppix CD into the drive and reboot the machine. Look at the boot sequence carefully, and hit 'enter' when the prompt appears with the word 'boot'. Take a look at the boot sequence after this and have a think about the information displayed.

Initial Boot-up and Disk mount

Boot up from the Knoppix STD disk. The desktop should appear; the menu can be accessed by right-clicking on the desktop. By right-clicking, you can access all of the tools that Knoppix has at its disposal. For a more comprehensive list of tools, visit the website given above.

Open a shell. All of the tools that will be used in this tutorial are command-line based, so a shell needs to be opened. Right-click on the desktop, move the mouse over XShells, and choose the Aterm shell. You can choose any shell you wish, as they all effectively do the same thing; this one is pretty good as it allows easy scrolling and access to data.

Find Disks. When Knoppix boots up, it will attempt to detect the drives that are present on the system. This is useful, as it will determine how many drives are present and what sort of file system is available for analysis. Since the machines in C27 are dual boot, Knoppix will find both Windows and Linux partitions. The first stage of determining whether there are mounted disks is to use the df -h command, which lists the mounted drives. See Figure 1:

#: df -h

Author: J.Graves

1

Figure 1

As you can see, only the system partitions are mounted, along with the CD-ROM drive. In order to determine whether the system picked up the NTFS (Windows) drive, we must consult the /etc/fstab file. Enter the following command:

#: cat /etc/fstab

Figure 2 should give you a good outline of what the fstab file looks like. The fstab file should list the discovered drives, and what formatting is present on them.

Figure 2

Mount Disks. Once we've determined the detected drives, it's just a case of mounting them to a directory so they can be accessed. You must be root in order to do this. Before carrying out any of these commands, ensure you enter permanent root by typing su, or place sudo before each command. Mounting the drive with read-only access is achieved by the following commands (the -o ro option makes the read-only mount explicit rather than relying on the driver's default):

#: su
#: mount -o ro /dev/hda1 /mnt/hda1

Navigate to the directory the drive has been mounted in, /mnt/hda1, and list the contents of the directory to ensure that it has been properly mounted. Remember, you must be root to do this. If you can see files and directories, such as the windows dir, you've managed to mount the drive properly.
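Before touching any file on the evidence partition it is worth confirming that the kernel actually holds it read-only, rather than trusting that the mount command did what you intended. The following script is an added example (not part of the lab sheet): it parses the kernel's mount table in /proc/mounts and reports whether a given mount point carries the bare ro option. The sample table is constructed; check_live_system() runs the same check against the running Knoppix system.

```python
"""Added example (not part of the lab sheet): confirm that an evidence
partition is mounted read-only by reading the kernel mount table
(/proc/mounts). SAMPLE_PROC_MOUNTS is constructed; check_live_system()
reads the real table on a running system."""


def parse_proc_mounts(text):
    """Parse /proc/mounts-style lines into {mount point: {device, fstype, options}}.

    Each line is: device mountpoint fstype options dump pass. The kernel
    escapes spaces in paths as \\040, so those are decoded before use.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        device, mountpoint, fstype, options = fields[:4]
        mountpoint = mountpoint.replace("\\040", " ")
        mounts[mountpoint] = {
            "device": device,
            "fstype": fstype,
            "options": options.split(","),
        }
    return mounts


def mount_is_read_only(text, mountpoint):
    """True only if the mount point exists and carries the bare 'ro' option.

    Matching on the split option list (not a substring search) means
    'errors=remount-ro' on a read-write ext3 mount is not mistaken for 'ro'.
    """
    entry = parse_proc_mounts(text).get(mountpoint)
    if entry is None:
        return False  # not mounted at all, so nothing to inspect
    return "ro" in entry["options"]


# Constructed sample: an NTFS evidence partition mounted ro, a read-write
# Linux partition whose options merely mention 'remount-ro', and the live CD.
SAMPLE_PROC_MOUNTS = """\
/dev/hda1 /mnt/hda1 ntfs ro,noatime,umask=022 0 0
/dev/hda5 /mnt/hda5 ext3 rw,errors=remount-ro 0 0
/dev/cdrom /cdrom iso9660 ro 0 0
"""


def check_live_system(mountpoint="/mnt/hda1"):
    """Run the same check against the running kernel's mount table."""
    with open("/proc/mounts") as fh:
        return mount_is_read_only(fh.read(), mountpoint)


if __name__ == "__main__":
    for mp in ("/mnt/hda1", "/mnt/hda5", "/mnt/hda2"):
        state = "read-only" if mount_is_read_only(SAMPLE_PROC_MOUNTS, mp) else "NOT read-only / not mounted"
        print(mp, state)
```

Run it as-is to see the three outcomes on the constructed table; on the lab machine, call check_live_system() after the mount command and refuse to proceed with the analysis if it returns False.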


What is the format of the disks discovered by Knoppix?

Why is it important to have read-only access to a disk when performing a forensic analysis?

How does using this form of operating system benefit the forensic investigator?

Open up the Mozilla web browser. Do this by right-clicking on the desktop and choosing 'Mozilla Firebird' from the Internet menu. Mozilla will open up. This will give you access to the Internet, if Knoppix has properly detected and configured your specific network card. The first page that comes up is a list of all the tools that are included with Knoppix. Browse through these and make a note of any that take your interest.

When using these tools, the Internet is your friend. If you don't know how to use them, or where to find the files they act upon, there will generally be a web page describing how to use them; Google is great for searching for these. If the Internet does not yield any results, the Knoppix operating system supplies man pages, which give details on how to use any particular tool. Man can be accessed with:

#: man

Examining cookie information with Galleta

Navigate to the appropriate directory. Navigate to the directory where the files have been mounted; this will be under the /mnt/hda1 directory. Have a look through the files. The cookies for each user account are stored under the particular username that was used in conjunction with IE. In Windows XP, these accounts are kept in:

#: /Documents and Settings//Cookies

Navigate to the Documents and Settings directory and choose your own username. Once you have done this, navigate into the Cookies directory.

Run Galleta. Galleta is a simple cookie analysis tool. From the command line, type galleta; it should output the options needed. Run:

#: galleta

Each cookie file will now be displayed.
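To see what Galleta is doing behind the scenes, here is an added example (not part of the lab sheet and not Galleta's own code) that parses an Internet Explorer cookie text file itself. It assumes the nine-line record layout: name, value, domain/path, flags, expiry FILETIME (low then high 32-bit half), creation FILETIME (low, high) and a '*' terminator, and converts the FILETIME halves (100-nanosecond ticks since 1601-01-01 UTC) into readable dates. SAMPLE_COOKIE_FILE is constructed; point parse_cookie_file() at the contents of a real cookie file from the mounted Cookies directory to use it in the lab.

```python
"""Added example (not part of the lab sheet and not Galleta's own code):
a parser for the Internet Explorer cookie text files that Galleta reads.
Assumed layout: nine lines per cookie (name, value, domain/path, flags,
expiry FILETIME low/high, creation FILETIME low/high, '*' terminator).
SAMPLE_COOKIE_FILE is constructed."""
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low, high):
    """Join the two 32-bit halves stored in the cookie file into a UTC datetime."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text):
    """Return one dict per cookie record; raise ValueError on a malformed record."""
    records = []
    fields = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "*":  # record terminator
            if len(fields) != 8:
                raise ValueError(f"record ending at line {lineno} has {len(fields)} fields, expected 8")
            name, value, site, flags, exp_lo, exp_hi, cre_lo, cre_hi = fields
            records.append({
                "site": site,
                "name": name,
                "value": value,
                "flags": int(flags),
                "expires": filetime_to_datetime(exp_lo, exp_hi),
                "created": filetime_to_datetime(cre_lo, cre_hi),
            })
            fields = []
        else:
            fields.append(line)
    if any(f.strip() for f in fields):
        raise ValueError("trailing record without '*' terminator")
    return records


# Constructed sample with two cookies. The FILETIME halves encode
# 2004-11-09 11:33:20 UTC (Unix time 1100000000) for creation and one day
# later for expiry.
SAMPLE_COOKIE_FILE = """\
sessionid
7f3a9c
example.test/
1536
338673664
29673241
3922067456
29673039
*
prefs
lang=en
example.test/accounts/
1024
338673664
29673241
3922067456
29673039
*
"""


def report(text):
    """Galleta-style one-line-per-cookie summary, returned as a list of lines."""
    lines = []
    for r in parse_cookie_file(text):
        lines.append(f"{r['site']}\t{r['name']}\t{r['value']}\t"
                     f"created={r['created']:%Y-%m-%d %H:%M:%S}\t"
                     f"expires={r['expires']:%Y-%m-%d %H:%M:%S}\tflags={r['flags']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_COOKIE_FILE)))
```

The creation timestamp is the value of most interest to an investigator, since it places the user at that site at that moment; the expiry only tells you how long the site wanted the cookie kept.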


Take a note of the information kept in each cookie file:

Examining the index.dat file

Internet Explorer keeps a record of every site ever visited. This is in the index.dat file. Remain in the Cookies directory, and do a directory listing. Notice the index.dat file in amongst the cookie files. Try to view the contents of this file by issuing the following command:

#: cat index.dat

You should get a stream of junk. If you want to examine this junk in closer detail, try opening the file with vi and take a look around. As you can see, there's not much in the way of information, and it's hard to figure out whether this stuff means anything. Luckily, a tool called pasco has been developed to make searching through this a lot easier; it will allow you to inspect the contents of this file. Type:

#: pasco index.dat

A list of all visited pages using IE will be displayed. What is the information displayed?

What does each field mean?


Knoppix STD as a security tool

Knoppix also contains very useful and widely used security/vulnerability scanning tools. Go back to the list of tools you first queried in the browser window, and scroll down to the section entitled 'vulnerability assessment'. Have a look at these tools. In this tutorial, we're going to use two port scanning tools: nessus and nmap. Pair up for this section: one of you should be running Knoppix, from where the nmap and nessus scans will originate, and the other should run Windows, with ethereal running for the final part of this section. Remember – only scan the machine of your neighbour!

Nmap

Nmap can be run from the command line by typing:

#: nmap

This will show all of the different scan options available. Make sure you have a good look, as these can be very useful to remember if you need to scan a network or host in a particular manner. In this tutorial, we're only going to be scanning a host, not a network. Perform this operation:

#: sudo nmap -sT -O

Figure 3 shows the type of information that should be returned by nmap.

Figure 3


What does each of the options you just used mean?

What type of information does Nmap return?

Why is this tool useful?

Nessus

Nessus is a slightly more sophisticated vulnerability scanner. Run nessus by typing:

#: nessus

When the box appears (see Fig 4), ensure that the username and password are both 'knoppix'. Click on the log in button. Accept the certificates that are displayed.

Figure 4


Click on the Plugins tab, and scroll through the different options (Fig 5). What are the Different Options? What are they used for?

Make sure they're all selected, and click on the 'Target Selection' tab. Type the IP address of the machine to scan into the Targets field. Click on the 'Start the scan' button. Figure 6 shows the type of screen that should appear:

Figure 5


Figure 6

Once the scan has completed, the results are displayed; they should look something like this:

Figure 7

Get your neighbour to run ethereal while you’re performing a scan from both nessus and nmap on their machine. Take a look at the trace of the scan – what do you notice about the trace?
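What stands out in the neighbour's ethereal trace is the burst of connection attempts from one source to many different destination ports in a very short time. The script below is an added example (not part of the lab sheet) that turns that observation into a detection rule: it parses ethereal/Wireshark-style packet-list summary lines and raises an alert for any source that sends bare SYNs to at least ten distinct ports on one host within five seconds. The trace in build_sample_trace() is constructed to resemble what the nmap -sT scan above produces; the field layout of the summary line and the thresholds are assumptions you can tune.

```python
"""Added example (not part of the lab sheet): spot a port scan in an
ethereal/Wireshark packet-list summary by counting the distinct destination
ports that one source sends bare SYNs to within a short window. The trace
lines are constructed to resemble what the neighbour's capture shows."""
import re
from collections import defaultdict

# "<no> <time> <src> <dst> TCP <sport> > <dport> [FLAGS] ..." summary lines
LINE_RE = re.compile(
    r"^\s*\d+\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+(\d+) > (\d+) \[([A-Z, ]+)\]"
)


def parse_summary(lines):
    """Yield (time, src, dst, sport, dport, flags) for each TCP summary line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            t, src, dst, sport, dport, flags = m.groups()
            yield float(t), src, dst, int(sport), int(dport), {f.strip() for f in flags.split(",")}


def detect_port_scans(lines, min_ports=10, window=5.0):
    """Return one alert per (src, dst) pair that opened >= min_ports distinct
    ports within any `window` seconds. A bare SYN is the first packet a connect
    scan (nmap -sT) sends to each port; SYN/ACK replies and established
    traffic are ignored, so a busy but legitimate client is not flagged."""
    probes = defaultdict(list)
    for t, src, dst, _sport, dport, flags in parse_summary(lines):
        if flags == {"SYN"}:
            probes[(src, dst)].append((t, dport))
    alerts = []
    for (src, dst), events in probes.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best, "window_s": window})
    return alerts


def build_sample_trace():
    """Constructed capture: 192.0.2.10 probes 15 ports on 192.0.2.20 in under
    half a second (four of them answer), while 192.0.2.30 just opens port 80
    three times over a minute."""
    lines = ["No.  Time  Source  Destination  Protocol  Info"]
    n = 1
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]
    for i, port in enumerate(ports):
        lines.append(f"{n} {i * 0.03:.6f} 192.0.2.10 192.0.2.20 TCP {40000 + i} > {port} [SYN] Seq=0 Len=0")
        n += 1
        if port in (80, 135, 139, 445):  # open ports answer with SYN/ACK
            lines.append(f"{n} {i * 0.03 + 0.001:.6f} 192.0.2.20 192.0.2.10 TCP {port} > {40000 + i} [SYN, ACK] Seq=0 Ack=1 Len=0")
            n += 1
    for i in range(3):
        lines.append(f"{n} {10 + i * 20:.6f} 192.0.2.30 192.0.2.20 TCP {50000 + i} > 80 [SYN] Seq=0 Len=0")
        n += 1
    return lines


if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_trace()):
        print(alert)
```

To apply it to the real capture, export the packet list from ethereal as plain text and feed the lines to detect_port_scans(); the SYN/ACK replies in the trace also tell you which ports nmap will report as open.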

If you have time, please complete the following challenge:

Additional Challenge

You have been tasked with forensically examining the contents of the hard disk on a machine in C27. The first technical task is to make a safe, accurate copy of the disk's contents, to analyse in a safer environment. Outline the tools and techniques you would use in order to complete this task. Document it in a format that will allow another individual to follow the steps.
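Whatever tools you choose for the challenge, the two properties the copy must have are that the original is never written to and that the copy can be proven identical to it. The script below is an added example (not part of the lab sheet) that mirrors what dd followed by md5sum or sha256sum achieves on Knoppix: it opens the source read-only, copies it block by block while hashing the bytes read, then re-reads the finished image and compares digests. demo() runs the routine on a constructed temporary file standing in for /dev/hda and also shows that a single altered byte is caught on re-verification.

```python
"""Added example (not part of the lab sheet): a minimal imaging routine with
integrity verification, mirroring dd followed by a checksum tool on Knoppix.
demo() images a constructed temporary file standing in for /dev/hda."""
import hashlib
import os
import tempfile


def sha256_of_file(path, block_size=65536):
    """Hash a file in blocks so devices larger than memory can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path, block_size=65536):
    """Copy source to image; return (source_digest, image_digest, bytes_copied).

    The source digest is computed from the very bytes being copied, and the
    image digest comes from re-reading the written file, so a mismatch
    reveals a short or corrupted copy rather than trusting the write."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:  # source opened read-only
        for block in iter(lambda: src.read(block_size), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    return src_hash.hexdigest(), sha256_of_file(image_path, block_size), copied


def verify_image(image_path, expected_digest):
    """Re-check an image later (e.g. before analysis) against the recorded digest."""
    return sha256_of_file(image_path) == expected_digest


def demo():
    """Image a constructed 'disk' (boot-signature bytes plus random data);
    return (digests_match, bytes_copied, verify_ok, tamper_detected)."""
    with tempfile.TemporaryDirectory() as work:
        disk = os.path.join(work, "hda")
        image = os.path.join(work, "hda.dd")
        with open(disk, "wb") as fh:
            fh.write(b"\x55\xaa" + os.urandom(200_000))
        src_digest, img_digest, copied = image_device(disk, image, block_size=4096)
        verify_ok = verify_image(image, src_digest)
        # Flip one byte of the image to show that re-verification catches it.
        with open(image, "r+b") as fh:
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(b"\x00" if original != b"\x00" else b"\x01")
        tamper_detected = not verify_image(image, src_digest)
    return src_digest == img_digest, copied, verify_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Record the source digest on paper or in a separate file before the image leaves the machine; it is that recorded value, not a digest recomputed later, that lets someone else confirm the copy they are analysing is the one you made.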
