GETTING FILE METADATA

At this point in the investigation you should have a rough idea of approximately when an incident may have occurred. It is not unusual to start with some system directories and then go back to examine other areas based on what you find. It is the nature of investigations that you will find little bits of evidence that lead you to other little bits of evidence and so on.

A good place to start the live analysis is to collect file metadata which includes timestamps, permissions, file owners, and file sizes. Keep in mind that a sophisticated attacker might alter this information. In the dead analysis section of this book we will discuss ways of detecting this and how to recover some metadata that is not easily altered without specialized tools.

As always, we will leverage scripting to make this task easier and minimize the chances for mistakes. The following script builds on shell scripts from Chapter 2 in order to send file metadata to the forensics workstation. The data is sent in semicolon-delimited format to make it easier to import into a spreadsheet for analysis.

send-fileinfo.sh

#!/bin/bash
#
# Simple script to collect file information as part of
# initial live incident response.
# Warning: This script might take a long time to run!
# by Dr. Phil Polstra (@ppolstra) as developed for
# PentesterAcademy.com.

usage () {
  echo "usage: $0 <starting directory>"
  echo "Simple script to send file information to a log listener"
  exit 1
}

if [ $# -lt 1 ] ; then
  usage
fi

# semicolon delimited file which makes import to spreadsheet easier
# printf is access date, access time, modify date, modify time,
# create date, create time, permissions, user id, user name,
# group id, group name, file size, filename and then line feed
# (note: find's %C is the inode status-change time, ctime; it is
# labelled "create" here and in the column header below)
# if you want nice column labels in your spreadsheet, paste the following
# line (minus #) at start of your CSV file
# Access Date;Access Time;Modify Date;Modify Time;Create Date;Create Time;Permissions;UID;Username;GID;Groupname;Size;File
# send-log.sh (from Chapter 2) forwards each line to the forensics workstation
find "$1" -printf "%Ax;%AT;%Tx;%TT;%Cx;%CT;%m;%U;%u;%G;%g;%s;%p\n" | send-log.sh

The script takes a starting directory because you probably want to limit the scope of this command, as it takes a while to run. All of the real work in this script is in the very last line. Many readers have likely used the find utility in its simplest form, which prints out the names of found files. The find command is capable of so much more, as we will see later in this chapter. Here the -printf option has been used, which allows attributes of each found file to be printed in a specified format. Consult the find man page (accessible by typing man find in a terminal) for the complete list of format codes if you want to customize this script.

A portion of what is received by the forensics workstation when this script is run on the subject system is shown in Figure 3.2. The highlighted line is for /bin/false. According to this information it was modified on March 9th, the date of the suspected compromise. Looking five lines above this entry reveals that false is exactly the same size as bash which makes no sense for a program that only exists to return a value. The false program is four times the size of the true program which also exists only to return a value.

FIGURE 3.2

Partial results from running send-fileinfo.sh on /bin directory. The highlighted line indicates that /bin/false was modified about the time of the compromise. Also suspicious is the fact that the file size matches that of /bin/bash five lines above it.
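The two observations above (a modify date on the day of the suspected compromise, and a byte count that exactly duplicates another binary in the same directory) can be turned into a repeatable triage pass over the listener's capture. The following is an added example, not part of the book's scripts; it assumes the input is the semicolon-delimited lines send-fileinfo.sh produces and uses constructed sample records in place of a real capture.

```shell
#!/bin/sh
# Added example: triage the semicolon-delimited output of send-fileinfo.sh.
# Columns, in order:
# ADate;ATime;MDate;MTime;CDate;CTime;Perms;UID;User;GID;Group;Size;File

# Constructed sample records shaped like the script's output (dates in
# find's %Tx locale form, here MM/DD/YYYY). Sizes are illustrative only.
SAMPLE='03/01/2015;10:00:00;02/14/2015;12:00:00;02/14/2015;12:00:00;755;0;root;0;root;1029624;/bin/bash
03/01/2015;10:00:00;02/14/2015;12:00:00;02/14/2015;12:00:00;755;0;root;0;root;26064;/bin/cat
03/01/2015;10:00:00;03/09/2015;22:13:41;03/09/2015;22:13:41;755;0;root;0;root;1029624;/bin/false
03/01/2015;10:00:00;02/14/2015;12:00:00;02/14/2015;12:00:00;755;0;root;0;root;26084;/bin/true
03/01/2015;10:00:00;03/09/2015;22:13:41;03/09/2015;22:13:41;755;0;root;0;root;110080;/bin/ls'

# Check 1: print the path of every record whose modify date (column 3)
# equals the date of interest given as $1.
modified_on () {
    awk -F';' -v d="$1" '$3 == d { print $13 }'
}

# Check 2: print "size path path ..." for every group of two or more files
# in the same directory that share an identical byte count (column 12).
# A cloned or replaced binary often shows up this way, as /bin/false did.
size_twins () {
    awk -F';' '{
        dir = $13; sub("/[^/]*$", "", dir)   # directory part of the path
        key = dir ";" $12                      # group by (directory, size)
        n[key]++; files[key] = files[key] " " $13
    }
    END {
        for (k in n) if (n[k] > 1) { split(k, p, ";"); print p[2] files[k] }
    }' | sort
}

# Demo over the constructed sample; on a real case feed the file received
# on the forensics workstation instead of $SAMPLE.
printf '%s\n' "$SAMPLE" | modified_on 03/09/2015
printf '%s\n' "$SAMPLE" | size_twins
```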
