Silicon Forest

Friday, February 6, 2009

Portland Linux/Unix Group Meeting

Hal Pomeranz of Deer Run Associates in Eugene came up to give his presentation:

Intro to Digital Forensics
(aka Groveling Through File Systems)

This comes under the heading of what to do if your computer system has been compromised. The typical concern is some unauthorized person gaining access to your computer system and wreaking havoc.

The fact that we are talking about it at all means that there are security holes in Linux systems. They may not be as plentiful or as well known as the ones in computer systems running Microsoft Windows, but they are there. On the other hand, he is the only one in his shop of twenty-odd people who works on Linux systems. All the others work on Windows systems.

While your interest no doubt lies with your computer system, where security becomes important is at the commercial internet web server farms, where there may be dozens or even hundreds of computer systems, all connected to the web, all containing data that needs to be protected from corruption and/or unauthorized access.

"Unauthorized access" can be done for any number of reasons. One of the most common is spammers trying to co-opt computers to send out more spam (unsolicited e-mail). Others may be industrial spies or just common criminals looking for useful information, disgruntled former employees looking for revenge, vandals looking to trash something, or just pranksters getting their kicks by getting past your security.

Hal started out with generalized blandishments about not changing the state of the compromised system. Basically this means pulling the plug. The problem is that what is going on in RAM in the computer is happening much too fast for a person to follow. While you might catch sight of some unauthorized process in the act, most attacks will write something to the disk. And anything you do while the computer is still running is going to cause data to be written to the disk, possibly overwriting evidence of tampering. Even an orderly shut-down will write some data to the disk. Pull the plug and then make a copy of the disk using another machine. Do not boot from the disk from the compromised machine.

One trick that can make your life a little easier is if you have empty space on your disk that is larger than the whole compromised disk. You can copy an image of the entire disk into a file. You can then mount it as though it were a real disk. This saves you from having to buy and connect another disk to your system, though with the rapidly increasing size of disks it may be a toss-up as to which disk is going to be bigger, yours or the suspect target disk.

Once you have made a copy of the disk from the compromised system, then the real computer geek work begins. In case you haven't noticed, computer disks are big these days. You can buy a terabyte of storage for under $100. So just looking around for some useful information is going to have the same result as buying a lottery ticket: a waste of time. To that end there are some tools (computer programs) that can be used to locate files that have been tampered with. In order to use the tools, it helps to have some understanding about how the data is arranged, or in programmer's parlance, structured.

Computers store all data on disks as binary. A disk contains basically just a long string of ones and zeros. How you interpret that binary data determines whether you can retrieve any useful information. Binary data can be interpreted as words or numbers or code or, for our purposes, as pointers to other places on the disk. Yes, pointers are just numbers, but they are special numbers because they are key to making sense of all the rest of the data on the disk.

Most of Hal's presentation, and the most interesting part, was about the various tools and techniques used to figure out what had happened. What was changed? What was deleted? What was added? Any one of these things, if done at the right place could cause irreparable harm. This is why computer security has gotten to be such a big issue.

It was a pretty dry, technical discussion until a couple of hiccups triggered an avalanche of laughter. The hilarity threatened to snowball out of control, but somehow we got ourselves under control. Geeks, I think, may in general be wound a little too tight. Just a nick in our armor and we come unglued.

All this was like a trip down memory lane for me. Fifteen or twenty years ago I wrote a couple of tools for recovering data from damaged disks. It wasn't a security issue then. Something had corrupted the data on a customer's disk, and I went in to try and recover it for them. Failure to make backup copies of their important data was the root cause of the problem, but it gave me an interesting technical challenge. In both cases (I think there were only two) I was able to retrieve some data, though in one case it left the customer with about a hundred unnamed files they were going to have to sort through to find their lost information.

The meeting was held at FAB 86-01 on the PSU campus. Out here in Hillsboro, a Fab is a monstrous factory where computer chips are fabricated. Downtown at PSU, FAB refers to the "Fourth Avenue Building". The meeting was actually next door in the "City Development Center" which has this sign in front:

Update, January 2017: replaced missing image.