Eye Witness Report
Several years ago, I was part of a team investigating an incident in a windowless, underground, overseas, secure government facility. Someone had planted trojan code via the cron facility (the facility used to schedule the future execution of programs) on a mission-critical Unix server. The trojan shut down the server during a critical time period. The Unix server was one of many servers that logged all syslog messages to a remote syslog server. Based on already discovered evidence, we thought we had identified the perpetrator. However, we could not match the suspect's logon times to other evidence. After long hours of review, we realized that the system our suspect logged on to had an incorrect system time! How did we find out? Syslog entries are chronological because each new entry is simply appended to the log file. Our suspect's logon time said 8:15, but because it was sandwiched between dozens of other entries around 6:14 and 6:16, we knew that the system time was inaccurate on our suspect's server. We were then able to place the suspect in the room, on the system, during the time the trojan was planted.
Investigating Unix Systems
TCP Wrapper Logging
In addition to all of the applications that take advantage of the system logging capability, another extremely valuable program that uses syslog is TCP Wrappers. TCP Wrappers is a host-based access control for TCP and UDP services. Any connection attempts to wrapped services are logged via syslog. Here is an excerpt from the /var/log/messages file on a Red Hat Linux system:
May 13 23:11:45 victim sshd: ROOT LOGIN REFUSED FROM xxxxxxedu
Notice that the log entry provides a lot of valuable information: the time and date of the attempted logon, the hostname (victim), the service (sshd), the account (root), and the IP address of the system that attempted to log on. Here is another example that shows how a successful connection to a service is recorded:
Apr 26 20:36:59 victim intftpd: connect from 10101010
This entry shows that the host 10101010 connected to victim's TFTP server on April 26. The correlation of connections and file-access times can be one of the investigator's most powerful techniques. We'll discuss how to find files within the relevant timeframe in the Reviewing Relevant Files section later in this chapter.
Other Network Logs
In addition to syslog, Unix systems can maintain other network activity logs. These logs are primarily service-specific, such as the log files for web servers. When in doubt, consult the service (application) documentation for specific information. An example of a network activity log is the xferlog file from the Washington University FTP daemon. Any file transfers are recorded with useful information:
Thu May 10 18:17:05 2003 1 10111 85303 /tftpboot/rinetdzip b _ o r chris ftp 0 * c
This log entry provides the following information:
- The time and date that the transfer occurred
- The number of seconds that the transfer took (1)
- The remote host (10111)
- The number of bytes transferred
- The name of the transferred file
- The type of file transfer (b for binary)
- A special action flag (_ indicates no special action)
- The direction of transfer (o represents outgoing; i is incoming)
- The access mode (r is for real, as opposed to anonymous or guest)
- The username (chris)
- The service name (ftp)
- The authentication method (0 for none)
- The user ID (* indicates none available)
- The status of the transfer (c for complete)
Incident Response & Computer Forensics
As you can see, the xferlog file can be very useful when investigating an incident. This is also true of other service-specific logs.
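The field list above maps directly onto a parser. The following is an added example (not code from the book): it splits a wu-ftpd xferlog line into the fourteen fields in the order the text gives them and then filters transfers by time window and direction, the connection/file-time correlation the text recommends. The sample lines are constructed for the example; the parser assumes the nine fields after the filename never contain whitespace, so a filename with spaces is recovered from the middle of the line.

```python
from datetime import datetime

# Constructed sample xferlog lines, modelled on the book's excerpt (not real data).
SAMPLE_XFERLOG = [
    "Sat May 10 18:17:05 2003 1 192.0.2.10 85303 /tftpboot/rinetd.zip b _ o r chris ftp 0 * c",
    "Sat May 10 18:20:41 2003 3 192.0.2.10 204800 /home/chris/my backup.tar b _ i r chris ftp 0 * c",
    "Sat May 10 19:02:10 2003 0 192.0.2.7 512 /pub/README a _ o a anonymous ftp 1 guest@example.com i",
]

# The nine fields that follow the filename, in xferlog order (names chosen here).
TRAILING_FIELDS = ("transfer_type", "special_action", "direction", "access_mode",
                   "username", "service", "auth_method", "auth_user_id", "status")

def parse_xferlog(line):
    """Split one wu-ftpd xferlog line into the 14 fields listed in the text."""
    tokens = line.split()
    if len(tokens) < 5 + 3 + 1 + 9:
        raise ValueError("not an xferlog line: %r" % line)
    # Tokens 1-5 are the textual timestamp, e.g. "Sat May 10 18:17:05 2003".
    when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    rest = tokens[5:]
    rec = {"timestamp": when,
           "transfer_seconds": int(rest[0]),
           "remote_host": rest[1],
           "bytes": int(rest[2]),
           # Everything between the byte count and the last nine fields is the
           # filename, so a name containing spaces is still recovered whole.
           "filename": " ".join(rest[3:-9])}
    rec.update(zip(TRAILING_FIELDS, rest[-9:]))
    return rec

def transfers_between(lines, start, end, direction=None):
    """Records whose timestamp falls within [start, end], optionally limited to one
    direction ('o' outgoing, 'i' incoming): the time-window correlation the text
    describes, applied to the xferlog itself."""
    out = []
    for line in lines:
        rec = parse_xferlog(line)
        if start <= rec["timestamp"] <= end and (direction is None or rec["direction"] == direction):
            out.append(rec)
    return out
```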
Unix provides a variety of log files that track host operations. Some of the more useful logs record su command execution, logged-on users, logon attempts, and cron job (scheduled program) execution.
su Command Logs
The su command allows a user to switch to another user ID during a session. Attackers sometimes use this command to attempt to gain root access to a system. Unix records every attempt to execute the su command on the system. The log shows the time and date of the su attempt, whether the attempt was successful, the terminal device from which the user attempted to execute su, and the user ID before and after the su attempt. On some flavors of Unix, a separate su log file is stored in one of the log directories; on other flavors, su attempts are recorded in the messages or syslog file. Below is an excerpt from /var/log/messages on a Red Hat Linux box:
Mar 22 13:12:17 falcon PAM_pwdb: authentication failure; crose(uid=500) -> root for su service
Mar 22 13:12:22 falcon PAM_pwdb: authentication failure; crose(uid=500) -> root for su service
Mar 22 13:12:29 falcon PAM_pwdb: authentication failure; crose(uid=500) -> root for su service
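The three log sources in this chapter so far (the TCP Wrappers entries, the PAM_pwdb su failures above, and the append-order chronology used in the Eye Witness Report) share one line format, so one added example (not code from the book) serves all of them. It parses /var/log/messages lines, then applies the Eye Witness Report's reasoning: because a central syslog server appends entries in arrival order, an entry from one host is bracketed in time by the entries from a reference host appended just before and after it, and a timestamp far outside that bracket points to a skewed clock on the sending host. The sample lines, the hostnames "falcon" and "eagle", and the year are constructed for the example; the reference host is assumed to be the one with the most entries.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a central syslog server's messages file, modelled on the book's
# excerpts: the single "eagle" entry carries a clock about two hours ahead of "falcon".
SAMPLE_MESSAGES = """\
Mar 22 06:14:05 falcon sshd: ROOT LOGIN REFUSED FROM 192.0.2.10
Mar 22 08:15:00 eagle login: LOGIN ON tty1 BY crose
Mar 22 06:16:10 falcon in.tftpd: connect from 192.0.2.10
Mar 22 13:12:17 falcon PAM_pwdb: authentication failure; crose(uid=500) -> root for su service
Mar 22 13:12:22 falcon PAM_pwdb: authentication failure; crose(uid=500) -> root for su service
Mar 22 13:12:29 falcon PAM_pwdb: authentication failure; crose(uid=500) -> root for su service
""".splitlines()

LINE_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")
SU_RE = re.compile(r"authentication failure; (\w+)\(uid=\d+\) -> (\w+) for su service")

def parse_syslog(lines, year=2003):
    """Classic syslog lines carry no year, so the caller supplies it (assumed 2003)."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            stamp = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
            out.append({"time": stamp, "host": m.group(2), "program": m.group(3), "msg": m.group(4)})
    return out

def clock_skew_suspects(entries, tolerance_s=60):
    """Entries whose timestamp falls outside the bracket formed by the reference host's
    entries appended before and after them. Returns (entry, lower, upper, skew_seconds);
    the bracket bounds the true time of the event, as in the Eye Witness Report."""
    ref = Counter(e["host"] for e in entries).most_common(1)[0][0]
    suspects = []
    for i, e in enumerate(entries):
        if e["host"] == ref:
            continue
        before = [x["time"] for x in entries[:i] if x["host"] == ref]
        after = [x["time"] for x in entries[i + 1:] if x["host"] == ref]
        lower, upper = (before[-1] if before else None), (after[0] if after else None)
        if upper is not None and (e["time"] - upper).total_seconds() > tolerance_s:
            suspects.append((e, lower, upper, (e["time"] - upper).total_seconds()))
        elif lower is not None and (lower - e["time"]).total_seconds() > tolerance_s:
            suspects.append((e, lower, upper, (e["time"] - lower).total_seconds()))
    return suspects

def su_failure_counts(entries):
    """Failed su attempts counted per (user, target account), from PAM_pwdb messages."""
    return Counter(SU_RE.search(e["msg"]).groups() for e in entries if SU_RE.search(e["msg"]))
```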