File Searches with find in Software

Drawing PDF417 in Software File Searches with find

Another useful command for string searches is find You can use the find command to find any filename that matches a regular expression Here is an example of searching the entire file system for a file or directory named :

[root@aplinux /]# find / -name "\\\" print /home/mugge/MDAc/temp//root/

The first forward slash (/) indicates that the find operation will search the entire file system The -name option specifies that the attribute to be searched on is the name of the file The backslash (\) preceding each dot () is necessary to escape the special meaning of the dot, because, by default, this character is a wildcard for regular expressions Notice that two matches were found If the command were executed without the three backslashes, the results would be any file or directory that had three characters in its name The find command is helpful for many searches It can search a file system for files that match a wide variety of characteristics, including modification or access time, owner of file, string inside a file, string in the name of the file, and so on You can also use find in combination with other commands, such as strings or grep, using the powerful exec feature Consult the manual page on find for more details

It is a near certainty that many files will harbor evidence related to any given incident However, your success in identifying all of the relevant files is much less certain! We use a few techniques to help identify which files are likely to be relevant to any given inci-

13:

dent These techniques include identifying relevant files by their time/date stamps and by the information gained during the initial response to Unix We also search configuration and system files commonly abused by attackers

In order to search for files and directories that were accessed, modified, or created around the time of a suspected incident, you must first know the time of the suspected incident The timeframe may be very specific, such as when a network IDS discovered and logged the attack as it happened On the other hand, the timeframe may be general, such as in the case where a system administrator connected the system to the Internet two weeks ago and evidence of compromise was found today If you have a good record from an outside source (such as network IDS) of when the attack occurred, the first step is to make sure that the system time on the IDS matches that of the victim system The goal in reviewing time/date stamps is to follow up on the relevant time windows that you have already determined All of the files or directories accessed, modified, or created during this time are likely candidates as relevant items As noted in 6, the Unix file system saves three different timestamps for each file or directory: M I L The atime, or access time, is the last time that a file or directory was accessed This includes even read access (such as cat filename) The mtime, or modification time, records the last time a file was modified The ctime, is similar to the mtime, but it records the last time the inode value was changed This value can change with events such as changing permissions or ownership

If you did not save the time/date stamps during the initial response, now is a good time to do so To save the time/date stamps for Unix, use the ls commands to obtain the atime, mtime, and ctime, as described in 6 Save the output of these commands to the forensic workstation or magnetic media, not (of course) to the evidence media