Forensics For System Administrators
Author
Abstract
The phrase forensic analysis conjures up images of Sherlock Holmes, or of lab-coated scientists hunched over corpses. In this article, however, I will lead you through steps you can take to analyse compromised computer systems. While forensics carries legal connotations, requirements for evidence collection, and a level of analysis unattainable by most system administrators, my focus is on what you can do without years of experience. We will walk through a pair of real, recent intrusion examples to help non-professional analysts accomplish common forensic goals. Forensic science, whether in the physical world or the computer world, is hard. The tools most experienced UNIX system administrators use for forensic analysis were not designed for forensics, or for any kind of security for that matter. System logs are often the first place forensic analysts look for suspicious information, yet as Eric Allman, the author of UNIX syslog, has pointed out, syslog was not designed for forensics at all, but as a way of consolidating debugging output from all of the software he was developing [All05]. System logs are essential, but vastly insufficient, and cryptic to most novice analysts. The problem is that even if the right information is contained in the mountain of syslogged data, which is far from guaranteed, even a veteran forensic analyst often has no idea what to look for. Most analysts simply must hope to recognize what they are looking for when they see it. A novice has little chance of success with this method. Nor are non-professionals likely to pore through Tripwire (www.tripwire.org) data on a daily basis or attempt to reconstruct data from swap space with Sleuth Kit. We are not likely to download, configure, and install the Basic Security Module (BSM) (http://www.sun.com/software/security/audit/) on our Linux boxes.
Given the strictly managed IT environments most of us are constrained to work within, we are never going to start hacking the kernel on all of our machines to capture custom data. The reality is that even using all of the available “forensic” software does not bring professional forensic analysts very close to the ultimate goal of understanding every event that has previously happened on a computer system. But there are some aspects of computer forensic analysis that are not very hard and that non-professional analysts can do. This low-hanging fruit is likely to be the most beneficial prescription for non-professionals who want to understand what has happened on a computer system. I also attempt to raise awareness of forensic procedures. Finally, though I use the term forensics in this article, I will not address legal aspects, for which there are many excellent resources, such as that by Smith and Bace [SB03].
Related resources
Avoiding Cyber-attacks to DMZ and Capturing Forensics from Intruders Using Honeypots
Nowadays, honeypots are widely used to divert attackers from the original target and keep them busy within a decoy environment. The DeMilitarized Zone (DMZ) is an important zone for network administrators, because many of the services to the public network are provided in this zone. Many of the security tools such as firewalls, intrusion detection systems and several other secu...
A Digital Forensic Tool for Cyber Crime Data Mining
Digital forensics is the science of identifying, extracting, analysing and presenting the digital evidence that has been stored in the digital devices. Various digital tools and techniques are being used to achieve this. Our paper explains emerging cyber crimes, forensic analysis steps in the storage media, hidden data analysis in the file system, network forensic methods and cyber crime data m...
Digital Forensics and Cyber Crime Datamining
Digital forensics is the science of identifying, extracting, analyzing and presenting the digital evidence that has been stored in the digital devices. Various digital tools and techniques are being used to achieve this. Our paper explains forensic analysis steps in the storage media, hidden data analysis in the file system, network forensic methods and cyber crime data mining. This paper propo...
Design of Network Forensic System Based on Honeynet
Network forensics deals with capturing and analysing the traces and logs of network intrusions from multiple systems in order to provide the information needed to characterize an intrusion or its features. This paper demonstrates the internal working of an implementation of server honeypot technology and network forensics. A honeypot-based system is used to attract attackers so that their process methodolo...
Cyberspace Forensics Readiness and Security Awareness Model
The goal of reaching a high level of security in wireless and wired communication networks is continuously proving difficult to achieve. The speed at which both keepers and violators of secure networks are evolving is relatively close. Nowadays, network infrastructures contain a large number of event logs captured by Firewalls and Domain Controllers (DCs). However, these logs are increasingly b...