Computer Forensics Analysis Class Handouts

On August 6th, 1999, Dan Farmer (Earthlink Network) and Wietse Venema (IBM T.J. Watson Research Center) presented a full-day free class on UNIX computer forensics analysis, sponsored by IBM. The class was attended by an audience of over 200 and was given at the IBM T.J. Watson Research Center near Yorktown Heights (NY).

At the end of the class, official gold Internet Detective badges were handed out to attendees, courtesy of Earthlink Network.

TCT

The Coroner's Toolkit (TCT), described in the class, will be made available for downloading within the next month or so. Keep an eye here for further details. Members of the class will get a preview of the package; we'll mail you with details on this.

Class Transparencies

All slides used in presenting the class are below, in postscript and PDF form (the latter require AcroRead 4.0 from adobe to read; thanks to Simson Garfinkle for creating them.) The PS files were created with MS Power Point (e.g. those done by Dan) require a PostScript level 3 printer: old printers and old GHOSTVIEW versions have problems. The files created with XFIG (e.g. those created by Wietse) are actually a concatenation of many little files. They will not display properly if your viewer expects embedded pagination information. In order to view, try, for example:

cat file.ps | ghostview -landscape -

This material amounts to 215 pages, so you can save a tree by printing double sided.

Introduction (intro.ps), (intro.pdf)
Dan gives a look ahead to the rest of the day, what the class will and won't cover, and discusses basic principles.
Basic UNIX file system (basic-files.ps), (basic-files.pdf)
Wietse presents a first case, and discusses limitations of computer forensics analysis, the triangle of trust, and the reverse Turing test.
Freezing the scene (freezing.ps), (freezing.pdf)
Dan explains what one needs to be aware of when capturing information after an intrusion, what techniques to use, and what mistakes to avoid. Central elements are the Heisenberg principle of computer forensics and the order of volatility.
Time travel (time-travel.ps), (time-travel.pdf)
Wietse reconstructs the course of events from logfiles and from other time-related information. This section is illustrated with a short post-mortem intrusion analysis that Wietse wrote up a couple years ago - PS version, PDF version.
Reconstruction of actions (command-reconstruction.ps), (command-reconstruction.pdf)
Dan has the floor. This section is illustrated with two hand-outs: what the intruder sees ( PS version, PDF version) and what file system time stamps ( PS version, PDF version) the intruder leaves behind.
Processes (processes.ps), (processes.pdf)

Wietse figures out the purpose of an unknown program that runs on the system, without disturbing it, and without giving it a chance to inflict damage to the system it runs on.
Decompilation (programs.ps), (programs.pdf)

In the middle of the graveyard shift, Wietse figures out the purpose of a program file without actually running it. In this session, Tsutomu Shimumura said: "adb is your friend". Dan replied: "no, adb is your friend!"
Networks (networks.ps), (networks.pdf)
Dan discusses what information is left behind in the network in the wake of an incident. It is impossible to erase all traces, but then it can be hard to get that data from providers, telco's, etc.
Advanced UNIX file system (advanced-files.ps), (advanced-files.pdf)
Wietse goes into the gory details of collecting information about removed files, discusses how to hide information in and in-between files and file systems, and how to erase traces from UNIX file systems.
Lazarus (lazarus.ps), (lazarus.pdf)
Dan presents of a novel tool that makes sense out of thrashed files, how it works, why it works, and what its limitations are.
Conclusion (conclusion.ps), (conclusion.pdf)

Dan ends the day with a summary of best practices: what you need at the very least in order to be prepared for an incident.