Linux Forensics - Week 3

April 2, 2004

This is the third in a series of Agile Risk Management LLC Linux Forensics articles. We plan on trying to release one brief article each week over the next month. Each article will outline linux forensics techniques, tools, and procedures. We welcome your suggestions and comments, and hope you enjoy the material.

Linux Anti-Virus Tools and Techniques for Forensic Investigation

Data integrity is a critical component of any computer forensics investigation. As an investigator, you take the extra time to obtain MD5 hashes of evidentiary data, record "DD" flags, and follow explicit Chain of Custody procedures. However, it is just as important to consider the impact of malware and mobile malicious code on your investigation, in the form of viruses, Trojan horses, and worms. The existence and possible usage of these programs on a suspect hard drive may change the entire course of the investigation. Were the activities performed on the computer possibly the result of a Trojan horse application? Did the suspect plant the application there to cover their tracks and provide a convenient alibi?

In this article we will provide an overview of malware, cover two useful Linux Antivirus packages with specific recommendations for preserving evidence quality during the Antivirus probe, and pose important questions to consider during a forensics investigation with Trojan horse malware present.

Malware (Viruses, Trojan Horses, and Worms) - Overview

Malware, meaning programs developed specifically to cause harm, comes in multiple forms and has the potential to cause considerable problems for both the user and the forensics investigator. Scanning for malware becomes more important when your suspect hard drive is running a Windows operating system. One of the prevailing theories for the abundance of Windows malware is the relative ease with which application code runs with higher privileges than it needs. In addition, the overall prevalence of the Windows operating system may play a large role in its infection rate as well.

Viruses

A computer virus is a mobile application, usually disguised as something else, that causes some unexpected and usually undesirable event. Computer viruses are often designed like their organic counterparts, relying on user interaction to propagate. They most often come in the form of native Windows executables or scripting code.

Trojan Horse applications

In computing, a Trojan horse application is a program in which malicious or harmful code is contained inside apparently harmless programming or data. When executed, it gains control of key system functions and installs backdoor access for external attackers.

Worms

A worm is a self-replicating application that typically resides in active memory and duplicates itself without user intervention. Worms typically replicate quickly, and are often invisible to the user.

In summary, there are many different forms of malware, all of which can be detrimental to a forensics investigation. Therefore it is vitally important to understand the possibility of contamination of your suspect drive.

Linux Anti-Virus - Tools

In recent years the number of Linux based Antivirus tools has grown considerably. As Linux begins to fill the role of file server and mail gateway in the back office, the need for Linux based Antivirus scanning products has grown. For our examples today we chose two native Linux Antivirus tools, F-Prot Antivirus and Vexira Antivirus. Both tools are value priced at the Workstation end, $29 and $34.95 USD respectively. In addition, F-Prot offers the workstation version free to home users. In our example we use the "trial" versions of both F-Prot and Vexira, both of which are readily available for download.

F-Prot Antivirus

F-Prot Antivirus is developed and distributed by FRISK Software International, an Icelandic software company. It is a command line driven AV scanning tool with both signature and heuristic based algorithms. F-Prot Antivirus, available for download from FRISK, is a full featured Antivirus package capable of addressing many specific forensics concerns, including maintaining image integrity. In our example we performed MD5 hashing of the target partition image both before and after the Antivirus scan, to verify that no modifications were made to the suspect hard drive. While we recommend a hardware write blocker for these types of operations, it is possible to avoid spoiling evidentiary data if the proper command flags are used.

[root@forensic0 mshannon]# md5sum /dev/sdb1
082bf383ad1b85d470c1baeb6db092db /dev/sdb1
[root@forensic0 mnt]# mount /dev/sdb1 /mnt/fwro -o ro
[root@forensic0 mshannon]# mount
/dev/hda2 on / type ext3 (rw)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hda1 on /boot type ext2 (rw)
none on /dev/shm type tmpfs (rw)
/dev/sdb1 on /mnt/fwro type vfat (ro)
[root@forensic0 mnt]# cd /mnt/fwro
[root@forensic0 fwro]# ls
386spart.par config.sys escd.rf msdos.sys nav30 sound144
aol20 cserve faxworks msinput pbtools weppb
autoexec.bat dblspace.bin fmedia msmoney plugplay wina20.386
books diskimag io.sys mspub prodigy windows
command.com dos mcontrol msworks provideo windrvs
[root@forensic0 fwro]# cd ..
[root@forensic0 mnt]# exit
exit
[mshannon@forensic0 mshannon]$ f-prot -h
Usage: f-prot [drive, file or directory] [options]


-ai Enable neural-network virus detection.
-append Append to existing report file.
-archive Scan inside .ZIP and .ARJ files.
-auto Automatic virus removal.
-collect Scan a virus collection.
-delete Delete infected files.
-disinf Disinfect whenever possible.
-dumb Do a "dumb" scan of all files.
-ext Scan only files with default extensions.
-follow Follow symbolic links.
-help Display this list.
-list List all files checked.
-nobreak Do not abort scan if ESC is pressed.
-noheur Disable heuristics.
-nosub Do not scan subdirectories.
-old Do not complain when using outdated DEF files.
-onlyheur Only use heuristics, not "normal" scanning.
-packed Unpack compressed executables.
-page Pause after each page.
-rename Rename infected COM/EXE files to VOM/VXE.


Press to continue to view the command-line options.


-report= Send the output to a file.
-server Activate mail filter heuristics.
-silent Do not generate any screen output.
-type Select files by type. (default)
-verno Show version information.
-virlist List the known viruses.
-virno Count the known viruses.
-wrap Wrap text so the report fits in 78 columns.


Special macro virus options:


-nomacro Do not scan for macro viruses.
-onlymacro Only scan for macro viruses.
-removeall Remove all macros from all documents.
-removenew Remove new variants of macro viruses by
removing all macros from infected documents.
-saferemove Remove all macros from documents, if a known
virus is found.


[mshannon@forensic0 mshannon]$ f-prot /mnt/fwro -report=/home/mshannon/f-prot-rpt.txt
Virus scanning report - 29 March 2004 @ 10:02


F-PROT ANTIVIRUS
Program version: 4.4.1
Engine version: 3.14.11


VIRUS SIGNATURE FILES
SIGN.DEF created 28 March 2004
SIGN2.DEF created 28 March 2004
MACRO.DEF created 24 March 2004



Search: /mnt/fwro
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -REPORT=/home/mshannon/f-prot-rpt.txt -SERVER



/mnt/fwro/books/qswin_en.vti->11-2.BMP Not scanned (encrypted)
/mnt/fwro/books/qswin_en.vti->1-2.BMP Not scanned (encrypted)
...
/mnt/fwro/books/msworks3.vti->I28-13.BMP Not scanned (encrypted)
/mnt/fwro/books/msworks3.vti->I28-14.BMP Not scanned (encrypted)


Results of virus scanning:


Files: 3395
MBRs: 0
Boot sectors: 0
Objects scanned: 3252


Time: 1:37
No viruses or suspicious files/boot sectors were found.
[mshannon@forensic0 mshannon]$ su
Password:
[root@forensic0 mshannon]# umount /mnt/fwro
[root@forensic0 mshannon]# md5sum /dev/sdb1
082bf383ad1b85d470c1baeb6db092db /dev/sdb1
The above commands will produce a complete report which can then be attached to the standard forensic investigation log.

Vexira Antivirus

Vexira Antivirus is developed and distributed by Central Command Inc., a US based software company. It is a command line driven Antivirus scanning tool with a signature based scanning algorithm. The trial version available from Central Command is heavily limited: we were informed that we would be unable to update signatures, scan compressed files, or even receive reports in any format other than syslog. However, Vexira does provide VaGuard, based largely on Dazuko, an open-source Linux kernel module that intercepts read/write system calls and analyzes the data for potential viruses and malware. More information on Dazuko is available from the Dazuko project.

Just as before, in our example we performed MD5 hashing on the target partition image, both before and after the Antivirus scanning to verify no modifications were made to the suspect hard drive. While we recommend a hardware write blocker for these types of operations, it is possible to avoid spoiling evidentiary data if the proper command flags are used.

[root@forensic0 mshannon]# md5sum /dev/sdb1
082bf383ad1b85d470c1baeb6db092db /dev/sdb1
[root@forensic0 mnt]# mount /dev/sdb1 /mnt/fwro -o ro
[root@forensic0 mshannon]# mount
/dev/hda2 on / type ext3 (rw)
none on /proc type proc (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
/dev/hda1 on /boot type ext2 (rw)
none on /dev/shm type tmpfs (rw)
/dev/sdb1 on /mnt/fwro type vfat (ro)
[root@forensic0 mnt]# cd /mnt/fwro
[root@forensic0 fwro]# ls
386spart.par config.sys escd.rf msdos.sys nav30 sound144
aol20 cserve faxworks msinput pbtools weppb
autoexec.bat dblspace.bin fmedia msmoney plugplay wina20.386
books diskimag io.sys mspub prodigy windows
command.com dos mcontrol msworks provideo windrvs
[root@forensic0 fwro]# cd ..
[root@forensic0 mnt]# exit
exit
[mshannon@forensic0 vexira-workstation-2.2.0]# vexira -h
Vexira Antivirus / Linux Version 2.2.0-5
Copyright (C) 2002-2004 Central Command, Inc. and/or its suppliers.
Portions copyright (C) 1996-2004 H+BEDV Datentechnik GmbH.
All rights reserved.


Usage is: vexira [options] [path[\*.ext]] [*.ext]
where options are:
--help .......... display this help text
--allfiles ...... scan all files (not just program files)
--version ....... show version information
--info .......... show list of recognized forms
--update ........ update Vexira Antivirus
--check ......... used with --update to check for updates
--temp= ......... specify the directory for temporary files
--home-dir= ..... location of executable, VDF and key files
-C ... name of configuration file (default /etc/vexira.conf)
-s .............. scan subdirectories
-z .............. files in archives will be extracted and scanned
--scan-in-archive synonymous for -z (scan files in archives, too)
--scan-in-mbox .. scan mailbox folders, too (might be time consuming!)
-nolnk .......... do not follow symbolic links
-onefs .......... do not cross file systems while following links
-noboot ......... do not check any boot records
-nombr .......... do not check any master boot records
-nobreak ........ disable Ctl-C and Ctrl-Break
-nodef ......... do only check the given file types (eg. *.DOC)
-cf ... activate CRC check and name the database
-cv ............. calculate CRC over the whole file length (default 16k)
-cn ............. insert new files into the database
-cu ............. recalculate CRC values and update the database
-v .............. scan files completely (slower with possible false alerts)
-nopack ......... do not scan inside packed files (PKLite+LZExe)
-e [-del | -ren] repair concerning files if possible
[-del] non-repairable files will be deleted
[-ren] non-repairable files will be renamed
-ren ............ rename concerning files (*.COM->*.XXX,...)
-del ............ delete concerning files
-dmdel .......... delete OLE documents containing suspicious macros
-dmds ........... delete suspicious macros
-dmda ........... delete all macros
-dmdas .......... delete all macros if one appears to be suspicious
-dmcnv .......... convert templates to documents
-dmpack ......... pack (compress) template data tables
-dmtl .... set trigger value to specified token length
-dmse ........... set exit code to 101 if any macro was found
-r1 ............. just log infections and warnings
-r2 ............. log all scanned paths in addition
-r3 ............. log all scanned files
-r4 ............. select verbose log mode
-rs ............. select single-line alert messages
-rf ... name of log file
%d = day, %m = month, %y = year (two digits each)
-ra ............. append new log data to existing file
-ro ............. overwrite existing log file
-q .............. quiet mode
-lang[:|=]DE .... use German texts
-lang[:|=]EN .... use English texts
-once ........... run only once a day
-if .. Vexira Antivirus uses the given ini file
-kf ... Vexira Antivirus uses the given license file
--with- ... detect other (non-virus but unwanted) software, too;
type may be "dialer", "joke", "game", "pms"
--alltypes ...... combination of all known --with-type options
--warnings-as-alerts exit with a return code as if a concerning file
had been found when warnings have been issued
--exclude= exclude files or directories from scan
--log-email= send out scan report by email, too
@ ...... read parameters from the file rspfile
with each option in a separate line


list of return codes:
0: Normal program termination, nothing found, no error
1: Found concerning file or boot sector
2: A signature was found in memory
100: Vexira Antivirus only has displayed this help text
101: A macro was found in a document file
102: The option -once was gven and Vexira Antivirus already ran today
200: Program aborted, not enough memory available
201: The given response file could not be found
202: Within a response file another @rsp directive was found
203: Invalid option
204: Invalid (non-existent) directory given at command line
205: The log file could not be created
210: Vexira Antivirus could not find a necessary dll file
211: Programm aborted, because the self check failed
212: The file vexira.vdf could not be read
213: An error occured during initialisation
214: License key not found
[root@forensic0 vexira-workstation-2.2.0]# vexira --update
Warning: the file "vexira.vdf" is more than 14 days old


Sorry, --update is not available in DEMO mode.
[mshannon@forensic0 vexira-workstation-2.2.0]$ vexira -r1 -rf/home/mshannon/vexira-test -s --allfiles /mnt/fwrw/
Vexira Antivirus / Linux Version 2.2.0-5
Copyright (C) 2002-2004 Central Command, Inc. and/or its suppliers.
Portions copyright (C) 1996-2004 H+BEDV Datentechnik GmbH.
All rights reserved.


Loading /usr/lib/Vexira/vexira.vdf ...

Warning: The file "vexira.vdf" is more than 14 days old.


Vexira Antivirus is running in DEMO mode.
VDF version: 6.24.0.6 created 17 Feb 2004


checking drive/path (list): /mnt/fwrw/

----- scan results -----
directories: 156
files: 3395
alerts: 0
scan time: 00:01:26
------------------------ Thank you for using Vexira Antivirus!
[mshannon@forensic0 vexira-workstation-2.2.0]$ su
[root@forensic0 mshannon]# md5sum /dev/sdb1
082bf383ad1b85d470c1baeb6db092db /dev/sdb1
The above commands, run on a licensed version of Vexira, will produce a complete report which can then be included in the standard forensic investigation log.
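The hash-bracketed, read-only scan performed in both the F-Prot and Vexira sessions above, written out as one reusable shell procedure. This is an added example, not code from the article or from either vendor. It assumes a Linux host with coreutils, a scanner that takes the mount point as its last argument (as f-prot and vexira do in the sessions above), and the device, mount point, scanner flags and log file name are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the article): hash-bracketed read-only AV scan of a
# suspect partition. Device, mount point and scanner arguments are assumptions.

# MD5 of a block device or image file, the same check the article runs with
# `md5sum /dev/sdb1` before and after each scan.
hash_device() {
    md5sum "$1" | awk '{ print $1 }'
}

# Exit 0 when the two hashes match, 1 when the evidence was modified.
compare_hashes() {
    [ "$1" = "$2" ]
}

# Append a UTC-timestamped line to the investigation log ($LOG).
log_entry() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"
}

# Whole procedure: hash, mount read-only, scan, unmount, re-hash, compare.
# noexec/nodev/nosuid keep anything on the suspect drive from executing on
# the forensic workstation; ro alone does not give that guarantee.
bracketed_scan() {
    dev=$1; mnt=$2; shift 2          # remaining arguments: scanner command line
    before=$(hash_device "$dev")
    log_entry "pre-scan  md5 $dev = $before"
    # For ext3/ext4 evidence add ,noload so the kernel does not replay the
    # journal on mount (a write to the device even with ro). vfat, as in
    # the article's sessions, needs no such option.
    mount -o ro,noexec,nodev,nosuid,noatime "$dev" "$mnt" || return 2
    "$@" "$mnt"; rc=$?
    log_entry "scanner exit code $rc"
    umount "$mnt"
    after=$(hash_device "$dev")
    log_entry "post-scan md5 $dev = $after"
    if compare_hashes "$before" "$after"; then
        log_entry "integrity OK: hashes match"
    else
        log_entry "INTEGRITY FAILURE: hashes differ"
        return 1
    fi
}

LOG=${LOG:-./scan-log.txt}           # placeholder log path
# Usage (as root), e.g.:
#   ./scan.sh /dev/sdb1 /mnt/fwro f-prot -archive -packed -report=/root/f-prot-rpt.txt
if [ $# -ge 3 ]; then
    bracketed_scan "$@"
fi
```

The post-scan hash is the actual proof of integrity; the mount flags only reduce the chance of a write. Keep both hashes and the scanner's own report together in the investigation log, as the article does for the F-Prot report.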

Trojan Horse Applications - Forensic Review

The Trojan horse takes its name from the ill-fated Trojans, who mistakenly accepted the Greeks' wooden horse as a gesture of submission. In Homer's tale, the mighty Trojans wheeled the large horse into the city, only to be attacked in their sleep as Greek warriors slipped out of the false bottom of the horse and opened the main gates. The allusion could not more accurately describe the purpose and usage of this form of malware. Typically Trojan horse applications arrive as some sort of benign gift, in the form of a clever dancing frog or a mildly addictive game of "Whack-a-Mole". However, the true intent could not be more devious. Once executed, the Trojan wires itself into the system, installing Windows Registry entries, creating cleverly named system binaries, and opening unprotected TCP or UDP ports for external attackers. At this point the computer is an easy mark and most often is used as a file parking location: malicious attackers set up share points and FTP sites on the computer containing anything from illicit imagery to illegal software.

For the forensics practitioner this represents a considerable concern: how do we separate actual user activity from activity perpetrated by a malicious attacker? While the answer to that question differs for each situation, and is subject to interpretation by the investigator, the following is a list of common questions that may assist in determining the possible intent and usage of a Trojan on a suspect workstation.

How did the Trojan get there?

Did it come via email? Check the email message files, check the Internet History for Hotmail/MSN web based email. Was it downloaded via the Internet? Check the Internet History files for locations of known Trojan websites.

When did the Trojan arrive?

Based on information obtained above, when did the Trojan infect the system? Compare activity times with the Trojan's arrival.

Does the user activity match the files and information discovered?

Are there image files that were never viewed with an image tool, such as Internet Explorer? Are there files that are unusable on the system, such as RealPlayer videos on a machine with no player application?
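One way to work the two timeline questions above ("when did the Trojan arrive?" and "does the user activity match the files?") against the read-only mounted drive. This is an added example, not part of the article: it brackets file modification times around the Trojan's arrival time, which the investigator has already established from the e-mail or Internet history evidence, and lists access times for a file type to help answer whether files were ever opened. The mount point and arrival timestamp are assumptions; the only tools used are POSIX touch, find and ls, and the reference file is created on the workstation, never on the evidence.

```shell
#!/bin/sh
# Added example (not from the article): timeline bracketing of file activity
# on a read-only suspect mount around a Trojan's arrival time.
# Timestamps use touch's CCYYMMDDhhmm[.SS] form, e.g. 200403290000.

# Create a reference file on the workstation carrying the arrival time, so
# `find -newer` can compare against it without writing to the evidence.
make_reference() {
    ref=$(mktemp)
    touch -t "$1" "$ref"
    printf '%s\n' "$ref"
}

# Regular files under $1 modified AFTER arrival time $2 (candidate attacker
# or Trojan activity). -xdev keeps find on the suspect filesystem.
activity_after() {
    ref=$(make_reference "$2")
    find "$1" -xdev -type f -newer "$ref"
    rm -f "$ref"
}

# Regular files under $1 last modified at or BEFORE arrival time $2
# (activity that predates the Trojan and cannot be attributed to it).
activity_before() {
    ref=$(make_reference "$2")
    find "$1" -xdev -type f ! -newer "$ref"
    rm -f "$ref"
}

# Number of files changed after the arrival time, for a one-line log entry.
count_after() {
    activity_after "$1" "$2" | wc -l | tr -d ' '
}

# Last-access time (ls -u) of every file under $1 matching glob $2, e.g.
# '*.bmp': an image whose access time never moved past its creation was
# likely never viewed. On vfat the access time is date-only, and only an
# ro,noatime mount keeps it intact for this check.
last_access() {
    find "$1" -xdev -type f -name "$2" -exec ls -lu {} +
}

# Usage, e.g.: ./timeline.sh /mnt/fwro 200403290000
if [ $# -eq 2 ]; then
    echo "files modified after $2: $(count_after "$1" "$2")"
    activity_after "$1" "$2"
fi
```

Read the two lists side by side with the Internet history and mail evidence: user activity that continues normally after the arrival time, or files that appeared only afterwards and were never opened by any application, are exactly the mismatches the questions above are looking for.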

The above information, tools, and recommendations can be used as part of a sound Linux forensics investigation of a Windows based computer for potential malware and its impact on your investigation.

Look for additional Agile Linux Forensics Weekly articles in the Research section of our website.

About the Author:
Matthew Shannon has over five years of professional information security experience in private industry, including KPMG LLP, ExxonMobil, and United Technologies. Mr. Shannon has been the lead investigator on numerous computer forensics engagements, including intellectual property theft and employment law. Mr. Shannon graduated cum laude from The University of Florida in Decision and Information Sciences (BSBA) in 1999. He is an accomplished speaker having presented at the DEFCON 11 Information Security Conference in Las Vegas, Nevada. He is a member in good standing of ISSA. In addition, Matthew holds numerous professional information technology certifications, and has been a contributor to multiple open source information security projects including "The Sleuthkit" and "The Honeynet Project".

About Agile Risk Management LLC: Agile Risk Management, LLC is a premium provider of information security consulting services, committed to providing business value with uncompromised integrity. Agile specializes in delivering consulting services not motivated or influenced by vendor products or relationships. Agile provides services that afford reasonable protection for the information assets of our clients in accordance with their business needs.

Agile service offerings include:

  • Digital Forensics and Litigation Support
  • Security Assessments
  • Security Program Development
  • Crisis Management
  • Business Continuity Planning