Project 5: Forensics
- This project is due at 11:59pm on Friday, Apr 2, 2021. It will be auto-graded.
Description and Deliverables
In this project, you will play the role of a digital forensic analyst, using the topics we discussed in lectures 15, 16 and 17. You will be given access to a server that may have been hacked and infected with malware. Your job is to trace the attacker’s footsteps from the origin of the breach all the way to their ultimate payload.
To receive full credit for this project, you will need to
- commit a file named project5/forensics.txt to your GitHub repository, in a commit signed with the GPG key you registered on GitHub (see Signing Commits below)
- submit your assignment via GitHub to Gradescope.
Brief Introduction to Digital Forensics
Digital forensics is the set of techniques used to investigate computer systems in order to identify and isolate evidence. Forensics has applications to law enforcement as well as to compromise triage more generally. In the former case, law enforcement officers must follow strict protocols governing electronic evidence to maintain the “chain of custody” of any evidence that is obtained, so that it is admissible in court. This often involves the use of specialized digital forensics equipment that has been certified for use in law enforcement contexts. In the latter case, the goal of triage is typically to determine how an attacker broke into a system, what they did while they had access, whether the attacker still has access (e.g. did they plant a backdoor or rootkit?), and ultimately to disinfect the system so that the attacker no longer poses a threat. You will engage in this latter task, i.e. triaging a compromised system.
Getting Started
In this project, you will play the role of a digital security expert who has been asked to forensically analyze a server that was owned and maintained by an employee of Happy Funtime Plastic Co. This server hosted a simple website that allowed people to upload and view images. However, the owner of the server began to notice strange behavior on the server, so they shut it down and created an account on it for you to use in your analysis. To get access to this machine, run the following:
$ ssh <your github username>@p5.neucrypt.org
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 4.19.0-12-cloud-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Tue Nov 17 07:09:04 2020 from 172.17.0.1
<your github username>@db0588389425:~$
Note that access has been granted using the ssh keys that you registered in GitHub. You should therefore run this command from the same machine/VM on which you keep your GitHub ssh keys. The login should be automatic, so if you are asked for a password, it means that you might not have a GitHub key, or that you uploaded a key after we set up this machine.
You can test the application by using curl on the local machine:
<your github username>@db0588389425:~$ curl http://localhost/
In most cases, digital forensic analysts would use tools that statically analyze a disk image, i.e. the analyst would examine the files in the image without booting the image’s operating system, since booting it (or simply logging in) changes file access times and appends to the very logs being examined. However, in this project you may simply ssh into the image and begin your analysis.
Your account has sudo privileges for the less program only, so that you can look at restricted files. In other words, to see a restricted file, you should use sudo less <file>. Because this is a live system, your own session also leaves traces: expect to find your logins in the authentication log and your commands in your own shell history, and keep them apart from the attacker’s. Once you are logged in you can begin your analysis.
Note that while this assignment simulates a server that has been hacked and infected “with malware”, it is perfectly safe. Logging into this system is not a security risk to you or your host operating system.
Questions
These questions are the same as the ones in the template, but we have some extra instructions here.
- What was the name of the malicious script uploaded to the web server?
  As noted above, the primary purpose of this server was to host a photo sharing website for employees of HFPC. You can access this website by using curl (as noted above) to visit http://localhost. As you will see, this website allows people to upload pictures, and those pictures then appear on the site. The site is not very well engineered and it often doesn’t work. The HFPC employee with username happy who maintained this server believes that the attacker somehow broke into the server through this website, but is unsure how. Thus, you should begin your investigation here. The web server uses the standard Apache web server software package. The configuration files for Apache are located in /etc/apache2/, and the files that comprise the website itself are located in /var/www/html/. Apache logs all incoming HTTP requests in the file /var/log/apache2/access.log; any requests that generate errors are logged in /var/log/apache2/error.log. There is enough information left in these places to piece together how the attacker was able to initially breach the server. Note that access.log records URL paths while your answer is a path on disk, so map the request onto the document root in /var/www/html/. Once you’ve figured out how the initial breach occurred, move on to the next question. Your answer should be formatted like /var/foo/bar.
- What date/time was the malicious script uploaded to the web server?
  Your answer should be formatted like 17/Mar/2021:05:49:52 -0400, which is the timestamp format Apache uses in access.log.
- At what date/time did the attacker first log in to the server?
  The attacker was able to do something to the server by exploiting the photo sharing website. Once this was accomplished, they were able to gain remote access to the server. There are various system logs in the /var/log/ folder that are useful for determining when the attacker remotely accessed the server, including /var/log/auth.log (the authentication log), /var/log/kern.log (the operating system kernel log), and /var/log/ufw.log (the system firewall log). These logs use syslog timestamps, which carry no year, and your own ssh logins are recorded in auth.log as well, so be careful to separate them from the attacker’s. Your answer should be formatted like Mar 21 09:42:35.
- What critical system file was viewed/stolen by the attacker? Give the full path to this file.
  In addition to the system logs that are available in /var/log/, most user accounts keep a record of the commands run in their interactive shells in the file ~/.bash_history. The Bash history often contains hints about what a given user account has been up to. Keep in mind that Bash writes this file when a shell exits, and that attackers sometimes delete or truncate it, so a suspiciously empty history is itself a hint. Your answer should be formatted like /var/foo/bar.
- What is the name of the malicious process running on this machine?
  The HFPC employee noticed that their server was compromised because the system firewall service, called Uncomplicated Firewall or UFW, kept shutting down. This is a telltale sign of compromise: attackers often try to disable security software running on their victims’ machines. The employee tried to manually restart the firewall service, but to no avail. Restarting the server also did not fix the issue: as soon as the operating system booted, the firewall process immediately shut down. The only logical explanation is that some process that the attacker installed on the server keeps terminating the firewall. But how did this process restart itself after the server was rebooted?
  One way to schedule processes to run periodically on Linux systems is the Cron tool. Cron is like an alarm clock: it can be configured to run other programs on a schedule, i.e. once a day, once a week, or once a minute. Cron’s configuration files all live under /etc/. /etc/crontab is the system-wide Cron configuration file, and there are additional job definitions in /etc/cron.d/ (files in the same format as /etc/crontab) and in the folders /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/ and /etc/cron.monthly/ (scripts that Cron runs on the named schedule). Your answer should be formatted as a full path like /var/foo/bar.
- What binary was back-doored? Give the full path.
  Attackers often attempt to hide their presence on compromised systems by installing rootkits or back doors. Rootkits are essentially cloaking devices: depending on their level of sophistication, they try to hide the various programs, processes, and user accounts created by the attacker. Back doors offer the attacker hidden ways to access the system or elevate their privileges, typically using methods that try to evade detection.
  One way to achieve these ends is by modifying the system utilities that everyone uses to manage their systems (e.g. programs like ls and ps). In this case, did the attacker attempt to back door any system utilities? One way to see whether system programs have been modified is by running the debsums tool: it computes the MD5 checksum of every file installed from a Debian package and compares it to the checksum recorded when the package was installed, printing “FAILED” for any file that no longer matches. Keep in mind that debsums only knows about files that came from packages, so it says nothing about files the attacker added, and that the recorded checksums live on the same disk as the binaries. Your answer should be formatted as a full system path like /var/foo/bar.
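The log analysis behind questions 1 to 3 can be scripted as a small timeline builder: parse access.log, find the first request for a server-side script inside the upload directory together with the upload request that preceded it, then look in auth.log for the first SSH login accepted after that moment. The Python below is an added example written for this page, not part of the project or its server. The log lines in it are constructed, and the upload handler (/upload.php), the upload directory (/uploads/) and the script name (gallery.php) are assumptions about a site like the one described, not the real answers.

```python
"""Timeline for questions 1-3: access.log upload -> auth.log first login.
Added example; log lines are constructed, paths and names are assumptions."""
import re
from datetime import datetime

DOCROOT = "/var/www/html"        # from the project description
UPLOAD_HANDLER = "/upload.php"   # assumption: the form that receives uploads
UPLOAD_DIR = "/uploads/"         # assumption: where uploaded images land
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5", ".pl", ".py", ".sh", ".cgi")

# Apache combined format: client ident user [timestamp] "request" status size ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+')
# sshd success line in auth.log (syslog format: no year, no UTC offset)
AUTH_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)')


def parse_access(lines):
    """Parse access.log lines; unparseable lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                       "method": m["method"],
                       "path": m["path"].split("?", 1)[0],   # drop the query string
                       "status": int(m["status"]), "ip": m["ip"]})
    return events


def parse_auth(lines, year, tz):
    """Parse sshd 'Accepted' lines. The year and UTC offset are not in the log;
    the caller supplies them (here: borrowed from the Apache entry, an assumption)."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": naive.replace(tzinfo=tz), "user": m["user"],
                       "method": m["method"], "ip": m["ip"]})
    return events


def find_script_upload(access):
    """First request for a server-side script under the upload directory (the
    malicious script being invoked) and the last POST to the upload handler from
    the same client before it (the probable upload request)."""
    for i, ev in enumerate(access):
        if ev["path"].startswith(UPLOAD_DIR) and ev["path"].lower().endswith(SCRIPT_EXT):
            posts = [e for e in access[:i] if e["method"] == "POST"
                     and e["path"] == UPLOAD_HANDLER and e["ip"] == ev["ip"]]
            return ev["path"], (posts[-1] if posts else ev)
    return None, None


def apache_ts(dt):
    return dt.strftime("%d/%b/%Y:%H:%M:%S %z")      # e.g. 17/Mar/2021:05:49:52 -0400


def syslog_ts(dt):
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"      # e.g. Mar 21 09:42:35


def build_timeline(access_lines, auth_lines):
    """Script path on disk, upload time, and first SSH login accepted after it."""
    empty = {"script_path": None, "upload_time": None, "first_login": None, "login_ip": None}
    script, upload = find_script_upload(parse_access(access_lines))
    if upload is None:
        return empty
    auth = parse_auth(auth_lines, upload["ts"].year, upload["ts"].tzinfo)
    later = sorted((e for e in auth if e["ts"] >= upload["ts"]), key=lambda e: e["ts"])
    login = later[0] if later else None
    return {"script_path": DOCROOT + script,
            "upload_time": apache_ts(upload["ts"]),
            "first_login": syslog_ts(login["ts"]) if login else None,
            "login_ip": login["ip"] if login else None}


# Constructed sample logs (not from the project server).
ACCESS_LOG = """\
10.0.0.7 - - [17/Mar/2021:05:40:10 -0400] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Mar/2021:05:41:02 -0400] "POST /upload.php HTTP/1.1" 200 221 "http://localhost/" "Mozilla/5.0"
10.0.0.7 - - [17/Mar/2021:05:41:03 -0400] "GET /uploads/cat.jpg HTTP/1.1" 200 48213 "http://localhost/" "Mozilla/5.0"
198.51.100.23 - - [17/Mar/2021:05:49:52 -0400] "POST /upload.php HTTP/1.1" 200 221 "-" "curl/7.68.0"
198.51.100.23 - - [17/Mar/2021:05:50:07 -0400] "GET /uploads/gallery.php?cmd=id HTTP/1.1" 200 87 "-" "curl/7.68.0"
198.51.100.23 - - [17/Mar/2021:05:50:31 -0400] "GET /uploads/gallery.php?cmd=uname+-a HTTP/1.1" 200 122 "-" "curl/7.68.0"
"""
AUTH_LOG = """\
Mar 17 04:10:00 db0588389425 sshd[1999]: Accepted publickey for happy from 10.0.0.7 port 50001 ssh2: RSA SHA256:BBBB
Mar 17 05:52:14 db0588389425 sshd[2210]: Accepted password for happy from 198.51.100.23 port 50122 ssh2
Mar 17 05:52:14 db0588389425 sshd[2210]: pam_unix(sshd:session): session opened for user happy by (uid=0)
"""

if __name__ == "__main__":
    for k, v in build_timeline(ACCESS_LOG.splitlines(), AUTH_LOG.splitlines()).items():
        print(f"{k:>12}: {v}")
```

Two assumptions the code makes are worth checking by hand on the real box: auth.log timestamps carry neither a year nor a UTC offset, so the script borrows both from the Apache entry, and the heuristic that a script requested from the upload directory is the malicious one will miss a file that was uploaded under an image extension and renamed later (error.log is the place to look in that case).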
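For question 5 it helps to parse the crontab-format files rather than eyeball them: the system-wide format has a user field that per-user crontabs lack, @reboot lines replace the five time fields, and the usual tells are jobs that run from /tmp-like directories or hidden dot-paths, every minute, or at boot. The Python below is an added example for this page, not the project's own code; the sample files are constructed, and the "update" job is an invented entry, not the project's malicious process.

```python
"""Flag suspicious Cron entries in /etc/crontab and /etc/cron.d/*.
Added example; the sample files are constructed, including the invented
malicious 'update' job."""
import glob
import os
import re

SPECIAL = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
           "@daily", "@midnight", "@hourly"}
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_RE = re.compile(r"/\.[^./\s]")            # a dot-directory or dot-file component
KILL_RE = re.compile(r"\b(pkill|killall|kill|systemctl\s+(stop|disable|mask)|service\s+\S+\s+stop)\b")
FETCH_EXEC_RE = re.compile(r"(curl|wget)[^|]*\|\s*(ba)?sh\b|base64\s+(-d|--decode)|\beval\b")


def parse_crontab(text, system_format=True):
    """Return [{schedule, user, command}]. /etc/crontab and /etc/cron.d/* carry a
    user field before the command; per-user crontabs (system_format=False) do not."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_RE.match(line):
            continue                              # blank, comment or VAR=value
        if line.startswith("@"):                  # @reboot etc. replace the 5 time fields
            parts = line.split(None, 2 if system_format else 1)
            if parts[0] not in SPECIAL or len(parts) < (3 if system_format else 2):
                continue
            schedule, rest = parts[0], parts[1:]
        else:
            nfields = 6 if system_format else 5
            parts = line.split(None, nfields)
            if len(parts) < nfields + 1:
                continue                          # truncated line
            schedule, rest = " ".join(parts[:5]), parts[5:]
        user, command = (rest[0], rest[1]) if system_format else (None, rest[0])
        entries.append({"schedule": schedule, "user": user, "command": command})
    return entries


def flag_entry(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing obvious."""
    cmd, reasons = entry["command"], []
    if entry["schedule"] == "@reboot":
        reasons.append("runs at every boot")
    if entry["schedule"].split() == ["*"] * 5:
        reasons.append("runs every minute")
    if any(d in cmd for d in TEMP_DIRS):
        reasons.append("runs from a temp/world-writable directory")
    if HIDDEN_RE.search(cmd):
        reasons.append("uses a hidden (dot) path")
    if KILL_RE.search(cmd):
        reasons.append("stops or kills a process or service")
    if "ufw" in cmd:
        reasons.append("references the firewall (ufw)")
    if FETCH_EXEC_RE.search(cmd):
        reasons.append("fetches-and-executes or decodes hidden content")
    return reasons


def scan_cron_files(files):
    """files: {path: text}. Return the flagged entries with their reasons, in file order."""
    findings = []
    for path, text in files.items():
        for entry in parse_crontab(text):
            reasons = flag_entry(entry)
            if reasons:
                findings.append({"file": path, **entry, "reasons": reasons})
    return findings


def load_system_cron(etc="/etc"):
    """Read the real files on a box (not used by the demo). /etc/cron.{hourly,daily,
    weekly,monthly}/ hold scripts, not crontabs: list and read those by hand."""
    files = {}
    for p in [os.path.join(etc, "crontab")] + sorted(glob.glob(os.path.join(etc, "cron.d", "*"))):
        try:
            with open(p) as fh:
                files[p] = fh.read()
        except OSError:
            pass
    return files


# Constructed sample: two stock-looking files plus one invented malicious job.
SAMPLE_FILES = {
    "/etc/crontab": """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
""",
    "/etc/cron.d/backup": "0 4 * * * root /usr/local/bin/backup.sh\n",
    "/etc/cron.d/update": """\
@reboot root /var/tmp/.cache/update
* * * * * root pgrep -x update >/dev/null || /var/tmp/.cache/update
""",
}

if __name__ == "__main__":
    for f in scan_cron_files(SAMPLE_FILES):
        print(f"{f['file']}: [{f['schedule']}] {f['user']}: {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the server, load_system_cron() feeds the real /etc/crontab and /etc/cron.d/* into scan_cron_files(); per-user crontabs under /var/spool/cron/crontabs/ need system_format=False. The /etc/cron.hourly and similar directories contain scripts that run-parts executes, so inspect their contents and modification times directly rather than through this parser.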
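What debsums does for question 6 is simple enough to re-create, and re-creating it makes its limits clear: dpkg stores the MD5 of every packaged file in /var/lib/dpkg/info/<package>.md5sums, and the check is just "hash the file on disk, compare, report FAILED". The Python below is an added example for this page, not the project's or debsums' own code. Its demo builds a throwaway fake root with constructed files (an intact ls, a tampered ps, a missing top and a symlink to ps) rather than touching the server, and canonical_path() shows the link resolution the Submission section asks for.

```python
"""Re-create the debsums check against dpkg's recorded MD5 checksums, plus symlink
resolution so the reported path names the real binary. Added example; the demo
uses constructed files in a temporary fake root."""
import glob
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """dpkg .md5sums format: 32 hex chars, two spaces, path relative to / (no leading slash)."""
    expected = {}
    for line in text.splitlines():
        if len(line) > 34 and line[32:34] == "  ":
            expected["/" + line[34:]] = line[:32].lower()
    return expected


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(expected, root="/"):
    """{path: 'OK' | 'FAILED' | 'MISSING'}, the same verdicts debsums prints."""
    results = {}
    for path, digest in expected.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            results[path] = "MISSING"
        elif md5_file(full) != digest:
            results[path] = "FAILED"
        else:
            results[path] = "OK"
    return results


def load_dpkg_md5sums(info_dir="/var/lib/dpkg/info"):
    """Collect every installed package's checksum list (what debsums reads on Debian/Ubuntu)."""
    expected = {}
    for lst in sorted(glob.glob(os.path.join(info_dir, "*.md5sums"))):
        with open(lst) as fh:
            expected.update(parse_md5sums(fh.read()))
    return expected


def canonical_path(path):
    """Follow every symlink so the answer contains no links (on a merged-/usr system
    /bin/ls, for example, resolves to /usr/bin/ls)."""
    return os.path.realpath(path)


def demo():
    """Fake root: intact ls, tampered ps, missing top, and a symlink to ps. Constructed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        os.makedirs(os.path.join(root, "bin"))
        ls, ps = os.path.join(root, "usr/bin/ls"), os.path.join(root, "usr/bin/ps")
        with open(ls, "wb") as fh:
            fh.write(b"original ls binary\n")
        with open(ps, "wb") as fh:
            fh.write(b"original ps binary\n")
        # Checksums as recorded at "install time", before any tampering.
        md5sums = (f"{md5_file(ls)}  usr/bin/ls\n"
                   f"{md5_file(ps)}  usr/bin/ps\n"
                   f"{'0' * 32}  usr/bin/top\n")
        with open(ps, "ab") as fh:              # the "backdoor": ps is modified afterwards
            fh.write(b"# extra code\n")
        link = os.path.join(root, "bin/ps")
        os.symlink(ps, link)
        return {"results": verify(parse_md5sums(md5sums), root),
                "link_resolves_to_real_ps": canonical_path(link) == canonical_path(ps)}


if __name__ == "__main__":
    out = demo()
    for path, verdict in out["results"].items():
        print(f"{verdict:8} {path}")
    print("symlink resolved:", out["link_resolves_to_real_ps"])
```

Two caveats follow directly from the code: the checksum lists live on the same disk as the binaries, so an attacker who can modify a binary can also rewrite its recorded checksum (a FAILED therefore proves more than an OK does), and only files that came from a package are covered at all. On the server, run the real debsums as the question says; this script is for understanding what its output means and for producing a link-free path for the answer.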
Signing Commits
Your signature key is used by others to verify that a file originates from you. In this part, we will learn how to sign our commits to GitHub. In principle, others can have greater assurance about software you have placed on GitHub if it is signed.
The first step is to add your GPG key to GitHub. Log in to your account, go to “Settings” and “SSH and GPG keys” and click “New GPG Key.” Then paste your GPG public key into this window.
The second step is to set up your git client to use your GPG key to sign commits.
From the list of GPG keys, copy the GPG key ID you’d like to use. In this example, the GPG key ID is 3AA5C34371567BD2:
$ gpg --list-secret-keys --keyid-format LONG
/Users/hubot/.gnupg/secring.gpg
------------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
uid Hubot
ssb 4096R/42B317FD4BA89E7A 2016-03-10
To set your GPG signing key in Git, paste the text below, substituting in the GPG key ID you’d like to use. In this example, the GPG key ID is 3AA5C34371567BD2:
$ git config --global user.signingkey 3AA5C34371567BD2
If you aren’t using the GPG Suite, paste the text below into your shell profile so that gpg knows which terminal to use when it prompts for your passphrase:
$ test -r ~/.bash_profile && echo 'export GPG_TTY=$(tty)' >> ~/.bash_profile
$ echo 'export GPG_TTY=$(tty)' >> ~/.profile
Now sign your commits:
$ git add project5/forensics.txt
$ git commit -S -m "your commit message"
$ git push
Submission
To receive full credit on this assignment, you must upload your single forensics.txt file to Gradescope. The file contains one answer per line, in question order, with no extra text. A sample file format is
/var/foo/bar
17/Mar/2021:05:49:52 -0400
Mar 21 09:42:35
/var/foo/bar
/var/foo/bar
/var/foo/bar
- Parts 1,2,3 are worth 20 points
- Part 4 is worth 10 points
- Parts 5,6 are worth 15 points
Please do not ask which part is wrong. If you did not get a perfect score from the autograder, then you should carefully check each of your answers to find the error. If you are missing 15 points, then start by looking at your answer to part 6. There are often several ways to name the same executable because of file system “links” (symbolic links); be sure to provide the canonical path to the binary, i.e. the path with every link resolved.