FTimes Mechanics


Summary

This exercise directs the student to build and install FTimes, a system baselining and evidence collection tool. Once FTimes has been built and installed, the student will become familiar with the tool's various modes of operation.


Requirements


Resources


Tasks

  1. Read "System Baselining -- A Forensic Perspective" and the FTimes man page. When finished, answer the following:

    1. In the context of system baselining, provide a definition for each of the following terms: baseline, snapshot, change analysis, message digest, provenance, perspective, acuity, and integrity.

    2. List the attributes that FTimes can collect or derive for the following file systems: EXT2 and NTFS.

    3. According to the man page, what general capabilities does FTimes provide?

    4. According to the man page, what operating environments does FTimes support?

    5. List and describe each mode of operation that FTimes supports.

    6. List all controls that apply to maplean mode.

    7. List all controls that are required by maplean mode.

    8. What roles does integrity play in system baselining and evidence collection?

  2. Build and install FTimes without SSL support -- use the information provided in the README.INSTALL file as a guide. Record the commands used to perform this step.

  3. Unpack tree.tgz in a suitable location (e.g., /tmp), and take a snapshot of the resulting directory using mapauto mode and a FieldMask of "ALL-magic". This will be your baseline. An example command-line is given here:

    ftimes --mapauto all-magic -l 0 tree > baseline
      

    1. What is the purpose of the "-l" argument, and what does its value mean?

  4. Make the following changes to the tree:

    • Modify the contents of file-1, file-2, and file-3 -- any content change will be sufficient.

    • Delete dir-5 and everything below it.

    • Add an additional file called "extra" to dir-2.

    Now map the tree again using the same FieldMask. This will be your snapshot.

    ftimes --mapauto all-magic -l 0 tree > snapshot
      

  5. Compare the two maps using compare mode and a FieldMask of "NONE+md5". An example command-line is given here:

    ftimes --compare none+md5 baseline snapshot -l 6
      

    1. Do the reported changes, if any, match your expectations? If no, explain.

  6. Now compare the two maps again using a FieldMask of "ALL".

    1. Do the reported changes, if any, match your expectations? If no, explain.

  7. Create a config file called dig.cfg to search the file search.bin for the following DigStrings.

    %00%DA%DA
    %41%41%41%41
    %75%73%74%61%72%20%20%00
    %90%90%90%90%90%90%90%90
    %D4%1D%8C%D9%8F%00%B2%04%E9%80%09%98%EC%F8%42%7E
    Luke,+may+the+force+be+with+you.
    overflow

  8. Search this file three times using diglean mode. Set MatchLimit to 1, 2, and 10 for each of the respective digs. An example command-line is given here:

    ftimes --diglean dig.cfg -l 0 search.bin
      

    1. List each output field and explain its meaning.

    2. What is the function of the MatchLimit control?

    3. How are DigStrings encoded? Describe the encoding scheme.

    4. Could you use this search capability to identify Trojan files or viruses? Explain.

  9. Use a hex editor/viewer (e.g., bvi or hexdump) to display the contents of search.bin. Manually locate and record the first offset of each DigString.

    1. Do your results match those in the case where MatchLimit=1?

    2. Based on the UNIX "file" command, what type of file is search.bin? Is this correct? Explain.

  10. Use FTimes in maplean mode to profile your entire system (i.e., FieldMask=NONE). Set the basename to be the system's hostname minus any domain qualifiers. How long did it take to run? How many files were processed? Were there any errors? Were these errors critical? How did you determine this? Provide a listing of the config file used.

  11. Use FTimes in maplean mode to baseline your entire system (i.e., FieldMask=All-magic). Set the basename to be the system's hostname minus any domain qualifiers. How long did it take to run? How many files were processed? Were there any errors? Were these errors critical? How did you determine this? Provide a listing of the config file used.

  12. Clean up your work area and remove any temporary files created during this exercise.
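The baseline / modify / snapshot / compare cycle in tasks 3 through 6 can be replayed in miniature to see why the "NONE+md5" and "ALL" FieldMasks report different things. The following Python program is an added example written for this page; it is not part of FTimes and does not reproduce FTimes' output format. It records only three attributes per file (size, mtime, md5), interprets a FieldMask the way FTimes spells one (ALL or NONE, then +field / -field terms; "magic" is not modelled here), and labels records M (missing), N (new) or C (changed), a simplification of FTimes' compare categories. The tree, its contents and the timestamps are constructed inside the program; the modification step deliberately includes a file that is only "touched", so its bytes and MD5 are unchanged while its mtime moves.

```python
import hashlib
import os
import re
import shutil
import tempfile

FIELDS = ("size", "mtime", "md5")   # attributes this toy map records (FTimes collects many more)


def map_tree(root):
    """Walk root and record size, mtime and MD5 for every regular file (cf. --mapauto)."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            records[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "md5": digest}
    return records


def parse_mask(mask):
    """Turn an FTimes-style FieldMask (ALL or NONE, then +field / -field terms) into a field set."""
    tokens = re.findall(r"([+-]?)([A-Za-z0-9]+)", mask)
    if not tokens or tokens[0][0] or tokens[0][1].lower() not in ("all", "none"):
        raise ValueError("FieldMask must start with ALL or NONE")
    fields = set(FIELDS) if tokens[0][1].lower() == "all" else set()
    for op, name in tokens[1:]:
        if op not in ("+", "-") or name not in FIELDS:
            raise ValueError("unknown FieldMask term %s%s" % (op, name))
        (fields.add if op == "+" else fields.discard)(name)
    return fields


def compare(baseline, snapshot, mask):
    """Report M(issing), N(ew) and C(hanged) records; only fields in the mask can mark a record changed."""
    fields = sorted(parse_mask(mask))
    report = []
    for path in sorted(set(baseline) | set(snapshot)):
        if path not in snapshot:
            report.append(("M", path, ()))
        elif path not in baseline:
            report.append(("N", path, ()))
        else:
            changed = tuple(f for f in fields if baseline[path][f] != snapshot[path][f])
            if changed:
                report.append(("C", path, changed))
    return report


def _write(path, data, mtime):
    """Write data to path and pin atime/mtime so the comparison is deterministic."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (mtime, mtime))


def demo():
    """Replay the exercise's tree changes on a constructed temp tree and compare under both masks."""
    root = tempfile.mkdtemp(prefix="ftimes-toy-")
    try:
        t0, t1 = 1_000_000_000, 1_000_000_100      # constructed timestamps
        _write(os.path.join(root, "file-1"), b"aaaa\n", t0)
        _write(os.path.join(root, "dir-2", "file-2"), b"bbbb\n", t0)
        _write(os.path.join(root, "dir-5", "file-5"), b"cccc\n", t0)
        baseline = map_tree(root)
        _write(os.path.join(root, "file-1"), b"AAAA\n", t1)          # content change, same size
        os.utime(os.path.join(root, "dir-2", "file-2"), (t1, t1))   # "touch" only: mtime moves, bytes do not
        shutil.rmtree(os.path.join(root, "dir-5"))                   # delete dir-5 and everything below it
        _write(os.path.join(root, "dir-2", "extra"), b"new\n", t1)   # add "extra" to dir-2
        snapshot = map_tree(root)
        return {mask: compare(baseline, snapshot, mask) for mask in ("none+md5", "all")}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for mask, report in demo().items():
        print("FieldMask=%s" % mask)
        for category, path, changed in report:
            print("  %s %s %s" % (category, path, ",".join(changed)))
```

Under "none+md5" the touched file does not appear at all, because its digest is identical; under "all" it is reported as changed on mtime alone. That is the kind of difference task 6 asks you to account for, and it is why a digest-only mask is the one to use when the question is "did the bytes change", while a full mask answers "did anything about this file change".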


Challenges

  1. Write a Perl subroutine that takes a URL encoded string as input, decodes it, and returns the output string.

  2. Create, map, modify, and remap a file containing an alternate data stream. Note that this requires the underlying file system to be NTFS.

    1. Explain how you created the file and its alternate stream -- i.e., show the commands used.

    2. What attributes are modified when the alternate stream is modified? How did you determine this?

    3. What security risks are associated with alternate streams?
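Tasks 7 through 9 and the first challenge both turn on the same point: a DigString is a URL-style encoding of a byte sequence, so "%41%41%41%41" and "%00%DA%DA" are four and three raw bytes respectively, and "+" in the Luke string stands for a space. The following Python program is an added example for this page, not code from FTimes; it decodes DigStrings into bytes and then runs a toy dig over a constructed buffer with a MatchLimit, reporting the byte offset of each hit so the results can be checked against a hex dump as task 9 asks. The sample buffer, the set of DigStrings searched and the rule that overlapping occurrences count separately are this example's own choices and say nothing about how FTimes itself handles overlap.

```python
HEXDIGITS = "0123456789abcdefABCDEF"


def decode_digstring(text):
    """Decode an FTimes DigString: %XX becomes one byte, '+' becomes a space, all else is literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "%":
            pair = text[i + 1:i + 3]
            if len(pair) != 2 or any(c not in HEXDIGITS for c in pair):
                raise ValueError("bad %%-escape at offset %d in %r" % (i, text))
            out.append(int(pair, 16))
            i += 3
        elif ch == "+":
            out.append(0x20)
            i += 1
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def dig(data, digstrings, match_limit):
    """Search data for each DigString; report up to match_limit (offset, digstring) hits per string."""
    hits = []
    for ds in digstrings:
        needle = decode_digstring(ds)
        start, count = 0, 0
        while count < match_limit:
            pos = data.find(needle, start)
            if pos < 0:
                break
            hits.append((pos, ds))
            count += 1
            start = pos + 1      # overlapping occurrences are counted separately in this toy
    return hits


# Constructed sample buffer (not the exercise's search.bin). Offsets are worked out in the comments.
SAMPLE = (
    b"\x00" * 8                                 # offsets 0-7: padding
    + b"AAAAAA"                                 # offsets 8-13: "AAAA" occurs at 8, 9 and 10 (overlapping)
    + b"\x90" * 4                               # offsets 14-17: only four 0x90 bytes, too short for the eight-byte DigString
    + b"Luke, may the force be with you."       # offsets 18-49 (32 bytes)
    + b"...overflow...overflow"                 # "overflow" at 53 and at 64
)

DIGSTRINGS = [
    "%41%41%41%41",
    "%90%90%90%90%90%90%90%90",
    "Luke,+may+the+force+be+with+you.",
    "overflow",
]


def run_digs(data=SAMPLE, digstrings=DIGSTRINGS, limits=(1, 2, 10)):
    """Mirror task 8: dig the same buffer once per MatchLimit and collect the hits for each run."""
    return {limit: dig(data, digstrings, limit) for limit in limits}


if __name__ == "__main__":
    for limit, hits in run_digs().items():
        print("MatchLimit=%d" % limit)
        for offset, ds in hits:
            print("  offset=0x%08x (%d) digstring=%s" % (offset, offset, ds))
```

With MatchLimit=1 only the first occurrence of each DigString is reported, which is exactly the offset you should be able to find by hand in a hex dump; raising the limit exposes the later and overlapping occurrences, and a DigString with no occurrence (the eight-byte 0x90 run here) produces no line at any limit.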


Hints

  1. Sample config files are provided in the FTimes distribution.

  2. When using hexdump, the '-C' option can be used to display output in a combined Hex/ASCII format. If that option is not supported, then the following command-line and format specification will produce similar results.

    hexdump -f hexfmt file
    
    --- hexfmt ---
    "%08.8_Ax\n"
    "%08.8_ax  " 8/1 "%02x " "  " 8/1 "%02x "
    "  |" "%_p"
    "|\n"
    --- hexfmt ---
      


Warnings

  1. Running FTimes may alter atime attributes (i.e., time of last access).

  2. Running FTimes or any tool that collects and stores data on a compromised system may destroy undeveloped evidence in free space.

  3. Depending on the hex editor/viewer being used, your offset calculations may need to be adjusted to compensate for any byte swapping that takes place.