Case 1. IP Theft Linux Investigation

Created: 20.09.2020

Nearly all of the company's IP (intellectual property) has been recreated by a competitor. Investigate the development machine for potential data exfiltration.

  1. netstat -lpeanut shows that there are two DHCP clients running; one of them uses an unusual port and runs as an unusual user.
  2. ps aux | grep 40500 (or ps aux | grep dhclient) shows the running processes and, often, the command lines used to start them. The suspicious client was launched from the /tmp folder.
  3. ls -la /tmp/ to look at the file that was launched. Nothing is there: the file seems to have been deleted after it was started.
  4. lsof -p 40500 lists the files opened by the process with that PID. It shows that the dhclient binary was indeed deleted while its socket files are still open (highlighted in red).

❗ In Linux a file can be deleted and still keep running.

  5. /proc (procfs) is like a snapshot of RAM: Linux maps process memory and state onto a temporary virtual file system, so it can be explored as if it were on disk. cd /proc/40500/ and ls. The exe symlink is shown in red. Run ls -l to see where the symlink points: it points to the deleted suspicious file 🦹‍♂️. Despite this, the file can still be recovered from memory.
  6. cp /proc/40500/exe /tmp/copy and cat /proc/40500/exe > /tmp/reassembled. Compare the hashes with md5sum and sha1sum.
  7. Search for these hashes in other directories (in case the file was copied) and on other machines: sudo find / -type f -exec md5sum {} \; | grep <hash_from_step_6> or sudo find /bin/ -type f -exec md5sum {} \; | grep <hash>.

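The steps above (deleted-but-running binary, recovery through /proc/PID/exe, hash search) as one reusable shell script. This is an added example, not part of the original notes or the webinar; it assumes a Linux /proc and GNU coreutils (readlink, md5sum, find, awk), and the PID and paths from the case are replaced by arguments.

```shell
#!/bin/sh
# Added example, not from the original notes: the investigation above as reusable
# functions. Assumes a Linux /proc and GNU coreutils (readlink, md5sum, find, awk).
# PID 40500 and the /tmp paths in the notes are case-specific; pass your own values.

# True (exit 0) when a readlink target carries the kernel's " (deleted)" suffix,
# i.e. the executable was unlinked from disk while the process kept running.
link_target_deleted() {
    case "$1" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Print "<path> deleted" or "<path> present" for the executable behind a PID.
check_exe() {
    target=$(readlink "/proc/$1/exe") || return 1
    if link_target_deleted "$target"; then
        printf '%s deleted\n' "${target% (deleted)}"
    else
        printf '%s present\n' "$target"
    fi
}

# md5 of a file, hash only (the same value grep matches in the find pipeline).
hash_file() {
    md5sum "$1" | cut -d' ' -f1
}

# Recover the still-mapped image through /proc/PID/exe (works after deletion),
# write it to an evidence file and print its hash for later searches.
recover_exe() {
    cat "/proc/$1/exe" > "$2" || return 1
    hash_file "$2"
}

# Print every regular file under $2 whose md5 equals $1 (step 7, scripted).
find_by_hash() {
    find "$2" -type f -exec md5sum {} \; 2>/dev/null |
        awk -v want="$1" '$1 == want { sub(/^[^ ]+ +/, ""); print }'
}

# Usage: ./script.sh <pid> <evidence-file> <search-root>
if [ "$#" -eq 3 ]; then
    check_exe "$1"
    h=$(recover_exe "$1" "$2") && echo "recovered hash: $h"
    find_by_hash "$h" "$3"
fi
```

Run the script with sudo when the target process belongs to another user, since /proc/PID/exe is only readable by that user or root.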

References

[1] Magnet webinar on Linux Forensics