From b7dc8e1fdd15ae703f784e113145e9dba1f3ba8e Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Tue, 27 Nov 2018 14:23:19 +0000 Subject: [PATCH] lab updates --- .../dead_analysis_v2/dead_analysis_v2.pp | 1 - .../dead_analysis_v2/manifests/install.pp | 14 -------------- .../dead_analysis_v2/templates/intro.md.erb | 8 +++----- 3 files changed, 3 insertions(+), 20 deletions(-) delete mode 100644 modules/generators/structured_content/hackerbot_config/dead_analysis_v2/manifests/install.pp diff --git a/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/dead_analysis_v2.pp b/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/dead_analysis_v2.pp index edcf81cdc..e69de29bb 100644 --- a/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/dead_analysis_v2.pp +++ b/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/dead_analysis_v2.pp @@ -1 +0,0 @@ -include dead_analysis_v2::install diff --git a/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/manifests/install.pp b/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/manifests/install.pp deleted file mode 100644 index 4ff644c48..000000000 --- a/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/manifests/install.pp +++ /dev/null @@ -1,14 +0,0 @@ -class dead_analysis_v2::install { - - $url_path = "http//:z.cliffe.schreuders.org/files/6543367533" - # This file is just too big and binary to make sense to include in the git repo - file { - "/root/hda1.img": - source => "$url_path/hda1.img" - } - file { - "/root/md5s": - source => "$url_path/md5s" - } - -} diff --git a/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/templates/intro.md.erb b/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/templates/intro.md.erb index accfb6280..bd6b9abb5 100644 
--- a/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/templates/intro.md.erb +++ b/modules/generators/structured_content/hackerbot_config/dead_analysis_v2/templates/intro.md.erb @@ -39,8 +39,6 @@ mkdir /mnt/compromised mount -O ro -o loop evidence/hda1.img /mnt/compromised ``` -> Troubleshooting: If you used a VMware VM in the live analysis lab, you may need to replace hda1.img with sda1.img - Confirm that you can now see the files that were on the compromised system: ```bash @@ -49,7 +47,7 @@ ls /mnt/compromised ## Preparing for analysis of the integrity of files -Fortunately the "system administrator" of the Red Hat server had run a file integrity tool to generate hashes before the system was compromised. Start by saving a copy of the hashes recorded of the system when it was in a clean state... +Fortunately the system administrator of the Red Hat server had run a file integrity tool to generate hashes before the system was compromised. Start by saving a copy of the hashes recorded of the system when it was in a clean state... Click here to download the md5 hashes of the system before it was compromised 
@@ -148,10 +146,10 @@ Next, we investigate what sslstop.tar.gz is used for. A quick Google brings up a --- -Refer to your previously collected evidence to ==identify whether any of the new executables were those with open ports== when live information was collected. Two of these have particularly interesting file names: `/usr/bin/smbd -D` and `/usr/bin/(swapd)`. These names are designed to be deceptive: for example, the inclusion of ` -D` is designed to trick system administrators into thinking that any processes were started with the "-D" command line argument flag. +Two of these have particularly interesting file names: `/usr/bin/smbd -D` and `/usr/bin/(swapd)`. These names are designed to be deceptive: for example, the inclusion of ` -D` is designed to trick system administrators into thinking that any processes were started with the "-D" command line argument flag. Note that /lib/.x/ contains a number of new executables, including one called "hide". These are likely part of a rootkit. -> **Hint:** to view these files you will have to look in /mnt/compromised/lib/.x. The .x folder is a hidden folder (all folders and file in Linux that begin with a "." ar hidden files). Therefore, you will have to use the -a switch when using the ls command in a terminal or tell the graphical file manager to display hidden files ( View > Show Hidden Files or Ctrl+H). +> **Hint:** to view these files you will have to look in /mnt/compromised/lib/.x. The .x folder is a hidden folder (all folders and file in Linux that begin with a "." ar hidden files). Therefore, you will have to use the -a switch when using the ls command in a terminal or tell the graphical file manager to display hidden files ( View / Show Hidden Files or Ctrl+H). ==Using Autopsy "File Analysis" mode, browse to "/lib/.x/"==. **Explicit language warning: if you are easily offended, then skip this next step.** View the contents of "install.log". 
> **Hint:** you will have to click **../** to move up the directory tree until you can see the lib directory in the root directory /.
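Review bot: the hunk for dead_analysis_v2.pp removes its only line and leaves an empty file (the new blob index e69de29bb is the empty-file hash) instead of deleting it together with manifests/install.pp; either delete dead_analysis_v2.pp as well, or keep a one-line comment stating that the evidence image and hash list are now provisioned elsewhere, so a later reader does not assume the `include` was dropped by accident.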
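Review bot: the deleted manifests/install.pp was the only place that fetched /root/hda1.img and /root/md5s, yet the intro template still tells students to mount evidence/hda1.img and to download the md5 hashes, so the commit message should say where those artefacts now come from. It is also worth recording that the removed `$url_path = "http//:z.cliffe.schreuders.org/files/6543367533"` has the scheme mistyped (`http//:` rather than `http://`), so the two `file` resources could never have resolved; if a fetch is reintroduced, use an https source and pin the expected digest (the file type's `checksum` / `checksum_value` attributes) so that neither the evidence image nor the baseline hash list can be silently substituted in transit.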
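Review bot: in the first intro.md.erb hunk the troubleshooting line about VMware VMs and sda1.img is removed with no replacement, so a student whose image from the live-analysis lab is named sda1.img will now get an unexplained mount failure; keep the note unless hda1.img is now always the provided name, in which case say so in the commit message. While this block is being touched, the unchanged context line `mount -O ro -o loop evidence/hda1.img /mnt/compromised` does not mount read-only: `-O` is the option filter used with `mount -a`, not `-o ro`, so the evidence image can be modified during analysis. Use `mount -o ro,loop evidence/hda1.img /mnt/compromised` (adding `noexec,nodev` further reduces the chance of anything from the compromised image being executed on the analysis machine).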
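Review bot: in the last intro.md.erb hunk, deleting the "Refer to your previously collected evidence ..." sentence leaves the paragraph opening with "Two of these have particularly interesting file names", and "these" no longer has an antecedent; reword to "Two of the new executables have ..." or keep a short lead sentence. That sentence was also the only step tying the new executables back to the open-port evidence from the live lab, so if the cross-check is dropped on purpose the commit message should say why. The hint line is modified only to swap ">" for "/", so fix its typos in the same pass: "all folders and file in Linux that begin with a "." ar hidden files" should read "all folders and files in Linux that begin with a "." are hidden files".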