Case Study: rootkit
To find out how robust deleted file information can be, I set up a disposable RedHat 5.2 Linux machine and downloaded Version 4 of the Linux rootkit source distribution. The rootkit software produces a network password sniffer program and replaces over a dozen system utilities with modified versions that either reveal intruder activity or provide intruder backdoors. I compiled, installed, and removed the rootkit software, just like an intruder.
Then I did just about the worst possible thing. I downloaded the Coroner's Toolkit source distribution, unpacked it in the same directory as used by the "intruder," compiled it, and ran the software. (To avoid data destruction as described here, we intend to make ready-to-run CD-ROM images available.)
Using the Coroner's Toolkit in this manner, I knowingly destroyed large amounts of information by overwriting deleted files and obliterating file access time information for compiler-related files and for other files.
Even after all that destruction, the Coroner's Toolkit still found useful information. Access time patterns of deleted files revealed that at least 460 files and directories were created and deleted within a relatively short amount of time. At least 300 of those files had practically identical last modification times on November 23, 1998, the apparent time when Linux rootkit Version 4 was prepared for distribution.
The signatures from deleted file attributes were so strong because intruder software suffers from bloat just like any other software. Linux rootkit Version 4 has a rather large footprint of approximately 780 files and directories, including compiler output files. A footprint that large is hard to overlook, even in deleted file access time patterns.
-- W.V.
