BackTrack Forensics


Intrusion detection and log analysis

Intrusion detection is a method used to monitor a computer network or system for malicious activity. It’s generally referred to as an intrusion detection system (IDS) because it’s the system that actually performs the monitoring, based on a set of predefined rules. An IDS adds an additional layer of security to a network by analyzing information from various points and determining whether an actual or possible security breach has occurred, or whether a vulnerability is present that would allow a breach.

In this recipe, we will examine the Snort tool for the purposes of intrusion detection and log analysis. Snort was developed by Sourcefire, and is an open source tool that has the capabilities of acting as both an intrusion detection system and an intrusion prevention system. One of the advantages of Snort is that it allows you to analyze network traffic in real time, and make faster responses should security breaches occur.

Remember, running Snort on our network and utilizing it for intrusion detection does not stop exploits from occurring. It just gives us the ability to see what is going on in our network.

Getting ready

A connection to the Internet or intranet is required to complete this task.

It is assumed that you have visited and downloaded the Sourcefire Vulnerability Research Team (VRT) Certified Rules. A valid ruleset must be maintained in order to use Snort for detection. If you do not have an account already, you may sign up at

How to do it…

Let’s begin by starting Snort:

  1. Start the Snort service:

  2. Now that the Snort service has been initiated, we will start the application from a terminal window. We are going to pass a few options that are described as follows:

    • -q: This option tells Snort to run in inline mode.

    • -v: This option prints the TCP/IP headers of each packet on the screen. This is also called the “sniffer mode” setting.

    • -c: This option allows us to select our configuration file. In this case, its location is /etc/snort/snort.conf.

    • -i: This option allows you to specify your interface.

    Using these options, let’s execute the following command:

    snort -q -v -i eth1 -c /etc/snort/snort.conf

  3. To stop Snort from monitoring, press Ctrl + X.

How it works…

In this recipe, we started the Snort service and launched Snort in order to view the log data.

There’s more…

Before we can adequately use Snort for our purposes, we need to make alterations to its configuration file.

  1. Open a terminal window and locate the Snort configuration file:

    locate snort.conf

  2. Now we will edit the configuration file using nano:

    nano /etc/snort/snort.conf

  3. Look for the line that reads var HOME_NET any. We would like to change this to our internal network (the devices we would like to have monitored). Each situation is going to be unique. You may want to only monitor one device and you can do so simply by entering its IP address (var HOME_NET You may also want to monitor an IP range (var HOME_NET, or you may want to specify multiple ranges (var HOME_NET, In our case, we will look at just our local network:

    var HOME_NET

  4. Likewise, we need to specify what is considered the external network. For most purposes, we want any IP address that is not part of our specified home network to be considered external. So we comment out the line that reads var EXTERNAL_NET any and uncomment the line that reads var EXTERNAL_NET !$HOME_NET:

    #var EXTERNAL_NET any
    var EXTERNAL_NET !$HOME_NET

    The screenshot represents the two lines that you need to alter to match the changes mentioned in this step.

  5. To view an extended list of Snort commands, please visit the Snort Users Manual at snort_manual.pdf.
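The HOME_NET and EXTERNAL_NET edits above are easy to get wrong by hand: an "any" left active on either variable, or a misspelled variable name that Snort simply treats as a new, unused variable. The script below is an added example, not part of the original recipe or of Snort: it applies the two changes with sed to a copy of snort.conf and then checks that exactly the intended lines are present before you restart Snort. The sample config fragment, the .bak backup path and the 192.168.1.0/24 network are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): set HOME_NET / EXTERNAL_NET in a
# snort.conf copy and verify the result before restarting Snort.

# Write a constructed snort.conf fragment so the example runs offline.
make_sample_conf() {
  cat > "$1" <<'EOF'
# Setup the network addresses you are protecting
var HOME_NET any
# Set up the external network addresses
var EXTERNAL_NET any
#var EXTERNAL_NET !$HOME_NET
EOF
}

# set_snort_nets CONF HOME_NET_VALUE
# Keeps a backup as CONF.bak, then:
#   var HOME_NET any             -> var HOME_NET <value>
#   var EXTERNAL_NET any         -> #var EXTERNAL_NET any   (commented out)
#   #var EXTERNAL_NET !$HOME_NET -> var EXTERNAL_NET !$HOME_NET (uncommented)
set_snort_nets() {
  conf="$1"; home="$2"
  cp "$conf" "$conf.bak"
  sed -e "s|^var HOME_NET any\$|var HOME_NET $home|" \
      -e 's|^var EXTERNAL_NET any$|#var EXTERNAL_NET any|' \
      -e 's|^#var EXTERNAL_NET !\$HOME_NET$|var EXTERNAL_NET !$HOME_NET|' \
      "$conf.bak" > "$conf"
}

# check_snort_nets CONF HOME_NET_VALUE
# Returns 0 only if the three expected lines are present and neither
# variable is still set to "any". Whole-line, fixed-string matches (-x -F)
# so the "$" and "!" in the values are taken literally.
check_snort_nets() {
  conf="$1"; home="$2"
  grep -qxF "var HOME_NET $home" "$conf" || return 1
  grep -qxF '#var EXTERNAL_NET any' "$conf" || return 1
  grep -qxF 'var EXTERNAL_NET !$HOME_NET' "$conf" || return 1
  if grep -qxF 'var HOME_NET any' "$conf"; then return 1; fi
  if grep -qxF 'var EXTERNAL_NET any' "$conf"; then return 1; fi
  return 0
}

# Demonstration on a temporary copy; nothing under /etc/snort is touched.
demo=$(mktemp)
make_sample_conf "$demo"
set_snort_nets "$demo" "192.168.1.0/24"
if check_snort_nets "$demo" "192.168.1.0/24"; then
  echo "network variables set correctly:"
  grep -E '^#?var (HOME|EXTERNAL)_NET' "$demo"
else
  echo "snort.conf check failed" >&2
fi
rm -f "$demo" "$demo.bak"
```

To use it on the real file, call `set_snort_nets /etc/snort/snort.conf <your network>` and then `check_snort_nets` with the same arguments; a non-zero exit means the file should be inspected before Snort is restarted with it.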

Recursive directory encryption/decryption

Encryption is a method of transforming data into a format that cannot be read by other users. Decryption is the method of transforming data back into a format that is readable. The benefit of encrypting your data is that even if the data is stolen, without the correct decryptor, it’s unusable by the stealing party. You have the ability, depending on the program that you use, to encrypt individual files, folders, or entire hard drives.

In this recipe, we will use gpgdir to perform recursive directory encryption and decryption. An advantage of using gpgdir is that it has the ability to not only encrypt a folder, but also all subfolders and files contained within our main folder. This will save you a lot of time and effort!

Getting ready

To complete this recipe, you must have gpgdir installed on your BackTrack version.

How to do it…

In order to use gpgdir, you must have it installed. If you have not installed it before, use the following instructions to install it:

  1. Open a terminal window and make a new directory under the root filesystem:

    mkdir /sourcecode

  2. Change your directory to the sourcecode directory:

    cd /sourcecode

  3. Next, we will use Wget to download the gpgdir application and its public key:

    wget 1.9.5.tar.bz2

  4. Next we download the signature file:

    wget 1.9.5.tar.bz2.asc

  5. Next we download the public key file:

  6. Now we need to verify the package:

    gpg --import public_key
    gpg --verify gpgdir-1.9.5.tar.bz2.asc

  7. Next we untar gpgdir, switch to its directory, and complete the installation:

    tar xfj gpgdir-1.9.5.tar.bz2
    cd gpgdir-1.9.5
    ./

  8. The first time you run gpgdir, a new file called .gpgdirrc is created in your home directory (/root, assuming root is the user you are using under BackTrack). To start the creation of the file, type the following command:


  9. Finally, we need to edit the .gpgdirrc file and uncomment the default_key line:

    vi /root/.gpgdirrc
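Step 6 verifies the tarball's signature, but nothing in the sequence stops the build if that verification fails. The shell function below is an added example, not part of gpgdir or of the book: it refuses to unpack the archive unless gpg reports a good signature, using the file names from the recipe (gpgdir-1.9.5.tar.bz2, its .asc signature and public_key). It assumes gpg is installed; the demonstration call at the bottom only runs if those files are in the current directory.

```shell
#!/bin/sh
# Added example (not from the book or gpgdir): fail closed on package
# verification. Only a verified archive gets extracted.

# verify_and_extract TARBALL SIGNATURE PUBKEY
# Return codes: 0 verified and extracted; 1 bad signature; 2 a file is
# missing; 3 gpg not installed; 4 key import failed; 5 tar failed.
# The archive is left unpacked in every non-zero case except 5.
verify_and_extract() {
  tarball="$1"; sig="$2"; pubkey="$3"
  for f in "$tarball" "$sig" "$pubkey"; do
    if [ ! -f "$f" ]; then
      echo "missing file: $f" >&2
      return 2
    fi
  done
  command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 3; }
  # Import the signer's public key (same as step 6 of the recipe).
  gpg --batch --import "$pubkey" >/dev/null 2>&1 || { echo "key import failed" >&2; return 4; }
  # --verify exits non-zero on a bad or unknown signature; act on that
  # exit status instead of only reading the printed output.
  if gpg --batch --verify "$sig" "$tarball" >/dev/null 2>&1; then
    tar xfj "$tarball" || return 5
    echo "verified and extracted $tarball"
    return 0
  fi
  echo "signature check FAILED for $tarball; not extracting" >&2
  return 1
}

# Demonstration with the recipe's file names; runs only if they are
# present in the current directory.
if [ -f gpgdir-1.9.5.tar.bz2 ]; then
  verify_and_extract gpgdir-1.9.5.tar.bz2 gpgdir-1.9.5.tar.bz2.asc public_key
fi
```

A good signature only proves that the archive was signed by the key you just imported; compare that key's fingerprint with the one the project publishes before treating the result as trustworthy.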

Now that you have gpgdir installed, let’s use it to perform recursive directory encryption and decryption:

  1. Open a terminal window and create a directory for us to encrypt:

    mkdir /encrypted_directory

  2. Add files to the directory. You can add as many files as you would like using the Linux copy command cp.

  3. Now, we will use gpgdir to encrypt the directory:

    gpgdir -e /encrypted_directory

  4. At the prompt, enter your password. This is the password associated with your key file.

  5. To decrypt the directory with gpgdir, type the following command:

    gpgdir -d /encrypted_directory

How it works…

In this recipe, we used gpgdir to recursively encrypt a directory and to subsequently decrypt it. We began the recipe by installing gpgdir and editing its configuration file. Once gpgdir has been installed, we have the ability to encrypt and decrypt directories.

For more information on gpgdir, please visit its documentation website at

Scanning for signs of rootkits

A rootkit is a malicious program designed to hide suspicious processes from detection and allow continued, often remote, access to a computer system. Rootkits can be installed using various methods including hiding executable code within web page links, downloaded software programs, or on media files and documents. In this recipe, we will utilize chkrootkit to search for rootkits on our Windows or Linux system.

Getting ready

In order to scan for a rootkit, you can either use your BackTrack installation, log in to a compromised virtual machine remotely, or mount the BackTrack 5 R3 DVD on a computer system to which you have physical access.

How to do it…

Let’s begin exploring chkrootkit by navigating to it from the BackTrack menu:

  1. Navigate to Applications | BackTrack | Forensics | Anti-Virus Forensics Tools | chkrootkit:

  2. Alternatively, you can enter the following commands to run chkrootkit:

    cd /pentest/forensics/chkrootkit
    ./chkrootkit

    chkrootkit will begin execution immediately, and you will be provided with an output on your screen as the checks are processed:

How it works…

In this recipe, we used chkrootkit to check for malware, Trojans, and rootkits on our localhost. chkrootkit is a very effective scanner that can be used to determine if our system has been attacked. It’s also useful when BackTrack is loaded as a live DVD and used to scan a computer you think is infected by rootkits.

There’s more…

Alternatively, you can run Rootkit Hunter (rkhunter) to find rootkits on your system:

  1. Open a terminal window and run the following command to launch rkhunter:

    rkhunter --check

  2. At the end of the process, you will receive a summary listing the checks performed and their statistics:

Useful alternative command options for chkrootkit

The following is a list of useful options to select when running chkrootkit:

  • -h: Displays the help file

  • -V: Displays the current running version of chkrootkit

  • -l: Displays a list of available tests

Useful alternative command options for rkhunter

The following is a list of useful options to select when running rkhunter:

  • update: Allows you to update the rkhunter database

    rkhunter --update

  • list: Displays a list of Perl modules, rootkits available for checking, and tests that will be performed

    rkhunter --list

  • sk: Allows you to skip pressing the Enter key after each test runs

    rkhunter --check --sk

  • Entering rkhunter at a terminal window will display the help file:
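Both scanners print a long list of checks in which the interesting lines are buried among "not infected" and "[ OK ]" results. The script below is an added example, not from the book, chkrootkit or rkhunter: it filters saved scanner output down to the lines that need a human look and counts them, so a scheduled scan can alert only on a non-zero exit. The log lines it embeds are constructed to resemble each tool's output format, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the book, chkrootkit or rkhunter): triage saved
# scanner output. Run the scanners with output redirected to a file, e.g.
#   ./chkrootkit > /tmp/chk.log ; rkhunter --check --sk > /tmp/rkh.log
# then point these functions at the files.

# Constructed sample resembling chkrootkit and rkhunter output (not real).
write_sample_log() {
  cat > "$1" <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `login'... INFECTED
Checking `netstat'... not infected
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Checking `lkm'... chkproc: nothing detected
  Checking for prerequisites                    [ Warning ]
  /usr/bin/ls                                   [ OK ]
  /usr/bin/ssh                                  [ Warning ]
  Checking for hidden processes                 [ OK ]
EOF
}

# scan_findings FILE
# Prints only lines chkrootkit marks INFECTED or rkhunter marks
# "[ Warning ]"; "not infected", "nothing detected" and "[ OK ]" are noise.
scan_findings() {
  grep -E 'INFECTED|\[ Warning \]' "$1"
}

# count_findings FILE
# Prints "<infected> <warnings>" ("0 0" when clean). grep -c exits 1 on
# zero matches, so "|| true" keeps the printed count rather than failing.
count_findings() {
  infected=$(grep -c 'INFECTED' "$1" || true)
  warnings=$(grep -c '\[ Warning \]' "$1" || true)
  echo "$infected $warnings"
}

# scan_is_clean FILE
# Returns 0 when nothing was flagged, 1 otherwise; suitable for a cron job
# that only sends mail on a non-zero exit.
scan_is_clean() {
  [ "$(count_findings "$1")" = "0 0" ]
}

# Demonstration on the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "findings:"
scan_findings "$log"
echo "infected/warning counts: $(count_findings "$log")"
if scan_is_clean "$log"; then echo "clean"; else echo "needs investigation"; fi
rm -f "$log"
```

A hit is a prompt to investigate, not proof of compromise: both tools produce known false positives (chkrootkit's Suckit check on /sbin/init is a well-known one), so compare a flagged binary against its package checksum or a known-good copy before acting on it.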


