Metasploitable/Volatile Data Investigation: Difference between revisions
From charlesreid1
Revision as of 06:17, 31 March 2016
Volatile Data System Investigation
These commands are for Unix and Linux systems.
Volatile data (memory contents, open network ports and connections, running processes) changes continuously, so collect it as soon as possible after the incident, and in order of volatility: memory first, then network state, then processes, then the slowly changing system facts. Be careful how you gather it: every command you run creates a process and consumes memory, and you can flush valuable cached network data (ARP entries, connection tables) in the act of trying to recover it.
More info on tools here: http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
Prepare Environment
Mount a trusted source of Linux tools (a CD or USB drive, ideally read-only) at /media.
Mount a separate writable USB drive for the collected volatile data at /mount.
Use only removable storage and your own tools for these backups: writing to the suspect system's disks overwrites evidence, and its binaries cannot be trusted.
Prepare
Invoke a trusted shell from the trusted media: it should be Shellshock-patched and statically linked, so that it does not load the compromised host's shared libraries (a replaced libc or an LD_PRELOAD hook would otherwise run inside your own shell).
Begin Logging
Change to your working directory on the collection drive and run the script command to record everything typed and printed during the session. The typescript file is written to the current directory as you work and closed when you exit the script shell, so keep that directory on the removable drive, not on the suspect disk.
Dump Memory
Document the date and time, for the output file:
$ date
Linux 2.4 kernel
Capture physical memory on a Linux 2.4 kernel, where /dev/mem still exposes all of physical RAM. Run the tool from the trusted media and write only to the collection drive; the /media/.. and /mount/.. paths stand for wherever you mounted them:
$ /media/../dc3dd if=/dev/mem > /mount/../physical_mem_out
$ /media/../memdump > /mount/../physical_mem_out
$ /media/../dc3dd if=/proc/kcore of=/mount/../kcore_mem_out
The first two commands each produce a raw image of physical memory, so use one or the other (both write to the same output file). /proc/kcore is an ELF core-format view of kernel memory rather than a raw dump: it is larger than RAM and needs an ELF-aware tool to analyse.
Linux 2.6 kernel
Capture memory for a Linux 2.6 kernel. On these kernels /dev/mem typically no longer gives access to all physical RAM, so this method uses fmem, a loadable kernel module that exposes physical memory as /dev/fmem. Inserting any module alters the running kernel, so build fmem in advance against the exact kernel version of the target, carry it on the trusted media, and record in your session log that it was loaded and when.
Alternative tools?
Collect system state
Network
We'll want to capture network activity.
$ netstat -naovp
$ netstat -inet -naov
System
Run a few essential commands to list system status:
$ ifconfig
$ hostname
$ printenv
$ whoami
$ id
$ logname
$ uptime
$ uname -a
$ cat /proc/version
$ cat /proc/cpuinfo
$ # Record kernel boot parameters:
$ cat /proc/cmdline
$ # Dump the routing table:
$ netstat -nr
$ # Dump the ARP cache:
$ arp -a
$ # Logged-on users:
$ who
$ w
$ users
$ # Process data (replace PID with the process of interest):
$ lsof -l
$ ps -e
$ ps -ef
$ ps aux
$ top -n 1 -b
$ pstree -a
$ pmap -d PID
$ ps -eafww
$ ps auxww
$ pmap -x PID
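The preparation, logging, memory-dump and system-state steps above, collapsed into one collection script, as an added example that is not part of the original page. It runs each command from the trusted tool directory, stores one output file per command on the collection drive, logs the timestamp, resolved binary and exit status of every step, and hashes the results so later tampering with the evidence drive is detectable. The TOOLS and OUT defaults (/media/tools/bin, /mount/case01) are assumptions standing in for the page's elided /media/.. and /mount/.. paths; override them for a real case.

```shell
#!/bin/sh
# Added example, not code from the original page: the Prepare, Begin Logging,
# Dump Memory and Collect system state steps as one script, run from trusted
# media and writing only to the collection drive.
# Assumptions (hypothetical defaults, override on a real case):
#   TOOLS  directory of trusted, statically linked binaries (the page's /media/..)
#   OUT    mounted collection drive for the evidence (the page's /mount/..)
TOOLS="${TOOLS:-/media/tools/bin}"
OUT="${OUT:-/mount/case01}"

# Trusted binaries first; a tool missing from TOOLS falls through to the host
# copy, and the log records which binary was actually executed.
PATH="$TOOLS:$PATH"
export PATH

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# run_cmd NAME CMD [ARGS...]: run one command, save stdout+stderr to
# $OUT/NAME.txt, and log timestamp, resolved binary and exit status.
# Failures are logged, never fatal: one broken tool must not stop the run.
run_cmd() {
    name="$1"; shift
    bin=$(command -v "$1" 2>/dev/null) || {
        printf '%s SKIP %s: %s not found\n' "$(stamp)" "$name" "$1" >> "$OUT/collection.log"
        return 0
    }
    printf '%s RUN  %s: %s (%s)\n' "$(stamp)" "$name" "$*" "$bin" >> "$OUT/collection.log"
    if "$@" > "$OUT/$name.txt" 2>&1; then rc=0; else rc=$?; fi
    printf '%s EXIT %s rc=%s\n' "$(stamp)" "$name" "$rc" >> "$OUT/collection.log"
}

# Order of volatility: memory, then network state, then processes, then the
# system facts that change slowly. Returns 0 on success, 1 if the drive
# cannot be written or the hash manifest cannot be produced.
collect_volatile() {
    mkdir -p "$OUT" || return 1
    : > "$OUT/collection.log"
    run_cmd date_start  date
    # Physical memory: only where /dev/mem is readable (2.4-era kernels; newer
    # ones usually restrict it) and a trusted dc3dd is on the path.
    if [ -r /dev/mem ] && command -v dc3dd >/dev/null 2>&1; then
        run_cmd physical_mem dc3dd if=/dev/mem of="$OUT/physical_mem.raw"
    fi
    run_cmd netstat_all netstat -naovp
    run_cmd routes      netstat -nr
    run_cmd arp_cache   arp -a
    run_cmd who         who
    run_cmd w           w
    run_cmd lsof        lsof -l
    run_cmd ps_auxww    ps auxww
    run_cmd pstree      pstree -a
    run_cmd top         top -b -n 1
    run_cmd ifconfig    ifconfig
    run_cmd hostname    hostname
    run_cmd id          id
    run_cmd uptime      uptime
    run_cmd uname       uname -a
    run_cmd cmdline     cat /proc/cmdline
    run_cmd version     cat /proc/version
    run_cmd cpuinfo     cat /proc/cpuinfo
    run_cmd env         env
    run_cmd date_end    date
    # Hash every collected file (verify later with: cd "$OUT" && sha256sum -c sha256sums.txt).
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$OUT" && find . -type f ! -name sha256sums.txt -exec sha256sum {} + > sha256sums.txt) || return 1
    fi
    return 0
}

# Usage: sh collect_volatile.sh run   (as root, after mounting TOOLS and OUT,
# inside the script(1) session started under the trusted shell)
case "${1:-}" in
    run) collect_volatile ;;
esac
```

Run it inside the script session so the typescript captures the collection itself; the per-command log and the hash manifest then give you both the order in which evidence was gathered and a way to prove the files have not changed since.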