Metasploitable/Volatile Data Investigation
From charlesreid1
Volatile Data System Investigation
These commands are forUnix and Linux systems.
Volatile data like memory, network ports, and processes will change over time, so be careful to make these backups as soon as possible after the incident. And be careful how you gather data! You can potentially flush valuable cached network interface data in the process of trying to recover it.
More info on tools here: http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
Prepare Environment
Make available a trusted source of Linux tools in /media (a CD or USB drive).
Make a USB mount drive for volatile data collection at /mount.
You'll use removable storage, and your own tools, to make these backups.
Prepare
Invoke a trusted shell: this should be shellshock-patched and statically linked (making it invulnerable to attacks on shared libraries).
Begin Logging
Go to your working directory, and run the script command to begin logging activity on the machine. Once you exit the shell, an output file will be created.
Dump Memory
Document the date and time, for the output file:
$ date
Linux 2.4 kernel
Capture memory for Linux 2.4 kernel using memdump.
$ /media/../dc3dd if=/dev/mem > /mount/../physical_mem_out $ /media/../memdump > /mount/../physical_mem_out $ /media/../dc3dd if=/proc/kcore of=/mount/../kcore_mem_out
Linux 2.6 kernel
Capture memory for Linux 2.6 kernel. This method will use fmem, but will need to be configured to keep from modifying the system.
Alternative tools?
Collect system state
Network
We'll want to capture network activity.
$ netstat -naovp $ netstat -inet -naov
System
Run a few essential commands to list system status:
$ ifconfig $ hostname $ printenv $ whoami $ id $ logname $ uptime $ uname -a $ cat /proc/version $ cat /proc/cpuinfo $ # Record kernel boot: $ cat /proc/cmdline $ # Dump the routing table: $ netstat -nr $ # Dump the ARP cache: $ arp -a $ # Logged-on users: $ who $ w $ users $ # Process data: $ lsof -l $ ps -e $ ps -ef # Simple list $ ps aux # Temporal $ top -n 1 -b $ pstree -a $ pmap -d PID $ ps -eafww $ ps auxww $ pmap -x PID # proc mem map $ # Service config: $ # (This will change based on OS) $ $ # RedHat: $ chkconfig -list $ # General: $ service -status-all # Shows status $ service -status-all 2&>1 | grep \+ $ $ # Solaris: $ ls /etc/rc*.d $ # Solaris 10+: $ smf $ # Check loaded kernel modules: $ lsmod $ cat /proc/modules $ modinfo MODULE_NAME # from lsmod $ xclip -o $ iptables -t nat -nL $ iptables -t mangle -nL $ iptables -t filter -nL $ iptables -t raw -nL $ for type in nat mangle filter raw; do iptables -t $type -nL; done
Flags
 |
Metasploitablue: The Blue Team Metasploitable is a virtual machine with baked-in vulnerabilities, designed to teach Metasploit. This set of articles discusses the BLUE TEAM's methods for defending Metasploitable: defending against and responding to intrusions.
Hence the name, Metasploita-blue. Overview: Metasploitable/Defenses Metasploitable/Defenses/Stopping · Metasploitable/Defenses/Detecting
Metasploitable On-Machine Defenses: Linux Volatile Data System Investigation: Metasploitable/Volatile Data Investigation Linux Artifact Investigation: Metasploitable/Artifact Investigation Linux Iptables Essentials: Metasploitable/Iptables Firewall Assurance and Testing: Metasploitable/Firewall Password Assessment: Metasploitable/Password Assessment Standard Unix Ports: Unix/Ports
Netcat and Cryptcat (Blue Team): Metasploitable/Netcat and Metasploitable/Cryptcat Nmap (Blue Team): Metasploitable/Nmap Network Traffic Analysis: Metasploitable/Network Traffic Analysis Suspicious Traffic Patterns: Metasploitable/Suspicious Traffic Patterns Snort IDS: Metasploitable/Snort
|