This research develops and tests a Linux Incident Response Methodology Model used when collecting volatile data during an incident response in network intrusions based investigations. This model allows a forensics or network intrusion investigator performing an incident response to aid in volatile data collection for an investigation.  The evidence collected in this methodology meets the needs of collecting pertinent information to the investigator such as operating system specific information, process related information, unlinked file information, startup related information, virtual directory information, temporary file system information, network related information, user related information, and lastly hardware related information. This model and associated program is called LinuxIR. This program and methodology is tested on a variety of Linux kernels and distributions to verify results. This methodology was created because a Linux Incident Response Methodology is needed to allow investigators to easily investigate Linux compromises, while preserving evidence and giving investigators the evidence they need to perform analysis. This in the future improve network intrusions response and increase investigative efficiency.


LinuxIR Volatile Data Gathering Overview

LinuxIR Framework Demonstration

Research Questions

The model developed answers the following research questions:

RQ1:   Does the Linux Volatile Data Capture Model for Incident Response in gather pertinent volatile data that is relevant?

RQ2:    Does this model / methodology preserves evidence, and have a minimal digital footprint?

RQ3:   Is this model able to be used on a majority of Linux distributions and kernels?

RQ4:  Can this model easily be deployed, with minimal interaction by the incident responder while still having the flexibility necessary?

By developing a model that answers the following questions, this study was able to improve the accuracy and response to network intrusion investigations as investigators can use this model.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: