This research develops and tests a Linux Incident Response Methodology Model for collecting volatile data during incident response in network-intrusion investigations. The model aids a forensic or network-intrusion investigator who is performing an incident response in collecting the volatile data an investigation requires. The evidence gathered under this methodology covers the information pertinent to the investigator: operating-system information, process information, unlinked file information, startup information, virtual directory information, temporary file system information, network information, user information, and lastly hardware information. The model and its associated program are called LinuxIR. The program and methodology are tested on a variety of Linux kernels and distributions to verify the results. The methodology was created because investigators need a Linux incident response methodology that lets them investigate Linux compromises easily while preserving evidence and producing the data they need for analysis. In the future this should improve the response to network intrusions and increase investigative efficiency.
LinuxIR Volatile Data Gathering Overview
LinuxIR Framework Demonstration
The model developed answers the following research questions:
RQ1: Does the Linux Volatile Data Capture Model for Incident Response gather pertinent and relevant volatile data?
RQ2: Does this model / methodology preserve evidence and leave a minimal digital footprint?
RQ3: Can this model be used on a majority of Linux distributions and kernels?
RQ4: Can this model be deployed easily, with minimal interaction by the incident responder, while retaining the flexibility necessary?
By developing a model that answers these questions, this study was able to improve the accuracy of, and the response to, network intrusion investigations, since investigators can apply the model directly.
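The following POSIX sh script is an added illustration, not the LinuxIR program itself (the abstract does not show its source). It collects the nine volatile-data categories listed in the abstract and addresses the two requirements behind RQ2: evidence preservation, by writing a SHA-256 manifest that can be re-checked later, and a minimal, auditable footprint, by logging the exact command each collector ran and by never aborting when a tool is absent. The function names (lir_*), the output path /mnt/evidence/host01, the choice of commands per category, and the ordering of collectors roughly by volatility are all assumptions of this example; it assumes /proc is mounted and that either sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example, not the LinuxIR program: a minimal POSIX sh collector for
# the volatile-data categories named in the abstract. Assumptions: /proc is
# mounted, sha256sum or shasum exists, and the responder points OUTDIR at
# external media so nothing is written to the suspect disk.

# lir_hash ARGS... : sha256sum where available, shasum -a 256 otherwise
lir_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# lir_collect LABEL 'COMMAND LINE'
# Runs one collector, stores its output, logs the exact command executed
# (so the responder's footprint is auditable) and appends a hash line to
# the manifest. A missing tool is recorded in the output, never fatal.
lir_collect() {
    label=$1; cmd=$2
    out="$LIR_OUT/$label.txt"
    tool=${cmd%% *}                      # first word of the command line
    printf '%s: %s\n' "$label" "$cmd" >> "$LIR_OUT/commands.log"
    if command -v "$tool" >/dev/null 2>&1; then
        sh -c "$cmd" > "$out" 2>&1 || true
    else
        printf 'MISSING TOOL: %s\n' "$tool" > "$out"
    fi
    lir_hash "$out" >> "$LIR_OUT/manifest.sha256"
}

# lir_run OUTDIR : collect every category, most volatile first
lir_run() {
    LIR_OUT=$1
    mkdir -p "$LIR_OUT"
    : > "$LIR_OUT/manifest.sha256"
    : > "$LIR_OUT/commands.log"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$LIR_OUT/collection_start.txt"
    lir_collect processes      'ps -eo pid,ppid,user,stat,lstart,args'
    lir_collect network        'cat /proc/net/tcp /proc/net/udp /proc/net/arp; ss -tulpan'
    lir_collect unlinked_files 'ls -l /proc/[0-9]*/fd 2>/dev/null | grep "(deleted)"'
    lir_collect proc_state     'cat /proc/mounts /proc/modules /proc/loadavg'
    lir_collect tmpfs          'ls -la /tmp /var/tmp /dev/shm'
    lir_collect users          'cat /etc/passwd; who; last -n 20'
    lir_collect startup        'ls -l /etc/init.d /etc/systemd/system /etc/cron* /etc/rc*.d'
    lir_collect os_info        'uname -a; cat /etc/os-release'
    lir_collect hardware       'cat /proc/cpuinfo /proc/meminfo; lspci'
}

# lir_verify OUTDIR : exit 0 only if every collected file still matches the manifest
lir_verify() {
    lir_hash -c "$1/manifest.sha256" >/dev/null 2>&1
}

# Usage (path is hypothetical): lir_run /mnt/evidence/host01 && lir_verify /mnt/evidence/host01
if [ $# -gt 0 ]; then
    lir_run "$1"
fi
```

Each collector is a plain command line rather than a compiled helper, so the responder can review the footprint in commands.log and confirm that only read-only commands touched the host; the manifest lets a later examiner prove the collected files were not altered after acquisition.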