LinuxIR Methodology (Command Line Trusted Tools)

Linux Incident Response Cheat Sheet Copyright by MattDCS Version 1.0 – October 2012

Layout: command, then the example invocation, with the description on the line below. /mnt/IRTOOLS is the mount point of the trusted toolset (statically linked binaries on read-only media); collected output is written there as well, never to the suspect host's own disks.

Trusted Tools
script       script -f /mnt/IRTOOLS/ir.txt
             Records every command typed and its output for the rest of the session; run it first. Give the log file as an argument rather than via ">", which would redirect the session itself away from the screen; -f flushes after every write so the log survives a crash. script starts $SHELL, which is the suspect host's shell unless SHELL is pointed at the trusted copy beforehand.
NOTE         All tools should be statically compiled if source code is available, so they never load the suspect host's shared libraries.
which        which PROGRAMNAME
             Shows which binary the shell will run for a name, i.e. whether it comes from the trusted toolset or from the suspect host. which itself must come from the toolset; safer still, call every tool by absolute path (/mnt/IRTOOLS/bin/ps).
file         file PROGRAMNAME
             Reports whether a binary is statically or dynamically linked (and its architecture).
ldd          ldd PROGRAMNAME
             Lists the shared libraries a dynamically linked binary will load. ldd hands the binary to the dynamic loader and can end up executing code from it, so use it only on your own tools, never on a suspect binary; readelf -d or objdump -p read the same information from the headers without executing anything.

Hashing
md5sum       md5sum * && md5sum .*
             MD5 hashes of the files in the current directory, including hidden (dot) files; "." and ".." are reported as directories and can be ignored. Hash the toolset before use and every output file after collection.
sha1sum      sha1sum * && sha1sum .*
             SHA-1 hashes of the same files. Record both; sha256sum works the same way and is preferred where available.
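The Trusted Tools and Hashing rows above describe checks done by hand. The following POSIX shell harness is an added example, not part of the MattDCS sheet, that applies them automatically: it verifies the toolset against a hash manifest, calls every tool by absolute path from the toolset, warns about tools that are not statically linked, and hashes and logs every output file. The paths /mnt/IRTOOLS/bin and /mnt/IRTOOLS/manifest.sha1, the TOOLS and EVIDENCE variables and the function names are my own assumptions, not conventions from the sheet.

```shell
#!/bin/sh
# Collector harness for the trusted-toolset checks (added example, not from the cheat sheet).
# Assumptions: toolset mounted at $TOOLS with binaries in $TOOLS/bin and a manifest at
# $TOOLS/manifest.sha1; output is written to $EVIDENCE. All of these are illustrative defaults.
TOOLS="${TOOLS:-/mnt/IRTOOLS}"
EVIDENCE="${EVIDENCE:-/mnt/IRTOOLS/evidence}"

# Every tool is run by absolute path inside the toolset, so PATH never matters and the
# sheet's "which" check reduces to "does the binary exist in the toolset".
trusted() {
    [ -f "$TOOLS/bin/$1" ] && [ -x "$TOOLS/bin/$1" ]
}

# The sheet's "file" check: true only if file (itself taken from the toolset) reports the
# binary as statically linked. Fails closed when file is missing from the toolset.
static_ok() {
    case "$("$TOOLS/bin/file" -L "$1" 2>/dev/null)" in
        *"statically linked"*) return 0 ;;
    esac
    return 1
}

# Pre-flight for the NOTE in the sheet: warn about toolset binaries that are not static.
check_static() {
    for f in "$TOOLS"/bin/*; do
        static_ok "$f" || log "WARNING ${f##*/} is not statically linked"
    done
}

# Time stamps and hashes come from the toolset too, so the log itself can be trusted.
now() { "$TOOLS/bin/date" -u +%Y-%m-%dT%H:%M:%SZ; }
log() { printf '%s %s\n' "$(now)" "$*" >> "$EVIDENCE/collect.log"; }

# Build the manifest on a clean workstation before the media goes to the suspect host
# (find/sha1sum here are the workstation's). Hidden files are included, "." and ".." are not.
make_manifest() {
    ( cd "$TOOLS/bin" && find . \( -type f -o -type l \) -exec sha1sum {} + ) > "$TOOLS/manifest.sha1"
}

# On the suspect host, check the toolset with its own sha1sum before anything else runs.
# This catches accidental modification; the media must still come from a trusted source
# and be mounted read-only, since an attacker who controls it can rewrite the manifest too.
verify_toolset() {
    ( cd "$TOOLS/bin" && "$TOOLS/bin/sha1sum" -c "$TOOLS/manifest.sha1" >/dev/null 2>&1 )
}

# collect NAME CMD [ARGS...]: run CMD from the toolset, save its output to $EVIDENCE/NAME.txt,
# hash that file, and record start time, command line, end time and exit status.
collect() {
    name=$1; cmd=$2; shift 2
    if ! trusted "$cmd"; then
        log "REFUSED $name: $cmd is not in $TOOLS/bin"
        return 1
    fi
    log "START $name: $cmd $*"
    "$TOOLS/bin/$cmd" "$@" > "$EVIDENCE/$name.txt" 2>&1
    rc=$?
    "$TOOLS/bin/sha1sum" "$EVIDENCE/$name.txt" >> "$EVIDENCE/hashes.sha1"
    log "END $name rc=$rc"
    return "$rc"
}

# Volatile data in the sheet's order, most volatile first. Start this script inside a
# "script -f" session so the terminal session is recorded as well.
case "${1:-}" in
run)
    "$TOOLS/bin/mkdir" -p "$EVIDENCE"
    verify_toolset || { echo "toolset does not match manifest, stopping" >&2; exit 1; }
    check_static
    collect date         date -u
    collect uptime       uptime
    collect uname        uname -a
    collect dmesg        dmesg
    collect ps           ps auxfww
    collect lsof         lsof
    collect lsof_deleted lsof +L1
    collect mounts       cat /proc/mounts
    collect who          who -Ha
    collect last         last -aidx
    collect netstat      netstat -nap
    collect lsof_net     lsof -i
    collect ifconfig     ifconfig
    collect route        route -v
    ;;
esac
```

Run it as "sh collect.sh run" from inside a script -f session. A command that is not present in the toolset is refused and logged rather than silently falling back to the suspect host's copy, and hashes.sha1 lets the output files be re-verified later with sha1sum -c.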
O/S Specific Related Information
date         date
             Current system date and time (date -u for UTC). Note it next to a trusted clock so the host's skew is known when timestamps are correlated later.
uptime       uptime
             Time since the last boot and the load averages.
uname        uname -a
             Kernel version, hostname and architecture (-a prints everything).
dmesg        dmesg
             Dumps the kernel ring buffer (module loads, USB devices, segfaults, iptables LOG lines). The buffer wraps and can be cleared with dmesg -c, so also collect /var/log/kern.log or /var/log/messages.

Process Related Information
ps           ps auxfww
             Lists every process of every user as a tree (f) with untruncated command lines (ww); ps -ef is the POSIX form of the same list. The original's ps -auxfe mixes BSD and System V option styles and is not interpreted the same way by every ps version.
top          top -b -n1
             One snapshot of the process list with CPU and memory figures; -b (batch mode) writes plain text suitable for a file instead of the interactive display, -n1 exits after one iteration.
lsof         lsof
             Lists all open files of all processes (run as root, otherwise only your own are shown). lsof -p PID narrows it to one process.

Grabs Unlinked Files
lsof         lsof +L1
             Lists open files whose link count is below 1, i.e. deleted from the file system while a process still holds them open. If an attacker deletes a file that is still being written to, this is how to find it; its content stays readable through /proc/PID/fd/N (and a deleted running executable through /proc/PID/exe) until the process exits, so copy it out straight away.
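The lsof +L1 row says where a deleted-but-open file can be found; the following script, an added example that is not part of the original sheet, does the recovery. It parses lsof +L1 output, keeps only rows that are real file descriptors on regular files, and copies each one out of /proc/PID/fd/N. The sample lsof output is constructed, the assumed column layout is COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME with NAME ending in " (deleted)", and the LSOF and DEST variables are my own names.

```shell
#!/bin/sh
# Recover deleted-but-open files listed by "lsof +L1" via /proc/PID/fd/N (Linux only).
# Added example, not from the cheat sheet. mkdir/cp/awk come from PATH here; on a live host
# point PATH at the trusted toolset first.

# Constructed sample of "lsof +L1" output (not captured from a real host).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NLINK   NODE NAME
bash     2101 root  cwd    DIR  253,0     4096     0 131073 /root/.x (deleted)
evil     2144 root  txt    REG  253,0    18544     0 263456 /tmp/.x/evil (deleted)
evil     2144 root    3w   REG  253,0   104857     0 263457 /tmp/.x/keys.log (deleted)
evil     2144 root    4u   REG  253,0   204800     0 263458 /var/tmp/stage 2 (deleted)
sshd     1023 root  mem    REG  253,0    98136     0 131101 /lib/libx.so (deleted)'

# Read lsof +L1 output on stdin; print "PID FD NAME" for every row that is a numeric
# descriptor (3w, 4u, ...) on a regular file. cwd/txt/mem/DEL rows have no descriptor to
# read; a deleted executable (txt) is copied from /proc/PID/exe instead.
unlinked_fds() {
    awk 'NR > 1 && $4 ~ /^[0-9]+[rwu-]?$/ && $5 == "REG" {
            fd = $4; sub(/[rwu-]$/, "", fd)
            name = $10; for (i = 11; i <= NF; i++) name = name " " $i
            sub(/ \(deleted\)$/, "", name)
            print $2, fd, name
         }'
}

sample_targets() { printf '%s\n' "$SAMPLE_LSOF" | unlinked_fds; }

# recover_fd PID FD DEST_DIR: copy one open descriptor out of /proc. Opening the magic link
# creates a fresh open file description, so the copy starts at offset 0 regardless of where
# the owning process is writing. Works only while the process is alive and still holds the fd.
recover_fd() {
    pid=$1; fd=$2; dest=$3
    [ -r "/proc/$pid/fd/$fd" ] || return 1
    cp "/proc/$pid/fd/$fd" "$dest/pid${pid}_fd${fd}"
}

# recover_all DEST_DIR (lsof +L1 output on stdin): copy every recoverable descriptor and
# keep a PID/FD/original-name index so the copies can be tied back to the process later.
recover_all() {
    dest=$1
    mkdir -p "$dest"
    unlinked_fds | while read -r pid fd name; do
        if recover_fd "$pid" "$fd" "$dest"; then
            printf '%s\t%s\t%s\n' "$pid" "$fd" "$name" >> "$dest/recovered.tsv"
        else
            printf 'MISSED pid %s fd %s (%s): process gone or not readable\n' "$pid" "$fd" "$name" >&2
        fi
    done
}

# On the live host: feed the trusted lsof into the parser and copy everything it finds.
case "${1:-}" in
run) "${LSOF:-lsof}" +L1 | recover_all "${DEST:-/mnt/IRTOOLS/evidence/unlinked}" ;;
esac
```

On the sample input only the 3w and 4u rows of PID 2144 are selected; the cwd, txt and mem rows are skipped because nothing can be read from them through fd/. Run it as "sh recover.sh run" as root, as early as possible, because the data is gone the moment the owning process exits.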
Temporary File System
fstab        cat /etc/fstab > /mnt/IRTOOLS/fstab
             Partitions mounted automatically at boot. The output must go to a file; redirecting to the mount directory itself fails.
mount        mount ; cat /proc/mounts
             All currently mounted file systems, including tmpfs and other temporary mounts. /proc/mounts is the kernel's own view and cannot be edited the way /etc/mtab can.
NOTE         Decide from this list which mounted directories must also be copied: tmpfs mounts such as /tmp, /dev/shm and /run live in RAM and are gone after power-off.

User Related Information
who          who -Ha
             Who is logged on, with the PID of each login process (-a all information, -H column headings).
w            w
             Who is logged on and what each session is running.
last         last -aidx
             Login history from /var/log/wtmp: -a puts the host name in the last column, -i shows the IP address, -d resolves it to a host name, -x adds shutdowns and run-level changes. lastb shows failed logins from /var/log/btmp. Both files are plain records an attacker can truncate, so an empty or gap-ridden history is itself a finding.
finger       finger
             Information about user accounts (often not installed).
history      history
             Shows the current shell's in-memory command history. It is a shell builtin, not a program, so it cannot be supplied by the trusted toolset and it covers only the shell it runs in. For every other account copy ~/.bash_history (bash writes it only when the shell exits, and attackers commonly unset HISTFILE or set HISTSIZE=0 so nothing is written).

Network Related Information
netstat      netstat -tan
             TCP sockets (-t), listening and connected (-a), numeric addresses (-n).
netstat      netstat -nap
             All protocols and sockets with the owning PID and program name (-p needs root). ss -tanp is the equivalent on hosts without netstat.
lsof -i      lsof -i
             All open network files (sockets) with the process that owns them.
arp          arp -van
             The ARP cache with numeric addresses (ip neigh on newer systems); unexpected entries point to ARP spoofing or lateral movement on the LAN.
ip           ip link
             MAC addresses and flags of every NIC.
ifconfig     ifconfig
             IP, MAC and interface statistics. A PROMISC flag means the interface is in promiscuous mode, i.e. something on the host is sniffing.
route        route -v
             The current routing table (ip route on newer systems).

Hardware Related Information
lshw         lshw
             Hardware inventory of the whole system.
swapon       swapon -s
             Active swap devices and files. Swap can hold pages of process memory; note the device for later imaging.

File Changes FIRST 24 HOURS
find         find / -xdev -mtime 0
             Files modified within the last 24 hours (-mtime 0 rounds to whole days; -mtime -1 is equivalent). The original runs it from "." (the current directory); -xdev keeps it on one file system so it does not descend into /proc or network mounts. Output can be huge (CAUTION SIZE). Run it with -ctime 0 as well: mtime can be back-dated with touch, but ctime can only be forged by changing the system clock.

Grabs Startup Related Information
/etc/inittab cp -aR /etc/inittab /mnt/IRTOOLS/inittab
             The init configuration (SysV init, Red Hat). Which of these files exist depends on the O/S and its init system.
/etc/event.d/ cp -aR /etc/event.d/ /mnt/IRTOOLS/event.d
             Upstart job definitions, where present.
/etc/init.d/ cp -aR /etc/init.d/ /mnt/IRTOOLS/init.d
             Service scripts started during normal boot.
/etc/rc*.d   cp -aR /etc/rc*.d /mnt/IRTOOLS/rc.d
             The run-level links to those scripts, copied to their own directory rather than merged into init.d.
chkconfig    chkconfig --list
             Which services are enabled at which run level (Red Hat family; not present on every distribution). On systemd hosts use systemctl list-unit-files and copy /etc/systemd/system.

Virtual Directory Related Information
/dev/        cp -aR /dev/ /mnt/IRTOOLS/dev
             Copies /dev, which is volatile (devtmpfs) and a common hiding place for attacker files; hidden files are included. cp -a recreates device nodes, which requires root and a destination file system that supports them (not FAT).
/proc/       cp -aR /proc/ /mnt/IRTOOLS/proc
             /proc is a virtual file system with no copy on disk, so it must be captured while the system is running. Copying the whole tree is unreliable: /proc/kcore is as large as physical memory and entries such as /proc/PID/mem cannot be read by a plain copy. Prefer the parts that matter: /proc/modules, /proc/mounts, /proc/net/, and for each process cmdline, environ, maps, status, fd/ and the targets of the exe and cwd links (ls -l /proc/PID/exe).
