# KIT-CERT's Checklist for Linux Forensics

## Preliminary Considerations

Forensic investigations of computer hardware are usually divided into two phases:
online forensics (analysis of the running system) and offline forensics
(examination of the permanent storage).

This document's primary focus is the first phase (online forensics). We assume
that the reader has root access to the compromised machine.

## Find a proper place to store your findings

Every action that interacts with the storage subsystem can potentially destroy
evidence (both data and metadata). Mounting external storage changes the
contents of `/etc/mtab` and the timestamps of the containing directory `/etc`.
Merely looking at the file (`cat /etc/mtab`) changes the access time of `/etc`.

### Pushing data onto the network

You may push your findings directly onto the network, thus preventing or minimizing
changes to the local filesystems. This only works if the compromised machine is
still able to connect to your server.

Open a listener on your server:
```bash
nc -l 6789 >> logfilename.txt
```

To send the standard output of a command, simply append this to the command:
```bash
 | nc -w 2 name_or_ip_of_server 6789
```

Encrypt all data in transit to prevent eavesdropping. Simply insert
[`openssl`](https://openssl.org/) into the toolchain:
```bash
nc -l 6789 | openssl enc -aes128 -d -k supersecretpw >> log.txt
```
```bash
 | openssl enc -aes128 -e -k supersecretpw | nc -w 2 name_or_ip_of_server 6789
```

Use [cryptcat](http://cryptcat.sourceforge.net) if it's already available on
the target machine.
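The same pipeline wrapped in shell functions, as an added example that is not part of the KIT-CERT checklist. It takes the passphrase from an environment variable (assumed name `FORENSIC_PW`) instead of `-k`, so the secret does not show up in `ps` output or the shell history of the compromised host, and it uses `-pbkdf2` for key derivation. The `roundtrip` function runs the encrypt/decrypt pair locally so the chain can be checked without a listener.

```shell
#!/bin/sh
# Added example, not from the original checklist. Assumes the passphrase is
# exported as FORENSIC_PW on both the compromised host and the evidence server.

# Encrypt stdin; the passphrase is read from the environment, not the command line.
enc_stream() {
    openssl enc -aes-256-cbc -pbkdf2 -pass env:FORENSIC_PW
}

# Decrypt stdin with the same parameters.
dec_stream() {
    openssl enc -aes-256-cbc -pbkdf2 -d -pass env:FORENSIC_PW
}

# Evidence server: accept one connection, decrypt it and append to LOGFILE.
# usage: receive_evidence PORT LOGFILE
receive_evidence() {
    nc -l "$1" | dec_stream >> "$2"
}

# Compromised host: run a command and ship stdout+stderr encrypted to the server.
# usage: send_evidence HOST PORT command [args...]
send_evidence() {
    host=$1; port=$2; shift 2
    "$@" 2>&1 | enc_stream | nc -w 2 "$host" "$port"
}

# Offline self-check of the encrypt/decrypt pair (no nc involved):
# returns the decrypted copy of its argument.
roundtrip() {
    printf '%s' "$1" | enc_stream | dec_stream
}
```

A typical collection call on the compromised host would then be `send_evidence evidence.example.net 6789 ps -eo pid,ppid,user,lstart,cmd`, with `receive_evidence 6789 ps.txt` already running on the server.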
To copy files, use `cat`:

```bash
cat /usr/bin/rootkit_0.1 | nc …
```

Use `dd` to transfer whole block devices:
```bash
dd if=/dev/sdx23 | nc …
```

### Collecting data on local storage

If you decide to collect your findings locally, please refrain from using the
existing storage of the compromised system. There are two viable options:
external storage such as USB sticks, or a memory-backed filesystem (`tmpfs`).
Please save a listing of all mounts in all namespaces before mounting anything.

Check all the different mounts (one representative per distinct mount table; `uniq -d` would hide a namespace that only a single process lives in):
```bash
md5sum /proc/mounts /proc/[0-9]*/mounts 2>/dev/null | sort | uniq -w 32
```

Get creative to solve this chicken-and-egg problem! If you have copy/paste on your
console, simply `cat` the files and copy them afterwards. Don't use screen/tmux;
they touch lots of files. Check for empty pre-existing `tmpfs` filesystems.

Find a proper location for the mountpoint and mount your device:
```bash
mount -t tmpfs none /mnt
# or
mount /dev/sdx1 /mnt
```