Linux-Forensics-Checklist.md 4.69 KB
# KIT-CERT's Checklist for Linux Forensics

Authors:
 * Heiko Reese <heiko.reese@kit.edu>

## Preliminary Considerations

Forensic investigation of computer hardware is usually divided into two phases:
online forensics (analysis of the running system) and offline forensics
(examination of the permanent storage).

This document's primary focus is the first phase (online forensics). We assume
that the reader has root access to the compromised machine.

## Find a proper place to store your findings

Every action that interacts with the storage subsystem can potentially destroy
evidence (both data and metadata). Mounting external storage changes the
contents of `/etc/mtab` and the timestamps of the containing directory `/etc`.
Merely looking at the file (`cat /etc/mtab`) changes the access time of `/etc`.

### Pushing data onto the network

You may push your findings directly onto the network, thus preventing/minimizing
changes to the local filesystems. This only works if the compromised machine is
still able to connect to your server.

Open a listener on your server:
```sh
nc -l 6789 >> logfilename.txt
```

To send the standard output of a command, simply append this to the pipeline:
```sh
 | nc -w 2 name_or_ip_of_server 6789
```

Encrypt all data in transit to prevent eavesdropping. Simply insert
[`openssl`](https://openssl.org/) into the pipeline:
```sh
# on your server: decrypt the incoming stream (OpenSSL 1.1.0 and later warn
# about the legacy key derivation; add -pbkdf2 here and on the sending side)
nc -l 6789 | openssl enc -aes128 -d -k supersecretpw >> log.txt
```

```sh
# on the compromised machine: append to the pipeline
 | openssl enc -aes128 -e -k supersecretpw | nc -w 2 name_or_ip_of_server 6789
```

Use [cryptcat](http://cryptcat.sourceforge.net) if it's already available on
the target machine.

To copy files, use `cat`:

```sh
cat /usr/bin/rootkit_0.1 | nc …
```

Use `dd` to transfer whole block devices:
```sh
dd if=/dev/sdx23 | nc…
```

### Collecting data on local storage

If you decide to collect your findings locally, please refrain from using the
existing storage of the compromised system. There are two viable options:
external storage like USB sticks, or a memory-backed filesystem (`tmpfs`).
Please save a listing of all mounts in all namespaces before mounting anything.

Check all the different mount tables (one line per distinct table; the md5
prefix identifies the mount namespace, and without `-d` namespaces that only a
single process lives in are listed as well):
```sh
md5sum /proc/mounts /proc/*/mounts 2>/dev/null | sort | uniq -w 32
```

Get creative to solve this chicken-and-egg problem! If you have copy/paste on
your console, simply `cat` the files and copy them afterwards. Don't use
screen/tmux, they touch lots of files. Check for empty pre-existing
`tmpfs` filesystems.

Find a proper location for the mountpoint and mount your device:
```sh
mount -t tmpfs none /mnt
# or
mount /dev/sdx1 /mnt
```

## Collecting evidence

Collect evidence by saving potentially interesting parts of the system state.
Start with the most volatile and work your way down:

1. network and connection state
1. process state
1. users
1. system configuration

The following commands assume that you are writing your findings to local
storage and that your current working directory is set accordingly.

Some programs have rather unstable command-line parameters, so adjust them as
needed (if possible, use `--help` rather than the manpage to check the installed
version). The long forms (where applicable) are given as comments above each
command.

Some modern Linux systems have SELinux enabled. Run `getenforce` to find out
whether SELinux is enforcing, permissive, or disabled. If it is enforcing, we
also need the SELinux context where applicable. Most tools provide a `-Z`
switch for that; such commands are marked with a special comment like
`# SELinux: add "-Z"`.
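
A small wrapper for running the commands that follow, as an added example that is not part of the original checklist: it saves each command's output under a descriptive name and appends a SHA-256 hash, UTC timestamp, exit status and the exact command line to a manifest, so the collected files can be verified later. It assumes coreutils (`sha256sum`, `date`, `cut`); the function and file names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original checklist: run each evidence command,
# store its output under a descriptive name and write hash, timestamp, exit
# status and the exact command line to a manifest for later verification.
# Assumes coreutils (sha256sum, date, cut); names are this example's own.

MANIFEST=${MANIFEST:-manifest.txt}

# collect <outfile> <command> [args...]
# stdout goes to <outfile>, stderr to <outfile>.err (removed when empty);
# one manifest line per call, hash taken after the file is fully written.
collect() {
    out=$1
    shift
    if "$@" > "$out" 2> "$out.err"; then status=0; else status=$?; fi
    [ -s "$out.err" ] || rm -f "$out.err"
    printf '%s  %s  %s  exit=%s  %s\n' \
        "$(sha256sum "$out" | cut -d' ' -f1)" "$out" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" "$*" >> "$MANIFEST"
    return "$status"
}

# verify_manifest: re-hash every file listed in the manifest; reports each
# file that changed or vanished since collection and returns 1 if any did.
verify_manifest() {
    rc=0
    while read -r sum file _rest; do
        now=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            echo "MODIFIED or missing: $file" >&2
            rc=1
        fi
    done < "$MANIFEST"
    return "$rc"
}
```

Used as `collect netstat_vWeopn.txt netstat -v -W -e -o -p -n`, it produces the same file the plain command below would, plus the manifest line; run `verify_manifest` once the evidence has reached its final storage.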

### Network state

Get state of existing connections and open sockets:
```sh
# --verbose --wide --extend --timers --program --numeric (--listening)
netstat -v -W -e -o -p -n     > netstat_vWeopn.txt
netstat -v -W -e -o -p -n -l  > netstat_vWeopnl.txt
# same without --numeric
netstat -v -W -e -o -p        > netstat_vWeop.txt
netstat -v -W -e -o -p -l     > netstat_vWeopl.txt
```

Redo using `ss` if available:

```sh
# SELinux: add "-Z"
# --options --extended --processes --info --numeric (--listening)
ss -o -e -p -i -n    > ss_oepin.txt
ss -o -e -p -i -n -l > ss_oepinl.txt
# same without --numeric
ss -o -e -p -i       > ss_oepi.txt
ss -o -e -p -i -l    > ss_oepil.txt
```

Dump arp cache:
```sh
arp -n > arp_n.txt
ip neigh show > ip_neigh_show.txt
```

Get routing-related stuff:
```sh
for i in link addr route rule neigh ntable tunnel tuntap maddr mroute mrule; do
    ip $i list > ip_${i}_l.txt;
done
```

Capture the iptables state:
```sh
# --verbose --numeric --exact --list --table
for t in filter nat mangle raw; do iptables -v -n -x -L -t ${t} > iptables_vnxL_t${t}.txt; done
for table in filter mangle raw; do ip6tables -n -t ${table} -L -v -x > ip6tables_nt_${table}.txt; done
for table in filter nat broute; do ebtables -L --Lmac2 --Lc -t ${table} > ebtables_L_Lmac_Lc_t_${table}.txt; done
```