KIT-CERT / Linux-Forensic-Checklist
Commit 074f8051, authored Sep 24, 2015 by Heiko Reese
parent
befcd4a1
Changes
1
Linux-Forensics-Checklist.md @ 074f8051
...
...
@@ -374,9 +374,8 @@ mount -o remount,noatime …
Use this python program (written by Leif Nixon
<TODO:
email
>
) to create a human
readable timeline:
```
sh
# timeline-decorator.py
#!/usr/bin/python
# timeline-decorator.py
import sys,
time
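Review bot: the fence opening this block is tagged `sh` while the content is a Python script (`#!/usr/bin/python`, `import sys, time`); tag it `python` so rendering and any tooling that extracts the script treat it correctly. In the same block a `# timeline-decorator.py` comment line precedes `#!/usr/bin/python`; a shebang is only honoured when it is the very first line of the file, so if a reader saves the block verbatim it will not execute directly. Put the file-name comment after the shebang, or state that the script is run as `python timeline-decorator.py`. The `<TODO: email>` placeholder for Leif Nixon's contact is still in the published text; fill it in or drop the angle-bracketed TODO so the rendered Markdown does not show an unresolved placeholder.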
...
...
@@ -417,7 +416,21 @@ If applicable, compare checksums of package management with actual files:
*
`debsums`
(Debian-based distributions)
*
`rpm -Va`
(Redhat-based distributions)
TODO: logfiles, /etc, journald, …
### Gather potentially interesting data before shutdown
Copy (or
`[dd|tar -cf -] … | …`
) things that might be of interest later. There
are no hard rules here, just some general ideas:
*
`/etc`
*
`/root`
*
`/tmp`
*
`/usr/local`
*
`/var/log`
*
`/home/*/.ssh/authorized_keys`
*
sshd binary on disk and in memory (
`/proc/$(pidof -s sshd)/exe`
)
*
anything the tools in the previous step found
TODO: journald, …
## Power down system
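Review bot: `/proc/$(pidof -s sshd)/exe` captures one arbitrary sshd process, while on a host with open sessions `pidof sshd` returns the listener plus the per-connection privilege-separation children, and `-s` gives no guarantee that the PID chosen is the listener, so a replaced listener binary can be missed. Capture every instance, e.g. `for p in $(pidof sshd); do readlink /proc/$p/exe; cp /proc/$p/exe sshd.$p; done`, and keep the `readlink` output, which ends in ` (deleted)` when the on-disk file was replaced after the process started; that is the comparison the "on disk and in memory" wording is after. Two smaller points on the list: `/home/*/.ssh/authorized_keys` misses `/root/.ssh/authorized_keys` (only implicitly covered by `/root`) and any `AuthorizedKeysFile` override in `sshd_config`, worth a parenthetical; and `tar -cf -` or `dd` over `/var/log` and `/tmp` updates access times unless the `mount -o remount,noatime` step from the earlier hunk context is in effect, so this step should refer back to it. Finally, `TODO: journald, …` now appears both here and a few lines above under the checksum-comparison step; one of the two is enough.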
...
...