Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Linux-Forensic-Checklist
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
6
Issues
6
List
Boards
Labels
Service Desk
Milestones
Merge Requests
1
Merge Requests
1
Operations
Operations
Incidents
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
KIT-CERT
Linux-Forensic-Checklist
Commits
4f0c8912
Commit
4f0c8912
authored
Sep 22, 2015
by
Heiko Reese
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
…
parent
3ded9eba
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
58 additions
and
1 deletion
+58
-1
Linux-Forensics-Checklist.md
Linux-Forensics-Checklist.md
+58
-1
No files found.
Linux-Forensics-Checklist.md
View file @
4f0c8912
# KIT-CERT's Checklist for Linux Forensics
Authors:
*
Heiko Reese
<heiko.reese@kit.edu>
## Preliminary Considerations
Forensic investigations of computer hardware is usually divided in two phases:
...
...
@@ -80,9 +83,63 @@ mount /dev/sdx1 /mnt
## Collecting evidence
Collect evidence by saving potentielly interesting parts of the system state. Start with the most volatile and work your way down:
Collect evidence by saving potentielly interesting parts of the system state.
Start with the most volatile and work your way down:
1.
network and connection state
1.
process state
1.
users
1.
system configuration
The following commands assume that you are writing your findings to a local
storage and that your current working directory is set accordingly.
Some programs have rather unstable commandline parameters, please adjust
accordingly (if possible, use
`--help`
instead of the manpage to find out). You
can find the long version (if applicable) as comment above every command,
### Network state
Get state of existing connections and open sockets:
```
sh
# --verbose --wide --extend --timers --program --numeric (--listening)
netstat
-v
-W
-e
-o
-p
-n
>
netstat_vWeopn.txt
netstat
-v
-W
-e
-o
-p
-n
-l
>
netstat_vWeopnl.txt
# same without --numeric
netstat
-v
-W
-e
-o
-p
>
netstat_vWeop.txt
netstat
-v
-W
-e
-o
-p
-l
>
netstat_vWeop.txt
```
Redo using
`ss`
if it is installed:
```
sh
# --options --extended --processes --info --numeric (--listening )
ss
-o
-e
-p
-i
-n
>
ss_oepin.txt
ss
-o
-e
-p
-i
-n
-l
>
ss_oepinl.txt
# same without --numeric
ss
-o
-e
-p
-i
>
ss_oepi.txt
ss
-o
-e
-p
-i
-l
>
ss_oepil.txt
```
Dump arp cache:
```
sh
arp
-n
>
arp_n.txt
ip neigh show
>
ip_neigh_show.txt
```
Get routing-related stuff:
```
sh
for
i
in
link
addr route rule neigh ntable tunnel tuntap maddr mroute mrule
;
do
ip
$i
list
>
ip_
${
i
}
_l.txt
;
done
```
Capture iptable's state:
```
sh
# --verbose --numeric --exact --list --table
for
t
in
filter nat mangle raw
;
do
iptables
-v
-n
-x
-L
-t
>
iptables_vnxL_t
${
t
}
.txt
;
done
for
table
in
filter mangle raw
;
do
ip6tables
-n
-t
${
table
}
-L
-v
-x
>
ip6tables_nt_
${
table
}
.txt
;
done
for
table
in
filter nat broute
;
do
ebtables
-L
--Lmac2
--Lc
-t
${
table
}
>
ebtables_L_Lmac_Lc_t_
${
table
}
.txt
;
done
```
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
