KIT-CERT / Linux-Forensic-Checklist

Commit 4f0c8912, authored Sep 22, 2015 by Heiko Reese (parent 3ded9eba)

Showing 1 changed file with 58 additions and 1 deletion: Linux-Forensics-Checklist.md (+58 -1)
# KIT-CERT's Checklist for Linux Forensics
# KIT-CERT's Checklist for Linux Forensics
Authors:
*
Heiko Reese
<heiko.reese@kit.edu>
## Preliminary Considerations
## Preliminary Considerations
Forensic investigations of computer hardware is usually divided in two phases:
Forensic investigations of computer hardware is usually divided in two phases:
...
@@ -80,9 +83,63 @@ mount /dev/sdx1 /mnt
...
@@ -80,9 +83,63 @@ mount /dev/sdx1 /mnt
## Collecting evidence
## Collecting evidence
Collect evidence by saving potentielly interesting parts of the system state. Start with the most volatile and work your way down:
Collect evidence by saving potentielly interesting parts of the system state.
Start with the most volatile and work your way down:
1.
network and connection state
1.
network and connection state
1.
process state
1.
process state
1.
users
1.
users
1.
system configuration
1.
system configuration
The following commands assume that you are writing your findings to a local
storage and that your current working directory is set accordingly.
Some programs have rather unstable commandline parameters, please adjust
accordingly (if possible, use
`--help`
instead of the manpage to find out). You
can find the long version (if applicable) as comment above every command,
### Network state
Get state of existing connections and open sockets:
```
sh
# --verbose --wide --extend --timers --program --numeric (--listening)
netstat
-v
-W
-e
-o
-p
-n
>
netstat_vWeopn.txt
netstat
-v
-W
-e
-o
-p
-n
-l
>
netstat_vWeopnl.txt
# same without --numeric
netstat
-v
-W
-e
-o
-p
>
netstat_vWeop.txt
netstat
-v
-W
-e
-o
-p
-l
>
netstat_vWeop.txt
```
Redo using
`ss`
if it is installed:
```
sh
# --options --extended --processes --info --numeric (--listening )
ss
-o
-e
-p
-i
-n
>
ss_oepin.txt
ss
-o
-e
-p
-i
-n
-l
>
ss_oepinl.txt
# same without --numeric
ss
-o
-e
-p
-i
>
ss_oepi.txt
ss
-o
-e
-p
-i
-l
>
ss_oepil.txt
```
Dump arp cache:
```
sh
arp
-n
>
arp_n.txt
ip neigh show
>
ip_neigh_show.txt
```
Get routing-related stuff:
```
sh
for
i
in
link
addr route rule neigh ntable tunnel tuntap maddr mroute mrule
;
do
ip
$i
list
>
ip_
${
i
}
_l.txt
;
done
```
Capture iptable's state:
```
sh
# --verbose --numeric --exact --list --table
for
t
in
filter nat mangle raw
;
do
iptables
-v
-n
-x
-L
-t
>
iptables_vnxL_t
${
t
}
.txt
;
done
for
table
in
filter mangle raw
;
do
ip6tables
-n
-t
${
table
}
-L
-v
-x
>
ip6tables_nt_
${
table
}
.txt
;
done
for
table
in
filter nat broute
;
do
ebtables
-L
--Lmac2
--Lc
-t
${
table
}
>
ebtables_L_Lmac_Lc_t_
${
table
}
.txt
;
done
```
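Review bot: the iptables loop at the start of the "Capture iptable's state" block passes `-t` without its table argument (`iptables -v -n -x -L -t > iptables_vnxL_t${t}.txt`); the shell removes the redirection before iptables sees its arguments, so `-t` has no value, iptables exits with a usage error and every `iptables_vnxL_t<table>.txt` file is left empty. It should read `iptables -v -n -x -L -t ${t} > iptables_vnxL_t${t}.txt`, as the ip6tables loop below it already does. Second, in the netstat block the listening variant of the non-numeric call (`netstat -v -W -e -o -p -l`) redirects to `netstat_vWeop.txt`, the same file as the preceding non-listening call, so the second run silently overwrites the first; name it `netstat_vWeopl.txt`, consistent with the other three outputs and with the `ss` block. Third, the ip6tables loop iterates over `filter mangle raw` while the iptables loop also dumps `nat`; if leaving out the IPv6 nat table is deliberate, a comment saying so would help, otherwise add it. Minor wording: the re-wrapped sentence keeps the typo `potentielly` (potentially), the paragraph introducing the commands ends with a dangling comma after `as comment above every command,`, "Some programs have rather unstable commandline parameters, please adjust accordingly" is a comma splice, and the heading `Capture iptable's state` should be `Capture iptables' state`.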