KIT-CERT
Linux-Forensic-Checklist
Commit
976a5733
authored
Sep 22, 2015
by
heiko.reese
parent
5b6213bc
Changes
1
Linux-Forensics-Checklist.md
@@ -6,10 +6,29 @@ Forensic investigations of computer hardware is usually divided in two phases:
online forensics (analysis of the running system) and offline forensics
(examination of the permanent storage).
This document's primary focus s the first phase (online forensics).
This document's primary focus
i
s the first phase (online forensics).
## Find a proper place to store your finding
## Find a proper place to store your finding
s
Every action that interacts with the storage subsystem can potentially destroy
evidence (both data and metadata). Mounting external storage changes the
contents of
`/etc/mtab`
and the timestamps of the containing directory
`/etc`
.
Merely looking at the file (
`cat /etc/mtab`
) changes the access time of
`/etc`
.
### Pushing data onto the network
You may push your findings directly onto the network, thus preventing/minimizing
changes to the local filesystems. This only works if the compromized machine is
still able to connect to your server.
Open a listener on your server:
```
bash
nc
-l
6789
>>
logfilename.txt
```
To send the standard output of a command, simply add this
```
bash
| nc
-w
2 name_or_ip_of_server 6789
```
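Review bot: The listener `nc -l 6789 >> logfilename.txt` in the new "Pushing data onto the network" section will not accept the second send as written on most current Linux installs: OpenBSD nc (the default netcat on Debian and Ubuntu) exits after the first client disconnects, so every later `| nc -w 2 name_or_ip_of_server 6789` is refused and that finding is not recorded, while netcat-traditional expects the port as `-l -p 6789` rather than `-l 6789`. Suggest either `nc -k -l 6789 >> logfilename.txt` for OpenBSD nc or a `while true; do nc -l 6789; done >> logfilename.txt` loop, plus a sentence telling the reader to check that the listener is still up before each command. The text should also state that this channel is plaintext and unauthenticated, so the findings should travel over a trusted segment or a tunnel, and that because every command appends to one file the sender must label each record, e.g. `{ echo "### $(date -u) cmd"; cmd; } | nc -w 2 name_or_ip_of_server 6789`, or the outputs become indistinguishable. Minor: "compromized" on the added line should read "compromised".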