Linux-Forensic-Checklist issues
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues
Last updated: 2021-08-13T14:23:29+02:00

Issue #8: Update `timeline-decorator.py` to Python 3
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues/8
2021-08-13T14:23:29+02:00, ge3242 (heiko.reese@kit.edu)

Update `timeline-decorator.py` to Python 3.

Issue #7: Collect more metadata from fs
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues/7
2020-06-03T04:48:23+02:00, ge3242 (heiko.reese@kit.edu)

`stat --printf="%Y\t%X\t%Z\t%a\t%A\t%u\t%U\t%g\t%G\t%s\t%n\n"`

Issue #6: Support nftables
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues/6
2020-06-01T22:34:00+02:00, ge3242 (heiko.reese@kit.edu)

https://wiki.nftables.org

Issue #5: Use `-md sha256` flag for openssl
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues/5
2019-05-14T18:01:41+02:00, sg7149

Because newer openssl versions use different hashes, it would be good to mention using the same one, so that one avoids errors caused by this.
E.g. CentOS 7 has a different openssl version than Fedora 30, and hence one cannot use `nc` and `openssl` as mentioned in the checklist.

Issue #4: Collect all routing tables
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues/4
2018-03-24T09:54:46+01:00, Felix Kaiser

"ip route" only shows the main routing table; you may want to consider saving the other routing tables too. You can discover them with "ip rule" (whose output you already collect), and show them with "ip route show table $foo" (by default it shows "main").
Maybe something like this:
```
# Extract every table name referenced by "lookup <table>" in the rule list,
# then dump each table into its own file.
for n in $(ip rule | grep -Eo 'lookup\s\b\w+\b' | cut -d' ' -f2 | sort -u) ; do ip route show table "$n" > "ip_route_show_table_$n.txt" ; done
```

Issue #3: Add dumping journald-logs
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues/3
2018-03-24T09:54:46+01:00, ge3242 (heiko.reese@kit.edu)

Issue #2: dump ipsets
https://git.scc.kit.edu/KIT-CERT/Linux-Forensics-Checklist/-/issues/2
2018-03-24T09:54:46+01:00, ge3242 (heiko.reese@kit.edu)

Include ipsets which might be used by fail2ban etc.