8/11/2019 Response to a Live Linux Machine
1/13
Made By
Ms. Niranjana S. Karandikar
Under the guidance of
Mr. Kishor Dahiwadkar
RESPONSE TO A LIVE LINUX MACHINE
-
What is Linux?
OS
Open Source
Various Distros
Eg: RedHat, Ubuntu, Fedora, Debian, BackTrack, Kali Linux, etc.
-
Objective
Create and test tools for responding to a live Linux machine
-
Need for creating own tools
A suspect machine is never to be trusted
When a program is executed, it normally uses shared libraries for routine system commands
Loading those shared libraries changes the access times of common files, so the timeline gets disturbed
Also, the tools should output only the specific information needed
Statically linked vs dynamically linked tools
-
Types of Data Found
Volatile Data: Any data stored in system memory that will be lost when the machine loses power or is shut down.
Non-Volatile Data: Persistent data resides in the system's hard drives or other non-volatile storage devices and is typically not lost when the machine is shut down or rebooted.
-
Collection Of Volatile Data
System Information
Network Information
-
Collection of System Information
cat, uname - system profile
date - current system date & time
history - command history
uptime - gives the system uptime
w - shows who is logged on and what they are doing
ps - gives a snapshot of the current processes
top - provides an ongoing look at processor activity in real time
ls - lists the access controls and MAC times of the files on the machine
-
Contd.
chkconfig - gives a list of startup services
who - lists the name of each user currently logged in with their terminal, the time they logged on, and the name of the host from which they have logged in
lastlog - displays the last login times for system accounts
-
Collection of Network Information
netstat - displays information on active sockets, routing tables, interfaces, masquerade connections, and multicast memberships
ifconfig - displays the current configuration for a network interface. Displayed information includes IP address, gateway, DNS servers, and promiscuous mode detection.
arp -a - displays route entries for the suspect computer
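As an added example (not part of the slides), the collection steps from the system and network slides as one POSIX shell routine that applies the deck's own points: a trusted toolkit of statically linked copies is put first on PATH, the most transient data is gathered first, output goes to external media, and an md5sum manifest records which binary (trusted or the suspect's own) produced each file. The toolkit and evidence directories are assumed; the command list is the deck's.

```shell
#!/bin/sh
# Added example, not from the slides. Assumptions (hypothetical paths):
#   $1 = directory of trusted, statically linked tools (e.g. a read-only USB mount)
#   $2 = output directory on external media, never on the suspect's own disks
collect_volatile() {
    toolkit=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    manifest="$outdir/manifest.txt"
    # Trusted toolkit first in PATH. The manifest records the binary that actually
    # ran, so any fallback to a suspect-owned (possibly trojaned) binary is visible.
    PATH="$toolkit:$PATH"
    export PATH
    printf 'collection started %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$manifest"
    # Order of volatility: clock, uptime, logged-in users and processes first,
    # then network state, then the slower-changing system profile.
    set -- "date" "uptime" "w" "who" "ps -ef" "top -b -n 1" "lastlog" \
           "netstat -an" "ifconfig -a" "arp -a" "uname -a" "cat /proc/version"
    for cmd in "$@"; do
        bin=${cmd%% *}
        outfile="$outdir/$(printf '%s' "$cmd" | tr ' /' '__').txt"
        if ! binpath=$(command -v "$bin" 2>/dev/null); then
            printf 'MISSING  %s\n' "$cmd" >> "$manifest"
            continue
        fi
        case $binpath in
            "$toolkit"/*) origin=trusted ;;
            *)            origin=SUSPECT ;;
        esac
        # stdout and stderr are kept together; a failing command is still evidence
        # of the machine's state, so its exit status is recorded rather than dropped.
        status=0
        eval "$cmd" > "$outfile" 2>&1 || status=$?
        digest=$(md5sum "$outfile" | cut -d' ' -f1)
        printf '%s  %s  exit=%s  %s  %s\n' \
            "$digest" "$outfile" "$status" "$origin" "$binpath" >> "$manifest"
    done
    printf 'collection finished %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$manifest"
}

# Stand-alone use (assumed mount points): collect_volatile /mnt/toolkit /mnt/evidence/host01
```

Hash the manifest itself once it is on the external media and note the value by hand; that, not the suspect machine's md5sum, is what later verifies the outputs.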
-
Collection of Persistent Data
dd - dd if=/dev/sda of=/dev/sdb - disk imaging
md5sum - calculates the hash value
-
Conclusion
The source code of the above tools was procured and studied for malicious activity.
As they were free of such malicious code, they were compiled using the gcc compiler.
The above tools were tested on Ubuntu and BackTrack.
-
-
Thank You