response to a live linux machine

Upload: niranjana-karandikar

Post on 02-Jun-2018


  • 8/11/2019 Response to a Live Linux Machine

    1/13

    Made by

    Ms. Niranjana S. Karandikar

    Under the guidance of

    Mr. Kishor Dahiwadkar

    RESPONSE TO A LIVE LINUX MACHINE


    What is Linux?

    Operating system (kernel plus the userland tools around it)

    Open source

    Available as many distributions

    Eg: Red Hat, Ubuntu, Fedora, Debian, BackTrack, Kali Linux, etc.


    Objective

    Create and test tools for responding to a live Linux machine


    Need for creating own tools

    A suspect machine is never to be trusted: its binaries, shared libraries and even its kernel may have been replaced by the intruder (for example by a rootkit).

    When a dynamically linked program is executed, it normally loads shared libraries (libc and others) from the suspect system for routine system commands, so a trojaned library can hide processes, files or connections from the responder.

    Loading those libraries also changes the access times of those common files, so the timeline of the suspect machine gets disturbed.

    Also, the tools should give only the specific information the responder needs, so their source is reviewed before they are built.

    Statically linked vs dynamically linked tools: a statically linked binary carries its own copy of every library routine it needs, so it loads nothing from the suspect disk. The response toolkit should therefore be built statically and run from read-only media. It still runs on the suspect kernel, so a kernel-level rootkit can still lie to it, which is one reason the disk is also imaged and examined offline.
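
As an added example (not code from the presentation), the following Python script checks the linkage of a candidate tool the way `file` or `ldd` would, but without executing anything from the suspect machine: it reads the ELF program headers itself and reports a binary as static only when it has neither a PT_INTERP segment (the path of the dynamic loader) nor a PT_DYNAMIC segment. The `build_sample_elf` helper constructs a minimal headers-only ELF64 image so the check can be exercised offline; the loader path it embeds is the usual x86-64 glibc one and is only sample data, and the toolkit path in the docstring is an assumption.

```python
"""Decide whether an ELF tool is statically linked by reading its program
headers. Added example for this page, not the presentation's own code.
A static binary has no PT_INTERP (dynamic-loader path) and no PT_DYNAMIC
segment, so it pulls nothing from the suspect system's /lib at run time."""
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def elf_program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for each program header in `data`.
    Handles ELF32 and ELF64 in either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big
    if is64:
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIQQQQ", data, off)
        else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(endian + "IIIII", data, off)
        yield p_type, p_offset, p_filesz


def linkage_report(data):
    """Return {'static': bool, 'interpreter': str or None, 'has_dynamic': bool}."""
    interp, has_dynamic = None, False
    for p_type, p_offset, p_filesz in elf_program_headers(data):
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    return {"static": interp is None and not has_dynamic,
            "interpreter": interp, "has_dynamic": has_dynamic}


def is_statically_linked(path):
    """Check a tool on disk, e.g. is_statically_linked('/mnt/cdrom/bin/ps')
    (the toolkit path is an assumption)."""
    with open(path, "rb") as f:
        return linkage_report(f.read())["static"]


def build_sample_elf(interp=None):
    """Constructed minimal ELF64 little-endian image (headers only, no code),
    used to exercise the parser offline. With `interp` it mimics a dynamically
    linked tool (PT_INTERP + PT_DYNAMIC); without it, a static one (PT_LOAD)."""
    ph_count = 2 if interp else 1
    phdr_off = 0x40                          # program headers follow the ELF header
    data_off = phdr_off + 56 * ph_count      # interpreter string after the headers
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, phdr_off, 0,
                                 0, 64, 56, ph_count, 0, 0, 0)

    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, size, size, 1)

    body = interp + b"\0" if interp else b""
    if interp:
        phdrs = phdr(PT_INTERP, data_off, len(body)) + phdr(PT_DYNAMIC, data_off, 0)
    else:
        phdrs = phdr(PT_LOAD, 0, 64)
    return ehdr + phdrs + body


if __name__ == "__main__":
    for label, blob in (("dynamic", build_sample_elf(b"/lib64/ld-linux-x86-64.so.2")),
                        ("static", build_sample_elf())):
        print(label, linkage_report(blob))
```

A tool built with `gcc -static` passes this check; a normal build does not, because the linker adds both the interpreter and the dynamic segment. Run the check on every binary of the toolkit before it is written to the response CD, and remember that the script itself has to run somewhere trusted, not on the suspect machine.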


    Types of Data Found

    Volatile data: any data held in system memory (running processes, open network connections, logged-in users, the kernel's current view of the system) that is lost when the machine loses power or is shut down. It must be collected first, while the machine is still running.

    Non-volatile data: persistent data that resides on the system's hard drives or other non-volatile storage devices and is typically not lost when the machine is shut down or rebooted.


    Collection Of Volatile Data

    System Information

    Network Information


    Collection of System Information

    cat, uname - system profile: uname -a for the kernel version and hostname, cat of files such as /etc/*-release and /proc/version for the distribution

    date - current system date and time (record it next to a trusted reference clock so that clock skew can be corrected later)

    history - command history (the history builtin shows the responder's own shell; the suspect's history is in each user's ~/.bash_history, which is written only when the shell exits and is easily cleared)

    uptime - gives the system uptime

    w - shows who is logged on and what they are doing

    ps - gives a snapshot of the current processes

    top - provides an ongoing look at processor activity in real time

    ls - lists the access controls and MAC times of the files on the machine (ls -l shows permissions and mtime, ls -lu the atime, ls -lc the ctime; stat shows all three)


    Contd.

    chkconfig - gives a list of startup services (SysV init; on systemd distributions use systemctl list-unit-files instead)

    who - lists the name of each user currently logged in with their terminal, the time they logged on, and the name of the host from which they have logged in

    lastlog - displays the last login times for system accounts
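
The two slides above are one procedure: run each command, keep its output, and keep proof that the output has not changed since. As an added example (not the presentation's own tool), the following Python collector runs the commands in order of volatility by absolute path from a trusted toolkit directory, saves each output on the evidence drive and writes a SHA-256 manifest with the command line, start time and exit code. The toolkit path /mnt/cdrom/bin, the evidence path and the exact ps/netstat flags are assumptions for illustration; the `PYTHON` constant exists only so the self-test can use the interpreter itself as a stand-in command.

```python
"""Volatile-data collector: runs each command from a trusted toolkit by
absolute path, saves its output on the evidence drive and writes a SHA-256
manifest so the collection can be verified later. Added example for this
page, not the presentation's own tool; the toolkit path /mnt/cdrom/bin and
the evidence path are assumptions for illustration."""
import datetime
import hashlib
import os
import subprocess
import sys

PYTHON = sys.executable   # used only by the self-test as a stand-in command

# Most short-lived data first (order of volatility). Command names are
# resolved inside the toolkit directory so nothing from the suspect's PATH runs.
VOLATILE_COMMANDS = [
    ("date",     ["date", "-u"]),
    ("uptime",   ["uptime"]),
    ("w",        ["w"]),
    ("who",      ["who", "-a"]),
    ("ps",       ["ps", "-eo", "pid,ppid,user,lstart,etime,cmd"]),
    ("netstat",  ["netstat", "-anp"]),
    ("ifconfig", ["ifconfig", "-a"]),
    ("route",    ["route", "-n"]),
    ("arp",      ["arp", "-a"]),
    ("lastlog",  ["lastlog"]),
    ("uname",    ["uname", "-a"]),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_and_record(name, argv, evidence_dir, toolkit=None, timeout=120):
    """Run argv, save stdout as <name>.txt (stderr as <name>.err if any) and
    return a manifest record. A missing or hanging tool is recorded, not fatal."""
    if toolkit is not None:
        argv = [os.path.join(toolkit, argv[0])] + argv[1:]
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        stdout, stderr, code = proc.stdout, proc.stderr, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        stdout, stderr, code = b"", str(exc).encode(), -1
    with open(os.path.join(evidence_dir, name + ".txt"), "wb") as f:
        f.write(stdout)
    if stderr:
        with open(os.path.join(evidence_dir, name + ".err"), "wb") as f:
            f.write(stderr)
    return {"name": name, "argv": " ".join(argv), "started": started,
            "exit_code": code, "sha256": sha256_hex(stdout)}


def collect(commands, evidence_dir, toolkit=None):
    """Run every command in order and write manifest.txt; returns {name: record}."""
    os.makedirs(evidence_dir, exist_ok=True)
    records = {}
    with open(os.path.join(evidence_dir, "manifest.txt"), "w") as manifest:
        for name, argv in commands:
            rec = run_and_record(name, argv, evidence_dir, toolkit)
            records[name] = rec
            manifest.write("{started}  exit={exit_code}  sha256={sha256}  "
                           "{name}.txt  <- {argv}\n".format(**rec))
    return records


if __name__ == "__main__":
    # usage: collect.py <evidence_dir> [<toolkit_dir>], e.g. /mnt/evidence/vol /mnt/cdrom/bin
    evidence_dir = sys.argv[1] if len(sys.argv) > 1 else "evidence"
    toolkit = sys.argv[2] if len(sys.argv) > 2 else None
    for rec in collect(VOLATILE_COMMANDS, evidence_dir, toolkit).values():
        print(rec["exit_code"], rec["sha256"][:16], rec["argv"])
```

The manifest proves only that the saved outputs are what the tools produced at collection time, not that the tools told the truth; that is what the static toolkit is for. The interpreter running this script is itself a dynamically linked program, so on a real engagement it belongs on the toolkit media too, or the same logic is written as a static shell or C tool.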


    Collection of Network Information

    netstat - displays information on active sockets, routing tables, interfaces, masquerade connections, and multicast memberships (netstat -anp also shows the owning process; ss is its modern replacement)

    ifconfig - displays the current configuration of each network interface: IP address, hardware (MAC) address and flags, including PROMISC, which indicates an interface in promiscuous mode (a sign of a sniffer). Sniffers that enable promiscuous mode through a packet socket do not always set that visible flag, so also check the kernel log (dmesg) for "entered promiscuous mode" messages. The default gateway comes from route -n or ip route and the DNS servers from /etc/resolv.conf, not from ifconfig.

    arp -a - displays the ARP cache (IP-to-MAC mappings of neighbours); route -n displays the route entries of the suspicious computer
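
Because netstat on the suspect machine may be trojaned, a responder can read the kernel's own socket table directly. As an added example (not the presentation's own tool), the following Python script parses /proc/net/tcp, decodes the byte-reversed hex addresses, names the TCP states, and resolves a socket inode to its owning process the way netstat -p does by scanning /proc/*/fd. `SAMPLE_PROC_NET_TCP` is a constructed excerpt in the real file's format, and the addresses and inodes in it are sample data; the decoding assumes a little-endian (x86) host.

```python
"""Read the kernel's own socket table (/proc/net/tcp) instead of trusting the
suspect's netstat binary. Added example for this page, not the presentation's
own tool. SAMPLE_PROC_NET_TCP is a constructed excerpt in the real file's
format; the addresses in it are sample data."""
import os

TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
              0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
              0x0A: "LISTEN", 0x0B: "CLOSING", 0x0C: "NEW_SYN_RECV"}

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19001 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B6E4 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 24577 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(field):
    """'0F02000A:B6E4' -> ('10.0.2.15', 46820). The kernel prints the 32-bit
    address as a host-order integer, so on little-endian x86 the bytes come
    out reversed; the port is printed in network order and needs no swap."""
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)[::-1]      # little-endian host assumed
    return ".".join(str(b) for b in raw), int(port_hex, 16)


def parse_proc_net_tcp(text):
    rows = []
    for line in text.splitlines()[1:]:     # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def listening(rows):
    return [r for r in rows if r["state"] == "LISTEN"]


def established(rows):
    return [r for r in rows if r["state"] == "ESTABLISHED"]


def pid_for_inode(inode, proc="/proc"):
    """What netstat -p does: find the process whose fd table holds socket:[inode].
    Returns None when no process claims it (or when /proc is not available)."""
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:          # process exited, or not ours to read (needs root)
            continue
    return None


def live_rows(path="/proc/net/tcp"):
    """Parse the live table; /proc/net/tcp6 and /proc/net/udp share the layout."""
    with open(path) as f:
        return parse_proc_net_tcp(f.read())


if __name__ == "__main__":
    for r in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print("%-12s %s:%d -> %s:%d uid=%d inode=%d"
              % (r["state"], *r["local"], *r["remote"], r["uid"], r["inode"]))
```

A listening socket whose inode no process in /proc claims is worth a closer look, since a rootkit that hides its process from the /proc listing usually cannot hide the socket from this table. A kernel-level rootkit can filter /proc itself, which is why this is a cross-check, not a guarantee.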


    Collection of Persistent Data

    dd - dd if=/dev/sda of=/dev/sdb - disk imaging (a disk-to-disk clone). The more usual form writes an image file to a separate, previously wiped evidence drive, for example dd if=/dev/sda of=/mnt/evidence/sda.dd bs=4M conv=noerror,sync; conv=noerror,sync keeps going past unreadable sectors and pads them with zeros so offsets in the image still match the disk. Check which device is the source and which is the destination twice: the two are easily confused, and dd overwrites the destination without asking.

    md5sum - calculates the hash value of the source disk and of the image; the two must match and both are written into the chain-of-custody record. MD5 is no longer collision-resistant, so record a sha256sum alongside it.
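
As an added example (not the presentation's own tool), the following Python script does the imaging and hashing steps together: it copies the source block by block into an image file while computing MD5 and SHA-256 of what it reads, pads unreadable blocks with zeros and counts them as dd conv=noerror,sync does, and then re-reads the image independently to confirm the digests match. The source and image paths, and the `make_sample_source` stand-in for a real /dev/sda, are assumptions for illustration.

```python
"""Image a suspect disk to a file on the evidence drive while hashing the
source on the fly, then re-hash the image to prove it is a bit-for-bit copy.
Added example for this page, not the presentation's own tool; the paths
/dev/sda and /mnt/evidence/sda.dd are assumptions for illustration."""
import hashlib


def image_and_hash(src, dst, block_size=1 << 20):
    """dd-style copy of src into dst. An unreadable block is replaced by a full
    block of zeros and counted, like dd conv=noerror,sync, so offsets in the
    image still line up with the disk. Returns md5/sha256 of what was read,
    plus the byte count and the number of bad blocks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    copied = bad_blocks = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            try:
                chunk = fin.read(block_size)
            except OSError:                      # I/O error on a bad sector range
                chunk = b"\0" * block_size
                bad_blocks += 1
                fin.seek(copied + block_size)    # skip past the bad range
            if not chunk:
                break
            md5.update(chunk)
            sha.update(chunk)
            fout.write(chunk)
            copied += len(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "bytes": copied, "bad_blocks": bad_blocks}


def hash_file(path, block_size=1 << 20):
    """Independent re-read of a file or device (what md5sum / sha256sum do)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(src, dst):
    """True when the image re-hashes to the same values as the source. Both
    digests are compared: MD5 because older chain-of-custody forms expect it,
    SHA-256 because MD5 collisions are cheap to produce."""
    return hash_file(src) == hash_file(dst)


def make_sample_source(path, size):
    """Constructed stand-in for /dev/sda: a deterministic byte pattern."""
    pattern = bytes(range(256))
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            piece = pattern[:remaining]
            f.write(piece)
            remaining -= len(piece)
    return path


if __name__ == "__main__":
    src = make_sample_source("sample_disk.bin", 3 * 1024 * 1024 + 17)
    result = image_and_hash(src, "sample_disk.dd", block_size=64 * 1024)
    print(result)
    print("verified:", verify_image(src, "sample_disk.dd"))
```

On a real disk with read errors the source cannot be re-hashed cleanly, so the digests returned by `image_and_hash` are the ones recorded, together with the bad-block count. Run it as root with the source opened read-only (blockdev --setro on the device first), and never let the image file land on the suspect's own filesystems.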


    Conclusion

    The source code of the above tools was procured and studied for malicious activities.

    They were devoid of such malicious code and hence were compiled using the gcc compiler.

    The above tools were tested on Ubuntu and BackTrack.


    Thank You