Cheatsheet: Linux Forensics Analysis - root@fareed:~#
Linux Forensic in a nutshell: Validate compromised Interviewing client/user/administrator (what, why, how, when, where, who?) Live response co...
fareedfauzi.github.io
• Первая задача в цифровой криминалистике — это сбор информации. В данной шпаргалке описан последовательный процесс поиска и сбора артефактов на заведомо взломанной тачке с ОС Linux! Содержание следующее:
• Validate compromised:
- Interviewing client/user/administrator.
• Live response and triage script:
- Linux-CatScale
- UAC
- Fennec
- Other tools in the list
• Live response commands:
- General information
- Logon activities
- Review processes
- Recover deleted process’s binary
- Review network
- Review activities
- Hunting unusual files
- Installed programs
- File investigation
- Persistent mechanisms
- Unusual system resources
• Compromised assestment scanning:
- THOR Lite
• Hunting rootkit:
- To hunt via 3rd party software
- Hunting and check files, processes
- Investigate loaded kernel modules
• Collect evidences:
- Disk imaging using dd
• Memory acquisition:
- AVML
- LIME
• Investigation and analysis:
- Live response and triage script analysis
- Memory analysis with Volatility
• Disk analysis:
- Directories and Files Analysis
- Log analysis
- Privilege escalation hunting ideas
- File recovery
- Generate Timeline analysis
