Linux Forensics
Philip Polstra
Contents
Acknowledgements
Author Biography
Foreword
Scripts, Videos, Teaching Aids, Community Forums and more
Book website
Scripts and Supporting Files
Community Forums
Videos
Teaching Aids
Introduction
What this book is about
Intended audience
How this book is organized
Chapter 1: First Steps
Chapter 3: Live Analysis
Chapter 4: Creating Images
Chapter 5: Mounting Images
Chapter 6: Analyzing Mounted Images
Chapter 7: Extended Filesystems
Chapter 8: Memory Analysis
Chapter 9: Dealing with More Advanced Attackers
Chapter 10: Malware
Chapter 11: The Road Ahead
Conclusion
1 First Steps
TYPES OF FORENSICS
GENERAL PRINCIPLES
Maintaining Integrity
Chain of Custody
Standard Practices
Documentation
PHASES OF INVESTIGATION
Evidence Preservation and Collection
Evidence Searching
Determining If There Was an Incident
CONFIRMATION BIAS IN ACTION
OPENING A CASE
TALKING TO USERS
DOCUMENTATION
MOUNTING KNOWN-GOOD BINARIES
MINIMIZING DISTURBANCE TO THE SUBJECT SYSTEM
Using a USB drive to store data
Using Netcat
Sending data from the subject system
Sending files
USING SCRIPTING TO AUTOMATE THE PROCESS
Scripting the server
Scripting the client
NOT JUST FOR SCRIPTS
3 Live Analysis
FIGURE 3.1
GETTING FILE METADATA
USING A SPREADSHEET PROGRAM TO BUILD A TIMELINE
EXAMINING USER COMMAND HISTORY
GETTING LOG FILES
DUMPING RAM
COLLECTING FILE HASHES
RAM acquisition methods
Using LiME to dump RAM
Building LiME
SUMMARY
4 Creating Images
SHUTTING DOWN THE SYSTEM
Normal shutdown
Pulling the plug
IMAGE FORMATS
Raw format
Proprietary format with embedded metadata
USING DD
Raw format with hashes stored in a separate file
USING DCFLDD
HARDWARE WRITE BLOCKING
SOFTWARE WRITE BLOCKING
Udev rules
Live Linux distributions
Proprietary format with metadata in a separate file
CREATING AN IMAGE FROM A VIRTUAL MACHINE
CREATING AN IMAGE FROM A PHYSICAL DRIVE
SUMMARY
5 Mounting Images
PARTITION BASICS
MASTER BOOT RECORD PARTITIONS
GUID PARTITIONS
MOUNTING PARTITIONS FROM AN IMAGE FILE ON LINUX
EXTENDED PARTITIONS
USING PYTHON TO AUTOMATE THE MOUNTING PROCESS
Scripting or Programming Language
MBR-based primary partitions
MBR-based extended partitions
GPT partitions
SUMMARY
6 Analyzing Mounted Images
GETTING MODIFICATION, ACCESS, AND CREATION TIMESTAMPS
IMPORTING INFORMATION INTO LIBREOFFICE
IMPORTING DATA INTO MySQL
YOU CAN’T GET THERE FROM HERE
SUPERBLOCKS
EXTENDED FILESYSTEM BASICS
7 Extended Filesystems
Compatible Features
Incompatible features
EXTENDED FILESYSTEM FEATURES
USING PYTHON
Reading the superblock
Read-only compatible features
Reading block group descriptors
Combining superblock and group descriptor information
FINDING THINGS THAT ARE OUT OF PLACE
INODES
Reading inodes with Python
Inode extensions and details
Going from an inode to a file
Extents
Directory entries
Extended attributes
JOURNALING
SUMMARY
8 Memory Analysis
VOLATILITY
CREATING A VOLATILITY PROFILE
GETTING PROCESS INFORMATION
PROCESS MAPS AND DUMPS
GETTING BASH HISTORIES
VOLATILITY CHECK COMMANDS
GETTING NETWORKING INFORMATION
GETTING FILESYSTEM INFORMATION
MISCELLANEOUS VOLATILITY COMMANDS
SUMMARY
9 Dealing With More Advanced Attackers
SUMMARY OF THE PFE ATTACK
THE SCENARIO
INITIAL LIVE RESPONSE
MEMORY ANALYSIS
LEVERAGING MYSQL
FILESYSTEM ANALYSIS
MISCELLANEOUS FINDINGS
SUMMARY OF FINDINGS AND NEXT STEPS
SUMMARY
10 Malware
Using strings
The file command
Listing symbol information with nm
Listing shared libraries with ldd
I THINK IT IS MALWARE
Getting the big picture with readelf
Using objdump to disassemble code
DYNAMIC ANALYSIS
Tracing system calls
Tracing library calls
Using the GNU Debugger for reverse engineering
OBFUSCATION
SUMMARY
11 The Road Ahead
COMMUNITIES
LEARNING MORE
CONGREGATE
CERTIFY
SUMMARY