Contents
Acknowledgements
Author Biography
Foreword
Scripts, Videos, Teaching Aids, Community Forums and more
Introduction
CHAPTER 1 First Steps
INFORMATION IN THIS CHAPTER:
WHAT IS FORENSICS?
TYPES OF FORENSICS
WHY LINUX FORENSICS?
GENERAL PRINCIPLES
Maintaining Integrity
Chain of Custody
Standard Practices
Documentation
PHASES OF INVESTIGATION
Evidence Preservation and Collection
Evidence Searching
Reconstruction of Events
HIGH-LEVEL PROCESS
Every Child is Perfect, Just Ask The Parents
BUILDING A TOOLKIT
Hardware
Software
Running live Linux in a virtual machine
SUMMARY
CHAPTER 2 Determining If There Was an Incident
INFORMATION IN THIS CHAPTER:
OPENING A CASE
TALKING TO USERS
DOCUMENTATION
If you are using a virtual machine, older may be better
MOUNTING KNOWN-GOOD BINARIES
MINIMIZING DISTURBANCE TO THE SUBJECT SYSTEM
Using a USB drive to store data
Using Netcat
Sending data from the subject system
Sending files
USING SCRIPTING TO AUTOMATE THE PROCESS
Scripting the server
Scripting the client
Short circuiting is useful in many places
INTRODUCING OUR FIRST SUBJECT SYSTEM
COLLECTING VOLATILE DATA
Date and time information
Operating system version
Network interfaces
Network connections
Open ports
Programs associated with various ports
Open Files
Running Processes
Routing Tables
Mounted filesystems
Loaded kernel modules
Users past and present
Putting it together with scripting
SUMMARY
CHAPTER 3 Live Analysis
INFORMATION IN THIS CHAPTER:
THERE WAS AN INCIDENT: NOW WHAT?
GETTING FILE METADATA
USING A SPREADSHEET PROGRAM TO BUILD A TIMELINE
EXAMINING USER COMMAND HISTORY
GETTING LOG FILES
COLLECTING FILE HASHES
DUMPING RAM
RAM acquisition methods
Building LiME
Using LiME to dump RAM
SUMMARY
CHAPTER 4 Creating Images
INFORMATION IN THIS CHAPTER:
SHUTTING DOWN THE SYSTEM
Normal shutdown
Pulling the plug
IMAGE FORMATS
Raw format
Proprietary format with embedded metadata
Proprietary format with metadata in a separate file
Raw format with hashes stored in a separate file
USING DD
USING DCFLDD
HARDWARE WRITE BLOCKING
SOFTWARE WRITE BLOCKING
Udev rules
Live Linux distributions
CREATING AN IMAGE FROM A VIRTUAL MACHINE
CREATING AN IMAGE FROM A PHYSICAL DRIVE
SUMMARY
CHAPTER 5 Mounting Images
INFORMATION IN THIS CHAPTER:
PARTITION BASICS
MASTER BOOT RECORD PARTITIONS
EXTENDED PARTITIONS
GUID PARTITIONS
MOUNTING PARTITIONS FROM AN IMAGE FILE ON LINUX
USING PYTHON TO AUTOMATE THE MOUNTING PROCESS
MBR-based primary partitions
Scripting or Programming Language
MBR-based extended partitions
GPT partitions
SUMMARY
CHAPTER 6 Analyzing Mounted Images
INFORMATION IN THIS CHAPTER:
GETTING MODIFICATION, ACCESS, AND CREATION TIMESTAMPS
IMPORTING INFORMATION INTO LIBREOFFICE
IMPORTING DATA INTO MySQL
When tools fail you
CREATING A TIMELINE
EXAMINING BASH HISTORIES
EXAMINING SYSTEM LOGS
EXAMINING LOGINS AND LOGIN ATTEMPTS
OPTIONAL – GETTING ALL THE LOGS
SUMMARY
CHAPTER 7 Extended Filesystems
INFORMATION IN THIS CHAPTER:
EXTENDED FILESYSTEM BASICS
SUPERBLOCKS
EXTENDED FILESYSTEM FEATURES
Compatible Features
Incompatible features
Read-only compatible features
USING PYTHON
Reading the superblock
Reading block group descriptors
Combining superblock and group descriptor information
FINDING THINGS THAT ARE OUT OF PLACE
INODES
Reading inodes with Python
Inode extensions and details
Going from an inode to a file
Extents
Directory entries
Extended attributes
JOURNALING
SUMMARY
CHAPTER 8 Memory Analysis
INFORMATION IN THIS CHAPTER:
VOLATILITY
CREATING A VOLATILITY PROFILE
GETTING PROCESS INFORMATION
PROCESS MAPS AND DUMPS
GETTING BASH HISTORIES
VOLATILITY CHECK COMMANDS
GETTING NETWORKING INFORMATION
GETTING FILESYSTEM INFORMATION
MISCELLANEOUS VOLATILITY COMMANDS
SUMMARY
CHAPTER 9 Dealing with More Advanced Attackers
INFORMATION IN THIS CHAPTER:
SUMMARY OF THE PFE ATTACK
THE SCENARIO
INITIAL LIVE RESPONSE
MEMORY ANALYSIS
FILESYSTEM ANALYSIS
LEVERAGING MYSQL
MISCELLANEOUS FINDINGS
SUMMARY OF FINDINGS AND NEXT STEPS
SUMMARY
CHAPTER 10 Malware
INFORMATION IN THIS CHAPTER:
IS IT MALWARE?
The file command
Is it a known-bad file?
Using strings
Listing symbol information with nm
Listing shared libraries with ldd
I THINK IT IS MALWARE
Getting the big picture with readelf
Using objdump to disassemble code
DYNAMIC ANALYSIS
Tracing system calls
Tracing library calls
Using the GNU Debugger for reverse engineering
OBFUSCATION
SUMMARY
CHAPTER 11 The Road Ahead
INFORMATION IN THIS CHAPTER:
NOW WHAT?
COMMUNITIES
LEARNING MORE
CONGREGATE
CERTIFY
SUMMARY