Download Pentester Academy - Linux Forensics Free

This course will familiarize students with all aspects of Linux forensics. By the end of this course students will be able to perform live analysis, capture volatile data, make images of media, analyze file systems, analyze network traffic, analyze files, perform memory analysis, and analyze malware all on a Linux system with readily available free and open source tools. Students will also gain an in-depth understanding of how Linux works under the covers.
A non-exhaustive list of topics to be covered includes:
Live response
- First talk to humans
  - What do they think happened?
  - Details on victim system(s)
- Mount reaction kit with known good tools
  - CD-ROM preferred, as it was not likely part of the compromise
  - USB mass storage can be used if there is no CD-ROM
- Using netcat to minimize contamination
- Collecting volatile data
  - date and time
  - network interfaces
    - funny networks
    - promiscuous mode?
  - network connections
  - open ports
  - programs associated with ports
  - running processes
  - open files
  - routing tables
  - mounted filesystems
  - loaded kernel modules
- Collecting data to determine if dead analysis is justified
  - kernel version
  - uptime
  - filesystem datetime stamps
  - hash values for system files
  - current user logins
  - login history
  - system logs
  - user accounts
  - user history files
  - hidden files and directories
  - sending off suspicious files for further study
- RAM dumping
  - Making the decision to dump RAM
  - Using fmem
  - Using LiME
  - Using /proc/kcore
Acquiring filesystem images
- Using dd
- Using dcfldd
- Write blocking options
  - Forensic Linux distros
  - Udev rules-based blocker
Analyzing filesystem images
- Mounting images
- Files with basic system info
- Files with suspicious user info
- Examining logs
- Process-related files
- Authentication-related files
- Using standard Linux tools to find information
- Strange files
- Recovering deleted files
  - Finding deleted files
  - Attempting recovery
- Leveraging The Sleuth Kit (TSK) and Autopsy
  - mmls
  - fsstat
  - dstat
  - istat
  - fls & mactime
- Timeline analysis
  - When the system was installed, upgraded, booted, etc.
  - Newly created files (malware)
  - Changed files (trojans)
  - Files in the wrong place (exfiltration)
Digging deeper into Linux filesystems
- Disk editors
  - Active@ Disk Editor
  - Autopsy
- ExtX
  - Basics
  - Superblocks
  - Directory entries
  - Inodes
  - Data blocks
  - Compatible, incompatible, and read-only compatible features
    - Experimental features may be installed
  - Boot code
  - Using sigfind to find important blocks
  - Understanding indirect block levels
  - istat, ils, ifind, icat
  - Links and mounts
  - Hash trees
  - Journaling
- Finding data with blkstat, blkls, blkfind, blkid, and blkcalc
- Relating data found with grep to a file/application
- Undeleting files
- Searching unallocated space
Network forensics
- Using snort on packet captures
- Using tcpstat
- Separating conversations with tcpflow
- Tracing backdoors with tcpflow
File forensics
- Using file signatures
- Searching through swap space
- Web browsing reconstruction
  - Cookies
  - Search history
  - Browser caches
- Unknown files
  - Comparing hashes to known values
  - file command
  - strings command
  - Viewing symbols with nm
  - Reading ELF files
  - objdump
  - Bringing out the big guns: gdb
Memory forensics
- Volatility profiles
- Retrieving process information
- Recovering command line arguments
- Rebuilding environment variables
- Listing open files
- Retrieving bash information
- Reconstructing network artifacts
- Kernel information
- Volatile file system information
- Detecting user mode rootkits
- Detecting kernel rootkits
Reversing Linux malware
- Digging deeper into ELF
  - Headers
  - Sections
  - Strings
  - Symbol tables
  - Program headers
  - Program loading
  - Dynamic linking
- Command line analysis tools
  - strings
  - strace
  - ltrace
- Running malware (carefully)
  - Virtual machine setup
  - Capturing network traffic
  - Leveraging gdb
Writing the reports
- Autopsy
- Dradis
- OpenOffice