Basic commands for forensic analysis [compromised data]


Normally, when a forensic analysis has to be performed on a disk image that has been compromised in some way [hack, lost data, etc.], there are certain data points of vital importance for drawing conclusions in each case/scenario.

Note: It is important to use a tool specialized in this type of analysis, so that the behavior of the OS, hard drive, etc. under analysis is not altered by the analysis itself.

Analysis

Description: Current time and date.

securitytweak@siftworkstation:~$ date
Wed Jul 5 13:07:03 PDT 2017

Description: Time since the last system restart.

securitytweak@siftworkstation:~$ uptime -p
up 1 hour, 27 minutes

Description: System information.

securitytweak@siftworkstation:~$ uname -a
Linux siftworkstation 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Description: Active interfaces and IP addressing.

securitytweak@siftworkstation:~$ ifconfig
eth0 Link encap:Ethernet HWaddr XX:0d:29:78:01:22
inet addr:192.168.0.XX Bcast:192.XX.0.255 Mask:XX.255.255.0
inet6 addr: XC::20c:29ff:fe78:1X2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:947 errors:0 dropped:0 overruns:0 frame:0
TX packets:200 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:97151 (97.1 KB) TX bytes:29174 (29.1 KB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:161 errors:0 dropped:0 overruns:0 frame:0
TX packets:161 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15579 (15.5 KB) TX bytes:15579 (15.5 KB)

Description: Verification of suspicious processes and services.

securitytweak@siftworkstation:~$ ps -eaf
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 11:39 ? 00:00:07 /sbin/init
root 2 0 0 11:39 ? 00:00:00 [kthreadd]
root 3 2 0 11:39 ? 00:00:00 [ksoftirqd/0]
root 5 2 0 11:39 ? 00:00:00 [kworker/0:0H]
root 7 2 0 11:39 ? 00:00:02 [rcu_sched]
root 8 2 0 11:39 ? 00:00:01 [rcuos/0]

etc…

Description: Network connections.

securitytweak@siftworkstation:~$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 1 0 ip6-localhost:53600 ip6-localhost:ipp CLOSE_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [] DGRAM 14460 /var/lib/samba/private/msg.sock/1929
unix 2 [] DGRAM 14469 /var/lib/samba/private/msg.sock/2002
unix 2 [] DGRAM 14497 /var/lib/samba/private/msg.sock/2011
unix 27 [] DGRAM 9839 /dev/log
etc…

Description: Users currently connected.

Option 1

securitytweak@siftworkstation:~$ w

13:11:50 up 1:31, 2 users, load average: 0.04, 0.08, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
securitytweak :0 :0 11:41 ?xdm? 3:37 0.77s init --user
securitytweak pts/9 :0 11:41 6.00s 0.31s 0.03s w

Option 2

securitytweak@siftworkstation:~$ who
securitytweak :0 2017-07-05 11:41 (:0)
securitytweak pts/9 2017-07-05 11:41 (:0)

Option 3

securitytweak@siftworkstation:~$ users
daunknownsource securitytweak

Description: Following the general system activity log as it is written.

securitytweak@siftworkstation:~$ tail -f /var/log/messages

Description: Storage disk free space.

securitytweak@siftworkstation:~$ df
Filesystem 1K-blocks Used Available Use% Mounted on
udev 1002244 4 1002240 1% /dev
tmpfs 203528 1264 202264 1% /run
/dev/sda1 204229432 7204924 186627224 4% /
none 4 0 4 0% /sys/fs/cgroup
none 5120 0 5120 0% /run/lock
none 1017632 152 1017480 1% /run/shm
none 102400 44 102356 1% /run/user

Description: Physical and swap memory usage in the system (total, used, free).

securitytweak@siftworkstation:~$ free
total used free shared buffers cached
Mem: 2035268 1682360 352908 14788 91452 837860
-/+ buffers/cache: 753048 1282220
Swap: 2094076 0 2094076

Description: Files owned by the "root" user (uid 0) that have the setuid bit set.

securitytweak@siftworkstation:~$ find / -uid 0 -perm -4000 -print
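As an added example (not part of the original post), the data points listed above gathered in a single run, in order of volatility, into an evidence directory with a log of what was executed and a SHA-256 manifest so the collection can be verified later. It goes a little beyond the post in two places: the setuid search can be limited to one directory tree (for instance the mount point of an image mounted read-only, in keeping with the note about not altering the system under analysis), and a check of /proc flags running processes whose executable has been deleted or lives in /tmp, /var/tmp or /dev/shm. The evidence path, the 500-line cap on the log and the choice of staging directories are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not part of the original post: run the data points listed
# above as one collection, in order of volatility, writing each result to an
# evidence directory with a log of what was run and a SHA-256 manifest.
# Assumed: a POSIX sh, and that the evidence directory sits on media separate
# from the system under analysis (e.g. a mounted USB drive), so the collection
# itself does not overwrite data that may matter to the case.

# record_cmd DIR NAME CMD [ARGS...]: run CMD, capture stdout and stderr in
# DIR/NAME.txt, and append a timestamped line to DIR/collection.log.
# A missing tool is recorded as such rather than aborting the collection.
record_cmd() {
    dir=$1; name=$2; shift 2
    out="$dir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || true   # keep going even if one command fails
        status=collected
    else
        printf 'tool not available: %s\n' "$1" >"$out"
        status=missing
    fi
    printf '%s | %s | %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$name" "$status" "$*" >>"$dir/collection.log"
}

# suspicious_processes: beyond the plain ps listing, flag running processes
# whose executable lives in a world-writable staging directory or has been
# deleted from disk while still running (readlink on /proc/PID/exe then ends
# in " (deleted)"). Prints "PID path" per hit; staging dirs are an assumption.
suspicious_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case $exe in
            /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)")
                printf '%s %s\n' "${p#/proc/}" "$exe" ;;
        esac
    done
    return 0
}

# hash_evidence DIR: write a SHA-256 manifest of every artifact
# (sha256sum, or shasum as a fallback on systems without coreutils).
hash_evidence() {
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum
    else hasher="shasum -a 256"; fi
    (cd "$1" && $hasher ./*.txt collection.log >SHA256SUMS)
}

# verify_evidence DIR: succeed only if every artifact still matches the manifest.
verify_evidence() {
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum
    else hasher="shasum -a 256"; fi
    (cd "$1" && $hasher -c SHA256SUMS >/dev/null 2>&1)
}

# collect_volatile DIR [ROOT]: the sequence of commands from the post.
# ROOT (default /) limits the setuid search, e.g. to the mount point of a
# read-only mounted image instead of the live root filesystem.
collect_volatile() {
    dir=$1; root=${2:-/}
    mkdir -p "$dir"
    record_cmd "$dir" 01_date        date
    record_cmd "$dir" 02_uptime      uptime -p
    record_cmd "$dir" 03_uname       uname -a
    record_cmd "$dir" 04_interfaces  ifconfig -a
    record_cmd "$dir" 05_processes   ps -eaf
    record_cmd "$dir" 06_suspicious  suspicious_processes
    record_cmd "$dir" 07_netstat     netstat -an
    record_cmd "$dir" 08_w           w
    record_cmd "$dir" 09_who         who
    record_cmd "$dir" 10_users       users
    # tail -f never returns; take the last 500 lines (an assumed cap) instead.
    record_cmd "$dir" 11_messages    tail -n 500 /var/log/messages
    record_cmd "$dir" 12_df          df
    record_cmd "$dir" 13_free        free
    # setuid files owned by uid 0; -xdev stays on one filesystem, -type f
    # skips directories that merely carry the bit.
    record_cmd "$dir" 14_suid_root   find "$root" -xdev -type f -uid 0 -perm -4000 -print
    hash_evidence "$dir"
}

# Usage (as root, evidence directory on separate media; path is an example):
#   collect_volatile /media/usb/evidence
#   verify_evidence  /media/usb/evidence   # later, before relying on the files
```

The order matters: the clock, uptime, processes and connections change from second to second, while disk usage and setuid files change slowly, so the volatile items are captured first. Running `verify_evidence` against the same directory at a later date confirms that none of the captured files has been altered since collection.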

These are some of the commands needed for a correct and complete analysis of a case in which information has been compromised and it is necessary to establish what happened to the devices and the information they handled.

This example is based on Linux distributions; however, the same data points can be collected on any other platform [OS].
