Skip to content

Latest commit

 

History

History
388 lines (281 loc) · 9.5 KB

linux-dfir-commands.md

File metadata and controls

388 lines (281 loc) · 9.5 KB

Linux DFIR Commands

Dumping Memory 

dd if=/dev/kmem of=/root/kmem
dd if=/dev/mem of=/root/mem

LiME

sudo insmod ./lime.ko "path=./Linmen.mem format=raw"

LinPMem

./linpmem -o memory.aff4
./linpmem memory.aff4 -e PhysicalMemory -o memory.raw

Taking Image 

fdisk -l
dd if=/dev/sda1 of=/[outputlocation]

Misc Useful Tools

FastIR

python ./fastIR_collector_linux.py

LinEnum

./linenum.sh
./linenum.sh -t

Live Triage

System Information 

date
uname –a
hostname
cat /proc/version
lsmod

Account Information 

cat /etc/passwd
cat /etc/shadow
cat /etc/sudoers
cat /etc/sudoers.d/*
cut -d: -f1 /etc/passwd
getent passwd | cut -d: -f1
compgen -u

Current user 

whoami
who

Last logged on users 

last
lastb
cat /var/log/auth.log

Initialization Files 

cat /etc/bash.bashrc
cat ~/.bash_profile 
cat ~/.bashrc

Environment and Startup Programs 

cat /etc/profile
ls /etc/profile.d/
cat /etc/profile.d/*

Scheduled Tasks 

ls /etc/cron.*
ls /etc/cron.*/*
cat /etc/cron.*/*
cat /etc/crontab

SSH Keys and Authorized Users 

cat /etc/ssh/sshd_config

Note: This specifies where the SSH daemon will look for keys. Generally this will be as below.

ls /home/*/.ssh/*
cat /home/*/.ssh/id_rsa.pub
cat /home/*/.ssh/authorized_keys

Sudoers File (who who can run commands as a different user) 

cat /etc/sudoers

Configuration Information 

ls /etc/*.d
cat /etc/*.d/*

Network Connections / Socket Stats 

netstat
netstat -apetul
netstat -plan
netstat -plant
ss
ss -l
ss -ta
ss -tp

IP Table Information 

ls /etc/iptables
cat /etc/iptables/*.v4
cat /etc/iptables/*.v6
iptables -L

Network Configuration 

ifconfig -a

Browser Plugin Information 

ls -la ~/.mozilla/plugins
ls -la /usr/lib/mozilla/plugins
ls -la /usr/lib64/mozilla/plugins
ls -la ~/.config/google-chrome/Default/Extensions/

Kernel Modules and Extensions/ 

ls -la /lib/modules/*/kernel/*

Process Information 

ps -s
ps -l
ps -o
ps -t
ps -m
ps -a
top

Search files recursively in directory for keyword 

grep -H -i -r "password" /

Process Tree 

ps -auxwf

Open Files and space usage 

lsof
du

Pluggable Authentication Modules (PAM) 

cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/

Disk / Partition Information 

fdisk -l

System Calls / Network Traffic 

strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;
strace -f -e trace=network -s 10000 -p <PID>;

Note: Below material with thanks to Craig Rowland - Sandfly Security

Detailed Process Information 

ls -al /proc/[PID]

Note:

  • CWD = Current Working Directory of Malware
  • EXE = Binary location and whether it has been deleted
  • Most Common Timestamp = When process was created

Recover deleted binary which is currently running 

cp /proc/[PID]/exe /[destination]/[binaryname]

Capture Binary Data for Review 

cp /proc/[PID]/ /[destination]/[PID]/

Binary hash information 

sha1sum /[destination]/[binaryname]
md5sum /[destination]/[binaryname]

Process Command Line Information 

cat /proc/[PID]/cmdline
cat /proc/[PID]/comm

Note:

  • Significant differences in the above 2 outputs and the specified binary name under /proc/[PID]/exe can be indicative of malicious software attempting to remain undetected.

Process Environment Variables (incl user who ran binary) 

strings /proc/[PID]/environ
cat /proc/[PID]/environ

Process file descriptors/maps (what the process is ‘accessing’ or using) 

ls -al /proc/[PID]/fd
cat /proc/[PID]/maps

Process stack/status information (may reveal useful elements) 

cat /proc/[PID]/stack
cat /proc/[PID]/status

Deleted binaries which are still running 

ls -alr /proc/*/exe 2> /dev/null |  grep deleted

Process Working Directories (including common targeted directories) 

ls -alr /proc/*/cwd
ls -alr /proc/*/cwd 2> /dev/null | grep tmp
ls -alr /proc/*/cwd 2> /dev/null | grep dev
ls -alr /proc/*/cwd 2> /dev/null | grep var
ls -alr /proc/*/cwd 2> /dev/null | grep home

Hidden Directories and Files 

find / -type d -name ".*"

Immutable Files and Directories (Often Suspicious) 

lsattr / -R 2> /dev/null | grep "\----i"

SUID/SGID and Sticky Bit Special Permissions 

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

File and Directories with no user/group name 

find / \( -nouser -o -nogroup \) -exec ls -lg  {} \;

File types in current directory 

file * -p

Executables on file system 

find / -type f -exec file -p '{}' \; |  grep ELF

Hidden Executables on file system 

find / -name ".*" -exec file -p '{}' \; | grep ELF

Files modified within the past day 

find / -mtime -1

Persistent Areas of Interest 

/etc/rc.local
/etc/initd
/etc/rc*.d
/etc/modules
/etc/cron*
/var/spool/cron/*
/usr/lib/cron/
/usr/lib/cron/tabs

Audit Logs 

ls -al /var/log/*
ls -al /var/log/*tmp
utmpdump /var/log/btmp
utmpdump /var/run/utmp
utmpdump /var/log/wtmp

Installed Software Packages 

ls /usr/bin/
ls /usr/local/bin/