YobiWiki - User contributions [en]

Forensics on Incident 2

2007-05-15T09:20:48Z

213.219.144.246:

==Breach in j.b.i. @ y.i==
===Analysis===
Initial report: one defaced page http://vserverX/eshare/catalog redirecting to http: // www . test . we-create . org
<pre>
Note that if redirection works apparently with IE it didn't work with iceweasel, I could just see the attempt of redirection in the source of the page:
<script> window.location=\"http: // www . test . we-create . org/\"; </script>

# On host:
apt-get install tct sleuthkit

# Isolate the vserverX
iptables -I INPUT -d <ip_of_vserverX> -j DROP

# Grep mactimes before touching the system
grave-robber -o LINUX2 -c /path/to/vserverX/ -b ./vserverX -m
# mactime from one week ago till now
mactime -b vserverX -p /path/to/vserverX/etc/passwd mm/dd/yyyy |tee vserverX.mactime
# apparently mactime could work directly on live system with -d ...

# Search string we-create in /var/www and /var/lib/mysql:
/var/lib/mysql/oscommerce/configuration.MYD

# Extract corresponding sql table:
vserverX:/# mysqldump -uuserX -p --opt oscommerce > oscommerce.sql

# Analyse sql dump:
INSERT INTO `configuration` VALUES (1,'Store Name','STORE_NAME','<script> window.location=\"http: // www . test . we-create . org/\"; </script>','The name of my store',1,1,'2007-05-11 21:04:30','2006-12-22 09:32:15',NULL,NULL)...

# This is the modification apparent on the defaced page, done at '2007-05-11 21:04:30'
# note that there were other defacing attempts here:
INSERT INTO `categories_description` VALUES (...
,(25,4,'<script> window.location=\"http:/')
,(25,2,'<script> window.location=\"http:/')

# extract infos around that time from mactime dump:
May 11 07 21:04:30 25168 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/configuration.MYD
# this is the defacing itself
May 11 07 21:12:15 3480 m.c drwxrwxrwx root root /path/to/vserverX/var/www/eshop/catalog/images
4396 mac -rwxrwxrwx www-data www-data /path/to/vserverX/var/www/eshop/catalog/images/images.jpg
# upload of a "we hacked you" image
1164 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/categories.MYD
2508 m.c -rw-rw---- mysql munin /path/to/vserverX/var/lib/mysql/oscommerce/categories_description.MYD
# this is the second attempt of defacing of the categories

# extract infos around that time from apache logs (logs cleaned from .js and .gif urls)
# hacker client: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
85.105.88.202 - - [11/May/2007:20:55:14 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=40&sa=N&filter=0"
85.105.88.202 - - [11/May/2007:20:55:58 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2 HTTP/1.1" 200 10648 "http://vserverX/eshop/catalog/admin/backup.php?action=restorelocal"
85.105.88.202 - - [11/May/2007:21:04:07 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=5340c42e400b2a4aa53923c19fa5ede2"
85.105.88.202 - - [11/May/2007:21:04:11 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php"
85.105.88.202 - - [11/May/2007:21:04:13 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php"
85.105.88.202 - - [11/May/2007:21:04:16 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22252 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french"
85.105.88.202 - - [11/May/2007:21:04:22 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit HTTP/1.1" 200 22550 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration"
85.105.88.202 - - [11/May/2007:21:04:29 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "POST /eshop/catalog/admin/configuration.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:30 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&cID=1 HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/configuration.php?gID=1&cID=1&action=edit"
85.105.88.202 - - [11/May/2007:21:04:47 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
85.105.88.202 - - [11/May/2007:21:05:05 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
85.105.88.202 - - [11/May/2007:21:05:28 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-"
85.105.88.202 - - [11/May/2007:21:05:29 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 17760 "-"
85.105.88.202 - - [11/May/2007:21:05:40 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools&osCAdminID=7f009d2bed82fc3c7c9da8f616307e6a HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/"
85.105.88.202 - - [11/May/2007:21:05:46 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-"
85.105.88.202 - - [11/May/2007:21:05:49 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
85.105.88.202 - - [11/May/2007:21:05:52 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=edit"
85.105.88.202 - - [11/May/2007:21:05:55 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=new_file HTTP/1.1" 200 110032 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
85.105.88.202 - - [11/May/2007:21:11:49 +0200] "GET /eshop/catalog/admin/categories.php?selected_box=catalog HTTP/1.1" 200 14826 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php&action=new_file"
85.105.88.202 - - [11/May/2007:21:11:51 +0200] "GET /eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category HTTP/1.1" 200 15717 "http://vserverX/eshop/catalog/admin/categories.php?selected_box=catalog"
85.105.88.202 - - [11/May/2007:21:11:52 +0200] "GET /eshop/catalog/images/homepic4.jpg HTTP/1.1" 404 354 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category"
[Fri May 11 21:11:52 2007] [error] [client 85.105.88.202] File does not exist: /var/www/eshop/catalog/images/homepic4.jpg, referer: http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category
85.105.88.202 - - [11/May/2007:21:12:15 +0200] "POST /eshop/catalog/admin/categories.php?action=update_category&cPath= HTTP/1.1" 200 1872 "http://vserverX/eshop/catalog/admin/categories.php?cPath=&cID=25&action=edit_category"
85.105.88.202 - - [11/May/2007:21:12:32 +0200] "GET /eshop/catalog HTTP/1.1" 301 369 "-"
85.105.88.202 - - [11/May/2007:21:12:37 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "-"
85.105.88.202 - - [11/May/2007:21:12:53 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-"

85.105.88.202 - - [12/May/2007:21:42:13 +0200] "GET /eshop/catalog/admin/backup.php?action=restorelocal HTTP/1.1" 200 13939 "http://www.google.com.tr/search?q=inurl:catalog/admin/backup.php&hl=tr&start=30&sa=N&filter=0"
85.105.88.202 - - [12/May/2007:21:42:45 +0200] "GET /eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2 HTTP/1.1" 200 10648 "-"
85.105.88.202 - - [12/May/2007:21:42:47 +0200] "GET /eshop/catalog/admin/define_language.php HTTP/1.1" 200 18713 "http://vserverX/eshop/catalog/admin/backup.php?selected_box=tools&osCAdminID=06f47581056b54ad6735566d29bdd3f2"
85.105.88.202 - - [12/May/2007:21:42:51 +0200] "GET /eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php HTTP/1.1" 200 15345 "http://vserverX/eshop/catalog/admin/define_language.php"
85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 22329 "http://vserverX/eshop/catalog/admin/define_language.php?lngdir=french&filename=index.php"
85.105.88.202 - - [12/May/2007:21:42:53 +0200] "GET /eshop/catalog/admin/configuration.php?gID=1&selected_box=configuration HTTP/1.1" 200 8152 "-"
85.105.88.202 - - [12/May/2007:21:43:06 +0200] "GET /eshop/ HTTP/1.1" 200 2268 "-"
85.105.88.202 - - [12/May/2007:21:43:09 +0200] "GET /eshop/catalog/ HTTP/1.1" 200 22419 "http://vserverX/eshop/"
85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin HTTP/1.1" 301 375 "-"
85.105.88.202 - - [12/May/2007:21:43:17 +0200] "GET /eshop/catalog/admin/ HTTP/1.1" 200 16044 "-"
85.105.88.202 - - [12/May/2007:21:43:20 +0200] "GET /eshop/catalog/admin/file_manager.php?selected_box=tools HTTP/1.1" 200 109384 "http://vserverX/eshop/catalog/admin/"
85.105.88.202 - - [12/May/2007:21:43:37 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php HTTP/1.1" 200 109692 "-"
85.105.88.202 - - [12/May/2007:21:43:45 +0200] "GET /eshop/catalog/admin/file_manager.php?info=index.php&action=edit HTTP/1.1" 200 33371 "http://vserverX/eshop/catalog/admin/file_manager.php?info=index.php"
85.105.88.202 - - [12/May/2007:21:43:57 +0200] "GET /admin HTTP/1.1" 404 326 "-"
[Sat May 12 21:43:57 2007] [error] [client 85.105.88.202] File does not exist: /var/www/admin

</pre>

===Conclusions===
* Initial breach
** attack came from 85.105.88.202 = dsl.static.85-105-22730.ttnet.net.tr (Turkish ADSL)
** this site was found initially by a simple google search (Google Turkey!) for "catalog/admin/backup.php"<br>easy was to find unprotected oscommerce websites...<br>I visit another one from the Google list: http: // oscommerce . uksz . net/catalog/admin/<br>and surprise, Store Name = window.location="http: // www . test . we-create . org/";<br>no comment!
** eshare was defaced via eshop, simply both were sharing the same DB
* Counter-measures
** Protect access to catalog/admin<br>This was done but only for https, default conf with Apache was still AllowOverride None for http connections

2007-05-15T08:43:09Z

213.219.144.246: /* Security */

Note that I still have many pages to import from my [http://wiki.teuwen.org/TriPages old wiki]
==Security==
* [[Security Resources]]
* [[Forensics]]
** [[Forensics on Incident 1]]
** [[Forensics on Incident 2]]
* [[Network security tools]]
* [[Wi-Fi Protected Setup]]
* [[Bypass Proxy]]
** [[Bypass Proxy reference]]
* [[MiscCrypto]]
** [[Encfs]]
** [[LoopCrypt]]
* [[Belgian eGov]]
* [[MetaSploit Framework]]
* Specific attacks
** [[Reverse Cross-Site Request (RCSR) vulnerability]]
** [[Code Red]]
* [[Fuzzing]]

==Hobbies==
* [[Photo]]
* [[Linux Certification]]
* [[Diving]]

==Hardware==
* [[bttv]]
* [[Canon EOS]]
* [[Kiss 450]]
* [[Laptop Asus]]
* [[Laptop Dell Latitude D600]]
* [[Laptop Dell Latitude D610]]
* [[Photo Frame]]
* [[Philips Webcam]]
* [[Sony Handycam]]
* [[Amd64]]
* [[Tux Droid]]
* [[NSLU2]]

==Software==
===Server side===
* [[Syslog]]
* [[Munin]]
* [[Apache]]
* [[AWFFull]]
* [[GeoIP]]
* [[Mysql]]
* [[Oracle]]
* [[CVS and Subversion]]
* [[MediaWiki]]
* [[Gallery]]
* [[PhpMyAdmin]]
* [[Webcalendar]]
* [[Avimanager]]
* [[Distributed Library Project]]
* [[Zope]]
* [[Plone]]
* [[Alert notifications]]
* [[Serial Login]]
* [[Virtual Private Networks]]
* [[BackupPc]]
====Mail services====
* [[qmail & ezmlm]]
* [[Exim]]
* [[Courier]]
* [[Procmail]]
* [[Imapproxy]]
* [[Squirrelmail]]
* [[Spamassassin]]
* [[Fetchmail]]
* [[Anti-Virus]]
====Syslog services====
* [[Syslog]]
* [[Logcheck]]
* [[Php-Syslog-ng]]
====Jabber====
* [[Jabberd]]
* [[Jabberd-Addons]]
* [[Jabberd-Conference]]
* [[Jabberd-Jud]]
* [[Jabberd-AIM]]
* [[Jabberd-Icq]]
* [[Jabberd-Irc]]
* [[Jabberd-MSN]]
* [[Jabberd-Yahoo]]
* [[RSS2Jabber]]

====vserver====
* [[Vserver administration]]
* [[Vserver watchdogs]]
* [[Vserver tools]]

====misc====
* [[Search engines]]

===Desktop side===
* [[Dict Applications]]
* [[Screen Tips]]
* [[Firefox Tips]]
* [[Bash Tips]]
* [[Mail Tips]]
* [[Offlineimap]]
* [[IceWM]]
* [[CD & DVD Burning]]
* [[VoIP]]
====[[Jabber]]====
* [[Jabber Clients]]
* [[Jabber Send Message]]
* [[Jabber Utils]]

===Debian===
* [[Debian Documentation]]
* [[Debian Commands]]
* [[DebTags]]
* [[Debian Alsa]]
* [[Debian Kernel]]
* [[Debian Soft Raid]]
* [[Debian on Amd64]]
* [[My Debian Bugreports]]
* [[Debian Tricks]]

===Development===
* [[oprofile]]
* [[Customizing Knoppix]]
* [[Multi-CD USB stick]]
* [[Online PDF Viewer]]
* [[Wi-Fi Protected Setup]]
* [[USB]]
* [[WeekEndBootstrappers]]

==Lifeware==
* [[whoami]]
* [[Généalogie]]
* [[Bébé]]
* [[Chassis Couronne]]
* [[Prêts et emprunts]]
* [[Brevets]]
* [[Site de prêts]]
* [[Vacances]]

==Misc==
* [[External links]]
* [[Telephony]]

Forensics

2007-05-15T08:41:25Z

213.219.144.246: /* Generic forensic tools */

== Books ==
* [http://www.porcupine.org/forensics/forensic-discovery/ Forensics Discovery]
== Links ==

* http://www.d-fence.be and http://www.lnx4n6.be
** Among others the excellent FCCU GNU/Linux Forensic Boot CD, based on Knoppix
* [http://www.foo.be/gt/forensic/ Présentation d'adulau]
* http://cve.mitre.org
* http://www.porcupine.org (Wieste Venema/TCT)
* [http://public.afosi.amc.af.mil U.S AirForce Office of Special Investigations]
* http://www.forensicswiki.org

== Lists ==

* http://groups.yahoo.com/group/linux_forensics/

== Tools ==

=== Generic forensic tools ===
* '''[http://www.porcupine.org/forensics/tct.html The Coroner Toolkit]'''
** apt-get install tct
** '''grave-robber''': collecte d'infos et empreinte -> /var/cache/tct/data
** '''lazarus''': reconstitue les fichiers présents dans les clusters non référencés
** '''mactime''': liste les fichiers dont le mactime a été modifié depuis une certaine date
* '''[http://sleuthkit.sourceforge.net/sleuthkit/index.php Sleuthkit]''' & '''Autopsy''' (GUI)
** apt-get install sleuthkit
** apt-get install autopsy
** [http://sleuthkit.sourceforge.net/sleuthkit/tools.php A lot] of tools
** Some [http://sleuthkit.sourceforge.net/informer/ very nice articles] online to learn how to use them.

=== On live systems ===
* '''[http://staff.washington.edu/dittrich/talks/blackhat/blackhat/cryogenic.c Cryogenic.c]'''
** Captures process information stored in Linux's Proc_fs on a best effort basis
*'''[http://www.chrootkit.org Chkrootkit]'''
** Checks for signs of rootkits on the local system
** apt-get install chkrootkit
** '''chkdirs''': détecte les anomalies entre le nombre de liens d'un répertoire père et le nombre de sous-répertoires de ce dernier
** '''chkprocs''': compare le contenu du répertoire /proc avec la sortie de la commande ps
* '''Kstat'''
** Détecte le détournement d'appels systèmes
** wget http://s0ftpj.org/tools/kstat24_v1.1-2.tgz
* Less intrusive: mem dump via '''Firewire'''
** Presentation by A. Boileau: [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf Hit by a Bus: Physical Access Attacks with Firewire (PDF)]
** [http://www.storm.net.nz/projects/16 More on his page]

=== Dumping data supports ===
* '''[http://www.gnu.org/software/ddrescue/ddrescue.html ddrescue]'''
** apt-get install gddrescue
** Seems to work better than the next one (not to be confounded with...)
* '''[http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue]'''
** apt-get install ddrescue
* '''[http://www.ferzkopp.net/Software/CloneIt/CloneIt.html CloneIt]'''
** Networked Harddisk Replication System
** cf also netcat on [[Network security tools]]
* '''[http://www.heise.de/ct/05/16/links/078.shtml H2cdimage]'''
** To recover badly damaged CD/DVDs

=== Guessing the filesystem used ===
* testdisk
** apt-get install testdisk
* gpart
** apt-get install gpart
* disktype
** apt-get install disktype

=== Recovering files from filesystems ===
==== From ISO9660 ====
* '''[http://www.heise.de/ct/05/16/links/078.shtml dares]'''
** Description: rescue files from damaged CDs and DVDs (ncurses-interface)<br>Dares scans a CD/DVD image or a CD/DVD for files. This also works when the filesystem (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.
** apt-get install dares
** Note that it helps recovering a ''logically'' damaged image, if the disk is physically damaged, first use sth like gddrescue to cope with IO errors.
==== From ext2 ====
* e2undel
** apt-get install e2undel
* recover (and gtkrecover)
** apt-get install recover
Agnostic (any fs)
* '''[http://foremost.sourceforge.net/ foremost]'''
** Description: a forensics application to recover data<br>foremost is a console program to recover files based on their headers and footers for forensics purposes.<br> foremost can work on disk image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers are specified by a configuration file, so you can pick and choose which headers you want to look for.
** apt-get install foremost
** Very good, nice progression report
** Example:<br>foremost -t avi -t mpg -t wmv -t mov -q -v -i /dev/hda -o /path/recovered
* '''[http://jbj.rapanden.dk/magicrescue/ Magic Rescue]'''
** very same purpose than foremost, very fast (but I didn't have yet the chance to compare it to foremost), no false positive, but less formats supported
** Comes with '''dupemap''', a very handy tool to delete duplicates in recovered files (can work also against a backup to keep only new recovered files).<br>Example: dupemap delete,report /path/recovered
** To compile correctly dupemap, install libgdbm-dev
* '''[http://www.rfc1149.net/devel/recoverjpeg recoverjpeg]'''
** Idem but focuses on jpeg only
** apt-get install recoverjpeg
* photorec
** This one comes with testdisk, promises a lot of different formats (pdf, raw images, zip, wma etc etc) but seems to create a lot of false positive (at least experienced with mpg)
** apt-get install testdisk

===Recovering information from files===
* '''[http://www.workshare.com/products/trace/ Trace!]''' by Workshare
** Windows-based tool for showing all Microsoft Office documents meta-information
** Quite heavy and requires Microsoft .NET to be installed

==Anti-forensic resources==
* wipe: secure file deletion
** To wipe a max of the unallocated space of e.g. hda1, just create a big file and wipe it: (this doesn't wipe slack space!)
** dd if=/dev/zero of=/bigfile bs=512 count=$((2*$(df |gawk '/hda1/{print $4}')))
* secure-delete: tools to wipe files, free disk space, swap and memory
* [http://dban.sourceforge.net Darik's Boot and Nuke (dban)]: secure harddrive deletion
* [http://www.sysinternals.com/Utilities/SDelete.html SDelete] from Sysinternals
* [http://www.phrack.org/phrack/59/p59-0x06.txt Defeating Forensic Analysis on Unix]
* [http://hack.lu/images/8/80/Venema.ppt Software Engineering Security (PPT)] by Wietse Venema at Hack.lu 2006
* [http://www.iusmentis.com/security/filewiping/realdelete/ Article at Ius Mentis]

==Old stuff...==

===Récupération des données volatiles===
====Identification====
*Nom du système et version
**uname -a
*Date et heure
**date
* Paramètres réseau
**ifconfig | grep "inet addr"
====Configuration====
* Uptime
**uptime
* Applications installées
**rpm -qa OU dpkg --get-selections
* Configuration réseau
** ifconfig -a
* Table de routage
**netstat -arn
* Stratégie de mots de passe
** cat /etc/pam.d/passwd -> /etc/pam.d/other -> /etc/pam.d/common-password
* Comptes utilisateurs
** cat /etc/passwd
* Groupes
** cat /etc/groups
====Activité====
* Utilisateurs connectés
** w (who)
* Processus en exécution
**ps auwx
* Sockets ouvertes & processus propriétaires
** netstat -anptuw
** s'aider éventuellement de /etc/services
* Table ARP
** arp -a
====Historique====
* Connexions locales & distantes
**last -f /var/log/wtmp (et autres wtmp.N...)
* Echecs de connexion
** cf syslog
* Derniers fichiers accédés
**ls -alRu
* Dernière connexion de chaque utilisateur
**lastlog (lastlog|grep -v "\*\*.*\*\*")
* Dernières commandes passées
**history (à faire pour chaque user ou cat ~/.bash_history ou cat ~/.history)
====Sniffers====
*ifconfig -a|grep PROMISC
*Processus ayant ouvert un fichier
*lsof...
*Processus ayant ouvert une socket
**for fd in $(find /proc -name fd); do echo $fd; ls -al $fd|grep socket;done;
====Dump de la RAM====
* copier /proc/kcore
===Récupération des données persistantes===
* dd
* dd_rescue (apt-get install ddrescue), see also gddrescue
** error-tolerant version of dd for rescuing data
* strings
* file
* md5sum

==See also==
* [[Forensics on Incidents]]
* [[Network Security]]

YobiWiki - User contributions [en]

Forensics on Incident 2

Table of contents

Forensics