
Forensic Analysis

Grab all the ssh passwords

    strace -o /tmp/sshd.strace -f -e write -p 'sshd pid'
    cat /tmp/sshd.strace | perl -ne 'print "$1\n" if m|^\d+\s+write\(\d+,\s+"\\0\\0\\0\\10(.*)"|'

Forensic Image

Here it is important to capture everything, so do the following. On the forensic image (the receiving machine):
    nc -p 6666 -l > file
On the machine under investigation (forensic_host is the address of the receiving machine):
    cat data | nc -w 3 forensic_host 6666
Then capture more with:
    dd < /dev/kmem > output
    dd < /dev/mem > output
    dd < /dev/rswap > output
    netstat -an > output
    netstat -rn > output
    arp -a > output
    lsof > output
    lastlog
    lastcomm
    ps auxeww
    ps -ealf
    ils device            inode unallocated and/or refcount=0      list removed files
    ils -o device         inode allocated, refcount=0              list removed but still open files
    ils -l device         inode allocated/unallocated              existing and removed files
    ils device inode      one specific inode
    bin/mactime           finds all files accessed in a certain time window
    
    
Make sure you analyze the important log files and also save a stat of the important files! All of this can be done with The Coroner's Toolkit (TCT), using grave-robber (start: bin/grave-robber).
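The two steps above (saving a stat of important files, then finding everything touched inside a time window with mactime) reduce to a small timeline tool. The following is an added example written for this page, not code from TCT or from the original notes: it records the m/a/c times of a file list the way a saved stat would and filters them mactime-style. The file names and timestamps in demo() are constructed sample data.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class MacRecord:
    path: str
    kind: str    # "m" modified, "a" accessed, "c" inode changed
    ts: float    # seconds since the epoch


def collect_mac(paths: Iterable[str]) -> List[MacRecord]:
    """Take a stat of each path and keep one record per MAC time."""
    out = []
    for p in paths:
        st = os.lstat(p)  # lstat so a symlink itself is recorded, not its target
        out.append(MacRecord(p, "m", st.st_mtime))
        out.append(MacRecord(p, "a", st.st_atime))
        out.append(MacRecord(p, "c", st.st_ctime))
    return out


def mactime(records: Iterable[MacRecord], start: float, end: float) -> List[MacRecord]:
    """Keep records with start <= ts < end, oldest first (mactime-style window)."""
    hits = [r for r in records if start <= r.ts < end]
    return sorted(hits, key=lambda r: (r.ts, r.path, r.kind))


def format_timeline(records: Iterable[MacRecord]) -> List[str]:
    """Render records as 'YYYY-mm-dd HH:MM:SS <m|a|c> <path>' lines, in UTC."""
    return [time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r.ts))
            + f" {r.kind} {r.path}" for r in records]


def demo() -> List[str]:
    """Constructed sample: two files, one with a/m times forced back to 2001."""
    d = tempfile.mkdtemp()
    old = os.path.join(d, "inetd.conf")   # hypothetical file names
    new = os.path.join(d, "messages")
    for p in (old, new):
        open(p, "w").close()
    os.utime(old, (1000000000, 1000000100))   # atime, mtime; ctime stays "now"
    window = (1000000000, 1000000200)         # 2001-09-09 01:46:40 .. 01:50:00 UTC
    return format_timeline(mactime(collect_mac([old, new]), *window))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Only the two forced timestamps of inetd.conf fall inside the window; its ctime and all of messages' times are current and drop out, which is exactly the filtering mactime does over a real grave-robber body file.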

Analysis of Processes

  • stop the process first:
        kill -STOP PID
  • create a core of the running process:
        gcore PID
  • recover a deleted or running file by inode number:
        icat /dev/hdc1 12345 > 12345.out
  • dump the memory of a process:
        pcat 1234 > pcat.1234
  • run strings on the core file
  • strace -p pid
        -f                          follow child processes
        -e trace=read,write         only read/write calls
        -e read=6                   show everything read from fd 6

  • analyze the program with
        nm
        strings
        file

    Rootkit?

    Checking for a rootkit? Go here.


    CopyLeft (l) 2003 by Raffael Marty