Linux Forensics

Description

In this course, you will learn:

• Live response
  • First talk to the humans
    • What do they think happened
    • Details on victim system(s)
  • Mount response kit with known good tools
    • cdrom preferred as it was not likely part of compromise
    • USB MS can be used if no CDROM
  • Using netcat to minimize contamination
  • Collecting volatile data
    • date and time
    • network interfaces 
      • funny networks
      • promiscuous mode?
    • network connections
    • open ports
    • programs associated with ports
    • running processes
    • open files
    • routing tables
    • mounted filesystems
    • loaded kernel modules
  • Collecting data to determine if dead analysis is justified
    • kernel version
    • uptime
    • filesystem datetime stamps
    • hash values for system files
    • current user logins
    • login history
    • system logs
    • user accounts
    • user history files
    • hidden files and directories
    • sending off suspicious files for further study
  • Dumping RAM
    • Making the decision to dump RAM
    • Using fmem
    • Using LiME
    • Using /proc/kcore
• Acquiring filesystem images
  • Using dd
  • Using dcfldd
  • Write blocking options
    • Forensic Linux distros
    • Udev rules based blocker
• Analyzing filesystem images
  • Mounting images
    • Files with basic system info
    • Files with suspicious user info
    • Examining logs
    • Process-related files
    • Authentication-related files 
    • Using standard Linux tools to find information
    • Strange files
      • Regular files in /dev
      • User history files
      • Hidden files
      • SUID/SGID files
      • Detecting backdated files
    • Recovering deleted files
      • Finding deleted files
      • Attempting recovery
  • Leveraging The Sleuth Kit (TSK) and Autopsy
    • mmls
    • fsstat
    • dstat
    • istat
    • fls & mactime
• Timeline Analysis
  • When was system installed, upgraded, booted, etc.
  • Newly created files (malware)
  • Changed files (trojans)
  • Files in the wrong place (exfiltration)
• Digging deeper into Linux filesystems
  • Disk editors
    • Active@ Disk Editor
    • Autopsy
  • ExtX
    • Basics
      • Superblocks
      • Directory entries
      • Inodes
      • Data blocks
    • Compatible, incompatible, and read-only compatible features
    • Experimental features may be installed
    • Boot code
    • Using sigfind to find important blocks
    • Understanding indirect block levels
    • istat, ils, ifind, icat
    • Links and mounts
    • Hash trees
    • Journaling
      • jls
      • jcat
    • Finding data with blkstat, blkls, blkfind, blkid, and blkcalc
    • Relating data found with grep to a file/application
      • Finding block size, etc.
      • Using grep with a keyword file
      • Seeing data in context
      • Associating a file with the data
    • Undeleting files
    • Searching unallocated space
• Network forensics
  • Using snort on packet captures
  • Using tcpstat
  • Seperating conversations with tcpflow
  • Tracing backdoors with tcpflow
• File forensics
  • Using file signatures
  • Searching through swap space
  • Web browsing reconstruction
    • Cookies
    • Search history
    • Browser caches
  • Unknown files
    • Comparing hashes to know values
    • File command
    • Strings command
    • Viewing symbols with nm
    • Reading ELF files 
    • objdump
    • Bringing out big guns - gdb
• Memory Forensics 
  • Volatility Profiles
  • Retrieving process information
  • Recovering command line arguments
  • Rebuilding environment variables
  • Listing open files
  • Retrieving bash information
  • Reconstructing network artifacts
  • Kernel information
  • Volatile file system information
  • Detecting user mode rootkits
  • Detecting kernel rootkits
• Reversing Linux Malware
  • Digging deeper into ELF
    • Headers
    • Sections
    • Strings
    • Symbol tables
    • Program headers
    • Program loading
    • Dynamic linking
  • Command line analysis tools
    • strings
    • strace
    • ltrace
  • Running malware (carefully)
    • Virtual machine setup
    • Capturing network traffic
    • Leveraging gdb
• Writing the reports
  • Autopsy
  • Dradis
  • OpenOffice

Syllabus:

• Forensic Basics: Introduction  
• Forensic Basics: First Steps  
• Creating a Linux Forensics USB Drive Part 1  
• Creating a Linux Forensics USB Drive Part 2  
• Starting an Investigation Part 1  
• Starting an Investigation Part 2: Netcat  
• Starting an Investigation Part 3: Server Scripts  
• Starting an Investigation Part 4: Client Scripts  
• Starting an Investigation Part 5: Running Scripts  
• Starting an Investigation Part 6: What to Collect?  
• Starting an Investigation Part 7: Collecting Initial Data  
• Starting an Investigation Part 8: Analyzing the Log  
• Live Analysis Part 1: First Steps  
• Live Analysis Part 2: Memory Acquisition Basics  
• Live Analysis Part 3: Compiling LiME  
• Live Analysis Part 4: Dumping RAM with LiME  
• Shutting down the subject system  
• Making Filesystem Images  
• Making Filesystem Images (contd.)  
• Software Write Blocking with udev Rules  
• Creating an Image from a Physical Drive
• Mounting Images: MBR Basics  
• Mounting Images: MBR Basics part 2  
• Mounting Images: Extended Partitions  
• Mounting Images: Mounting Extended Partitions with Python  
• Mounting Images: GUID Partitions  
• Mounting Images: GUID Partitions with Python  
• Mounting Images: Building a timeline as a CSV  
• Mounting Images: Building a timeline as a CSV part 2  
• Mounting Images: Creating a MySQL database with file metadata  
• Mounting Images: Importing passwd and group files into Database  
• Mounting Images: Creating a timeline in the Database  
• Mounting Images: Examining the Timeline  
• Mounting Images: Extracting user Bash History files  
• Mounting Images: Examining user Bash History Files  
• Mounting Images: Extracting System Logs  
• Mounting Images: Examining System Logs  
• Mounting Images: Extracting Login Information  
• Mounting Images: Examining Login Information  
• Filesystem Analysis: EXT Filesystem Basics  
• Filesystem Analysis: Superblocks  
• Filesystem Analysis: EXT Filesystem Compatible Features  
• Filesystem Analysis: EXT Filesystem In-Compatible Features  
• Filesystem Analysis: EXT filesystem Read-Only Compatible Features  
• Filesystem Forensics: Reading the Superblock with Python  
• Filesystem Analysis: Reading the Block Group Descriptors with Python  
• Filesystem Analysis: Combining Superblock and Group Descriptor Information  
• Filesystem Analysis: Running our Final Script  
• Inodes: Finding things that are out of place  
• Inodes: Using Python to find out of place Inodes  
• Inodes: Digging Deeper  
• Inodes: using builtin tools and the Sleuth Kit  
• Inodes: Extensions and Details  
• Inodes: From Inode to File  
• Inodes: adding support for Extents for our Python Scripts  
• Inodes: Connecting Inodes to file and directory entries  
• Extending Python code to cat files using Inode Numbers  
• Inodes: using Python to read directories from Inode numbers  
• Inodes and extended Attributes  
• Inodes: Using Python to read extended attributes from an Image  
• Memory Analysis Part 1: Building a Volatility Profile  
• Memory Analysis Part 2: Getting Process Information with Volatility  
• Memory Analysis Part 3: More about Processes 
• Memory Analysis Part 4: Process Maps and Dumps  
• Memory Analysis Part 5: Getting Base Information from Volatility  
• Memory Analysis Part 6: Using Volatility Check Plugins  
• Memory Analysis Part 7: Getting Network Information  
• Memory Analysis Part 8: Getting Filesystem Information with Volatility  
• Memory Analysis Part 9: More Filesystem Information  
• Introducing a more Advanced Attack  
• Running Scripts against our Second Subject  
• Analysis Results of running initial Scan  
• Banner Grabbing the Second Subject  
• Using Volatility Process Listing Commands on Pas2  
• Digging Deeper into Suspicious Processes  
• Using Volatility to create process maps  
• Examining Bash Histories  
• Using Volatility Check Functions  
• Using Volatility Networking Functions  
• Using Volatility Filesystem Functions  
• Filesystem Analysis Part 1: Webserver Logs  
• Filesystem Analysis Part 2: Webserver Vulnerabilities  
• Filesystem Analysis Part 3: MySQL Logs  
• Filesystem Analysis Part 4: Hidden Directories  
• Filesystem Analysis Part 5: Creating a Timeline  
• Filesystem Analysis Part 6: Web Payloads  
• Filesystem Analysis Part 7: Packet Captures  
• Filesystem Analysis Part 8: Login  
• Malware Part 1: the File Command  
• Malware Part 2: is it a known file?  
• Malware Part 3: using Strings  
• Malware Part 4: using NM  
• Malware Part 5: using LDD  
• Malware Part 6: Intro into ELF  
• Malware Part 7: More fun with Readelf  
• Malware Part 8: Looking into Program Sections and Segments  
• Malware Part 9: Setting up a Sandbox  
• Malware Part 10: Strace  
• Malware Part 11: Ltrace  
• Malware Part 12: GDB Disassembly  
• Malware Part 13: GDB Info Functions  
• Malware Part 14: Running xingyi_bindshell in GDB  
• Malware Part 15: Running xingyi_bindshell in GDB  
• Malware Part 16: Obfuscation  
• The Road Ahead