Forensics HowTo

How to start?

DO NOT:

  • restart the system
  • kill the processes
  • delete malicious files

MAKE SURE THE SYSTEM WAS HACKED:

  • check system logs
  • check commands history
  • check login history
  • check monitoring graphs for any abnormalities
  • check running processes and network connections: top, ps, netstat (or ss), lsof; keep in mind that a rootkit can hide from these tools, so compare their output with /proc where in doubt
  • If you connect to the system remotely (e.g. over ssh), avoid credentials that are also valid on other systems; any credential used on the compromised host must be considered stolen and changed as soon as possible
  • Don't write anything to the system's hard drive (you would overwrite evidence, including deleted files in unallocated space):
    • Set HISTFILE to /dev/null (or unset it) so your shell history is not written to disk
    • Keep temporary files on a tmpfs-backed filesystem (in RAM), on a remote system, or on a USB drive
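The session setup and first-pass checks above, as an added example (not part of the original howto): a small POSIX shell script that disables history persistence, creates a RAM-backed working directory, runs the first-pass commands that are present on the host, and flags tampered shell histories (an empty or /dev/null-linked .bash_history on an active account is a common attacker trace). It assumes a Linux host with GNU coreutils and /dev/shm mounted as tmpfs; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original howto. Assumes Linux with GNU
# coreutils and /dev/shm mounted as tmpfs. Function names are illustrative.

# Stop this shell from writing command history to the suspect disk.
disable_history() {
    HISTFILE=/dev/null
    export HISTFILE
}

# Create a working directory on RAM-backed storage. Falls back to an ordinary
# temp dir (with a warning) when /dev/shm is not tmpfs, so evidence is at
# least kept in one place instead of scattered over the suspect filesystem.
ram_workdir() {
    base=/dev/shm
    if [ "$(stat -f -c %T "$base" 2>/dev/null)" != "tmpfs" ]; then
        echo "warning: $base is not tmpfs, falling back to \$TMPDIR" >&2
        base=${TMPDIR:-/tmp}
    fi
    mktemp -d "$base/ir.XXXXXX"
}

# Look for tampered shell histories under the given homes root (/home, or /
# to pick up /root). Attackers often truncate .bash_history or link it to
# /dev/null; an empty or symlinked history on an active account is a flag.
history_status() {   # history_status <homes-root>
    root=$1
    for h in "$root"/*/.bash_history; do
        [ -e "$h" ] || [ -L "$h" ] || continue
        if [ -L "$h" ]; then
            echo "SUSPICIOUS symlink $h -> $(readlink "$h")"
        elif [ ! -s "$h" ]; then
            echo "SUSPICIOUS empty $h"
        else
            echo "ok $h $(stat -c '%s bytes, modified %y' "$h")"
        fi
    done
}

# First-pass checks from the list above; each available tool's output goes
# to a separate file in the RAM workdir. Missing tools are skipped silently.
quick_checks() {   # quick_checks <workdir>
    out=$1
    for cmd in "last -F" "lastlog" "who -a" "ps auxwwf" "ss -tunap" \
               "netstat -tunap" "lsof -nP"; do
        name=$(echo "$cmd" | cut -d' ' -f1)
        command -v "$name" >/dev/null 2>&1 || continue
        $cmd > "$out/$name.txt" 2>&1
    done
    history_status /home  > "$out/history.txt"
    history_status /     >> "$out/history.txt"   # covers /root/.bash_history
    journalctl -xb > "$out/journal.txt" 2>/dev/null \
        || cp /var/log/auth.log "$out/" 2>/dev/null || true
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    disable_history
    d=$(ram_workdir)
    quick_checks "$d"
    echo "triage output in $d"
fi
```

Copy the script to the RAM workdir or pipe it over ssh rather than saving it on the suspect disk; `sh triage.sh run` executes the checks, while `. ./triage.sh` only defines the functions so you can call `history_status /home` by hand.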

OK, SYSTEM WAS COMPROMISED. HOW TO CONTINUE?

Isolate the system

  • unplug the network cable or apply the necessary firewall rules (this also drops the attacker's live connections, so record the current network state first if you can)
  • if it is a virtual machine, create a snapshot that includes the memory state

First analysis

  • How did the intruder get in?
  • When did that happen?
  • What kind of activity was performed on the server? (what was changed or installed, what kind of processes are running)
  • Inform your CSIRT about your findings.

Acquire live data

  • collect network data
  • collect user logins
  • check running processes
  • check open files
  • check mounted devices
  • check loaded kernel modules

Run forensics:

  • check the abnormalities in the collected data
  • dump a core of suspicious processes (use gcore or gdb)
  • collect filesystem metadata (timestamps, owners, sizes) for a timeline
  • save all open files, including deleted files still held open, which remain readable through /proc/<pid>/fd
  • copy the relevant entries from /proc (e.g. /proc/<pid>/cmdline, environ, maps and exe)
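The live-data acquisition and forensics steps above, as an added example (not part of the original howto): a POSIX shell script that collects the volatile data in order of volatility (network and process state first, filesystem metadata last), captures a process from /proc including its executable even when that was deleted from disk, hunts for such deleted executables system-wide, and seals the output with a SHA-256 manifest so later tampering can be detected. It assumes Linux with GNU coreutils and findutils; gcore (from gdb) is optional. The output directory, function names and the `OUT` variable are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original howto. Assumes Linux with GNU
# coreutils/findutils; gcore is optional. Run as root. Point $OUT at RAM,
# a remote mount or a USB drive, never at the suspect disk.

# Run a command if it exists, saving stdout+stderr as $OUT/<name>.
save() {   # save <file-name> <command...>
    name=$1; shift
    command -v "$1" >/dev/null 2>&1 || { echo "skip: $1 not found" >&2; return 0; }
    "$@" > "$OUT/$name" 2>&1
}

# Volatile state: network, logins, processes, open files, mounts, modules.
collect_volatile() {
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUT/acquired_at.txt"
    save net_if.txt     ip addr
    save net_route.txt  ip route
    save net_neigh.txt  ip neigh
    save net_conn.txt   ss -tunap
    save logins_w.txt   w
    save logins_last.txt last -F
    save ps.txt         ps -eo pid,ppid,user,lstart,etime,stat,cmd --forest
    save lsof.txt       lsof -nP
    save mounts.txt     cat /proc/mounts
    save modules.txt    cat /proc/modules
}

# Per-process capture from /proc: metadata, memory map, environment and the
# executable itself, which /proc/<pid>/exe still serves if it was deleted.
dump_process() {   # dump_process <pid>
    pid=$1; d="$OUT/proc_$pid"; mkdir -p "$d"
    for f in cmdline environ status maps stat; do
        cp "/proc/$pid/$f" "$d/$f" 2>/dev/null || true
    done
    ls -l "/proc/$pid/exe" "/proc/$pid/cwd" "/proc/$pid/fd" > "$d/links.txt" 2>&1
    cp "/proc/$pid/exe" "$d/exe.bin" 2>/dev/null || true
    if command -v gcore >/dev/null 2>&1; then
        gcore -o "$d/core" "$pid" >/dev/null 2>&1 || true
    fi
}

# Processes whose executable is gone from disk: a common sign of malware that
# deletes itself after starting. Prints "pid path" and dumps each one.
find_deleted_exes() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") echo "$pid $target"; dump_process "$pid" ;;
        esac
    done
}

# Filesystem metadata as a bodyfile-style timeline, oldest mtime first:
# mtime|atime|ctime|mode|uid|gid|size|path. -xdev stays on the root
# filesystem; repeat for other mount points as needed.
collect_fs_metadata() {
    find / -xdev -printf '%T@|%A@|%C@|%m|%U|%G|%s|%p\n' 2>/dev/null \
        | sort -t'|' -k1,1n > "$OUT/timeline.txt"
}

# Hash everything collected so later modification is detectable.
seal() {
    ( cd "$OUT" && find . -type f ! -name manifest.sha256 -print0 \
        | xargs -0 -r sha256sum ) > "$OUT/manifest.sha256"
}

# Verify a sealed output directory; returns 0 only if nothing changed.
verify_seal() {   # verify_seal <dir>
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null )
}

if [ "${1:-}" = "run" ]; then
    OUT=${2:?usage: $0 run <output-dir>}; mkdir -p "$OUT"
    collect_volatile
    find_deleted_exes > "$OUT/deleted_exes.txt"
    collect_fs_metadata
    seal && echo "evidence sealed in $OUT"
fi
```

`sh acquire.sh run /mnt/usb/case-001` runs the whole sequence; copy manifest.sha256 somewhere the attacker cannot reach (or record its hash out of band) right after sealing, since a manifest that sat on the same medium as the evidence proves little. Memory itself (a full RAM image with a tool such as LiME or avml) is more volatile than anything here and, if you plan to take one, should come before this script.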