Forensics HowTo
How to start?
DO NOT:
- restart the system
- kill the processes
- delete malicious files
MAKE SURE THE SYSTEM WAS HACKED:
- check system logs
- check commands history
- check login history
- check monitoring graphs for any abnormalities
- check running processes: top, ps, netstat, lsof
- If you connect to the system remotely, e.g. over ssh, avoid using credentials that can be reused on other systems and consider them lost: change them as soon as possible
- Don't store data on the hard drive:
  - set HISTFILE to /dev/null
  - store temporary files on a tmpfs-backed filesystem (in RAM), on a remote host or on a USB drive
OK, SYSTEM WAS COMPROMISED. HOW TO CONTINUE?
Isolate the system
- unplug the network cable or apply the necessary firewall rules
- if it is a virtual machine, create a snapshot
First analysis
- How did the intruder get in?
- When did that happen?
- What kind of activity was performed on the server? (what was changed, installed, what kind of processes are running)
- Inform CSIRT about your discoveries.
Acquire live data
- collect network data
- collect user logins
- check running processes
- check open files
- check mounted devices
- check loaded kernel modules
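The "Acquire live data" steps above, together with the HISTFILE/tmpfs precautions from the first section, as an added example script (not part of the original HowTo). It assumes Linux, root, and an evidence directory on a tmpfs, remote or USB mount; tools missing on the host are logged as skipped rather than aborting the collection.

```shell
#!/bin/sh
# Live-data collection for a suspected compromise (added example, not part of the
# original HowTo). Assumptions: Linux, run as root, and the evidence directory
# passed in sits on a tmpfs, USB or remote mount so the compromised disk is not
# written to. Tools that are missing on the host are logged as skipped, not fatal.
HISTFILE=/dev/null; export HISTFILE     # keep this shell from writing history to disk

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# run_if TOOL NAME CMD...: if TOOL exists, run CMD, save output as NAME.txt and
# record the exit status; otherwise record that NAME was skipped.
run_if() {
  tool=$1; name=$2; shift 2
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf '%s %s skipped (%s not found)\n' "$(stamp)" "$name" "$tool" >> "$EVIDENCE/collection.log"
    return 0
  fi
  if "$@" > "$EVIDENCE/$name.txt" 2>&1; then rc=0; else rc=$?; fi
  printf '%s %s exit=%s\n' "$(stamp)" "$name" "$rc" >> "$EVIDENCE/collection.log"
}

# collect_live_data EVIDENCE_DIR: gather the volatile data the checklist names,
# most volatile first, then hash everything so later analysis can prove integrity.
collect_live_data() {
  EVIDENCE=$1
  mkdir -p "$EVIDENCE" || return 1
  if command -v findmnt >/dev/null 2>&1; then   # heuristic warning: evidence on local disk?
    fs=$(findmnt -n -o FSTYPE -T "$EVIDENCE" 2>/dev/null) || fs=unknown
    case $fs in tmpfs|nfs*|cifs|vfat|exfat) ;; *) echo "WARNING: $EVIDENCE is on $fs" >&2 ;; esac
  fi
  run_if ss      net_sockets     ss -tunap                 # sockets with owning PIDs
  run_if netstat net_sockets_old netstat -tunap            # same view for hosts without ss
  run_if who     logins_active   who -a
  run_if last    logins_history  last -aiF
  run_if ps      processes       ps -eo pid,ppid,user,lstart,etime,cmd
  run_if lsof    open_files      lsof -nP                  # also shows deleted-but-open binaries
  run_if mount   mounts          mount
  run_if lsmod   kernel_modules  lsmod
  run_if cat     proc_modules    cat /proc/modules          # raw kernel view, cross-check lsmod
  ( cd "$EVIDENCE" && sha256sum *.txt > SHA256SUMS ) 2>/dev/null || true
  echo "$EVIDENCE"
}
```

Run it as `collect_live_data /mnt/evidence/$(uname -n)` and keep `collection.log` and `SHA256SUMS` with the evidence; an exit status other than 0 in the log means that tool ran but failed and its output should be treated with suspicion.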
Run forensics:
- check the abnormalities in the collected data
- dump a core of the processes (use gcore or gdb)
- collect filesystem metadata
- save all open files
- copy files from /proc for the suspicious processes