Linux DFIR Commands

Dumping Memory

dd if=/dev/kmem of=/root/kmem
dd if=/dev/mem of=/root/mem
Note: /dev/kmem is absent on modern kernels and /dev/mem is usually restricted to the low memory range (CONFIG_STRICT_DEVMEM), so on current systems a kernel-module acquisition tool such as LiME or LinPMem below is normally required.
LiME

sudo insmod ./lime.ko "path=./Linmen.mem format=raw"
LinPMem

./linpmem -o memory.aff4
./linpmem memory.aff4 -e PhysicalMemory -o memory.raw

Taking Image

fdisk -l
dd if=/dev/sda1 of=/[outputlocation]

Misc Useful Tools

FastIR

python ./fastIR_collector_linux.py
LinEnum

./linenum.sh
./linenum.sh -t

Live Triage

System Information

date
uname -a
hostname
cat /proc/version
lsmod

Account Information

cat /etc/passwd
cat /etc/shadow
cat /etc/sudoers
cat /etc/sudoers.d/*
cut -d: -f1 /etc/passwd
getent passwd | cut -d: -f1
compgen -u

Current user

whoami
who

Last logged on users

last
lastb
cat /var/log/auth.log

Initialization Files

cat /etc/bash.bashrc
cat ~/.bash_profile
cat ~/.bashrc

Environment and Startup Programs

cat /etc/profile
ls /etc/profile.d/
cat /etc/profile.d/*

Scheduled Tasks

ls /etc/cron.*
ls /etc/cron.*/*
cat /etc/cron.*/*
cat /etc/crontab

SSH Keys and Authorized Users

cat /etc/ssh/sshd_config
Note: The AuthorizedKeysFile directive in sshd_config specifies where the SSH daemon looks for authorized public keys. By default this is ~/.ssh/authorized_keys for each user, which the commands below enumerate.

ls /home/*/.ssh/*
cat /home/*/.ssh/id_rsa.pub
cat /home/*/.ssh/authorized_keys

Sudoers File (who can run commands as a different user)

cat /etc/sudoers

Configuration Information

ls /etc/*.d
cat /etc/*.d/*

Network Connections / Socket Stats

netstat
netstat -apetul
netstat -plan
netstat -plant
ss
ss -l
ss -ta
ss -tp

IP Table Information

ls /etc/iptables
cat /etc/iptables/*.v4
cat /etc/iptables/*.v6
iptables -L

Network Configuration

ifconfig -a

Browser Plugin Information

ls -la ~/.mozilla/plugins
ls -la /usr/lib/mozilla/plugins
ls -la /usr/lib64/mozilla/plugins
ls -la ~/.config/google-chrome/Default/Extensions/

Kernel Modules and Extensions

ls -la /lib/modules/*/kernel/*

Process Information

ps -s
ps -l
ps -o
ps -t
ps -m
ps -a
top

Search files recursively in directory for keyword

grep -H -i -r "password" /

Process Tree

ps -auxwf

Open Files and space usage

lsof
du

Pluggable Authentication Modules (PAM)

cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/

Disk / Partition Information

fdisk -l

Trace Network Activity of a Process

strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>
strace -f -e trace=network -s 10000 -p <PID>

Note: Below material with thanks to Craig Rowland - Sandfly Security

Detailed Process Information

ls -al /proc/[PID]
Note:
  • cwd = current working directory of the process (for malware, often where it was launched from or drops files)
  • exe = location of the running binary, and whether it has been deleted from disk (the link target ends in "(deleted)")
  • Most common timestamp on the entries = when the process was created

Recover deleted binary which is currently running

cp /proc/[PID]/exe /[destination]/[binaryname]

Capture Binary Data for Review

cp -r /proc/[PID]/ /[destination]/[PID]/

Binary hash information

sha1sum /[destination]/[binaryname]
md5sum /[destination]/[binaryname]

Process Command Line Information

cat /proc/[PID]/cmdline
cat /proc/[PID]/comm
Note:
  • Significant differences between the above two outputs and the binary name that /proc/[PID]/exe points to can indicate malicious software attempting to remain undetected, since argv[0] and the process name can be set freely while exe reflects the file actually executed.

Process Environment Variables (incl user who ran binary)

strings /proc/[PID]/environ
cat /proc/[PID]/environ

Process file descriptors/maps (what the process is 'accessing' or using)

ls -al /proc/[PID]/fd
cat /proc/[PID]/maps

Process stack/status information (may reveal useful elements)

cat /proc/[PID]/stack
cat /proc/[PID]/status

Deleted binaries which are still running

ls -alr /proc/*/exe 2> /dev/null | grep deleted

Process Working Directories (including common targeted directories)

ls -alr /proc/*/cwd
ls -alr /proc/*/cwd 2> /dev/null | grep tmp
ls -alr /proc/*/cwd 2> /dev/null | grep dev
ls -alr /proc/*/cwd 2> /dev/null | grep var
ls -alr /proc/*/cwd 2> /dev/null | grep home
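The per-process checks in the sections above (deleted exe, suspicious cwd, and comm/argv[0] disagreeing with exe) are combined here into a single sweep over /proc. This is an added example, not part of the original page or of Sandfly's material; the proc root is a parameter so it can be pointed at a live /proc or at a copied /proc tree, and the cwd prefixes treated as suspicious are an assumption taken from the grep list above.

```shell
#!/bin/sh
# Added example: one pass over a /proc tree, reporting the indicators
# described above for every PID directory it finds.

proc_triage() {
    root="${1:-/proc}"
    for p in "$root"/[0-9]*; do
        [ -d "$p" ] || continue
        pid="${p##*/}"
        # readlink prints the target even for a dangling link, which is how
        # the " (deleted)" suffix the kernel appends becomes visible.
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="?"
        cwd=$(readlink "$p/cwd" 2>/dev/null) || cwd="?"
        comm=$(cat "$p/comm" 2>/dev/null)
        # cmdline is NUL separated; the first field is argv[0].
        argv0=$(tr '\0' '\n' < "$p/cmdline" 2>/dev/null | head -n 1)
        exe_base="${exe% (deleted)}"; exe_base="${exe_base##*/}"
        flags=""
        case "$exe" in *" (deleted)") flags="$flags DELETED_EXE";; esac
        # Assumed list of working directories worth a second look.
        case "$cwd" in /tmp|/tmp/*|/dev|/dev/*|/var/tmp|/var/tmp/*)
            flags="$flags SUSPICIOUS_CWD";; esac
        # comm is the executed filename truncated to 15 chars; argv[0] is
        # attacker controlled. Either disagreeing with exe is an indicator
        # (symlinked interpreters such as python3 -> python3.11 also hit).
        if [ -n "$exe_base" ] && [ "$exe_base" != "?" ]; then
            if [ "$comm" != "$(printf '%s' "$exe_base" | cut -c1-15)" ] ||
               [ "${argv0##*/}" != "$exe_base" ]; then
                flags="$flags NAME_MISMATCH"
            fi
        fi
        flags="${flags# }"
        printf '%s\t%s\texe=%s\tcwd=%s\tcomm=%s\targv0=%s\n' \
            "$pid" "${flags:-OK}" "$exe" "$cwd" "$comm" "$argv0"
    done
}

# Only the processes that raised at least one indicator.
proc_triage_flagged() {
    proc_triage "$1" | awk -F'\t' '$2 != "OK"'
}
```

Run `proc_triage_flagged` as root on the live host to get the full picture; unprivileged users cannot read exe/cwd of other users' processes, which shows up as "?".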

Hidden Directories and Files

find / -type d -name ".*"

Immutable Files and Directories (Often Suspicious)

lsattr / -R 2> /dev/null | grep "\----i"

SUID/SGID and Sticky Bit Special Permissions

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

File and Directories with no user/group name

find / \( -nouser -o -nogroup \) -exec ls -lg {} \;

File types in current directory

file * -p

Executables on file system

find / -type f -exec file -p '{}' \; | grep ELF

Hidden Executables on file system

find / -name ".*" -exec file -p '{}' \; | grep ELF

Files modified within the past day

find / -mtime -1

Persistent Areas of Interest

/etc/rc.local
/etc/init.d
/etc/rc*.d
/etc/modules
/etc/cron*
/var/spool/cron/*
/usr/lib/cron/
/usr/lib/cron/tabs

Audit Logs

ls -al /var/log/*
ls -al /var/log/*tmp
utmpdump /var/log/btmp
utmpdump /var/run/utmp
utmpdump /var/log/wtmp

Installed Software Packages

ls /usr/bin/
ls /usr/local/bin/