Linux DFIR Commands
Dumping Memory
Taking Image
Misc Useful Tools
Live Triage
System Information
Account Information
Current user
Last logged on users
Initialization Files
Environment and Startup Programs
Scheduled Tasks
SSH Keys and Authorized Users
Note: The SSH daemon's configuration specifies where it will look for authorized keys. Generally this will be as below.
Sudoers File (who can run commands as a different user)
Configuration Information
Network Connections / Socket Stats
IP Table Information
Network Configuration
Browser Plugin Information
Kernel Modules and Extensions
Process Information
Search files recursively in directory for keyword
Process Tree
Open Files and space usage
Pluggable Authentication Modules (PAM)
Disk / Partition Information
Note: Below material with thanks to Craig Rowland - Sandfly Security
Detailed Process Information
Note:
CWD = Current Working Directory of Malware
EXE = Binary location and whether it has been deleted
Most Common Timestamp = When process was created
Recover deleted binary which is currently running
Capture Binary Data for Review
Binary hash information
Process Command Line Information
Note:
Significant differences between the two outputs above, or between either of them and the binary name under /proc/[PID]/exe, can indicate malicious software attempting to remain undetected.
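The checks described in the two notes above, as an added example that is not part of the original cheatsheet: a POSIX shell script that reads cwd, exe, comm and cmdline for a PID, flags a deleted binary and a name mismatch, and scans a whole process tree. PROC_ROOT is an assumed knob, and build_sample_proc creates a constructed stand-in for /proc so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet: walk /proc/[PID] as the
# "Detailed Process Information" and "Process Command Line" notes describe, and flag
# binaries deleted after launch or comm/cmdline/exe names that disagree.
# PROC_ROOT is an assumed knob so the checks can run against a constructed tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print: pid cwd=... exe=... deleted=yes|no comm=... argv0=... mismatch=yes|no
inspect_pid() {
  d="$PROC_ROOT/$1"
  [ -d "$d" ] || return 1
  cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd='?'
  exe=$(readlink "$d/exe" 2>/dev/null) || exe='?'
  comm=$(cat "$d/comm" 2>/dev/null) || comm='?'
  # cmdline is NUL separated; argv[0] is the name the process claims for itself
  argv0=$(tr '\000' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
  deleted=no
  case "$exe" in *' (deleted)') deleted=yes ;; esac
  exe_path=${exe%" (deleted)"}
  # comm is truncated to 15 characters by the kernel, so compare that prefix only
  mismatch=no
  if [ -n "$argv0" ] && [ "$(basename "$argv0" | cut -c1-15)" != "$comm" ]; then mismatch=yes; fi
  if [ "$exe" != '?' ] && [ "$(basename "$exe_path" | cut -c1-15)" != "$comm" ]; then mismatch=yes; fi
  printf '%s cwd=%s exe=%s deleted=%s comm=%s argv0=%s mismatch=%s\n' \
    "$1" "$cwd" "$exe" "$deleted" "$comm" "$argv0" "$mismatch"
}

# Scan every PID directory under PROC_ROOT and print only the flagged processes
scan_suspicious() {
  for p in "$PROC_ROOT"/[0-9]*; do
    [ -d "$p" ] || continue
    line=$(inspect_pid "${p##*/}") || continue
    case "$line" in *'deleted=yes'*|*'mismatch=yes'*) printf '%s\n' "$line" ;; esac
  done
}

# Constructed sample tree standing in for /proc so the example runs offline
build_sample_proc() {
  root=$(mktemp -d)
  mkdir -p "$root/1234" "$root/4321"
  # 1234: an ordinary sshd whose comm, argv[0] and exe all agree
  printf 'sshd\n' > "$root/1234/comm"
  printf '/usr/sbin/sshd\000-D\000' > "$root/1234/cmdline"
  ln -s /usr/sbin/sshd "$root/1234/exe"; ln -s / "$root/1234/cwd"
  # 4321: binary removed after launch, argv[0] forged, running from a hidden dir
  printf 'update\n' > "$root/4321/comm"
  printf '/usr/sbin/sshd\000' > "$root/4321/cmdline"
  ln -s '/tmp/.cache/update (deleted)' "$root/4321/exe"; ln -s /tmp/.cache "$root/4321/cwd"
  printf '%s\n' "$root"
}
```

On a live host run `scan_suspicious` as root with PROC_ROOT left at /proc; a process whose package was upgraded while it ran also shows "(deleted)", so treat that flag as a lead to confirm against the hash and cwd rather than a verdict.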
Process Environment Variables (incl user who ran binary)
Process file descriptors/maps (what the process is ‘accessing’ or using)
Process stack/status information (may reveal useful elements)
Deleted binaries which are still running
Process Working Directories (including common targeted directories)
Hidden Directories and Files
Immutable Files and Directories (Often Suspicious)
SUID/SGID and Sticky Bit Special Permissions
Files and Directories with no user/group name
File types in current directory
Executables on file system
Hidden Executables on file system
Files modified within the past day
Persistent Areas of Interest
Audit Logs
Installed Software Packages
Last updated