
Made by
Ms. Niranjana S. Karandikar
Under the guidance of
Mr. Kishor Dahiwadkar
RESPONSE TO A LIVE LINUX MACHINE
What is Linux?
An operating system (OS)
Open source
Available in various distributions
E.g. Red Hat, Ubuntu, Fedora, Debian, BackTrack, Kali Linux, etc.
Objective
Create and test tools for responding to a live Linux machine
Need for creating own tools
A suspect machine is never to be trusted.
When a program is executed, it normally uses shared libraries for routine system commands.
This changes the access times of those common files, so the timeline gets disturbed.
The tools should also give specific output information.
Statically linked vs. dynamically linked tools
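The point of the slide above is that a dynamically linked tool pulls in the suspect machine's shared libraries, while a statically linked one does not. The following check, added here as an example and not part of the slides, reads a tool's ELF program headers directly and reports whether it needs the dynamic loader; it does not rely on the suspect's own `file` or `ldd` binaries. The two minimal ELF images it builds for demonstration are constructed, not real programs.

```python
"""Check whether a responder's tool is statically linked by reading its ELF headers.

A dynamically linked ELF carries a PT_INTERP program header naming the runtime
loader (e.g. /lib64/ld-linux-x86-64.so.2), which in turn maps the shared
libraries on the suspect machine; a statically linked tool has no PT_INTERP and
touches none of them. Reading the header directly avoids trusting the suspect's
own `file` or `ldd` binaries.
"""
import struct

PT_INTERP = 3  # program header type: path of the program interpreter (dynamic loader)


def elf_interpreter(data: bytes):
    """Return the PT_INTERP path of an ELF image, or None if it has none.

    Handles ELF32 and ELF64 in either byte order; raises ValueError on non-ELF input.
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)           # e_phoff
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)  # e_phentsize, e_phnum
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, base)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
            p_type, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIIII", data, base)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode()
    return None


def is_statically_linked(path: str) -> bool:
    """True if the file at path is an ELF with no program interpreter."""
    with open(path, "rb") as f:
        return elf_interpreter(f.read()) is None


def sample_elf64(with_interp: bool) -> bytes:
    """Constructed minimal little-endian ELF64 image for demonstration (not executable)."""
    interp = b"/lib64/ld-linux-x86-64.so.2\x00"
    ehsize, phentsize = 64, 56
    phnum = 2 if with_interp else 1
    data_off = ehsize + phnum * phentsize
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, ehsize, 0, 0,
                               ehsize, phentsize, phnum, 64, 0, 0)
    phdrs = b""
    if with_interp:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, data_off, 0, 0, len(interp), len(interp), 1)
    phdrs += struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, data_off, data_off, 0x1000)  # PT_LOAD
    return ehdr + phdrs + (interp if with_interp else b"")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "static" if is_statically_linked(path) else "dynamic (needs loader)")
```

Run it over every binary in the toolkit before the kit is burned to read-only media; a tool that reports "dynamic" will load libraries from the suspect host. A static-pie executable also has no PT_INTERP and passes this check, which is correct for the purpose here since it loads no shared objects.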

Types of Data Found
Volatile data: any data stored in system memory that will be lost when the machine loses power or is shut down.
Non-volatile data: persistent data that resides on the system's hard drives or other non-volatile storage devices and is typically not lost when the machine is shut down or rebooted.
Collection Of Volatile Data
System Information
Network Information
Collection of System Information
cat, uname - system profile
date - current system date and time
history - command history
uptime - gives the system uptime
w - shows who is logged on and what they are doing
ps - gives a snapshot of the current processes
top - provides an ongoing look at processor activity in real time
ls - lists the access controls and MAC times of the files on the machine




Contd.
chkconfig - gives a list of startup services
who - lists the name of each user currently logged in with their terminal, the time they logged on, and the name of the host from which they have logged in
lastlog - displays the last login times for system accounts
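The commands on the two slides above are normally typed one by one; the runner below, added as an example and not part of the slides, runs them from the responder's own toolkit and records what was collected. It assumes a directory TOOLDIR holding the statically linked tools (brought on read-only media) and an output directory OUTDIR on external media; both names are assumptions for this example. `history` is a shell builtin rather than a binary and is therefore not in the list.

```python
"""Collect volatile system and network information with the responder's own toolkit.

Assumptions made here: the statically linked tools sit in a read-only directory
TOOLDIR brought on external media, and OUTDIR is on external media as well, so the
suspect's disk is not written to. Every command is started by its path inside
TOOLDIR (never by name through the suspect's PATH); its combined stdout/stderr,
exit status, UTC start time and the SHA-256 of the saved output go into a manifest
so the collection can be verified afterwards.
"""
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone

# Command list mirrors the system- and network-information slides.
VOLATILE_COMMANDS = [
    ("date", ["date", "-u"]),
    ("uname", ["uname", "-a"]),
    ("uptime", ["uptime"]),
    ("w", ["w"]),
    ("who", ["who"]),
    ("lastlog", ["lastlog"]),
    ("ps", ["ps", "auxww"]),
    ("top", ["top", "-b", "-n", "1"]),        # batch mode: one snapshot, no interaction
    ("chkconfig", ["chkconfig", "--list"]),
    ("netstat", ["netstat", "-anp"]),
    ("ifconfig", ["ifconfig", "-a"]),
    ("arp", ["arp", "-a"]),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_volatile(outdir, tooldir, commands=VOLATILE_COMMANDS, timeout=60):
    """Run each command from tooldir, save its output under outdir, return the manifest."""
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for name, argv in commands:
        # A bare name is resolved inside the trusted kit only; an absolute path is used as given.
        exe = argv[0] if os.path.isabs(argv[0]) else os.path.join(tooldir, argv[0])
        entry = {"name": name, "argv": [exe] + argv[1:],
                 "started_utc": datetime.now(timezone.utc).isoformat()}
        if not os.access(exe, os.X_OK):
            entry["status"] = "missing"   # never fall back to the suspect's own copy
            manifest.append(entry)
            continue
        out_path = os.path.join(outdir, name + ".txt")
        with open(out_path, "wb") as out:
            try:
                proc = subprocess.run(entry["argv"], stdout=out, stderr=subprocess.STDOUT,
                                      timeout=timeout, env={"PATH": tooldir})
                entry["status"] = "ok"
                entry["exit_code"] = proc.returncode
            except subprocess.TimeoutExpired:
                entry["status"] = "timeout"   # e.g. a hung tool; partial output is kept
        entry["output"] = out_path
        entry["sha256"] = sha256_file(out_path)
        manifest.append(entry)
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


if __name__ == "__main__":
    for item in collect_volatile(os.environ.get("OUTDIR", "/mnt/usb/case001"),
                                 os.environ.get("TOOLDIR", "/mnt/cdrom/bin")):
        print(f'{item["name"]:10} {item["status"]:8} {item.get("sha256", "")}')
```

The order matters: `date` runs first so every later output can be tied to a known clock value, and the child environment contains only the kit's PATH so that nothing the tools spawn resolves to a binary on the suspect system.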



Collection of Network Information
netstat - displays information on active sockets, routing tables, interfaces, masquerade connections, and multicast memberships
ifconfig - displays the current configuration for a network interface. Displayed information includes IP address, gateway, DNS servers, and promiscuous mode detection.
arp -a - displays the ARP cache entries of the suspect computer
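`netstat` on the suspect machine is itself just a reader of /proc/net/tcp and /proc/net/tcp6, so a responder's own tool can decode those files (live, or from a copy) without trusting the installed binary. The decoder below is an added example, not code from the slides; the socket table text in it is constructed, and the byte-order handling assumes a little-endian host, which is how Linux on x86 prints these fields.

```python
"""Decode TCP socket entries the way a trusted replacement for `netstat -anp` would.

`netstat` itself reads /proc/net/tcp and /proc/net/tcp6, so a responder's own tool
can read those files (or a copy taken from the suspect) and decode the hex address,
port and state fields itself. The sample text below is constructed for this
example; the byte-order handling assumes a little-endian host.
"""
import os
import socket

TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1", 5: "FIN_WAIT2",
              6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT", 9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Constructed sample in the /proc/net/tcp layout: one listener on port 22 and one
# established loopback connection owned by uid 1000.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:D2A4 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). Each 32-bit word of the address is
    printed as a little-endian hex number, so the bytes of every word are reversed."""
    hexaddr, hexport = field.split(":")
    raw = bytes.fromhex(hexaddr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed), int(hexport, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into a list of dicts."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        laddr, lport = decode_endpoint(fields[1])
        raddr, rport = decode_endpoint(fields[2])
        entries.append({
            "local": f"{laddr}:{lport}",
            "remote": f"{raddr}:{rport}",
            "state": TCP_STATES.get(int(fields[3], 16), fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),            # links the socket to a process via /proc/<pid>/fd
        })
    return entries


def inode_to_pids(inode, proc="/proc"):
    """The '-p' part of netstat: find processes holding socket:[inode] as an open fd."""
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # another user's process and we are not root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == f"socket:[{inode}]":
                    pids.append(int(pid))
                    break
            except OSError:
                continue
    return pids


if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as f:
                for e in parse_proc_net_tcp(f.read()):
                    print(e["state"], e["local"], e["remote"], "uid", e["uid"],
                          "pids", inode_to_pids(e["inode"]))
```

Because this reads the kernel's view of the socket table rather than a user-space program's, a replaced `netstat` that hides a listener will not hide it here; a kernel-level rootkit could still filter /proc, which is why the results are compared with a packet capture or a scan from another host where possible.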


Collection of Persistent Data
dd - dd if=/dev/sda of=/dev/sdb - disk imaging
md5sum - calculates the hash value
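The two commands on the slide above are normally run as a pair: image the disk, then hash both source and image and compare. The following example, added here and not part of the slides, does the same in one pass and also handles the case dd would need conv=noerror,sync for, an unreadable sector. The sample input in its test is a constructed file; on a real disk it reads a block device such as /dev/sda, which needs root, and the image should be written to external media.

```python
"""Image a disk and verify the image by hash, the dd + md5sum step done in one pass.

Mirrors `dd if=/dev/sda of=image.dd` followed by `md5sum` on both sides, with two
additions: the source hash is computed during the single read pass, and an
unreadable block is replaced by zeros (what dd's conv=noerror,sync does) and its
offset logged, so one bad sector does not abort the image or shift every later
byte. md5 is kept because the slides use md5sum; SHA-256 is recorded alongside it.
"""
import hashlib
import os


def image_device(src_path, dst_path, block_size=1 << 20, log=print):
    """Copy src to dst block by block; return byte count, hashes and bad-block offsets."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks = []
    fd = os.open(src_path, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)        # valid for regular files and block devices
        with open(dst_path, "wb") as dst:
            for offset in range(0, size, block_size):
                want = min(block_size, size - offset)
                try:
                    chunk = b""
                    while len(chunk) < want:       # guard against short reads
                        part = os.pread(fd, want - len(chunk), offset + len(chunk))
                        if not part:
                            break
                        chunk += part
                except OSError as exc:             # e.g. EIO on a bad sector
                    bad_blocks.append(offset)
                    log(f"read error at offset {offset}: {exc}; zero-filling {want} bytes")
                    chunk = b"\x00" * want
                md5.update(chunk)
                sha256.update(chunk)
                dst.write(chunk)
    finally:
        os.close(fd)
    return {"bytes": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "bad_blocks": bad_blocks}


def hash_file(path, block_size=1 << 20):
    """Independent re-hash of a finished image, as a later md5sum/sha256sum run would do."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(src_path, dst_path, block_size=1 << 20):
    """Image src to dst, re-hash the image, and report whether the two hashes agree.

    With no bad blocks the hashes also equal a direct md5sum of the source device;
    with bad blocks they match the zero-filled data actually written, which is why
    the bad-block list must be kept with the image.
    """
    result = image_device(src_path, dst_path, block_size)
    image = hash_file(dst_path, block_size)
    result["verified"] = image["md5"] == result["md5"] and image["sha256"] == result["sha256"]
    return result


if __name__ == "__main__":
    import sys
    src, dst = sys.argv[1], sys.argv[2]          # e.g. /dev/sda /mnt/usb/sda.dd
    r = verify_image(src, dst)
    print(f'{r["bytes"]} bytes, md5 {r["md5"]}, sha256 {r["sha256"]}, '
          f'bad blocks {len(r["bad_blocks"])}, verified {r["verified"]}')
```

The returned hashes and bad-block offsets are what goes into the case notes; a later md5sum of the image must reproduce them, and any difference means the image was altered after acquisition.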

Conclusion
The source code of the above tools was procured and studied for malicious activity.
They were free of such malicious code and hence were compiled using the gcc compiler.
The above tools were tested on Ubuntu and BackTrack.
References
First Responders Guide to Computer Forensics - CERT Training and Education
http://www.velocityreviews.com/forums/t728782-linux-console-command-line-history.html
http://www.thegeekstuff.com/2010/02/get-source-code-for-any-linux-command/
http://www.linuxquestions.org/questions/linux-general-1/source-code-for-free-command-774270/

Thank You
