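#!/bin/sh
# Linux live-response information collection.
#
# 1. Forensics tools: LiME (memory acquisition), Volatility (memory analysis).
#    Acquire memory with LiME before running the commands below; every command
#    here perturbs process and memory state on the suspect host.
# 2. Machine information collection: the sections below.
#
# Every command writes to a file in the current working directory, so run the
# script from a mounted evidence volume rather than the suspect system's own
# disk. Most steps (/etc/shadow, lsof, netstat -p, crontab -u) give complete
# results only as root. The output files (env, shell history, shadow hashes)
# contain sensitive data and must be handled as evidence.
# The original listing was whitespace-mangled (e.g. "cat/proc/cpuinfo",
# "DF-LHT", "Top-b-N 1"); commands are restored to their conventional spelling.

# ---- sysinfo (16) ----
# Currently logged-on users
who > who.txt
# Logged-in users and what they are running
w > w.txt
# Current date and time of the host
date > date.txt
# CPU information
cat /proc/cpuinfo > cpuinfo.txt
# Distribution version
lsb_release -a > lsb_release.txt
# Kernel version, architecture, hostname, OS type
uname -a > uname.txt
# Kernel/compiler version string
cat /proc/version > version.txt
# Process snapshot in batch mode, a single iteration
top -b -n 1 > top.txt
# System load
uptime > uptime.txt
# Memory usage in MB
free -m > free_m.txt
# Local filesystem disk usage with filesystem type
df -lhT > df_lht.txt
# Partition tables
fdisk -l > fdisk_l.txt
# Mounted devices
mount > mount.txt
# Environment variables of the invoking shell
env > env.txt
# User-defined environment (shell rc file of the invoking user)
cat ~/.bashrc > bashrc.txt
# Kernel memory information
cat /proc/meminfo > meminfo.txt

# ---- account check (7) ----
# System user list
cat /etc/passwd > etc_passwd.txt
# Password hashes (root only)
cat /etc/shadow > etc_shadow.txt
# Timestamps/ownership of the account files
stat /etc/passwd > etc_passwd_stat.txt
stat /etc/shadow > etc_shadow_stat.txt
# Privileged (UID 0) accounts
awk -F: '$3==0 {print $1}' /etc/passwd > etc_passwd_special_usr.txt
# NOTE(review): "0" matches nearly every line of /etc/passwd; the awk line
# above is the authoritative UID-0 check. Original pattern kept as given.
grep "0" /etc/passwd > etc_passwd_new_user.txt
# Accounts whose password field is empty
awk -F: 'length($2)==0 {print $1}' /etc/shadow > etc_shadow_no_password_user.txt

# ---- process check (4) ----
# All processes, full format
ps -elf > ps_elf.txt
# All processes including those of other users
ps aux > ps_aux.txt
# inetd/xinetd processes (original pattern "inted" matched nothing)
ps -ef | grep inetd > ps_inted.txt
# PID entries in /proc, for cross-checking against the ps output
ls /proc | sort -n | uniq > proc.txt

# ---- file check (11) ----
# NOTE: "find /" crosses mount points, including network filesystems;
# add -xdev if only the local root filesystem should be walked.
# Setuid files owned by root (-perm -4000: setuid bit set, any other bits)
find / -uid 0 -perm -4000 > uid0_perm4000.txt
# Files larger than 10000 KiB
find / -size +10000k > size10000.txt
# Names made only of dots or of a blank, a common hiding technique
find / -name "..." > 3point_name_file.txt
find / -name ".." > 2point_name_file.txt
find / -name "." > 1point_name_file.txt
find / -name " " > blankspace_name_file.txt
# Hidden files
find / -name ".*" > hide_file.txt
# Every file on the system
find / -name "*" > all_file.txt
# Trusted-host and mail-forwarding files
find / -name ".rhosts" > rhosts.txt
find / -name ".forward" > forward.txt
# Files currently open on the system
lsof > lsof.txt

# ---- integrity check ----
# For each critical binary: which package owns it (-qf) and whether it still
# matches the package database (-Vf; the mangled "-vf" is not a verify flag)
rpm -qf /bin/ls > rpm_ls.txt
rpm -Vf /bin/ls >> rpm_ls.txt
rpm -qf /bin/netstat > rpm_netstat.txt
rpm -Vf /bin/netstat >> rpm_netstat.txt
rpm -qf /bin/login > rpm_login.txt
rpm -Vf /bin/login >> rpm_login.txt
rpm -qf /bin/find > rpm_find.txt
rpm -Vf /bin/find >> rpm_find.txt
rpm -qf /usr/bin/top > rpm_top.txt
rpm -Vf /usr/bin/top >> rpm_top.txt

# ---- network check (6) ----
# Interfaces in promiscuous mode; ip link prints flags in upper case
# (PROMISC), so match case-insensitively
ip link | grep -i promisc > ip_promisc.txt
# Network connections as open files
lsof -i > lsof_i.txt
# TCP/UDP listeners and connections with owning program name
netstat -ntulpa > netstat_ntulpa.txt
# All sockets with owning process and timers
netstat -anpo > netstat_anpo.txt
# ARP cache entries
arp -a > arp_a.txt
# All interfaces
ifconfig -a > ifconfig_a.txt

# ---- schedule check ----
# root and coremail crontabs
crontab -l -u root > root_crontab.txt
crontab -l -u coremail > coremail_crontab.txt
# System-wide crontab
cat /etc/crontab > etc_crontab.txt
# Scheduled task scripts
ls -a /etc/cron.* > etc_cron.txt
# Per-user crontabs
ls -a /var/spool/cron/ > var_spool_cron.txt

# ---- rc check (4) ----
# Startup commands
cat /etc/rc.d/rc.local > rc_local.txt
# Run-level scripts
ls -a /etc/rc.d > rc_d.txt
ls -a /etc/rc*.d > rcv_d.txt
# Regular files with the setuid bit; "-perm 4000" would only match a mode of
# exactly 4000 (no rwx bits), which is effectively never present
find / -type f -perm -4000 > type_f_perm_4000.txt

# ---- log check (11) ----
# Logging daemon processes
ps -ef | grep syslog > syslog.txt
# Log directory listing
ls -al /var/log > var_log.txt
# Login record files: timestamps and raw contents
stat /var/log/wtmp > stat_wtmp.txt
stat /var/run/utmp > stat_utmp.txt
cat /var/run/utmp > utmp.txt
# rsyslog configuration and init script
cat /etc/rsyslog.conf > rsyslog_conf.txt
cat /etc/init.d/rsyslog > rsyslog.txt
# Failed logins
lastb > lastb.txt
# Successful logins
last > last.txt
# Shell history of the invoking user
cat ~/.bash_history > history.txt
ls -l ~/.bash_history > bash_history.txt

# ---- inetd check ----
# Extended Internet service daemon configuration
cat /etc/xinetd.conf > xinetd_config.txt

# ---- kernel check ----
# Loaded kernel modules
lsmod > lsmod.txt
# Core dump files
find / -name core -exec ls -l {} \; > core_file.txt

# ---- service check ----
# Services started at boot
chkconfig --list > chkconfig_lists.txt
# Local RPC services
rpcinfo -p > rpcinfo.txt

# ---- files get ----
# Package daemon configs, logs, startup scripts and scheduled tasks
tar -zcvf xinetd.tar.gz /etc/xinetd.d/*
tar -zcvf log.tar.gz /var/log/*
tar -zcvf rcd.tar.gz /etc/rc.d/*
tar -zcvf cron.tar.gz /etc/cron.*
tar -zcvf at.tar.gz /var/spool/at/*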
Forensic analysis: Linux information collection