Triathlon Linux Forensics

Source: Internet
Author: User
Tags: iis access logs

01 On-site forensics and computer forensics


One is static, the other dynamic

Offline forensics equipment for on-site forensics: a hard disk duplicator (image the hard disk, then do the forensics on the copy; during forensics no operation on the original hard disk is allowed)

EnCase

FTK

Forensics Master

Forensic analysis of disk storage media


Memory Forensics Technology

Virtual memory file / hibernation file / memory dump / DMA / cold boot

Chip forensics

Operating system Forensics

Windows system

Unallocated space may still contain data

File slack, the residual area at the end of a file's last cluster (disk fragmentation)

Logical size + file slack = physical size

File slack is not wiped on deletion, so the contents of previous files may be recoverable from it


How to hide files

    • Change the file name extension
    • Encrypt the file content
    • Virtual disk
    • Information steganography
    • Hard disk encryption
    • ...

Historical record (under Linux)

    • IE history
    • IIS access logs
    • Operating system logs
    • Firewall log (determine whether there was an attack)
    • ...

Temporary files

    • Office temporary files
    • C:\windows\temp\*.tmp
    • C:\Documents and Settings\username\Local Settings\Temporary Internet Files

Linux system Forensics

# xwd -display localhost:0 -root > screen.xwd    (captures the X root window, i.e. the current screen, to a file)

Memory information

Network connection

Port/process ...

Process information

You need to take an image first and then work on the image

File system

Log files (most of the time the log files are provided)


Last year's question

SSH login log: /var/log/secure

It may contain an attacker's brute-force (password-guessing) attempts.
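The point above is usually the first thing to check in /var/log/secure: many failed sshd logins from one source address, possibly followed by a success. The script below is an added example (not part of the original notes) that parses sshd lines in the standard syslog format, counts failures per source IP, records which usernames were tried, and reports any later accepted login from the same IP. The sample log lines are constructed for the example; the threshold of five failures is an assumed value, not a rule from the notes.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in /var/log/secure (sshd) format; not taken from any real host.
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:12 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 10:01:17 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 10:01:19 web01 sshd[2216]: Failed password for root from 203.0.113.45 port 51055 ssh2
Mar  3 10:01:22 web01 sshd[2218]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar  3 10:01:40 web01 sshd[2220]: Accepted password for root from 203.0.113.45 port 51077 ssh2
Mar  3 10:05:03 web01 sshd[2301]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
Mar  3 10:07:44 web01 sshd[2310]: Failed password for deploy from 192.0.2.10 port 40130 ssh2
"""

# sshd writes "invalid user" before names that do not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def parse_ssh_log(text):
    """Return (failed counts per IP, usernames tried per IP, accepted logins)."""
    failed = Counter()          # ip -> number of failed password attempts
    users = defaultdict(set)    # ip -> set of usernames attempted
    accepted = []               # (ip, user, auth method) for successful logins
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    return failed, users, accepted


def find_bruteforce(text, threshold=5):
    """Flag source IPs with >= threshold failures; note any later success from them."""
    failed, users, accepted = parse_ssh_log(text)
    findings = []
    for ip, n in failed.items():
        if n >= threshold:
            success = [(u, meth) for a_ip, u, meth in accepted if a_ip == ip]
            findings.append({
                "ip": ip,
                "failures": n,
                "users": sorted(users[ip]),
                "later_success": success,   # non-empty means the guessing may have worked
            })
    return findings


if __name__ == "__main__":
    # Usage: python ssh_bruteforce.py /var/log/secure   (falls back to the sample data)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    for f in find_bruteforce(text):
        print(f"{f['ip']}: {f['failures']} failures, users tried {f['users']}, "
              f"later success: {f['later_success'] or 'none'}")
```

On the sample data this reports 203.0.113.45 with five failures against admin and root, followed by an accepted password login as root, which is exactly the pattern that turns a noisy log into an incident. A real /var/log/secure also rotates (secure-YYYYMMDD), so run the script over every rotated copy taken from the disk image, not just the live file.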


Example analysis

FK didn't say it sooner.

cat /var/log/dmesg

Build a Volatility profile (go to Google to find the Debian 5.0 profiles)

python vol.py --info    (see the help)

Note the version: x86 or x64

Look for strange processes. (as the teacher said)

Then look at the network situation

This IP looks suspicious.

SCP copying

Check the Mail log.
