Triathlon Linux Forensics

01 on-Site forensics and computer forensics

A static one dynamic

Offline forensics equipment on-site forensics-Hard disk copy machine (mirror the hard disk, copy and then forensics, forensics process is not allowed on the original hard disk operation)

ENcase

Ftk

Forensics Master

Forensic analysis of disk-stone media

Memory Forensics Technology

Virtual memory File/hibernation file/memory dump/dma/cold start

Chip forensics

Operating system Forensics

Windows system

Unallocated space actually has the data

File residue area filestack (disk fragmentation)

Logical size + File residue = physical size

File residue is not deleted and it is possible to recover previous files

How to hide Files

• Change the file name extension
• File content Encryption
• Virtual Disk
• Information steganography
• Hard disk Encryption
• 。。。

Historical record (under Linux)

• IE history
• IIS Access logs
• Operating system logs
• Firewall log (determine if attack)
• 。。。

Temporary files

• Office temp File
• C:\windows\temp\*.tmp
• C:\Documents and Settings\username\Local Settings\Temporary Internet Files

Linux system Forensics

#xwd-display Localhost:0–root >screen.xwd

Memory information

Network connection

Port/process ...

Process information

You need to do the mirroring and then the mirroring operation

File system

Log file #大部分时候会提供日志文件

Last year's question

SSH log inside l login log log/secure

There could be an attacker's explosion.

Example analysis

FK didn't say it sooner.

Cat VAR/LOG/DMESG

Make profile-"go to Google to find Debian 5.0 profiles under

Python vol.y–info See Help

Note Version x86 is also x64

Strange process. #老师说

Then look at the network situation

This IP is not easy.

SCP replication

Check the Mail log.

Triathlon Linux Forensics