Command List Irth

Uploaded by Soham Mukherjee

mtime = ls -l
atime = ls -lu
ctime = ls -lc

>> ctime is always at least as recent as mtime (a content change updates ctime as well)

open ports = netstat -at | more
open ports with applications = netstat -atp | more
list running processes = ps aux | more
record steps taken = [script file.txt] / [history > file.txt]

>> live response commands -

open and read wtmp file = last -f /var/log/wtmp
open and check currently logged in users = last -f /var/run/utmp
create utmp dump = [utmpdump /var/run/utmp] / [utmpdump /var/log/wtmp]
check list of all log files (syslog destinations) = cat /etc/syslog.conf
check web access logs = cat /var/log/httpd/access_log
check xferlog (ftp log) = cat /var/log/xferlog
review Proc File System = ls -l /proc
dumping system RAM = [cp /proc/kcore] / [cp /proc/kmem] files from the target system to investigation storage media

>> tools that create qualified forensic duplicate output files:

1. SafeBack
2. EnCase
3. FTK Imager

>> primary types of forensic images:

complete disk
partition
logical

>> Forensic Duplicate of a Hard Drive

using data dump (dd) = dd if=/dev/sdb of=sdb_image.img bs=65536 conv=noerror,sync

Explanation of the parameters:

• if => input file
• /dev/sdb => source/suspect drive (whole disk)
• of => output file
• sdb_image.img => name of the image file
• bs => block size (default is 512 bytes)
• 65536 => 64 KB
• conv => conversion options; noerror => continue even when read errors occur
• sync => if there is a read error, NUL-fill the rest of the block so offsets in the image stay aligned with the source

using dcfldd = sudo apt-get install dcfldd (to install it first)

dcfldd if=/dev/sdb of=sdb_image.img

Explanation of the parameters:

• if => input file
• /dev/sdb => source/suspect drive (whole disk)
• of => output file
• sdb_image.img => name of the image file

using dc3dd = sudo apt-get install dc3dd (to install it first)

dc3dd if=/dev/sdb of=sdb_image.img bs=4k hash=md5 log=dc3dd.log progress=on split=2G splitformat=000

Explanation of the parameters:

• if => input file
• /dev/sdb => source/suspect drive (whole disk)
• of => output file
• sdb_image.img => name of the image file
• bs => block size of 4 KB
• hash => hash algorithm computed over the data as it is acquired (here md5)
• log => path of the log file
• progress => on; show progress of the acquisition
• split => split the image file into chunks of 2 GB
• splitformat => pattern for the suffix appended to each chunk's file name (000 gives three-digit numbers)
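As an added example (not part of the original command list), the script below images a constructed file with the dd options from the notes above and then verifies the copy by hashing source and image, the check that dc3dd's hash= option performs during acquisition. It also shows the conv=sync caveat: a source whose size is not a multiple of bs gets NUL-padded, so the image hash will not match the source hash.

```shell
#!/bin/sh
# Added example, not from the original notes: duplicate a source with the dd
# options listed above (bs=65536 conv=noerror,sync), then hash source and image
# to confirm the copy. A constructed temp file stands in for /dev/sdb so this
# runs without a real drive.

# Print the SHA-256 of a file; sha256sum on Linux, shasum elsewhere.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC IMG [BS]: dd SRC into IMG and print "match", or
# "mismatch <src bytes> <img bytes>" when the hashes differ.
image_and_verify() {
    src=$1; img=$2; bs=${3:-65536}
    # noerror: keep reading past I/O errors; sync: NUL-pad short blocks so
    # offsets in the image stay aligned with the source
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null || return 2
    if [ "$(file_hash "$src")" = "$(file_hash "$img")" ]; then
        echo match
    else
        echo "mismatch $(wc -c < "$src" | tr -d ' ') $(wc -c < "$img" | tr -d ' ')"
    fi
}

# make_sample PATH BYTES: constructed "evidence" filled with the byte 'A'.
make_sample() {
    head -c "$2" /dev/zero | tr '\000' 'A' > "$1"
}

# Demo: a source that is an exact multiple of bs images cleanly; one that is
# not gets NUL-padded by conv=sync, so its hash no longer matches the source.
work=$(mktemp -d)
make_sample "$work/aligned.raw" 131072      # 2 x 65536
make_sample "$work/unaligned.raw" 132072    # 2 x 65536 + 1000
image_and_verify "$work/aligned.raw" "$work/aligned.img"      # match
image_and_verify "$work/unaligned.raw" "$work/unaligned.img"  # mismatch 132072 196608
rm -rf "$work"
```

On a real acquisition, hash the source device and the image with the same algorithm and record both in the case notes; a mismatch caused only by sync padding shows up as an image that is larger than the source by less than one block.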

>> Full Content Monitoring using tcpdump

tcpdump -n -i eth0 -s 1514 -w /var/log/tcpdump/capture.pcap &

-i - interface to capture on
-n - do not resolve host names (no DNS lookups during capture)
-s - snapshot length; by default tcpdump only captures the first 96 bytes of a packet. To capture the full packet, give -s a size such as -s 65535 or -s 0 (1514 above covers a full Ethernet frame).
-w - write the raw packets to the specified file instead of printing them.
& - send the process to the background.

tcp dump of a given network (12.44.56.0/24) = tcpdump -n -i eth0 -s 1514 -w /var/log/tcpdump/capture.pcap net 12.44.56.0 &
tcp dump of a given host (172.16.1.7) = tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/capture.pcap host 172.16.1.7 &
