Unit 2: Linux/Unix Acquisition 2.3 Activity and Discussion Activity: Practicing Linux/Unix Comma...

mac2022-06-30  23

ACTIVITY: PRACTICING LINUX/UNIX COMMANDS

Note: This activity takes place in a Linux system environment using SANS SIFT Workstation, a collection of forensic tools. For instructions to download and set up this environment, click Virtual Workstation in the toolbar.

Time: This activity should take you approximately 60 minutes to complete.

SOFTWARE

If you are not using a Linux machine, you’ll need to download SIFT Workstation 3 for this exercise. Note that you have to create your own account for this download.

GOAL

In this activity, you will practice a set of basic Linux/Unix commands commonly used by an incident responder to identify security breaches from a live suspect system, as if you were examining a suspect machine that has not been shut down.

You may want to review my demonstration Collect Information from a Live System before beginning this activity.

INSTRUCTIONS

1. Launch SIFT Workstation 3. The default login username is sansforensics, and the default password is forensics.
2. Open a terminal and listen on port 8888 by running: nc -l 8888 &
3. Use each command's man page (for example, man ifconfig) to check the command's description and its main options before you practice it.
4. Practice each command to understand how you can use its result in your investigation.
5. When you are finished, answer the Check Your Work questions.

To display                                                                                   Command
Current system date and time                                                                 date
When the system was last rebooted                                                            uptime -p
System information                                                                           uname -a
Whether a network interface is running in promiscuous mode                                   ifconfig
Unusual and suspicious processes and services                                                ps -eaf
Network connections                                                                          netstat; lsof -i
Files open in memory but unlinked (requested for deletion)                                   lsof +L1
Files opened by the process PID                                                              lsof -p (PID)
Currently logged in users (three options)                                                    w; who; users
All root-owned (uid=0) SUID files                                                            find / -uid 0 -perm -4000 -print
Logged general system activities                                                             tail -f /var/log/messages
A list of all users with last login (and logout) times stored in the log file /var/log/wtmp  last
Any regular files in /directory_path that have been modified within 1 day (24 hours)         find /directory_path -type f -mtime -1 -print
Free disk space                                                                              df
Amount of free and used physical and swap memory in the system                               free
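The commands in the table are normally run one at a time; the script below is an added example (not part of the original activity or SIFT) that runs the volatile ones in a single pass and records, for each, the time it was run, its exit status, a SHA-256 of its output and the exact command line, which is the documentation an investigator needs when the results are later questioned. It assumes a POSIX sh with sha256sum, and the promiscuous-mode helper assumes net-tools ifconfig output saved to a file.

```shell
#!/bin/sh
# Added example, not from the activity page: collect the table's live-response
# commands into OUTDIR with a manifest documenting each step.
# Assumes POSIX sh and sha256sum; a command missing on the host is noted in
# the manifest instead of aborting the collection.

# run_step OUTDIR NAME COMMAND...: save output to OUTDIR/NAME.txt, stderr to
# OUTDIR/errors.txt, and append one manifest line (time, rc, hash, command).
run_step() {
    outdir=$1; name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s MISSING - %s\n' "$(date -u +%FT%TZ)" "$*" >> "$outdir/manifest.txt"
        return 0
    fi
    if "$@" > "$outdir/$name.txt" 2>> "$outdir/errors.txt"; then status=0; else status=$?; fi
    hash=$(sha256sum "$outdir/$name.txt" 2>/dev/null | cut -d' ' -f1)
    printf '%s rc=%s %s %s\n' "$(date -u +%FT%TZ)" "$status" "${hash:-unhashed}" "$*" \
        >> "$outdir/manifest.txt"
}

# collect_live_data OUTDIR: the table's commands, most volatile first
# (time, uptime, processes, connections, users), then disk and memory state.
collect_live_data() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    run_step "$outdir" date     date
    run_step "$outdir" uptime   uptime -p
    run_step "$outdir" uname    uname -a
    run_step "$outdir" ifconfig ifconfig
    run_step "$outdir" ps       ps -eaf
    run_step "$outdir" netstat  netstat
    run_step "$outdir" lsof_net lsof -i
    run_step "$outdir" lsof_del lsof +L1
    run_step "$outdir" w        w
    run_step "$outdir" who      who
    run_step "$outdir" users    users
    run_step "$outdir" last     last
    run_step "$outdir" df       df
    run_step "$outdir" free     free
    # SUID search limited to the root filesystem (-xdev) to keep the pass bounded
    run_step "$outdir" suid     find / -xdev -uid 0 -perm -4000 -print
    return 0
}

# promisc_interfaces FILE: names of interfaces whose saved ifconfig output
# carries the PROMISC flag (the condition the table asks you to look for).
promisc_interfaces() {
    awk '/^[^ \t]/ {iface=$1} /PROMISC/ {sub(":", "", iface); print iface}' "$1"
}
```

Review errors.txt together with the manifest: a non-zero rc for find is usually only unreadable directories, but a non-zero rc for ps or netstat on a live system deserves a second look.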

Reposted from: https://www.cnblogs.com/sec875/articles/10013497.html
