As an assignment for my class, we were instructed to do a tutorial of sorts on doing a forensic analysis. My partner and I chose to do a basic analysis of an infected host/packet capture of network traffic to do a network analysis. Hopefully it is helpful for beginners. Feel free to add any tools you have found especially useful when doing a forensic analysis.
The goal of this post is to capture volatile data from a live Linux machine while it is still running, so that the data can go into a forensic report. The following is the data that is important to capture while on the machine, roughly in order of volatility (most volatile first).
System Date and Time
Current Network Connections
Open TCP and UDP Ports
Executables connected to active connections
Users Logged on
Internal Routing Table
Running Processes
Running Services
Scheduled Jobs
Local and Remote Open Files
Kernel Modules
Live Packet Capture Data
We are working under the assumption that the machine is a virtual machine, but most of the steps are the same for a physical machine.
The very first thing you will want to do is take a snapshot of the VM, including its memory state if your hypervisor supports it. The goal is to make as few changes as possible to the running system, but every command you run alters it, so it is important to have an unaltered copy to fall back on in case something goes wrong.
For this capture to work the VM must be able to reach the host over the network. This post uses a bridged adapter. A host-only adapter works just as well and is safer, since it keeps an infected VM off your real LAN while still letting the host receive the data. Either way, everything sent over Netcat is cleartext, so keep this network isolated from anything you do not control.
Because you are working on an infected machine, its native tools cannot be trusted: a rootkit may have replaced ps, netstat, ls or the shared libraries they load. It is therefore necessary to bring the tools from a clean system. From a clean copy of the same (or a very similar) version of Linux, copy the /bin, /sbin and /usr/bin folders together with the libraries they depend on, or use statically linked builds, so that the copied binaries do not load the infected system's shared libraries. Put them on read-only media (an ISO or a write-protected USB image), mount it in the VM, and run every command from that mount rather than from the system path. Even clean user-space tools still rely on the infected kernel, so a kernel-level rootkit can still hide things from them; that is one reason the packet capture is taken on the host rather than inside the VM.
To start the forensic capture, open cmd.exe on the host system (a Windows host is assumed here) and navigate to the folder containing your downloaded Netcat. Start a Netcat listener by running the following command:
nc -l -p [port] >> [output.txt]
Choose the port to listen on and a name for the output file. A good convention is to name the file after the command you ran on the client machine (for example netstat.txt). Because nc exits when the client closes the connection, you have to start a new listener on the host each time you run a new command on the client.
On the VM, run Netcat from the bin folder of the clean tools you mounted, not the copy installed on the infected system. The format for the command is:
[command] | nc [host ip address] [port]
[command] is whatever you want to capture, such as ifconfig or tcpdump, followed by the IP address of the host and the port you chose for the listener. Redirect stderr into the pipe as well (2>&1) so that errors and "command not found" messages are recorded rather than lost. Be aware that some Netcat builds do not close the connection when the command finishes; with those, add -q 1 (GNU/Debian nc) or -N (OpenBSD nc), or press Ctrl-C once the output has stopped.
The following is the data you want to collect, with the command that produces it.
System Date and Time = date
Current Network Connections = netstat
Open TCP and UDP Ports = netstat -naultp
Executables connected to active connections = netstat -naultp (the -p column shows PID/program name; run it as root, otherwise the column is blank for other users' processes)
Users Logged on = w
Internal Routing Table = ip route
Running Processes = ps aux
Running Services = service --status-all
Scheduled Jobs = crontab -l (for each user), atq (as root); also check /etc/crontab and /etc/cron.d
Local and Remote Open Files = lsof (lsof -i narrows it to network sockets; ps -ef only lists processes, not files)
Kernel Modules = lsmod
Live Packet Capture Data = done on the host machine with Wireshark (shown hereafter)
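The whole client-side procedure, as an added example that is not part of the original post: one script that runs the collection commands above in order and pipes each one into nc towards its own listener on the host, or, when no host is given, writes each result to a local file so the script can be dry-run offline. The file name collect.sh, the tool mount /mnt/tools, the host address 192.168.1.10 and the base port 9000 are assumptions for illustration and do not come from the original.

```shell
#!/bin/sh
# Added example, not code from the original post: runs the collection
# commands above in order and ships each result to its own Netcat listener
# on the analysis host (one "nc -l -p <port> >> <name>.txt" per command,
# as described above), or, when no host is given, writes each result to a
# local file so the script can be dry-run offline.
#
# Assumptions (not in the original post): the clean tool set is mounted at
# /mnt/tools (override with TOOLS=...), listener ports are allocated
# sequentially from a base port, and the host's nc is restarted by hand
# before each command, so the script pauses until you press Enter.

# Collection list, "<label>|<command line>", most volatile first.
COLLECT='date|date
netstat|netstat -naultp
w|w
route|ip route
ps|ps aux
services|service --status-all
crontab|crontab -l
atq|atq
lsof|lsof -i
lsmod|lsmod'

# Number of entries in COLLECT, so a caller can check nothing was skipped.
collect_count() {
  printf '%s\n' "$COLLECT" | grep -c '|'
}

# record CMD: print a header with the command and a UTC timestamp, then the
# command's stdout and stderr, so errors such as "command not found" become
# part of the evidence instead of disappearing.
record() {
  printf '# %s @ %s\n' "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  sh -c "$1" 2>&1
}

# run_one LABEL CMD HOST PORT OUTDIR: send one command's output to the
# listener at HOST:PORT, or to OUTDIR/LABEL.txt when HOST is empty.
run_one() {
  label=$1; cmd=$2; host=$3; port=$4; outdir=$5
  if [ -n "$host" ]; then
    printf 'On the host run: nc -l -p %s >> %s.txt  then press Enter: ' \
      "$port" "$label" > /dev/tty
    read -r dummy < /dev/tty
    # -q 1 makes GNU/Debian nc close the socket on EOF; OpenBSD nc uses -N.
    record "$cmd" | nc -q 1 "$host" "$port"
  else
    record "$cmd" > "$outdir/$label.txt"
  fi
}

# collect_all HOST BASEPORT OUTDIR: run every entry in COLLECT, preferring
# the mounted clean binaries (including nc itself) over the suspect
# system's own copies.
collect_all() {
  host=$1; base=$2; outdir=$3
  tools=${TOOLS:-/mnt/tools}
  PATH="$tools/bin:$tools/sbin:$tools/usr/bin:$PATH"; export PATH
  mkdir -p "$outdir"
  n=0
  printf '%s\n' "$COLLECT" | while IFS='|' read -r label cmd; do
    # A missing or failing tool must not abort the rest of the collection.
    run_one "$label" "$cmd" "$host" "$((base + n))" "$outdir" || true
    n=$((n + 1))
  done
}

# Direct use on the VM:  sh collect.sh run 192.168.1.10 9000
if [ "${1:-}" = "run" ]; then
  collect_all "$2" "$3" "${4:-./out}"
fi
```

Run it with no host (collect_all "" 0 ./out) on a clean machine first to confirm every tool is present on the mount; a "not found" line in one of the output files means that command would have come from the infected system's path instead. Each output starts with a header naming the command and the UTC time it ran, which is what the report needs to tie a result to the timeline.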
For Wireshark to see the VM's traffic the VM must be bridged (or host-only, with the capture taken on the host-only interface). On the host, start Wireshark capturing on the interface the VM is attached to, ideally before you start running commands, so that the Netcat transfers and any other traffic from the infected host are captured too. Then find the VM's IP address and use it as a display filter, for example ip.addr == 192.168.1.50 (a placeholder address), so only packets to or from the infected host are shown.
Right-click a TCP packet and choose Follow, then TCP Stream. This reassembles the payload of the whole connection in one window, which is much easier to read than the individual packets. The following picture shows all the commands sent from the attacking host to the infected host, and the responses from the infected host.