-
Show system files which were changed after installation:
dpkg --verify
Check various security-related issues:
checksecurity
Tools
-
Note: See the many, many commands in the Linux privesc post.
Analyze logs
On older systems: Browse through the files in /var/log.
On newer systems with systemd: use journalctl. Note: If you have an image, you can also analyze the logs of a mounted image, e.g. journalctl --root /mnt/hdd23 -t ssh ...
Analyze startup services
On SysVinit: Browse through /etc/init.d/
On…
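Added example (not part of the original notes): dpkg --verify reports every file whose md5sum no longer matches the package, which on a real system is dominated by edited conffiles in /etc. The script below parses that output and separates modified or missing non-conffiles (binaries, libraries) from conffile edits, because those are the ones worth looking at first. The sample output and its paths are constructed; the column layout follows dpkg's default rpm-style verify format.

```python
# Added example, not from the original page: triage `dpkg --verify` output.
# Constructed sample output; none of these paths refer to a real finding.
import subprocess

# dpkg's default (rpm-style) format: 9 status characters, a space, one
# attribute character ('c' = conffile, space otherwise), a space, the path.
# dpkg only implements the md5sum check, so a mismatch shows as '5' in the
# third column ("??5??????"); a file that no longer exists is reported
# with "missing" in the status field.
SAMPLE_OUTPUT = """\
??5?????? c /etc/ssh/sshd_config
??5??????   /usr/bin/ps
missing     /usr/lib/x86_64-linux-gnu/libexample.so.1
??5??????   /usr/sbin/sshd
"""


def parse_dpkg_verify(text):
    """Return one dict per reported file: path, conffile, md5_mismatch, missing."""
    entries = []
    for line in text.splitlines():
        if line.startswith("missing"):            # file no longer on disk
            status, rest = "missing", line[len("missing"):]
        elif len(line) >= 11 and line[9] == " ":  # regular 9-char status field
            status, rest = line[:9], line[9:]
        else:
            continue                              # blank line, stray warning, ...
        rest = rest.strip()
        conffile = rest.startswith("c ")
        path = rest[2:] if conffile else rest
        if not path.startswith("/"):
            continue
        entries.append({
            "path": path,
            "conffile": conffile,
            "missing": status == "missing",
            "md5_mismatch": len(status) > 2 and status[2] == "5",
        })
    return entries


def suspicious_paths(entries):
    """Changed or missing files that are NOT conffiles, in output order."""
    return [e["path"] for e in entries
            if (e["md5_mismatch"] or e["missing"]) and not e["conffile"]]


def run_dpkg_verify():
    """Run `dpkg --verify` on the live system and return its stdout.

    dpkg exits non-zero as soon as one file differs, so no check=True."""
    proc = subprocess.run(["dpkg", "--verify"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for path in suspicious_paths(parse_dpkg_verify(SAMPLE_OUTPUT)):
        print("investigate:", path)
```

On a live box replace SAMPLE_OUTPUT with run_dpkg_verify(); a modified sshd_config is usually an admin edit, a modified /usr/sbin/sshd or /usr/bin/ps is not.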
-
Windows
Detecting PE/DLL injection:
-
Goal: See on a system if some specific executable was executed.
-
Registry
Windows Event Logging
File system analysis: See the NTFS article about logging.
-
Dissect is a forensic tool for file system images,
-
Use cases
Tools
Standard Unix tools like awk can also be used on a flow file (cat the file and pipe it through awk).
nfdump
SiLK
argus
-
CAINE can be used as a live system to perform forensic studies of a system (e.g. after an incident).
-
General tools
Imaging tools
dd, of course. Note that it makes sense to set the proper block size (sometimes 4k, but most hard drives use 512-byte sectors), so that, when a read error occurs, the exact sector is reported and can afterwards be skipped (conv=noerror,sync makes dd continue past the bad sector and pad it with zeros instead of aborting):
dd if=/dev/sda of=/external/file.md5 bs=512
ewfacquire
sudo ewfacquire /dev/sda
Advantages:
aff4 advanced forensic…
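Added example (not from the original notes) that makes the block-size argument above concrete: a minimal imager that does what dd with bs=512 conv=noerror,sync does, reading one sector at a time, reporting the exact sector of a read error, padding it with zeros so the image keeps its offsets, and hashing the written image on the fly. FlakyDisk is a constructed stand-in for a drive with one unreadable sector; on a real system src would be open('/dev/sda', 'rb').

```python
# Added example, not from the original page: sector-wise imaging with
# bad-sector skipping.  FlakyDisk is a constructed test double.
import hashlib
import io


def image_device(src, dst, sector_size=512):
    """Copy src to dst one sector at a time.

    src and dst are binary file objects.  An unreadable sector is reported
    by number, replaced with zeros (like dd conv=noerror,sync) and recorded.
    Returns (sectors_processed, bad_sectors, sha256_of_written_image).
    """
    digest = hashlib.sha256()
    bad = []
    sector = 0
    src.seek(0)
    while True:
        try:
            chunk = src.read(sector_size)
        except OSError as exc:
            # Exact sector so it can be retried later (e.g. with ddrescue)
            # or excluded from a file-system level analysis.
            print(f"read error at sector {sector} "
                  f"(byte offset {sector * sector_size}): {exc}")
            bad.append(sector)
            chunk = b"\x00" * sector_size
            src.seek((sector + 1) * sector_size)   # step over the bad sector
        if not chunk:
            break                                  # end of device
        dst.write(chunk)
        digest.update(chunk)
        sector += 1
    return sector, bad, digest.hexdigest()


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a drive whose listed sectors return EIO."""

    def __init__(self, data, bad_sectors, sector_size=512):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)
        self.sector_size = sector_size

    def read(self, size=-1):
        if self.tell() // self.sector_size in self.bad_sectors:
            raise OSError(5, "Input/output error")
        return super().read(size)


def demo():
    """Image a constructed 4-sector disk whose sector 2 is unreadable."""
    data = bytes(range(256)) * 8                  # 2048 bytes = 4 x 512
    image = io.BytesIO()
    sectors, bad, sha = image_device(FlakyDisk(data, bad_sectors=[2]), image)
    expected = data[:1024] + b"\x00" * 512 + data[1536:]
    return (sectors, bad,
            image.getvalue() == expected,
            sha == hashlib.sha256(expected).hexdigest())


if __name__ == "__main__":
    print(demo())
```

With a 4k block size the same error would blot out eight sectors at once; with 512 you lose exactly the one the drive cannot return, which is why the note above recommends matching the sector size.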
-
Afterwards: See Analyzing memory
Linux
Process memory dump
Find out which memory segments are used by an application via its PID:
cat /proc/<pid>/maps
Dump the used memory from an application: (credit)
#!/bin/bash
grep rw-p /proc/$1/maps \
  | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
  | while read start stop; do \
      gdb --batch --pid $1 -ex \…
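Added example (not from the original notes, and not the credited script): the same selection of rw-p segments, done by parsing /proc/<pid>/maps in Python and reading the ranges straight out of /proc/<pid>/mem, so no gdb is needed on the box. The maps lines are constructed sample input; the dump file names follow the <pid>-<start>-<stop>.dump convention of the script above. Reading another process's memory needs ptrace permission (root, CAP_SYS_PTRACE, or a relaxed kernel.yama.ptrace_scope); segments the kernel refuses to hand out (e.g. [vvar]) are skipped rather than aborting the dump.

```python
# Added example, not from the original page: dump rw-p segments via /proc.
# SAMPLE_MAPS is constructed input in /proc/<pid>/maps format.
import os
from dataclasses import dataclass

SAMPLE_MAPS = """\
5638b2e2a000-5638b2e2b000 r--p 00000000 fd:01 1049134                    /usr/bin/sleep
5638b2e2b000-5638b2e2c000 r-xp 00001000 fd:01 1049134                    /usr/bin/sleep
5638b4a3c000-5638b4a5d000 rw-p 00000000 00:00 0                          [heap]
7f1e3c000000-7f1e3c021000 rw-p 00000000 00:00 0
7ffd6a9c1000-7ffd6a9e2000 rw-p 00000000 00:00 0                          [stack]
7ffd6a9fb000-7ffd6a9fd000 r-xp 00000000 00:00 0                          [vdso]
"""


@dataclass
class Segment:
    start: int
    end: int
    perms: str
    path: str          # "" for anonymous mappings

    @property
    def size(self):
        return self.end - self.start


def parse_maps(text):
    """Parse maps lines: 'start-end perms offset dev inode [path]'."""
    segments = []
    for line in text.splitlines():
        fields = line.split(None, 5)          # path may contain spaces
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) == 6 else ""
        segments.append(Segment(start, end, fields[1], path))
    return segments


def writable_segments(segments):
    """The 'grep rw-p' of the shell script: private, writable mappings."""
    return [s for s in segments
            if s.perms.startswith("rw") and s.perms.endswith("p")]


def dump_segments(pid, segments, outdir="."):
    """Write each segment of the live process to <pid>-<start>-<end>.dump."""
    written = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for seg in segments:
            try:
                mem.seek(seg.start)
                data = mem.read(seg.size)
            except OSError as exc:                # e.g. [vvar], guard pages
                print(f"skip {seg.start:x}-{seg.end:x} {seg.path}: {exc}")
                continue
            name = os.path.join(outdir, f"{pid}-{seg.start:x}-{seg.end:x}.dump")
            with open(name, "wb") as fh:
                fh.write(data)
            written.append(name)
    return written


if __name__ == "__main__":
    pid = os.getpid()                     # demo: dump our own writable segments
    maps_path = f"/proc/{pid}/maps"
    if os.path.exists(maps_path):
        with open(maps_path) as fh:
            segs = writable_segments(parse_maps(fh.read()))
        for name in dump_segments(pid, segs):
            print("wrote", name)
    else:
        print("no /proc on this system; parsing the sample only")
        for s in writable_segments(parse_maps(SAMPLE_MAPS)):
            print(f"{s.start:x}-{s.end:x} {s.perms} {s.path}")
```

The dumps can then be searched like any file (strings, grep -a, yara); the segment names tell you whether a hit came from the heap, the stack or an anonymous mapping, which is what you want when hunting for injected code or secrets.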