mtime = ls -l
atime = ls -lu
ctime = ls -lc
>> ctime is always equal to or more recent than mtime
open ports = netstat -at | more
open ports with applications = netstat -atp | more
list running processes = ps aux | more
record steps taken = [script file.txt] / [history > file.txt]
>> live response commands:
open and read wtmp file = last -f /var/log/wtmp
open and check currently logged in users = last -f /var/run/utmp
create utmp dump = [utmpdump /var/run/utmp] / [utmpdump /var/log/wtmp]
check list of all log files = cat /etc/syslog.conf
check web access logs = cat /var/log/httpd/access_log
check xferlog (ftp log) = cat /var/log/xferlog
review Proc File System = ls -l /proc
dumping system RAM = [cp /proc/kcore] / [cp /proc/kmem] files from the target system to investigation storage media
>> tools that create qualified forensic duplicate output files:
1. SafeBack
2. EnCase
3. FTK Imager
>> primary types of forensic images:
complete disk
partition
logical
>> Forensic Duplicate of a Hard Drive
using data dump (dd) = dd if=/dev/sdb of=sdb_image.img bs=65536 conv=noerror,sync
Explanation of the parameters:
• if => input file
• /dev/sdb => source/suspect drive (whole disk)
• of => output file
• sdb_image.img => name of the image file
• bs => block size (default is 512)
• 65536 => 64k
• conv => conversion flags
• noerror => continue even with read errors
• sync => if there is an error, null-fill the rest of the block
using dcfldd = sudo apt-get install dcfldd (to install it first)
dcfldd if=/dev/sdb of=sdb_image.img
Explanation of the parameters:
• if => input file
• /dev/sdb => source/suspect drive (whole disk)
• of => output file
• sdb_image.img => name of the image file
using dc3dd = sudo apt-get install dc3dd (to install it first)
dc3dd if=/dev/sdb of=sdb_image.img bs=4k hash=md5 log=dc3dd.log progress=on split=2G splitformat=000
Explanation of the parameters:
• if => input file
• /dev/sdb => source/suspect drive (whole disk)
• of => output file
• sdb_image.img => name of the image file
• bs => block size of 4 KB
• hash => hash algorithm(s) to compute during acquisition (md5 here)
• log => path of the log file
• progress => on; show acquisition progress
• split => split the image into chunks of 2 GB
• splitformat => pattern for the number or letter suffix appended to each chunk's file name
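The dd, dcfldd and dc3dd commands above all produce an image that still has to be verified before it is relied on. The following script is added here as an example and is not part of the original notes: it runs the dd invocation above against a constructed sample file standing in for /dev/sdb, hashes source and image with sha256sum (GNU coreutils assumed) and writes an acquisition log, and it handles the zero padding that conv=sync adds when the source size is not a multiple of the 64k block size.

```shell
#!/bin/sh
# Added example, not from the original notes. Runs the notes' dd command
# against a constructed sample file standing in for /dev/sdb, then hashes
# source and image and writes an acquisition log. Assumes GNU coreutils
# (dd, sha256sum, head -c).

# Constructed sample "drive": 100000 bytes, deliberately not a multiple of
# the 64k block size, so the conv=sync padding effect is visible.
make_sample_source() {
    yes 'constructed sample sector data' | head -c 100000 >"$1"
}

# acquire_and_verify SRC IMG LOG -> exit status 0 when the image verifies
acquire_and_verify() {
    src="$1"; img="$2"; log="$3"
    src_size=$(wc -c <"$src")

    # Same options as the notes: 64k blocks, keep going past read errors,
    # zero-fill unreadable or short blocks so later offsets stay aligned.
    # dd's own record counts go to the log as part of the acquisition record.
    dd if="$src" of="$img" bs=65536 conv=noerror,sync 2>>"$log"

    img_size=$(wc -c <"$img")
    # conv=sync pads the final partial block with zeros, so the image can be
    # larger than the source; hash only the first src_size bytes of the image.
    src_hash=$(sha256sum <"$src" | cut -d' ' -f1)
    img_hash=$(head -c "$src_size" "$img" | sha256sum | cut -d' ' -f1)

    {
        echo "acquired: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:   $src ($src_size bytes) sha256=$src_hash"
        echo "image:    $img ($img_size bytes, $((img_size - src_size)) bytes of sync padding)"
        echo "image:    sha256 of first $src_size bytes=$img_hash"
    } >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# Demo on the constructed sample; for a real acquisition pass the device
# (e.g. /dev/sdb) as the source instead.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_source "$d/sample_disk.bin"
    if acquire_and_verify "$d/sample_disk.bin" "$d/sdb_image.img" "$d/acquire.log"; then
        echo "image verified"
    else
        echo "image MISMATCH"
    fi
    cat "$d/acquire.log"
fi
```

Run it as `sh acquire.sh demo` to see the log; on a real drive, dd's record counts in the log show how many blocks were read with errors and zero-filled.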
>> Full Content Monitoring using tcpdump
tcpdump -n -i eth0 -s 1514 -w /var/log/tcpdump/capture.pcap &
-i - interface to capture on
-n - do not resolve names (no DNS lookups during capture)
-s - snapshot length; by default tcpdump captures only the first 96 bytes of each packet. To capture full packets, give -s a size such as -s 65535 or -s 0.
-w - write the raw packets to the specified file instead of printing them
& - run the capture process in the background
tcp dump of a given network (12.44.56.0/24) = tcpdump -n -i eth0 -s 1514 -w /var/log/tcpdump/capture.pcap net 12.44.56.0 &
tcp dump of a given host (172.16.1.7) = tcpdump -n -i dc0 -s 1514 -w /var/log/tcpdump/capture.pcap host 172.16.1.7 &