Incident Response toolkit for a linux machine

5 Posts
5 Users
0 Likes
624 Views
(@bsg819)
Posts: 19
Active Member
Topic starter
 

Hi all,

I am currently doing a project named "Live forensics in a linux machine" and for it I wanted some advice as to what toolkits I should use. I was thinking of using 2 toolkits but I am unable to determine which ones.
Also I'm a bit of a newbie in Linux so I would really appreciate it if I could know how to use them if they are in command format.
I have read about a few commands like netcat, etc. but I don't know how I use them on the suspect's machine and get their output on my PC which has the toolkit.

Thanks in advance.
Really need some help on it.

 
Posted : 22/02/2013 6:58 pm
(@j_hizzal)
Posts: 2
New Member
 

Well, there's a number of distros available. It all depends on your personal tastes.

Linux itself is built with a number of handy tools. Just running netstat can provide a lot of info. Fport (downloaded from http://www.mcafee.com/us/downloads/free-tools/fport.aspx) can show executables attached to open ports, etc. What are you looking for? Is it mainly network connections?

For a 'toolkit' there's Helix, or Deft (http://www.deftlinux.net/).

 
Posted : 05/03/2013 11:06 am
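The workflow the original question asks about, collecting volatile data on the suspect machine and pushing it to the analyst's box with netcat, together with the netstat (or its modern replacement ss) check suggested in the reply above, as an added example that is not part of this thread or of any toolkit mentioned in it. The collector address, port and toolkit mount path are placeholder assumptions; the listener side on the collecting machine is shown in the comments.

```shell
#!/bin/sh
# Live volatile-data collection pushed over netcat (added example; assumptions:
# the collector listens at COLLECTOR_HOST:COLLECTOR_PORT, and trusted static
# binaries live on the toolkit media mounted at TOOLKIT_BIN).
# Constructed defaults; override them through the environment.
COLLECTOR_HOST="${COLLECTOR_HOST:-192.0.2.10}"   # TEST-NET address, placeholder
COLLECTOR_PORT="${COLLECTOR_PORT:-4444}"
TOOLKIT_BIN="${TOOLKIT_BIN:-/mnt/toolkit/bin}"

# Prefer tools from the toolkit media over the suspect's own binaries, which
# may have been replaced by an intruder. Nonexistent path is harmless.
PATH="$TOOLKIT_BIN:$PATH"; export PATH

# Print one labelled section: "### <command>" followed by the command's output,
# a note if the tool is missing on this host, or its exit status if it fails.
section() {
    printf '### %s\n' "$*"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '(exit status %s)\n' "$?"
    else
        printf '(not available: %s)\n' "$1"
    fi
    printf '\n'
}

# Collect in rough order of volatility (most volatile first). Everything goes
# to stdout, so nothing is written to the suspect's disk.
collect_volatile() {
    section date -u
    section hostname
    section uname -a
    section id
    section uptime
    section w
    section ps -ef
    section ss -tanp          # sockets with owning process (modern systems)
    section netstat -tanp     # same information on older systems
    section lsof -nPi
    section ip addr
    section ip route
    section arp -an
    section mount
    section lsmod
}

# Count the "### " section headers in a report read from stdin.
count_sections() { grep -c '^### '; }

# Push the report to the collector. On the collector, start the listener first
# and hash what arrives so the record can later be shown to be unaltered:
#   nc -l -p "$COLLECTOR_PORT" > volatile.txt    # OpenBSD nc: nc -l 4444
#   sha256sum volatile.txt > volatile.txt.sha256
send_to_collector() {
    collect_volatile | nc "$COLLECTOR_HOST" "$COLLECTOR_PORT"
}

# Usage on the suspect machine:  sh collect.sh send   (or "collect" for stdout)
case "${1:-}" in
    collect) collect_volatile ;;
    send)    send_to_collector ;;
esac
```

The collector side starts first (`nc -l -p 4444 > volatile.txt` with traditional netcat, or `nc -l 4444` with the OpenBSD variant, which takes the port as a positional argument), then the script runs on the suspect with `send`. Every section is emitted even when a tool is missing, so the report documents what could not be collected as well as what could; the PATH override is what lets the toolkit's copies of `ps`, `ss` and friends run instead of possibly tampered ones on the suspect system.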
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Do you have to examine the 'live' system?

Any reason why you couldn't use a live boot disc like Paladin or any of the other Linux based live distros that are out there and then conduct the examination on the drive?

Much more forensically sound than running CLI strings on a live system.

 
Posted : 05/03/2013 2:14 pm
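One way to do what the reply above suggests, booting a live environment and then working from an image of the drive rather than the running system, as an added example that is not from this thread or from Paladin or any other distro named in it. The device and image paths are placeholders, and plain dd with a hash comparison stands in for whatever acquisition tool the live distro ships.

```shell
#!/bin/sh
# Image a drive from a live boot environment and verify the copy by hash
# (added example; DEVICE and IMAGE paths are placeholders, not from the thread).

# Bit-for-bit copy with dd. conv=noerror,sync keeps going past unreadable
# sectors and zero-fills them so offsets stay aligned. bs=512 matches the
# sector size, so padding only ever affects genuinely bad sectors; a larger
# block size is faster but pads the final partial block and breaks the hash
# match. dd's own record counts and errors go to a log beside the image.
image_device() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log"
    sync
}

# Hash source and image, record the image digest, and return 0 only if the
# two digests match. A mismatch after a clean dd run means read errors were
# zero-filled; the dd log then shows which sectors.
verify_image() {
    src="$1"; dst="$2"
    src_sum="$(sha256sum "$src" | cut -d' ' -f1)"
    dst_sum="$(sha256sum "$dst" | cut -d' ' -f1)"
    printf 'source %s\nimage  %s\n' "$src_sum" "$dst_sum"
    printf '%s  %s\n' "$dst_sum" "$dst" > "$dst.sha256"
    [ "$src_sum" = "$dst_sum" ]
}

# Usage from the live environment:
#   sh image.sh acquire /dev/sdX /mnt/evidence/sdX.dd
case "${1:-}" in
    acquire) image_device "$2" "$3" && verify_image "$2" "$3" ;;
esac
```

The live distro must not auto-mount the suspect drive, and marking it read-only at the block layer first (`blockdev --setro /dev/sdX`) costs nothing; the evidence image goes to a separate, writable drive. Keeping the `.sha256` and `.dd.log` files next to the image is what turns the copy into something you can defend later, which is the forensic soundness point made in the reply above.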
(@montgomeryj)
Posts: 3
New Member
 

Security Onion is a linux distro that has a ton of forensic tools built into it as does Backtrack 5. A combination of those two will get you most of the standard open source tools for forensic analysis. I would recommend building your own operating system based off of one of these distros and add all of your tools that you want in addition to what comes on your base image. Once you have created your own image I would put it on a hard drive and/or use drive depending on what you are planning on doing with it.

 
Posted : 09/03/2013 9:19 am
Amumbo
(@amumbo)
Posts: 8
Active Member
 

Have a look at CAINE (Computer Aided INvestigative Environment)

 
Posted : 17/03/2013 6:21 pm