ACTIVITY: PRACTICING LINUX/UNIX COMMANDS
Note: This activity takes place in a Linux system environment using SANS SIFT Workstation, a collection of forensic tools. For instructions to download and set up this environment, click Virtual Workstation in the toolbar.
Time: This activity should take you approximately 60 minutes to complete.
SOFTWARE
If you are not using a Linux machine, you’ll need to download SIFT Workstation 3 for this exercise. Note that you have to create your own account for this download.
GOAL
In this activity, you will practice a set of basic Linux/Unix commands commonly used by an incident responder to identify security breaches from a live suspect system, as if you were examining a suspect machine that has not been shut down.
You may want to review my demonstration Collect Information from a Live System before beginning this activity.
INSTRUCTIONS
- Launch SIFT Workstation 3. The default login username is sansforensics, and the default password is forensics.
- Open a terminal and start a listener on port 8888, left running in the background, by running: nc -l 8888 &
- Use each command's man page (for example, man ifconfig) to check the command's description and its main options before you practice it.
- Practice each command to understand how you can use the result for your investigation.
- When you are finished, answer the Check Your Work questions.
| To display | Command |
|---|---|
| current system date and time | date |
| when the system was last rebooted | uptime -p |
| system information | uname -a |
| whether a network interface is running in promiscuous mode | ifconfig |
| unusual and suspicious processes and services | ps -eaf |
| network connections (two options) | netstat, lsof -i |
| files that are open in memory but unlinked (marked for deletion) | lsof +L1 |
| files opened by the process with process ID PID | lsof -p PID |
| currently logged-in users (three options) | w, who, users |
| all root-owned (uid=0) SUID files | find / -uid 0 -perm -4000 -print |
| logged general system activities, followed as new lines arrive | tail -f /var/log/messages |
| a list of all users with their last login (and logout) times, as stored in the log file /var/log/wtmp | last |
| any regular files under /directory_path modified within the last day (24 hours) | find /directory_path -type f -mtime -1 -print |
| free disk space | df |
| amount of free and used physical and swap memory in the system | free |
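The table gives the commands one at a time; on a real live system an incident responder runs them in order of volatility and keeps a record of exactly what was run and what came back. The script below is an added example written for this activity (it is not part of the course material or of SIFT Workstation): it wraps the table's commands in a small collection routine that saves each output to a file and logs the command line, exit status and SHA-256 of every capture in a manifest, and it adds two parsers for the checks the table only hints at, which interfaces report the PROMISC flag and which open files have been unlinked. Assumptions: POSIX sh, sha256sum or shasum present, netstat given -an so that listening sockets (such as the nc listener on 8888) appear, and tail -n 200 in place of tail -f because a collection script must not block. The sample ifconfig, ip link and lsof output used to try the parsers is constructed.

```shell
#!/bin/sh
# Added example for this activity, not part of the course material or SIFT.
# Assumptions: POSIX sh on the suspect system; sha256sum (or shasum) is
# available; OUTDIR may be overridden in the environment. "netstat -an",
# "tail -n 200" and the step ordering are my choices; the command list
# itself is the table's.

OUTDIR="${OUTDIR:-./live-$(date +%Y%m%d-%H%M%S)}"

# hash_file FILE: print the SHA-256 of FILE so the capture can be verified later.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_step NAME CMD [ARGS...]: run CMD, save its output to $OUTDIR/NAME.txt and
# append "NAME|command line|exit status|sha256" to $OUTDIR/manifest.txt.
# A command that is not installed is recorded as SKIPPED rather than aborting
# the run, so a suspect box with a partial toolset still yields a record.
run_step() {
    name=$1; shift
    mkdir -p "$OUTDIR"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s|%s|SKIPPED (not installed)|-\n' "$name" "$*" >>"$OUTDIR/manifest.txt"
        return 0
    fi
    if "$@" >"$OUTDIR/$name.txt" 2>&1; then status=0; else status=$?; fi
    printf '%s|%s|%s|%s\n' "$name" "$*" "$status" "$(hash_file "$OUTDIR/$name.txt")" \
        >>"$OUTDIR/manifest.txt"
}

# collect_live_state: the table's commands, most volatile first, so the state of
# the running machine is captured before the slow filesystem walk disturbs it.
collect_live_state() {
    run_step 01-date        date
    run_step 02-uptime      uptime -p
    run_step 03-uname       uname -a
    run_step 04-ifconfig    ifconfig
    run_step 05-ps          ps -eaf
    run_step 06-netstat     netstat -an
    run_step 07-lsof-net    lsof -i
    run_step 08-lsof-unlink lsof +L1
    run_step 09-w           w
    run_step 10-last        last
    run_step 11-free        free
    run_step 12-df          df
    run_step 13-messages    tail -n 200 /var/log/messages
    run_step 14-suid        find / -uid 0 -perm -4000 -print
}

# promisc_ifaces: read ifconfig or "ip link" output on stdin and print the name
# of every interface whose flags include PROMISC. Handles the one-line
# "eth0: flags=...<...,PROMISC,...>" form, the older form where the flags sit
# on an indented line under "eth0      Link encap:...", and "2: eth0: <...>".
promisc_ifaces() {
    awk '
        /^[^ \t]/ {                                   # unindented line names an interface
            if ($1 ~ /^[0-9]+:$/) iface = $2; else iface = $1
            sub(/:$/, "", iface)
        }
        /PROMISC/ { print iface }'
}

# unlinked_open_files: read "lsof +L1" output on stdin and print "PID COMMAND NAME"
# for every open file whose link count (NLINK, column 8 in the default layout) is 0.
unlinked_open_files() {
    awk 'NR > 1 && $8 == 0 {
            name = $10; for (i = 11; i <= NF; i++) name = name " " $i
            print $2, $1, name
         }'
}

# Collection only runs when asked for, so sourcing the file to use the parsers
# (e.g. ifconfig | promisc_ifaces) does not touch the suspect system.
if [ "${1:-}" = "--collect" ]; then
    collect_live_state
    echo "collection written to $OUTDIR (see manifest.txt)"
fi
```

Run it as sudo sh live_collect.sh --collect on the suspect machine, then read manifest.txt alongside the captures; the manifest is what lets you show later that the ps or netstat listing you are quoting is the one taken at the time, unaltered. The two parsers take the saved files as input (promisc_ifaces < 04-ifconfig.txt, unlinked_open_files < 08-lsof-unlink.txt), so the noisy raw listings are kept and the summary is derived from them rather than replacing them.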