UNIX Incident Response Guide

This document outlines the steps for investigating a UNIX system during incident response: 1. Find the installed software by using dpkg commands to list all installed packages and their installation details. 2. Examine the currently running processes with the "ps -elf" command and the system uptime with the "uptime" command. 3. Check the users' shell history files, such as .bash_history, for the commands they ran. 4. List open files with the operating system's tools to determine the nature and purpose of running processes. 5. Check file system listing times (MAC times), password files, logged-on users, open ports, routing tables, and the DNS and hosts files for clues in the investigation.

Uploaded by Khumaini Shaik

12. Incident Response: Investigating UNIX System


Finding the installed software in the system
Collecting the list of installed packages shows which software is present on the host, including packages the attacker may have installed or the package containing the vulnerability responsible for the incident. Compare the list against the build baseline for the host where one exists.
Commands used (dpkg applies to Debian-based systems; RPM-based distributions keep the equivalent data in the rpm database):
1. Displays the list of installed software
 dpkg --get-selections
The output lists every installed package; its length depends on the number of packages installed.

2. Package installation details

 /var/lib/dpkg/status contains details (version, state, dependencies) about every installed package.
 /var/log/dpkg.log records each package install, upgrade and removal with a timestamp, so it can be correlated with the incident timeline. Software built from source or dropped as a bare binary into /tmp or /usr/local appears in neither file.
3. Examining the running processes in the system
UNIX-like systems offer the "ps" command for displaying the currently running processes; "ps -elf" is the System V style used on Linux, Solaris and AIX, while BSD derivatives use "ps aux". Let's look at the command usage now.

"ps -elf" reports a snapshot of the current processes in long listing format containing the user ID, process ID, parent process ID, start time and command line. Look for processes with an unexpected parent, an odd start time, or a name chosen to resemble a system daemon.
4. Examining the system uptime
Uptime indicates how long the system has been running since the last reboot. If the uptime is only a few minutes, the system was rebooted recently, and the volatile data (processes, connections, memory contents) from before the reboot is gone. If the incident occurred before the beginning of the uptime period, volatile collection will not show the attacker's original activity, although it can still reveal persistence that survived the reboot. A reboot that the administrators did not perform is itself worth recording.
Examining the system user shell history
.bash_history (bash), .sh_history (ksh), .history (csh/tcsh), etc. -- these files record the commands the user ran in interactive shells. They are not tied to the last reboot: bash writes the file when a shell exits, so commands from a still-open session may not be in it yet, and an attacker can disable logging by unsetting HISTFILE or linking the file to /dev/null. An empty or symlinked history file is therefore itself a finding.
Path: /home/<username>/.bash_history (and /root/.bash_history)
Command: history (shows only the history of the shell you are running, so read the files directly for other users)

5. Listing out the open files in the system

Operating systems maintain a list of open files, which includes the user and process that opened each file, together with open sockets and devices. By examining this list (the lsof utility reports it on most UNIX-like systems), you can see what each process is actually reading, writing or listening on, so the nature and purpose of each process can be determined.

6. File system listings

ls -alR (modification time; -u lists access time and -c lists inode change time instead)
The MAC (modification, access, change) times play a major role in selecting the relevant files during the analysis part of the incident. Note that reading directories updates their access times, so take the listing after the volatile data and record when you ran it.
7. Passwords -- /etc/passwd, /etc/shadow, /etc/group: look for recently added accounts, for more than one account with UID 0, for login shells assigned to service accounts, and for password hashes changed since the last legitimate change.
8. Logged on users
> who
9. Current user
> whoami

10. Use "netstat -anp" to list all applications associated with open ports.

This command prints network connections, routing tables, interface statistics, masquerade connections and multicast memberships; -a includes listening sockets, -n suppresses name resolution, and -p shows the owning process (which requires root). On current Linux distributions netstat may be absent, and "ss -anp" gives the same information.
11. Route command

> netstat -rn

The native "netstat -rn" route command displays the current routing table and gateways for all routes on the suspicious computer. An unexpected default gateway or host route can indicate traffic being redirected through an attacker-controlled host.

13. Check DNS settings and the hosts file

For Linux, the /etc/resolv.conf file holds the DNS search suffixes and the assigned name servers. On a DHCP (Dynamic Host Configuration Protocol) system this file is rewritten by the DHCP client script, and on systems running a local stub resolver it only points at 127.0.0.1 or 127.0.0.53, so it may not show the servers actually in use; check both /etc/resolv.conf and /etc/hosts. Entries in /etc/hosts override DNS, which makes it a common place for an attacker to redirect update or security-vendor hostnames.
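The steps above are normally run one by one; as an added example (not part of the original guide), the POSIX sh script below collects the same artifacts in order of volatility into one evidence directory, hashes everything for a manifest, and applies the UID-0 check from step 7. The script name ir_collect.sh, the function names, and the sample passwd file are assumptions; every tool is optional, so a host without lsof, netstat or dpkg still produces a collection with the gaps recorded. Run it as root for complete results (shadow, lsof and netstat -p need it).

```shell
#!/bin/sh
# ir_collect.sh: volatile-data collection for steps 1-13 of the guide (added example).
# Assumes POSIX sh plus awk; every other tool is optional and a missing one is
# recorded in the evidence directory rather than aborting the collection.

# cap NAME CMD [ARGS...]  -> save CMD's output as $DEST/NAME.txt
cap() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$DEST/$name.txt" 2>&1 || true   # a non-zero exit is still evidence
    else
        echo "tool not found: $1" > "$DEST/$name.txt"
    fi
}

# cpf NAME PATH -> copy PATH (preserving its timestamps) if it is readable
cpf() {
    if [ -r "$2" ]; then
        cp -p "$2" "$DEST/$1"
    else
        echo "unreadable or absent: $2" > "$DEST/$1.missing"
    fi
}

# hash_file FILE -> "sha256  path" line using whichever hash tool is present
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -- "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 -- "$1"
    else echo "NOHASH  $1"
    fi
}

# extra_uid0_accounts PASSWD_FILE -> UID-0 accounts other than root (step 7)
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# collect_volatile DEST -> gather the artifacts, most volatile first
collect_volatile() {
    DEST=$1
    mkdir -p "$DEST"
    date -u > "$DEST/00_collected_at.txt"       # timestamp first, then volatile data
    cap uptime    uptime                        # step 4
    cap id        id                            # step 9 (uid, gid and groups)
    cap who       who                           # step 8
    cap ps        ps -elf                       # step 3
    cap lsof      lsof -nP                      # step 5, without name lookups
    cap netstat   netstat -anp                  # step 10
    cap ss        ss -anp                       # netstat replacement on newer Linux
    cap route     netstat -rn                   # step 11
    cap etc_ctime ls -lac /etc                  # step 6, inode change times of config
    cap packages  dpkg --get-selections         # step 1 (Debian-based only)
    cpf dpkg.log    /var/log/dpkg.log           # step 2
    cpf passwd      /etc/passwd                 # step 7
    cpf group       /etc/group
    cpf shadow      /etc/shadow
    cpf resolv.conf /etc/resolv.conf            # step 13
    cpf hosts       /etc/hosts
    extra_uid0_accounts /etc/passwd > "$DEST/extra_uid0.txt" 2>/dev/null || true
    # Shell histories: copy the files; `history` only shows the investigator's own shell.
    for h in /root /home/*; do
        [ -d "$h" ] || continue
        u=$(basename "$h")
        for f in .bash_history .sh_history .history; do
            [ -L "$h/$f" ] && echo "$h/$f is a symlink" >> "$DEST/history_symlinks.txt" || true
            [ -r "$h/$f" ] && cp -p "$h/$f" "$DEST/history_${u}_$f" || true
        done
    done
    # Manifest last, so it covers every file collected.
    : > "$DEST/MANIFEST.sha256"
    for f in "$DEST"/*; do
        case $f in */MANIFEST.sha256) continue ;; esac
        hash_file "$f" >> "$DEST/MANIFEST.sha256"
    done
}

# Constructed sample /etc/passwd (not from any real host) to exercise step 7:
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0::/var/tmp:/bin/sh
EOF

# Usage: sh ir_collect.sh --run [DEST]   (DEST defaults to ./ir-<host>-<UTC time>)
if [ "${1:-}" = "--run" ]; then
    collect_volatile "${2:-./ir-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}"
    echo "UID-0 accounts other than root: $(extra_uid0_accounts /etc/passwd)"
fi
```

Copy the evidence directory off the host together with MANIFEST.sha256 before doing any analysis; re-hashing the copy against the manifest later shows the collection was not altered. Against the constructed sample, extra_uid0_accounts reports svc_backup, the second UID-0 entry.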
