GitBook: [master] one page modified

CPol 2020-12-25 20:14:31 +00:00 committed by gitbook-bot
parent 51a9045b16
commit c70d8d39d5
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 23 additions and 0 deletions

@ -27,6 +27,29 @@ cat /etc/passwd #Unexpected data?
cat /etc/shadow #Unexpected data?
```
## Memory Dump
In order to obtain the memory of the running system it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).
In order to **compile** it you need to use the **exact same kernel** the victim machine is using.
{% hint style="info" %}
Remember that you **cannot install LiME or any other thing** in the victim machine it will make several changes to it
{% endhint %}
So, if you have an identical version of Ubuntu you can use `apt-get install lime-forensics-dkms`
In other cases you need to download [**LiME**](https://github.com/504ensicsLabs/LiME) from github can compile it with correct kernel headers:
```bash
make -C /lib/modules/<kernel version>/build M=$PWD
sudo insmod lime.ko "path=/home/sansforensics/Desktop/mem_dump.bin format=lime"
```
LiME supports 3 formats:
* Raw \(every segment concatenated together\)
* Padded \(same as raw, but with zeroes in right bits\)
* Lime \(recommended format with metadata
## Search for known Malware
### Modified System Files
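Review bot: the `apt-get install lime-forensics-dkms` line and the `sudo insmod lime.ko` line read as if they are run on the victim machine, which contradicts the hint two lines earlier that nothing may be installed there; suggest stating explicitly that the package install (or the `make -C /lib/modules/<kernel version>/build M=$PWD` step) happens on an analyst machine running the identical kernel, that only the resulting `lime.ko` is carried over, and that loading the module is itself a small, unavoidable change to the live system, so the hint should say "minimize changes" rather than "cannot install LiME or any other thing". Also, `path=/home/sansforensics/Desktop/mem_dump.bin` writes the dump onto the victim's own disk, overwriting unallocated space that may still hold evidence; point the path at removable or network-mounted storage instead. Minor: "from github can compile it" should read "from GitHub and compile it", "Padded \(same as raw, but with zeroes in right bits\)" needs a clearer description of what is padded, and the last bullet is missing its closing parenthesis ("Lime \(recommended format with metadata\)").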