92 Chapter 10. Incident Response

This command creates a single file named image1 using a 1k block size for speed. The conv=noerror,sync options force dd to continue reading and dumping data even if bad sectors are encountered on the suspect drive. It is now possible to study the resulting image file or even attempt to recover deleted files.

10.4.2. Gathering Post-Breach Information

The topic of digital forensics and analysis itself is quite broad, yet the tools are mostly architecture specific and cannot be applied generically. However, incident response, analysis, and recovery are important topics. With proper knowledge and experience, Red Hat Enterprise Linux can be an excellent platform for performing these types of analysis, as it includes several utilities for performing post-breach response and restoration.

Table 10-1 details some commands for file auditing and management. It also lists some examples that can be used to properly identify files and file attributes (such as permissions and access dates) to allow the collection of further evidence or items for analysis. These tools, when combined with intrusion detection systems, firewalls, hardened services, and other security measures, can help reduce the amount of potential damage when an attack occurs.

Note
For detailed information about each tool, refer to their respective man pages.

Table 10-1

Command: dd
Function: Creates a bit-image copy (or disk dump) of files and partitions. Combined with a check of the md5sums of each image, administrators can compare a pre-breach image of a partition or file with a breached system to see if the sums match.
Example: dd if=/bin/ls of=ls.dd |md5sum ls.dd >ls-sum.txt

Command: grep
Function: Finds useful string (text) information inside files and directories as well as reveals permissions, script changes, file attributes, and more. Used mostly as a piped command for commands like ls, ps, or ifconfig.
Example: ps auxw |grep /bin

Command: strings
Function: Prints the strings of printable characters within a file. It is most useful for auditing executables for anomalies such as mail commands to unknown addresses or logging to a non-standard log file.
Example: strings /bin/ps |grep 'mail'
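The imaging command from Section 10.4.1 and the dd and strings rows of Table 10-1, carried through end to end as an added example; this is not the guide's own code. It assumes a temporary working directory from mktemp, a constructed file standing in for a suspect drive such as /dev/hda, two constructed binaries (ps-suspect and ps-clean) in place of a real /bin/ps, a placeholder address in the reserved .invalid domain, and falls back to a tr/grep filter when the binutils strings command is not installed.

```shell
#!/bin/sh
# Added example, not from the RHEL 3 Security Guide: image a suspect device
# with dd (section 10.4.1), record and verify its md5sum (Table 10-1, dd row),
# and audit a binary for suspicious printable strings (Table 10-1, strings row).
# Every path and all sample data below are constructed so the script runs
# offline inside a temporary directory.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for a suspect drive such as /dev/hda: a small file with a
# fake filesystem header, a fragment of a "deleted" file, and zero-filled space.
SUSPECT="$WORK/suspect.dev"
{
  printf 'FAKEFS header\n'
  printf 'deleted-note: meeting at 0900\n'
  head -c 4096 /dev/zero
} > "$SUSPECT"

# Constructed binaries for the strings audit: one carrying an embedded mail
# command (the anomaly the guide describes) and one without it. The address
# uses the reserved .invalid domain as a placeholder.
TROJANED="$WORK/ps-suspect"
{ head -c 64 /dev/zero; printf '/bin/mail -s report user@example.invalid'; head -c 64 /dev/zero; } > "$TROJANED"
CLEAN="$WORK/ps-clean"
{ head -c 64 /dev/zero; printf 'Usage: ps [options]'; head -c 64 /dev/zero; } > "$CLEAN"

# 10.4.1: bit-for-bit image with a 1k block size. conv=noerror keeps dd reading
# past a read error; conv=sync pads any short (unreadable or final) block with
# zeros to a full 1k, so offsets in the image stay aligned with the device.
# The image's md5sum is recorded beside it for later comparison.
image_device() {   # $1 = device or file to image, $2 = output image path
  dd if="$1" of="$2" bs=1k conv=noerror,sync 2>/dev/null
  md5sum "$2" | awk '{print $1}' > "$2.md5"
}

# Table 10-1, dd row: compare a recorded (pre-breach) sum against the object's
# current sum. Exit status 0 means they match, 1 means the object changed.
verify_sum() {     # $1 = file to check, $2 = file holding the recorded md5
  [ "$(md5sum "$1" | awk '{print $1}')" = "$(cat "$2")" ]
}

# Table 10-1, strings row: list printable strings of four or more characters.
# Uses binutils' strings when installed, otherwise an equivalent tr/grep filter.
extract_strings() { # $1 = file to scan
  if command -v strings >/dev/null 2>&1; then
    strings "$1"
  else
    tr -c '[:print:]\n' '\n' < "$1" | grep -E '.{4,}'
  fi
}

# Number of extracted strings matching a pattern (e.g. 'mail'); prints 0 when
# nothing matches instead of failing, so callers can compare the count.
count_matches() {  # $1 = file to scan, $2 = grep pattern
  extract_strings "$1" | grep -c -- "$2" || true
}

# Run the procedure against the constructed inputs.
image_device "$SUSPECT" "$WORK/image1"
echo "image1 is $(wc -c < "$WORK/image1") bytes (input padded to whole 1k blocks)"
verify_sum "$WORK/image1" "$WORK/image1.md5" && echo "image1: md5sum matches the recorded value"
echo "strings audit: $(count_matches "$TROJANED" mail) mail string(s) in ps-suspect, $(count_matches "$CLEAN" mail) in ps-clean"
echo "recovered from raw image: $(extract_strings "$WORK/image1" | grep deleted-note)"
echo "working directory: $WORK (left in place for inspection)"
```

Two details matter in practice: the recorded sum must be taken from a known-good copy before the incident (or from the image itself immediately after acquisition) and stored off the suspect system, and the image should be hashed again before and after any analysis so a mismatch exposes accidental modification. The padded image size shows why conv=sync is used: an unreadable 1k block becomes 1k of zeros rather than a silent gap that would shift every later offset.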