
12. Incident Response: Investigating UNIX System


Finding the installed software in the system
By listing every installed package we can identify software the attacker installed or abused (scanners, tunnelling tools, rootkit components) and tie it to the incident timeline.
Commands used:
1. Displays the list of installed software (Debian/Ubuntu and other dpkg-based systems; on RPM-based systems the equivalent is rpm -qa)
 dpkg --get-selections
The output is the full list of installed packages, one per line with its selection state (install, deinstall, hold, purge); its size depends on how many packages are installed. Compare it against a known-good build or a clean host of the same role to spot additions.

2. Package Installation details

 /var/lib/dpkg/status Contains details (version, state, dependencies, maintainer) about every installed package
 /var/log/dpkg.log Records each install, upgrade and removal with a timestamp; older entries are rotated into /var/log/dpkg.log.1 and dpkg.log.*.gz, so include those when the incident is not recent.
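As an added example (not taken from the original page), the POSIX shell function below pulls the package changes that fall inside an incident window out of /var/log/dpkg.log. The sample log it runs on is constructed for the example (package names, versions and timestamps are made up) but follows the real dpkg.log line layout.

```shell
#!/bin/sh
# Added example, not from the original page: pull the package changes that
# fall inside an incident window out of /var/log/dpkg.log.
# SAMPLE_LOG is constructed for the example (names, versions and timestamps
# are made up) but follows the real dpkg.log line layout:
#   DATE TIME ACTION PACKAGE:ARCH OLD-VERSION NEW-VERSION
# where ACTION is install, upgrade, remove or purge, and "<none>" marks a
# version that does not exist (no old version on a fresh install).

SAMPLE_LOG=$(cat <<'EOF'
2024-03-09 08:12:01 startup archives unpack
2024-03-09 08:12:02 install libcap2:amd64 <none> 1:2.66-4
2024-03-09 08:12:03 status installed libcap2:amd64 1:2.66-4
2024-03-11 23:41:17 startup archives unpack
2024-03-11 23:41:18 install nmap:amd64 <none> 7.93+dfsg1-1
2024-03-11 23:41:19 status half-installed nmap:amd64 7.93+dfsg1-1
2024-03-11 23:41:20 status installed nmap:amd64 7.93+dfsg1-1
2024-03-11 23:42:05 install netcat-openbsd:amd64 <none> 1.219-1
2024-03-11 23:42:06 status installed netcat-openbsd:amd64 1.219-1
2024-03-12 01:05:30 upgrade curl:amd64 7.88.1-10 7.88.1-10+deb12u5
2024-03-12 01:05:31 remove libfoo:amd64 1.0-1 <none>
EOF
)

# changes_between LOGTEXT START END [ACTION]
# Prints "DATE TIME ACTION PACKAGE OLD -> NEW" for every dpkg action whose
# timestamp lies in [START, END]. ACTION defaults to "install" (fresh
# installs only); pass "any" to include upgrades, removals and purges.
# The window bounds are compared as strings, which is safe because dpkg
# writes timestamps as YYYY-MM-DD HH:MM:SS, so lexical order is
# chronological. "status" and "startup" lines are skipped.
changes_between() {
    printf '%s\n' "$1" | awk -v start="$2" -v end="$3" -v want="${4:-install}" '
        $3 == "install" || $3 == "upgrade" || $3 == "remove" || $3 == "purge" {
            ts = $1 " " $2
            if (ts >= start && ts <= end && (want == "any" || want == $3))
                print $1, $2, $3, $4, $5 " -> " $6
        }'
}

# Against a live host, feed the current log and its rotated copies:
#   changes_between "$(cat /var/log/dpkg.log /var/log/dpkg.log.1 2>/dev/null)" \
#       "2024-03-11 00:00:00" "2024-03-12 00:00:00"
changes_between "$SAMPLE_LOG" "2024-03-11 00:00:00" "2024-03-12 00:00:00"
```

Run as-is it prints only the two fresh installs from the night of 11 March (nmap and netcat-openbsd); the libcap2 install two days earlier and the later curl upgrade are outside the window. Pass "any" as the fourth argument to see removals too, since an attacker cleaning up is as interesting as one installing.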
3. Examining the running processes in the system
All UNIX-like systems offer the ps command for displaying currently running processes; "ps -elf" is the System V form (on BSD-derived systems "ps aux" gives the equivalent listing). Let's look at the command usage now.

 ps -elf
Reports a snapshot of the current processes in long listing format, including the user ID, process ID, parent process ID, start time and full command line. Look for processes with an unexpected parent (a shell spawned by a web server or database), names that mimic system daemons, and binaries running from /tmp, /dev/shm or a user's home directory.
4. Examining the system uptime

 uptime
Uptime indicates how long the system has been running since the last reboot, and it decides how much volatile data is worth collecting. If uptime is only a few minutes, the system was rebooted recently and the processes, connections and memory contents from the time of the incident are already gone, so volatile collection will tell you little. Likewise, if the security incident occurred before the current uptime period began, the evidence must come from on-disk artefacts (logs, file timestamps, package records) rather than from the running state.
Examining the system user shell history
.bash_history (bash), .sh_history (ksh), .history (csh/tcsh), etc. record the interactive commands a user has run. The file persists across reboots, but by default bash only writes it when the shell exits, so commands from a session that is still open (or from a shell killed with SIGKILL) are not yet in the file, and an attacker can disable logging (unset HISTFILE, HISTSIZE=0) or truncate the file. An empty or missing history for an account that clearly logged in is itself a finding.
Path: /home/<username>/.bash_history (and /root/.bash_history for root)
Command: history (shows only the current shell's session; read the files directly for other users)

5. Listing out the open files in the system

 lsof -n -P
Operating systems maintain a list of open files, which includes the user and process that opened each file; on UNIX this also covers sockets and devices, since those are files too. By examining this list, the nature and purpose of each process can be determined: a process holding a deleted file open, a listener on an unexpected port, or a shell whose standard input is attached to a network socket all stand out here. The -n and -P flags suppress host and port name lookups, which keeps the run fast and avoids generating DNS traffic from the compromised host.

6. File System Listings

 ls -alR   (shows the modification time, mtime)
 ls -alRu  (shows the last access time, atime)
 ls -alRc  (shows the inode change time, ctime)
The MAC (modified, accessed, changed) times play a major role in collecting relevant files in the analysis part of the incident: files created or modified around the time of the incident, or system binaries whose ctime is newer than the date their package was installed, are the first candidates for examination. Note that atime is often not updated on modern mounts (relatime, noatime), and that an attacker can reset mtime and atime with touch, whereas ctime cannot be set from user space without changing the system clock.
7. Passwords -- /etc/passwd, /etc/shadow, /etc/group: look for added accounts, a second account with UID 0, service accounts that have gained a login shell, empty or recently changed password hashes, and new members of privileged groups (sudo, wheel, adm).
8. Logged-on users
> who
(w additionally shows what each session is running; last shows earlier logins recorded in /var/log/wtmp.)
9. Current user
> whoami

10. Use "netstat -anp" to list all applications associated with open ports.

> netstat -anp

netstat prints network connections, routing tables, interface statistics, masquerade connections and multicast memberships. Here -a includes listening sockets, -n suppresses name resolution (faster, and it avoids reverse-DNS lookups that leave traces at the resolver), and -p shows the owning process, which requires root to see other users' processes. On current Linux distributions netstat is often not installed; "ss -anp" gives the same information.
11. Route Command

> netstat -rn

The native "netstat -rn" route command displays the current routing table and gateways for all routes on the suspicious computer ("route -n" and "ip route show" are equivalent). A changed default gateway or an added host route can mean traffic is being redirected through an attacker-controlled machine.

13. Check DNS settings and the hosts file

For Linux, the /etc/resolv.conf file holds the DNS search suffixes and the assigned name servers. On a DHCP (Dynamic Host Configuration Protocol) system this file is rewritten by the DHCP client script, or may only point at a local stub resolver (systemd-resolved at 127.0.0.53), so the entries it shows may not be the servers actually in use; check both /etc/resolv.conf and /etc/hosts. Name servers that do not belong to the organisation, or /etc/hosts entries that map update or security-vendor hostnames to unexpected addresses, are signs of redirection. /etc/hosts is consulted before DNS, which makes it a favourite place to pin a name to an attacker's address.
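The steps above, as a single collection script added here as an example (it is not part of the original page): it runs the commands in the order given, volatile state first, copies the files named in steps 2, 7 and 13 with their timestamps preserved, and writes a SHA-256 manifest at the end. Tool names are the ones used in the text plus the modern equivalents (ss, ip route); the evidence path /mnt/evidence in the usage line is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page: a small volatile-data
# collection script for a Debian/Ubuntu host that follows the steps above.
# Each command's output lands in its own file under a per-run directory,
# named files are copied with cp -p, and a SHA-256 manifest is written last
# so the collection can be verified later. Tools missing on the host (netstat
# is often absent on current distributions, hence ss and ip alongside it) are
# recorded rather than aborting the run. Run it as root, from a trusted copy
# of the tools if the host's own binaries may have been replaced.

# collect OUTDIR NAME COMMAND [ARGS...]
# Saves stdout and stderr of COMMAND to OUTDIR/NAME.txt. Writes NAME.missing
# if the tool is not installed and NAME.failed (with the exit status) if it
# ran but failed. Always returns 0 so one bad tool never stops the run.
collect() {
    c_dir=$1; c_name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s not found on this host\n' "$1" > "$c_dir/$c_name.missing"
        return 0
    fi
    "$@" > "$c_dir/$c_name.txt" 2>&1 ||
        printf 'exit status %s\n' "$?" > "$c_dir/$c_name.failed"
    return 0
}

# uid0_accounts PASSWD_FILE
# Quick check for step 7: every account with UID 0 other than root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# manifest OUTDIR
# Hashes every collected file into OUTDIR/SHA256SUMS and prints the number
# of files hashed. Falls back to shasum where sha256sum is absent.
manifest() {
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher="shasum -a 256"; fi
    (cd "$1" && find . -maxdepth 1 -type f ! -name SHA256SUMS -exec $hasher {} + > SHA256SUMS)
    awk 'END { print NR }' "$1/SHA256SUMS"
}

# run_collection BASEDIR
# Executes the steps from the text: volatile state first, because every
# command run afterwards changes it, then the on-disk artefacts.
run_collection() {
    out="$1/ir-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$out"
    date -u > "$out/collection_start_utc.txt"
    collect "$out" uptime    uptime                    # step 4
    collect "$out" ps        ps -elf                   # step 3
    collect "$out" lsof      lsof -n -P                # step 5
    collect "$out" netstat   netstat -anp              # step 10
    collect "$out" ss        ss -anp                   # same data on modern Linux
    collect "$out" routes    netstat -rn               # step 11
    collect "$out" ip_route  ip route show
    collect "$out" who       who                       # step 8
    collect "$out" whoami    whoami                    # step 9
    collect "$out" packages  dpkg --get-selections     # step 1
    # Steps 2, 7 and 13: copy the files themselves, timestamps preserved.
    for f in /var/lib/dpkg/status /var/log/dpkg.log /etc/passwd /etc/shadow \
             /etc/group /etc/resolv.conf /etc/hosts; do
        [ -r "$f" ] && cp -p "$f" "$out/$(printf '%s' "$f" | tr / _)"
    done
    [ -r /etc/passwd ] && uid0_accounts /etc/passwd > "$out/uid0_accounts.txt"
    # Shell history for root and every home directory (read the files; the
    # history builtin only shows the current shell).
    for h in /root /home/*; do
        for hist in .bash_history .sh_history .history .zsh_history; do
            [ -f "$h/$hist" ] && cp -p "$h/$hist" "$out/$(basename "$h")$hist"
        done
    done
    # Step 6: recursive listings with each of the MAC times, limited to the
    # directories most worth a first look; widen to / if time allows.
    for d in /etc /bin /sbin /usr /var /tmp /dev/shm /root /home; do
        [ -d "$d" ] || continue
        tag=$(printf '%s' "$d" | tr / _)
        collect "$out" "ls_mtime$tag" ls -alR "$d"
        collect "$out" "ls_atime$tag" ls -alRu "$d"
        collect "$out" "ls_ctime$tag" ls -alRc "$d"
    done
    date -u > "$out/collection_end_utc.txt"
    printf '%s files hashed into %s/SHA256SUMS\n' "$(manifest "$out")" "$out"
}

# Usage (as root, evidence path is an assumption): run_collection /mnt/evidence
```

Keep the script and the output directory on removable or network storage rather than on the suspect disk, so the collection itself overwrites as little as possible; the manifest lets you show later that the files have not changed since they were gathered.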
