Linux Process Forensics
The environment of a Linux process lets an analyst extract useful information: the commands and directories that were used, the user, system variables, the SSH connection the process was started from, and so on.
The SSH information kept in a process environment is especially valuable, since it reveals the IP address from which the access took place; together with the timestamps on the process's /proc entries it also tells when.
Do not kill a suspicious process before collecting this data: once the process exits, its /proc entries disappear, and with them the environment, the open file descriptors and the (possibly already deleted) binary.
/proc/<pid>/environ
With the PID of the process we can read its environment from /proc/<pid>/environ (a NUL-separated list of NAME=value pairs, which is why strings is used on it below).
What is interesting for the analyst?
- Anti-forensic settings (for example HISTSIZE=0)
- The source IP of the SSH session
- Environment variables in general
Script for Process Forensics Analysis
Process
- On the victim we list the existing processes:
ps auxww
We look for processes that are strange or do not belong to the system.
- We check the system ports (listening sockets and connections):
netstat -nalp | more
Among the active Internet connections we look for the ports established by the strange processes; for the process that interests us, we note the PID.
- We extract the process environment:
strings /proc/<pid>/environ
- HISTSIZE=0 (or HISTFILE unset or pointing to /dev/null) can indicate an anti-forensic action: the shell keeps no command history.
- SSH_CONNECTION holds the client IP and port followed by the server IP and port.
- SSH_CLIENT holds the client IP, the client port and the server port.
- Find automatically all processes whose environment contains SSH_CLIENT, i.e. that were started from an SSH session:
find /proc -maxdepth 2 -name environ -type f 2>/dev/null | xargs grep -l "SSH_CLIENT" 2>/dev/null
- Obtain the /proc listing for the suspicious process ID:
ls -al /proc/<pid>
- The cwd symlink gives the current working directory.
- The exe symlink shows whether the binary has been deleted (the link target ends in "(deleted)").
- The timestamp of the /proc/<pid> directory can serve to know when the process was created.
- Recover the Linux malware binary. While the process is running, a deleted binary can still be recovered through the exe link:
cp /proc/<pid>/exe ./recovered
- Calculate the hash of the obtained binary, compare it with known system binaries, or submit it to VirusTotal:
sha1sum /bin/nc
sha1sum ./recovered
- Explore the malware command line. The full command line is stored under /proc/<pid>/cmdline (the arguments are NUL-separated) and the command name is shown under /proc/<pid>/comm.
- Know the open file descriptors, to discover hidden files, directories and sockets that the malware may be using:
ls -al /proc/<pid>/fd
- Linux process maps. Shows the libraries the malware has loaded and the other files it has mapped:
cat /proc/<pid>/maps
- Process stack (the kernel-side stack; reading it requires root):
cat /proc/<pid>/stack
It can reveal more details, for example the system call the process is blocked in.
- Malware status. Process details such as the parent PID, UIDs, memory usage and so on:
cat /proc/<pid>/status
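The steps above, gathered into one script, as an added example. This is not the page's process_forensics.sh (whose source is not shown); the function names, the mapping of the "path" column to cwd and "oldpath" to OLDPWD, and the sample environ content are assumptions made here.

```shell
#!/bin/sh
# Added example: a minimal /proc-based extractor producing the record format
# pid|command|path|oldpath|args|sha1|ipsrc|portsrc|ipdst|portdst
# Assumptions: "path" is the cwd link, "oldpath" is the OLDPWD variable.

# env_var FILE NAME: print NAME's value from a NUL-separated environ file
# (empty output when the variable is absent).
env_var() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# ssh_fields "VALUE": split an SSH_CONNECTION value ("cip cport sip sport")
# into "cip|cport|sip|sport"; an absent variable yields "|||".
ssh_fields() {
    set -- $1
    printf '%s|%s|%s|%s\n' "${1:-}" "${2:-}" "${3:-}" "${4:-}"
}

# proc_record PID: one record for a live process. Everything is read through
# /proc, so it also works when the binary on disk has been deleted.
proc_record() {
    pid=$1
    d=/proc/$pid
    [ -r "$d/environ" ] || return 1
    comm=$(cat "$d/comm" 2>/dev/null)
    cwd=$(readlink "$d/cwd" 2>/dev/null)
    oldpwd=$(env_var "$d/environ" OLDPWD)
    # cmdline is NUL separated; turn the separators into spaces
    args=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | sed 's/ $//')
    # hash via the exe magic link, which still opens a deleted binary
    sha1=$(sha1sum "$d/exe" 2>/dev/null | cut -d' ' -f1)
    ssh=$(ssh_fields "$(env_var "$d/environ" SSH_CONNECTION)")
    printf '%s|%s|%s|%s|%s|%s|%s\n' \
        "$pid" "$comm" "$cwd" "$oldpwd" "$args" "$sha1" "$ssh"
}

# ssh_processes: every process whose environment carries SSH_CLIENT, i.e.
# that was started from an SSH session, as one record per line.
ssh_processes() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        if grep -q "SSH_CLIENT" "$d/environ" 2>/dev/null; then
            proc_record "$pid"
        fi
    done
}

# Usage on the suspect host, as root:  sh proc_forensics.sh --all > extract.txt
if [ "${1:-}" = "--all" ]; then
    echo 'pid|command|path|oldpath|args|sha1|ipsrc|portsrc|ipdst|portdst'
    ssh_processes
fi
```

Run it as root, since /proc/<pid>/environ and /proc/<pid>/exe of other users' processes are not readable otherwise; processes whose environ grep cannot read are silently skipped, so an empty result on a non-root run means nothing.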
Example extraction with process_forensics.sh: extract.txt
In this example the processes were executed through a local SSH session... it is not a good example ;-(
pid|command|path|oldpath|args|sha1|ipsrc|portsrc|ipdst|portdst
2515|bash|||-bash|59fea2c26edbbab48daaf73e7cd16ebc47475e83|127.0.0.1|51144|127.0.0.1|22
4423|x7|/tmp|/home/emanon/Documentos/process_forensics|./x7-vv-k-w1 l31337|17e5fc46c25360bed448927dd76548a122517d46|127.0.0.1|51144|127.0.0.1|22