
Network 2 Time Line (N2TM) Linux volatile gathering tool

4050-581 Hieu Nguyen 11-8-2012 @1456

Overview
Obtaining volatile data
LSOF
N2TM features
Usage
Usefulness
Requirements
Demo
Challenges
Reference(s)
Questions

Obtaining volatile data

System date and time (date)
A list of the users who are currently logged on (who)
Time/date stamps for the entire file system (log2timeline)
A list of the systems that have current or recent connections to the system (last)
A list of currently running processes
A list of currently open sockets
The applications listening on open sockets
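The checklist above, run in order of volatility, as an added example (not N2TM's own code): each command writes to its own file, a tool that is not installed is recorded as missing instead of aborting the run, and a SHA-256 manifest is written at the end so the artifacts can be verified later. The function names (n2tm_collect, run_step) and the output-file layout are assumptions for illustration; the file-system timestamp pass (log2timeline) is deliberately left out because it is a slow disk-level walk, not live state.

```shell
#!/bin/sh
# Added example: volatile-data collector following the slide's checklist.
# Not part of N2TM; function names and file layout are assumptions.
set -u

# run_step NAME CMD [ARGS...] : run one collector command, save its output
# under $OUT_DIR/NAME.txt, and note tools that are absent on this host.
run_step() {
    _name=$1; shift
    _out="$OUT_DIR/$_name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$_out" 2>&1 || echo "# exit status $? for: $*" >>"$_out"
    else
        echo "# tool not available on this host: $1" >"$_out"
    fi
    # audit trail of what was run and when (UTC), most volatile first
    printf '%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$OUT_DIR/steps.log"
}

# n2tm_collect DIR : gather the volatile data into DIR, most volatile first.
n2tm_collect() {
    OUT_DIR=$1
    mkdir -p "$OUT_DIR" || return 1
    run_step date        date -u                                  # clock first
    run_step uptime      uptime
    run_step who         who                                      # logged-on users
    run_step processes   ps -eo pid,ppid,user,stat,lstart,args    # running processes
    run_step sockets     lsof -nP -i                              # open sockets + owners
    run_step listeners   ss -tulpn                                # listening services
    run_step last        last -a                                  # recent logins with hosts
    run_step arp         ip neigh                                 # neighbours seen on the wire
    run_step routes      ip route
    # hash every artifact so later analysis can show nothing was altered
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$OUT_DIR" && sha256sum ./*.txt) >"$OUT_DIR/manifest.sha256"
    else
        (cd "$OUT_DIR" && shasum -a 256 ./*.txt) >"$OUT_DIR/manifest.sha256"
    fi
    return 0
}
```

Run it as root (the Requirements slide) so lsof and ss can see every user's sockets; as an unprivileged user the files are still produced but only show that user's view.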


LSOF

A list of currently running processes
A list of currently open sockets
The applications listening on open sockets

N2TM features

Parses out all of the user's child processes
Lists all the IPv4/IPv6 addresses and sockets the user is currently using

Language:
o BASH and AWK

Error checking:
o Check for a valid user before processing

Usage
Current release:
n2tm -i [username]    # get the user's IPv4/IPv6 connections and sockets
n2tm -p [username]    # get all of the user's processes

Future release:
n2tm -ia all          # get all users' live IPv4/IPv6 addresses and sockets
n2tm -pa all          # get all users' running processes
n2tm -iw [username]   # write this user's IPv4/IPv6 connections to a CSV file
n2tm -pw [username]   # write this user's processes to a CSV file

Usefulness

Anti-malware: unexpected processes in a user's process tree
Anti malicious network activity: unexpected listeners or connections owned by a user
Script integration
o Output to CSV format (future release)
o Memory capture + n2tm
e.g., for user in $(who | cut -d" " -f1 | sort -u); do bash n2tm.sh -i "$user"; done
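What the LSOF, N2TM features, Usage and Usefulness slides describe, written as an added example in the same BASH/AWK style (this is not the project's own code): validate the user first, then reduce lsof and ps output to one CSV row per socket or process for that user, and loop the socket report over every logged-on user. The function names and the embedded sample output are constructed for illustration; the samples follow the column layout of `lsof -nP -i` and `ps -eo pid,ppid,user,comm` so the parsers run offline and reproducibly.

```shell
#!/bin/sh
# Added example in the style of N2TM (not the project's code). Function names
# and the sample data below are assumptions made for illustration.
set -u

# n2tm_valid_user NAME : the slide's "check for valid user before processing"
n2tm_valid_user() {
    id -u "$1" >/dev/null 2>&1
}

# Constructed sample of `lsof -nP -i`: COMMAND PID USER FD TYPE DEVICE
# SIZE/OFF NODE NAME [STATE]. Real runs pipe lsof output in instead.
n2tm_sample_lsof() {
    cat <<'EOF'
COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd    1234  root    3u IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd    1234  root    4u IPv6  12346      0t0  TCP *:22 (LISTEN)
sshd    2345  alice   4u IPv4  23456      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
nc      2400  alice   3u IPv4  23999      0t0  TCP *:4444 (LISTEN)
chrome  3456  bob    45u IPv6  34567      0t0  TCP [2001:db8::5]:50122->[2001:db8::1]:443 (ESTABLISHED)
dnsmasq  999  nobody  5u IPv4   9999      0t0  UDP 127.0.0.1:53
EOF
}

# Constructed sample of `ps -eo pid,ppid,user,comm`.
n2tm_sample_ps() {
    cat <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     systemd
  800     1 root     sshd
 2345   800 alice    sshd
 2350  2345 alice    bash
 2400  2350 alice    nc
 2401  2350 alice    python3
 3456     1 bob      chrome
EOF
}

# n2tm_user_sockets USER < lsof-output : the "-i" mode. One CSV row per
# socket: user,pid,command,proto,family,local,remote,state.
n2tm_user_sockets() {
    awk -v u="$1" 'NR > 1 && $3 == u {
        n = split($9, ep, "->")                  # NAME is local[->remote]
        remote = (n > 1) ? ep[2] : "-"
        state = ($10 ~ /^\(/) ? substr($10, 2, length($10) - 2) : "-"   # strip ( )
        printf "%s,%s,%s,%s,%s,%s,%s,%s\n", $3, $2, $1, $8, $5, ep[1], remote, state
    }'
}

# n2tm_user_procs USER < ps-output : the "-p" mode. Emits pid,ppid,user,comm
# for every process owned by USER plus every descendant of those processes,
# so a child that switched uid still shows up in the user's activity tree.
# Assumes comm has no spaces (use args with care if it can).
n2tm_user_procs() {
    awk -v u="$1" 'NR > 1 {
        n++; pid[n] = $1; ppid[n] = $2; owner[n] = $3; comm[n] = $4
        if ($3 == u) mark[$1] = 1
    }
    END {
        do {                                     # propagate marks down the tree
            changed = 0
            for (i = 1; i <= n; i++)
                if (!(pid[i] in mark) && (ppid[i] in mark)) { mark[pid[i]] = 1; changed = 1 }
        } while (changed)
        for (i = 1; i <= n; i++)
            if (pid[i] in mark) printf "%s,%s,%s,%s\n", pid[i], ppid[i], owner[i], comm[i]
    }'
}

# The "script integration" loop from the slide: a socket report for every
# logged-on user, skipping names that do not resolve to a real account.
n2tm_report_all() {
    who | awk '{ print $1 }' | sort -u | while read -r user; do
        n2tm_valid_user "$user" || { echo "skip invalid user: $user" >&2; continue; }
        lsof -nP -i 2>/dev/null | n2tm_user_sockets "$user"
    done
}
```

On the sample data, `n2tm_sample_lsof | n2tm_user_sockets alice` yields the established sshd session and the nc listener on *:4444, which is exactly the kind of row the Usefulness slide wants to surface; `n2tm_sample_ps | n2tm_user_procs alice` walks from alice's sshd down to bash, nc and python3.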


Requirements

OS(s)
o Linux/Unix
o Mac
Privilege
o root

Demo

http://code.google.com/p/network-2-timeline/


Challenges
"Problems cannot be solved by the same level of thinking that created them." - Albert Einstein

Reference(s)

man lsof


Questions?
