-
1
Linux forensics lab setup
{"step":1,"title":"Linux forensics lab setup","description":"Prepare a forensic workstation on Ubuntu 22.04 or the SANS SIFT Workstation. Install the tools: sleuthkit, plaso, volatility3, autopsy, binwalk, foremost, scalpel. Build a vulnerable Ubuntu target VM running SSH, an Apache web server and MySQL. Simulate a compromise: create a backdoor user with sudo rights, deploy a PHP webshell under \/var\/www, install a cron job for persistence. Snapshot the VM before the compromise so you have ground truth to compare against. Write up the incident scenario in detail for reference during the analysis."}
-
2
Live response toolkit preparation
{"step":2,"title":"Live response toolkit preparation","description":"Prepare a USB stick with statically compiled binaries: busybox-static plus statically linked netstat, lsof, ps and awk. Write a collect.sh that runs, most volatile first: date, hostname, uname -a, uptime, who, w, last, lsmod, ps auxf, netstat -anp, ss -anp, lsof, find \/ -mtime -7 -ls (recently modified files), cat \/etc\/passwd \/etc\/shadow \/etc\/sudoers, and a listing of \/var\/log. Mount the toolkit USB read-only and run the tools from it, with its bin directory first in PATH so possibly trojaned system binaries are not used. Write the output to a separate writable destination (a second USB or a netcat listener on the workstation), never to the target disk: a read-only mount cannot receive output. Hash every output file with sha256sum. Test the toolkit on the lab VM and confirm it works without significantly modifying the target (the find walk updates directory access times; record that in your notes)."}
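Added example (mine, not the page's own collect.sh): a collect.sh that runs the list above in order of volatility, logs missing tools and failures instead of aborting, and ends with a SHA-256 manifest; verify re-checks that manifest on the workstation. Assumed layout: the read-only toolkit USB at /mnt/toolkit/bin (overridable), a separate writable output directory, and an optional FIND_ROOT variable to limit the find walk.

```shell
#!/bin/sh
# collect.sh: volatile-data collection for Linux live response (added example
# for this guide, not the page's own script). Assumed layout: the toolkit USB
# is mounted read-only and its static binaries live in TOOLSDIR; OUTDIR is a
# separate writable location (second USB or a network share), never the
# target's own disk. Each command writes its own file, every failure or
# missing tool is recorded in collect.log, and a SHA-256 manifest is written
# last so the bundle can be verified on the workstation.

# run_cmd NAME CMD...: run one collector if the tool exists; never abort.
run_cmd() {
    name=$1; shift
    printf '[%s] %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$*" >>"$OUT/collect.log"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$OUT/$name.txt" 2>>"$OUT/collect.log" ||
            printf '  exit status %s for %s\n' "$?" "$name" >>"$OUT/collect.log"
    else
        printf '  missing tool: %s\n' "$1" >>"$OUT/collect.log"
    fi
}

# collect OUTDIR [TOOLSDIR]: order of volatility, most volatile first.
# FIND_ROOT (default /) limits the recently-modified-files walk; the walk
# updates directory atimes, which is accepted and noted in collect.log.
collect() {
    OUT=$1
    TOOLS=${2:-/mnt/toolkit/bin}
    PATH="$TOOLS:$PATH"; export PATH
    mkdir -p "$OUT"
    printf 'toolkit=%s find_root=%s (find updates directory atimes)\n' \
        "$TOOLS" "${FIND_ROOT:-/}" >"$OUT/collect.log"
    run_cmd date      date -u
    run_cmd hostname  hostname
    run_cmd uname     uname -a
    run_cmd uptime    uptime
    run_cmd who       who
    run_cmd w         w
    run_cmd last      last
    run_cmd lsmod     lsmod
    run_cmd ps        ps auxf
    run_cmd netstat   netstat -anp
    run_cmd ss        ss -anp
    run_cmd lsof      lsof -n -P
    run_cmd recent    find "${FIND_ROOT:-/}" -xdev -mtime -7 -ls
    run_cmd passwd    cat /etc/passwd
    run_cmd shadow    cat /etc/shadow
    run_cmd sudoers   cat /etc/sudoers
    run_cmd varlog    ls -la --time-style=full-iso /var/log
    # Hash everything; the manifest is what the chain-of-custody form cites.
    ( cd "$OUT" && sha256sum -- *.txt collect.log >MANIFEST.sha256 )
}

# verify OUTDIR: re-check the manifest after transfer to the workstation.
verify() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

if [ "$#" -gt 0 ]; then collect "$@"; fi
```

Run it as sh collect.sh /mnt/output /mnt/toolkit/bin on the target; on the workstation source the script and call verify on the copied directory. A missing tool only leaves a line in collect.log, it never stops the run, so the log is part of the evidence and says exactly what was and was not captured.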
-
3
Memory acquisition with AVML
{"step":3,"title":"Memory acquisition with AVML","description":"Download the pre-built AVML binary from the Microsoft GitHub releases page; it is statically linked and needs no kernel module. Transfer it to the target over a secure channel or by USB. On the target run: sudo .\/avml \/mnt\/external\/memory.lime. AVML tries \/dev\/crash, \/proc\/kcore and \/dev\/mem in turn and uses the first source that works. The output is in LiME format and roughly the size of physical RAM (the --compress option shrinks it, but the file must then be converted with avml-convert before Volatility can read it). Hash immediately: sha256sum memory.lime > memory.lime.sha256. Copy to the forensic workstation and verify that the hash matches. Document the acquisition: start and end time, tool version, target system info, hash value."}
-
4
Fallback memory acquisition with LiME
{"step":4,"title":"Fallback memory acquisition with LiME","description":"If AVML fails (for example \/proc\/kcore is missing or restricted on an older kernel), use LiME. Fetch the source: git clone https:\/\/github.com\/504ensicsLabs\/LiME. Build it on a clean system with the identical kernel version and headers, or on the target itself only if unavoidable, since compiling there writes to the evidence disk: cd src, make. The output is lime-<kernel release>.ko. Transfer the module to the target and load it: insmod lime.ko path=\/mnt\/external\/memory.lime format=lime (LiME can also stream to the workstation with path=tcp:<port>). Unload immediately afterwards: rmmod lime. Hash the output. This route needs matching kernel headers and is more involved than AVML, but it works on legacy kernels."}
-
5
Volatility 3 setup and symbol (ISF) generation
{"step":5,"title":"Volatility 3 setup and symbol (ISF) generation","description":"Install Volatility 3 on the forensic workstation: pip install volatility3. Linux memory analysis needs an ISF symbol file matching the exact kernel build. Volatility does not ship symbols for arbitrary Linux kernels, so look for a prebuilt ISF for your distribution kernel in the community symbol repositories, otherwise generate one with dwarf2json from the kernel debug symbols (the vmlinux with DWARF information from the distribution dbgsym or debuginfo package, plus System.map): dwarf2json linux --elf vmlinux --system-map System.map > kernel.json. Place the ISF under volatility3\/symbols\/linux\/ or pass its directory with -s. Test: vol -f memory.lime banners.Banners prints the Linux version banner found in the dump, and vol isfinfo.IsfInfo lists the banner of each available ISF. Confirm they match before starting the deeper analysis."}
-
6
Memory analysis of running processes
{"step":6,"title":"Memory analysis of running processes","description":"Run the process list plugin: vol -f memory.lime linux.pslist.PsList. The output lists PID, PPID and command name for every task structure. Cross-reference it with the live ps capture: a process in memory but not in the live listing points to a rootkit hiding it, or to tampering with the memory image (allow for short-lived processes, because the two snapshots were taken at different moments). linux.psaux.PsAux shows the full command line. Look for anomalies: a shell spawned as a child of the web server (webshell indicator), a process with no backing file on disk (memory-resident malware), an unusual user context. linux.bash.Bash recovers bash history from process memory even when HISTFILE was disabled."}
-
7
Network connection analysis from memory
{"step":7,"title":"Network connection analysis from memory","description":"linux.sockstat.Sockstat lists open sockets including network connections: PID, file descriptor, protocol, local and remote address. Identify suspicious connections: outbound to a non-corporate IP (reverse shell or C2 callback), an unexpected listening port on a workstation (bind shell), an unusual destination port. Compare with the live netstat output: a userland rootkit can hide connections from netstat by hooking libc, while memory analysis reads the kernel socket structures directly. Look the destination IPs up in threat intelligence (VirusTotal, AbuseIPDB) for context."}
-
8
Kernel module rootkit detection
{"step":8,"title":"Kernel module rootkit detection","description":"linux.lsmod.Lsmod lists the loaded modules. Compare against a known-good baseline for the distribution: extra modules are suspicious. linux.check_modules.Check_modules compares the kernel module list with the entries under \/sys\/module: a rootkit can unlink itself from the list that lsmod reads while its sysfs kobject and code remain, and that discrepancy gives it away. linux.hidden_modules.Hidden_modules carves memory for module structures that are not on the list at all. linux.malfind.Malfind flags process memory ranges that are writable and executable at the same time (normally code is RX and data RW): injecting code into a legitimate process is a common technique."}
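The cross-checks in steps 6 to 8 (live ps against linux.pslist, live lsmod against linux.lsmod, shells under the web server) as an added example that is not part of the page or of Volatility. It works on saved tool output, so nothing here needs the memory image itself; the column layouts and the sample listings it writes are assumptions, stated in the comments.

```shell
#!/bin/sh
# hidden.sh: cross-check live-response output against Volatility 3 output to
# find what the running system did not report. Added example for this guide,
# not code from the Volatility project. Column layout assumed: `ps aux`
# (PID in column 2, header first), `lsmod` (name in column 1),
# linux.pslist.PsList (OFFSET PID TID PPID COMM, offsets printed as 0x...),
# linux.lsmod.Lsmod (Offset Name Size). The listings written by make_samples
# are constructed, not real case data.

# hidden_pids LIVE_PS VOL_PSLIST: PIDs present in kernel task structures but
# missing from the live ps capture (rootkit-hidden, or simply short-lived:
# the two snapshots were taken at different moments, so confirm each hit).
hidden_pids() {
    awk 'NR == FNR { if (FNR > 1 && $2 ~ /^[0-9]+$/) live[$2] = 1; next }
         $1 ~ /^0x/ && !($2 in live) { print $2, $5 }' "$1" "$2"
}

# hidden_modules LIVE_LSMOD VOL_LSMOD: modules in the kernel list but absent
# from live lsmod (a module that unlinked itself shows up only in memory;
# compare with linux.check_modules and linux.hidden_modules as well).
hidden_modules() {
    awk 'NR == FNR { if (FNR > 1) live[$1] = 1; next }
         $1 ~ /^0x/ && !($2 in live) { print $2 }' "$1" "$2"
}

# webshell_children VOL_PSLIST: interpreters whose parent is a web server
# process, the classic webshell footprint in the process tree.
webshell_children() {
    awk 'NR == FNR { if ($1 ~ /^0x/) comm[$2] = $5; next }
         $1 ~ /^0x/ && $5 ~ /^(sh|bash|dash|python[0-9.]*|perl)$/ &&
         comm[$4] ~ /^(apache2|httpd|nginx|php-fpm[0-9.]*)$/ {
             print $2, $5, "parent", $4, comm[$4] }' "$1" "$1"
}

# make_samples DIR: constructed live and memory listings for a demo run.
make_samples() {
    cat >"$1/live_ps.txt" <<'EOF'
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 167000 11000 ? Ss 10:00 0:01 /sbin/init
root 612 0.0 0.0 0 0 ? S 10:00 0:00 [kworker/0:1]
root 850 0.0 0.2 15400 7000 ? Ss 10:00 0:00 /usr/sbin/sshd -D
root 903 0.0 0.3 7000 5000 ? Ss 10:01 0:00 /usr/sbin/apache2 -k start
www-data 910 0.0 0.2 7000 4000 ? S 10:01 0:00 \_ /usr/sbin/apache2 -k start
EOF
    cat >"$1/vol_pslist.txt" <<'EOF'
Volatility 3 Framework 2.5.0

OFFSET (V) PID TID PPID COMM
0xffff8880040b0000 1 1 0 systemd
0xffff888004180000 612 612 2 kworker/0:1
0xffff88800c1a0000 850 850 1 sshd
0xffff88800c2b0000 903 903 1 apache2
0xffff88800c2c0000 910 910 903 apache2
0xffff88800c3d0000 912 912 910 sh
0xffff88800c4e0000 4242 4242 1 updater
EOF
    cat >"$1/live_lsmod.txt" <<'EOF'
Module Size Used by
ext4 900000 1
virtio_net 60000 0
EOF
    cat >"$1/vol_lsmod.txt" <<'EOF'
Volatility 3 Framework 2.5.0

Offset Name Size
0xffffffffc0a1e040 ext4 901120
0xffffffffc0401000 virtio_net 61440
0xffffffffc0e00000 hidden_mod 16384
EOF
}

# Demo: sh hidden.sh DIR  (writes the samples into DIR and reports on them)
if [ "$#" -gt 0 ]; then
    make_samples "$1"
    echo "== hidden pids";       hidden_pids "$1/live_ps.txt" "$1/vol_pslist.txt"
    echo "== hidden modules";    hidden_modules "$1/live_lsmod.txt" "$1/vol_lsmod.txt"
    echo "== webserver shells";  webshell_children "$1/vol_pslist.txt"
fi
```

Against real output, save the plugin results with vol ... > vol_pslist.txt and feed the files in; every PID or module reported is a lead to confirm with linux.psaux, linux.check_modules or linux.hidden_modules, not a verdict on its own.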
-
9
Disk imaging with dcfldd
{"step":9,"title":"Disk imaging with dcfldd","description":"Once memory and volatile data are captured, power the target off (pulling the plug preserves the disk state better than a clean shutdown, which runs scripts that write to disk; document the choice) or image it live if downtime is impossible, noting that a live image is not a consistent snapshot. Boot from a forensic live USB, or attach the disk to the workstation through a hardware write blocker. Connect external storage. Identify the target disk: lsblk shows the block devices. Image: dcfldd if=\/dev\/sda of=\/mnt\/external\/target.dd hash=sha256 hashlog=\/mnt\/external\/hash.txt bs=4M conv=noerror,sync. dcfldd shows progress and hashes the data as it is written. Verify after completion: sha256sum of target.dd must match the hashlog (conv=noerror,sync zero-fills unreadable sectors, so if read errors occurred the image hash will not equal a hash of the physical disk; record any errors). Document: start and end time, source device, destination, hash, examiner name."}
-
10
Mount the image read-only and analyze with The Sleuth Kit
{"step":10,"title":"Mount the image read-only and analyze with The Sleuth Kit","description":"Analyze the image on the forensic workstation. A whole-disk image needs the partition offset: mmls target.dd prints the partition table in sectors; multiply the start sector by the sector size for the byte offset (start sector 2048 at 512 bytes per sector is offset=1048576). Mount read-only without replaying the journal: mount -o ro,loop,noload,noexec,nodev,offset=1048576 target.dd \/mnt\/evidence (noload is ext3\/ext4 specific; XFS uses norecovery). Check the mount: ls \/mnt\/evidence shows the filesystem. Use The Sleuth Kit with the same offset in sectors: fls -o 2048 -r -m \/ target.dd > bodyfile.txt (recursive file listing, deleted entries included), then mactime -d -z UTC -b bodyfile.txt > timeline.csv (convert to a CSV timeline; state the timezone explicitly). Open it in a spreadsheet or filter it with awk by time range. Search for keywords: grep -i suspicious_term timeline.csv surfaces the relevant activity."}
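An added example (not dcfldd's or The Sleuth Kit's code) for the two checks steps 9 and 10 leave implicit: confirming the transferred image still matches the dcfldd hashlog, and deriving the byte offset from mmls output instead of mounting a whole-disk image directly. The hashlog wording and the mmls column layout are assumptions; the mmls sample the script writes is constructed.

```shell
#!/bin/sh
# image_check.sh: verify a dcfldd image against its hashlog and work out the
# byte offset of a partition inside a whole-disk image before mounting it.
# Added example for this guide, not part of dcfldd or The Sleuth Kit.
# Assumptions: the hashlog carries the SHA-256 as a 64-hex-digit token (the
# surrounding text is ignored, so the exact dcfldd wording does not matter);
# mmls output has a "Units are in N-byte sectors" line and Slot/Start/End/
# Length/Description columns. The mmls text in make_sample_mmls is constructed.

# verify_image IMAGE HASHLOG: 0 if the recomputed SHA-256 equals the logged one.
# Remember that conv=noerror,sync zero-fills unreadable sectors, so the logged
# hash describes the image as written, not necessarily the physical disk.
verify_image() {
    logged=$(grep -o -m1 '[0-9a-f]\{64\}' "$2") || { echo "no sha256 in $2" >&2; return 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$logged" = "$actual" ]; then
        echo "OK $actual"
        return 0
    fi
    echo "MISMATCH logged=$logged actual=$actual" >&2
    return 1
}

# part_offset MMLS_FILE PATTERN: byte offset of the first partition whose
# line matches PATTERN (e.g. Linux), taken from saved `mmls image.dd` output.
part_offset() {
    awk -v pat="$2" '
        BEGIN { unit = 512 }
        /Units are in/ { sub(/-byte.*/, "", $4); unit = $4 + 0 }
        $0 ~ pat && $3 ~ /^[0-9]+$/ { print $3 * unit; exit }
    ' "$1"
}

# mount_ro IMAGE OFFSET MOUNTPOINT: read-only, journal not replayed (noload is
# ext3/ext4 specific; XFS wants norecovery), nothing executable from evidence.
mount_ro() {
    mount -o ro,loop,noexec,nodev,noload,offset="$2" "$1" "$3"
}

# make_sample_mmls FILE: constructed mmls output for a single-partition disk.
make_sample_mmls() {
    cat >"$1" <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0004095999   0004093952   Linux (0x83)
EOF
}

# Demo: sh image_check.sh target.dd hash.txt mmls.txt
if [ "$#" -eq 3 ]; then
    verify_image "$1" "$2"
    off=$(part_offset "$3" Linux)
    echo "mount with: mount -o ro,loop,noexec,nodev,noload,offset=$off $1 /mnt/evidence"
fi
```

The same start sector (not the byte offset) goes to The Sleuth Kit as fls -o 2048; the byte offset goes to mount. Only run mount_ro once verify_image has passed, so a corrupted or substituted image is never the one you analyze.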
-
11
Persistence mechanism examination
{"step":11,"title":"Persistence mechanism examination","description":"Examine the persistence locations systematically on the mounted image, always through the \/mnt\/evidence prefix so you never read the workstation's own configuration. Cron: cat \/mnt\/evidence\/etc\/crontab and \/mnt\/evidence\/etc\/cron.d\/*, the cron.hourly, cron.daily and cron.weekly directories, and the per-user spools (\/var\/spool\/cron\/crontabs\/* on Debian and Ubuntu, \/var\/spool\/cron\/* on RHEL-family systems). Systemd: ls -lt \/mnt\/evidence\/etc\/systemd\/system\/ for service and timer units, looking for recent or unusual ones, plus per-user units under each home directory in .config\/systemd\/user. cat \/mnt\/evidence\/etc\/rc.local. find \/mnt\/evidence\/etc\/profile.d\/ -type f and read each file; also the per-user .bashrc and .profile. SSH keys: find \/mnt\/evidence\/home \/mnt\/evidence\/root -name authorized_keys -exec cat {} + (root's key file lives outside \/home). Check \/mnt\/evidence\/etc\/ld.so.preload, which should be absent or empty on a clean system. Document every suspicious entry with its full content and mtime."}
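The persistence walk of step 11 as an added script of mine, not the page's: it takes the mount root as its argument, covers root's key file and both cron spool layouts, and prints the mtime the text asks you to record. Locations beyond the ones named above (systemd timers, user units, shell rc files) are my additions.

```shell
#!/bin/sh
# persist_scan.sh: walk the usual Linux persistence locations under a mounted
# evidence image and print one line per finding as kind|mtime|path|first entry.
# Added example for this guide. It takes the mount root as an argument so it
# reads the evidence tree, never the examiner's own /etc. Locations beyond the
# ones named in the text (cron.* directories, systemd timers, user units,
# shell rc files, /root/.ssh) are my additions.

ROOT=""

# emit KIND FILE: skip non-files, print mtime (UTC) and the first line that is
# neither blank nor a comment; read the full file by hand for anything listed.
emit() {
    [ -f "$2" ] || return 0
    mt=$(date -u -d "@$(stat -c %Y "$2")" +%Y-%m-%dT%H:%M:%SZ)
    first=$(grep -v '^[[:space:]]*#' "$2" | grep -v '^[[:space:]]*$' | head -n 1)
    printf '%s|%s|%s|%s\n' "$1" "$mt" "${2#"$ROOT"}" "$first"
}

# persist_scan MOUNTROOT
persist_scan() {
    ROOT=${1%/}
    # /etc/ld.so.preload: absent or empty on a clean system
    [ -s "$ROOT/etc/ld.so.preload" ] && emit ld_preload "$ROOT/etc/ld.so.preload"
    # cron: system crontab, drop-ins, periodic dirs, per-user spools (both layouts)
    for f in "$ROOT/etc/crontab" "$ROOT"/etc/cron.d/* "$ROOT"/etc/cron.hourly/* \
             "$ROOT"/etc/cron.daily/* "$ROOT"/etc/cron.weekly/* \
             "$ROOT"/var/spool/cron/* "$ROOT"/var/spool/cron/crontabs/*; do
        emit cron "$f"
    done
    # systemd: services and timers, system-wide and per-user
    find "$ROOT/etc/systemd/system" "$ROOT"/home/*/.config/systemd/user \
         "$ROOT/root/.config/systemd/user" -type f \
         \( -name '*.service' -o -name '*.timer' \) 2>/dev/null |
    while read -r f; do emit systemd "$f"; done
    # rc.local, profile.d and shell rc files
    emit rc_local "$ROOT/etc/rc.local"
    for f in "$ROOT"/etc/profile.d/* "$ROOT"/home/*/.bashrc "$ROOT"/home/*/.profile \
             "$ROOT/root/.bashrc" "$ROOT/root/.profile"; do
        emit shell_rc "$f"
    done
    # SSH authorized keys, including root's
    for f in "$ROOT"/home/*/.ssh/authorized_keys "$ROOT/root/.ssh/authorized_keys"; do
        emit ssh_key "$f"
    done
}

if [ "$#" -eq 1 ]; then persist_scan "$1"; fi
```

Run sh persist_scan.sh /mnt/evidence and sort the output on the second field to see which persistence entries were written last; the mtime is the filesystem's, so it is only trustworthy if the attacker did not touch it, which is why the findings are cross-checked against the timeline of step 10.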
-
12
Investigative log analysis
{"step":12,"title":"Investigative log analysis","description":"Examine the logs comprehensively. cat \/mnt\/evidence\/var\/log\/auth.log (on RHEL-family systems \/var\/log\/secure) filtering for failed logins (grep Failed), successful sudo use (grep sudo:) and SSH sessions (grep Accepted). last -f \/mnt\/evidence\/var\/log\/wtmp shows the login history and lastb -f \/mnt\/evidence\/var\/log\/btmp the failed attempts. journalctl -D \/mnt\/evidence\/var\/log\/journal\/ reads the systemd journal from the image. Cross-reference the timestamps with the incident timeline, checking which timezone each log uses. Identify lateral movement: SSH logins from internal IPs by an unusual user. Look for log gaps: a period of silence can mean log deletion. If log forwarding to an external collector is configured, compare the local logs against the forwarded copy to check their integrity."}
-
13
Web server compromise investigation
{"step":13,"title":"Web server compromise investigation","description":"Examine the Apache access log in \/mnt\/evidence\/var\/log\/apache2\/access.log: filter for unusual User-Agents (curl from external addresses, scanners such as Nikto or sqlmap), POST requests with large bodies, URIs hitting .php files that are not part of the application, and HTTP 200 responses on suspicious paths. Find the webshell: find \/mnt\/evidence\/var\/www -name '*.php' -newer \/mnt\/evidence\/var\/log\/apache2\/access.log.1 -ls (quote the glob so the shell does not expand it, and take the reference file from the image, not from the workstation). Read the suspicious file and look for obfuscation and base64-encoded payloads; grep the web root for eval, base64_decode, shell_exec, system and passthru. Document the attack vector and the initial access timestamp."}
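Steps 12 and 13 as added detection logic (mine, not the page's commands) run over constructed log lines: SSH failures and successes plus sudo commands from auth.log, scanner agents and POSTs to PHP from the Apache log, and a grep for webshell primitives in the web root. Log formats and the indicator list are assumptions stated in the comments.

```shell
#!/bin/sh
# log_triage.sh: first-pass queries over auth.log and the Apache access log
# from a mounted image, plus a content scan for PHP webshells in the web root.
# Added example for this guide. Assumptions: auth.log in the rsyslog format
# (Ubuntu; RHEL keeps the same lines in /var/log/secure) and Apache combined
# log format. The indicator list in webshell_hunt (eval, base64_decode,
# shell_exec, ...) is a common heuristic that also hits legitimate code, so
# every match is read by hand. make_samples writes constructed logs and files.

# auth_events AUTHLOG: failed logins, accepted logins and sudo commands
auth_events() {
    awk '
      $5 ~ /^sshd\[/ && $6 == "Failed"   { print $1, $2, $3, "FAILED", $(NF-5), "from", $(NF-3) }
      $5 ~ /^sshd\[/ && $6 == "Accepted" { print $1, $2, $3, "ACCEPTED", $(NF-5), "from", $(NF-3), "via", $7 }
      $5 == "sudo:" && /COMMAND=/ { cmd = $0; sub(/.*COMMAND=/, "", cmd)
                                    print $1, $2, $3, "SUDO", $6, "ran", cmd }
    ' "$1"
}

# failed_by_ip AUTHLOG: failed-login count per source address, busiest first
failed_by_ip() {
    awk '$5 ~ /^sshd\[/ && $6 == "Failed" { c[$(NF-3)]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# web_triage ACCESSLOG: scanner user agents, POSTs to PHP, and PHP served with
# 200 out of directories that should hold uploads, not code
web_triage() {
    awk '
      {
        split($0, q, "\"")            # q[2]=request line, q[3]=status+size, q[6]=user agent
        split(q[2], r, " "); method = r[1]; path = r[2]
        split(q[3], s, " "); status = s[1]
        ua = q[6]
        if (tolower(ua) ~ /nikto|sqlmap|nmap|masscan|dirb|gobuster|wfuzz/)
            print "SCANNER", $1, ua
        if (method == "POST" && path ~ /\.php/)
            print "POST_PHP", $1, path, status, ua
        if (status == "200" && path ~ /\.php/ && path ~ /\/(uploads|images|tmp)\//)
            print "PHP_IN_UPLOAD", $1, path, ua
      }' "$1"
}

# webshell_hunt WWWROOT [REFFILE]: PHP files newer than REFFILE (a file from
# the same image, e.g. .../var/log/apache2/access.log.1), then every PHP file
# containing typical webshell primitives
webshell_hunt() {
    if [ -n "$2" ]; then
        find "$1" -type f -name '*.php' -newer "$2" -exec ls -l --time-style=full-iso {} +
    fi
    grep -rlE 'eval\(|base64_decode\(|shell_exec\(|passthru\(|system\(|popen\(|assert\(|\$_(GET|POST|REQUEST)\[[^]]*\]\(' \
         --include='*.php' "$1"
}

# make_samples DIR: constructed auth.log, access.log and a tiny web root
make_samples() {
    mkdir -p "$1/www/uploads" "$1/www/app"
    cat >"$1/auth.log" <<'EOF'
May 15 02:13:07 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
May 15 02:13:09 web01 sshd[2231]: Failed password for root from 203.0.113.5 port 51122 ssh2
May 15 02:14:01 web01 sshd[2240]: Accepted password for deploy from 203.0.113.5 port 51130 ssh2
May 15 02:14:01 web01 sshd[2240]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
May 15 02:15:30 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/useradd -m -G sudo sysupdate
May 15 02:16:02 web01 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
    cat >"$1/access.log" <<'EOF'
198.51.100.7 - - [15/May/2026:02:10:03 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.5 - - [15/May/2026:02:11:40 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
203.0.113.5 - - [15/May/2026:02:18:22 +0000] "POST /app/upload.php HTTP/1.1" 200 77 "-" "curl/8.5.0"
203.0.113.5 - - [15/May/2026:02:20:11 +0000] "POST /uploads/img.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
EOF
    printf '<?php echo "hello"; ?>\n' >"$1/www/app/index.php"
    printf '<?php @eval(base64_decode($_POST["x"])); ?>\n' >"$1/www/uploads/img.php"
}

if [ "$#" -eq 1 ]; then
    auth_events "$1/auth.log"; failed_by_ip "$1/auth.log"
    web_triage "$1/access.log"; webshell_hunt "$1/www" "$1/access.log"
fi
```

On the constructed data the story reads straight off the output: a scan and a short brute force from 203.0.113.5, a successful password login as deploy, a sudo useradd that creates the backdoor account, a POST to an upload handler and then POSTs to a PHP file under /uploads that contains the eval(base64_decode(...)) one-liner. The same ordering of the real events is what the super-timeline of step 14 has to confirm.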
-
14
Super-timeline with plaso
{"step":14,"title":"Super-timeline with plaso","description":"Plaso (log2timeline) aggregates evidence from multiple sources. log2timeline.py --storage-file timeline.plaso \/path\/to\/disk\/image processes the entire disk image (older releases take the storage file as the first positional argument). The single plaso file holds every event: file MAC times, log entries, browser history. psort.py -o l2tcsv -w supertimeline.csv timeline.plaso writes a CSV that can run to millions of rows. Narrow it to the incident window with an event filter, psort.py -o l2tcsv -w window.csv timeline.plaso \"date > '2026-05-15 00:00:00' AND date < '2026-05-16 00:00:00'\", or pivot around one known event with --slice 2026-05-15T02:20:00 --slice_size 10 (minutes either side). Tag the interesting events. Visualize in Timesketch (open source, from Google)."}
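The time-window filtering mentioned in steps 10 and 14 (awk over a mactime CSV, psort --slice) as one added script of mine that handles both mactime -d and l2tcsv rows; the column layouts and the sample rows are assumptions, not plaso or Sleuth Kit output.

```shell
#!/bin/sh
# timeline_slice.sh: filter a timeline CSV by time window, the manual version
# of psort's --slice / date filter, for both mactime -d output and plaso's
# l2tcsv output. Added example for this guide, not part of plaso or TSK.
# Assumed layouts (the rows written by make_samples are constructed):
#   mactime -d : first column "Fri May 15 2026 02:20:09"
#   l2tcsv     : first column "05/15/2026", second column "02:20:11"
# Both timelines must have been generated with the same timezone (-z for
# mactime, --timezone for psort) or the keys do not line up.

# timeline_slice CSV START END: header plus rows with START <= timestamp <= END,
# START/END as YYYY-MM-DDTHH:MM:SS; rows whose date is unparseable are dropped
timeline_slice() {
    awk -F, -v start="$2" -v end="$3" '
      BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
              for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i) }
      NR == 1 { print; next }
      {
        if ($1 ~ /^[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9][0-9] [0-9][0-9][0-9][0-9] /) {
            split($1, p, " "); key = p[4] "-" mon[p[2]] "-" p[3] "T" p[5]       # mactime -d
        } else if ($1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9][0-9][0-9]$/) {
            split($1, p, "/"); key = p[3] "-" p[1] "-" p[2] "T" $2              # l2tcsv
        } else next
        if (key >= start && key <= end) print
      }' "$1"
}

# timeline_pivot CSV TIMESTAMP MINUTES: rows within +/- MINUTES of TIMESTAMP
timeline_pivot() {
    t=$(date -u -d "$2" +%s)
    s=$(date -u -d "@$((t - $3 * 60))" +%Y-%m-%dT%H:%M:%S)
    e=$(date -u -d "@$((t + $3 * 60))" +%Y-%m-%dT%H:%M:%S)
    timeline_slice "$1" "$s" "$e"
}

# make_samples DIR: constructed mactime and l2tcsv rows around the lab incident
make_samples() {
    cat >"$1/mactime.csv" <<'EOF'
Date,Size,Type,Mode,UID,GID,Meta,File Name
Thu May 14 2026 23:59:59,4096,m...,d/drwxr-xr-x,0,0,2,/var/www
Fri May 15 2026 02:18:25,77,.a..,r/-rw-r--r--,33,33,1204,/var/www/app/upload.php
Fri May 15 2026 02:20:09,512,macb,r/-rw-r--r--,33,33,1210,/var/www/uploads/img.php
Fri May 15 2026 09:00:00,0,.a..,r/-rw-r--r--,0,0,99,/var/log/lastlog
EOF
    cat >"$1/l2t.csv" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
05/15/2026,02:15:30,UTC,....,LOG,Syslog,Log Entry,-,web01,sudo useradd,deploy COMMAND=/usr/bin/useradd,2,/var/log/auth.log,-,-,syslog,-
05/15/2026,02:20:11,UTC,....,WEBHIST,Apache Access Log,Log Entry,-,web01,POST /uploads/img.php,203.0.113.5 POST /uploads/img.php 200,2,/var/log/apache2/access.log,-,-,apache_access,-
05/16/2026,08:00:00,UTC,....,LOG,Syslog,Log Entry,-,web01,cron,CRON session opened for root,2,/var/log/auth.log,-,-,syslog,-
EOF
}

if [ "$#" -eq 3 ]; then timeline_slice "$@"; fi
```

Usage: sh timeline_slice.sh supertimeline.csv 2026-05-15T02:00:00 2026-05-15T03:00:00, or call timeline_pivot with the timestamp of a known event (the webshell's creation time from the mactime row) and a few minutes either side, which is what psort --slice does on the plaso store.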
-
15
Report and chain of custody documentation
{"step":15,"title":"Report and chain of custody documentation","description":"Write the final forensic report with this structure: Executive Summary (non-technical), Methodology (tools used, approach, chain of custody), Findings (chronological sequence of events with the supporting evidence), Conclusions (what happened, attacker capability, scope), Recommendations (remediation, detection improvements). Include screenshots of tool output, a hash table of the evidence items, a timeline visualization. Chain of custody form: acquisition timestamp, examiner, hash, every transfer and who received it. Sign and timestamp the report. Preserve the raw evidence for possible legal proceedings."}