After a cyber incident, data must be collected to investigate and preserve evidence. Data collection is a sensitive process: it must not crash the target or corrupt data. Therefore, we need to make minimal changes to the target system while collecting data.
The collection process should be automated to avoid situations such as data corruption or the system going down. Check the following before collecting:
- Has the automation been tested before?
- Does it cause performance problems?
- What should be done if the system crashes?
A basic tool should also be able to collect the following data:
- System time and date
- Operating system
- General system information
- Users and groups list
- Network details
- Network connections
- Services and software list
- Active processes
- Browser history
- System configurations
- ARP table, DNS cache
NOTE: If a file transfer is necessary, the file's hash should also be sent so the receiver can confirm that the file did not change during the transfer. If you want to try what is described here in a SOC environment, you can register for the simulation for free on letsdefend.io.
We wanted to build our own automation, so we designed a TCP client-server structure in Python.
First, we found a code sample that allows connecting as admin and as client.
Then we created a TCP socket for data acquisition on the admin side.
We prepared the Python code (data.py) that listens to the client side (main.py) and produces the data according to the commands received.
If a command reaching the listener starts with "!", it is passed to the getValue() function in data.py.
If the requested data is supported by the target, data collection begins. The requested data and the commands executed to obtain it are listed below:
| Requested data | Command executed |
|---|---|
| System date and time | `date` |
| Operating system | `cat /etc/issue` |
| Kernel version | `uname -a` |
| Network connections | `netstat -anp` |
| Network interfaces | `ifconfig -a` |
| Routing table | `netstat -rn` |
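The following is an added example (not the project's own data.py) of how the getValue() dispatch described above can be written so that the admin names an item from the table rather than sending a raw command, and so that every reply carries a SHA-256 hash the admin side can check, as the NOTE on file transfers recommends. The `status|hash|payload` framing and the item names are assumptions of this example; the socket listener loop is left out.

```python
import hashlib
import shlex
import subprocess

# Allowlist taken from the table above: the admin names an item, the agent
# decides which command that maps to, so a raw shell string is never accepted.
COLLECTORS = {
    "date": "date",
    "os": "cat /etc/issue",
    "kernel": "uname -a",
    "connections": "netstat -anp",
    "interfaces": "ifconfig -a",
    "routes": "netstat -rn",
}

def parse_request(line):
    """Return the item name from a '!item' command, or None if not a command."""
    line = line.strip()
    if not line.startswith("!"):
        return None
    return line[1:].strip().lower()

def run_collector(command):
    """Run one allowlisted command without a shell and capture its output."""
    proc = subprocess.run(shlex.split(command), capture_output=True,
                          text=True, timeout=30)
    return proc.stdout + proc.stderr

def get_value(line, runner=run_collector):
    """Dispatch one request line; returns (status, payload, sha256_hex)."""
    item = parse_request(line)
    if item is None:
        return ("ignored", "", "")
    command = COLLECTORS.get(item)
    if command is None:  # anything outside the allowlist is refused, not run
        return ("unsupported", "", "")
    payload = runner(command)
    digest = hashlib.sha256(payload.encode()).hexdigest()
    return ("ok", payload, digest)

def build_response(status, payload, digest):
    """Frame the reply as 'status|sha256|payload' (assumed wire format)."""
    return f"{status}|{digest}|{payload}"

def check_response(raw):
    """Admin side: split the frame and confirm the payload hash still matches."""
    status, digest, payload = raw.split("|", 2)
    ok = hashlib.sha256(payload.encode()).hexdigest() == digest
    return status, payload, ok
```

The `runner` parameter lets the dispatcher be exercised without touching the host, which is also how the automation can be tested before it is run on a live target.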
We installed three separate Ubuntu machines in a VM to test the tool, and installed the tool on them.
When we checked the server terminal, we saw that the client and the admin had connected to the server successfully.
When we requested the browser history as the admin user, we received the client's browser history.
Some of the commands executed:
You can access all of the source code on our GitHub page.