Top 8 Tools For Linux / Unix Memory Forensics Analysis

Memfetch

It is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers – and a convenient way to grab “screenshots” from many types of text-based interactive utilities. To install memfetch:

## FreeBSD ##
pkg_add -r -v memfetch

## other *nix user download it from the following url ##
wget http://lcamtuf.coredump.cx/soft/memfetch.tgz
tar xvf memfetch.tgz
cd memfetch && make

via Top 8 Tools For Linux / Unix Memory Forensics Analysis.

This looks like a useful tool. From the README file:

Debuggers like gdb are pretty good for examining small sections of code or memory, but are pretty much useless for massive comparison, sophisticated searches and such. It’s good to be able to retrieve a full memory image to run it thru grep, strings, your favorite viewer or any other tool. Quite obviously, I developed this code not because it’s extremely difficult to do it on your own, but because it is a valuable shell utility for all kinds of deep hacking activities that simply saves you time.

Memfetch is a convenient screenshot grabber for ssh or screen sessions, by the way 😉

I chose memfetch from the eight since it seemed the most intuitive and simple. The downloadable tarball contains a single .c file and a make file. Unfortunately the installation isn’t as easy as portrayed in the above blurb. On Fedora 14 I needed to futz with the C_INCLUDE_PATH and add the kernel…/asm-generic into the path. I also had to symbolically link an asm to asm-generic in the kernel source include directory because the program wanted an asm/path.h file. Things have changed since 2007 when this program was last updated. But it works and it may prove useful. I’m sure Backtrack 5 must have this tool, or a tool like this, pre-installed.

permission denied for file write

Redirections such as > or | are performed by the running shell, before it invokes sudo.

You have to either use

sudo sh -c "echo blah > /proc/blah", or run a root shell with sudo -s.

via linux – Bash: permission denied for file write – Super User.

This had me stumped until the greatness of google divined the answer and why my user script couldn’t write to a root-owned file using plain old sudo. After figuring this out I also realized I don’t need to write to a root-owned file after all, but I found this solution interesting.
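The two safe forms from the Super User answer, written out as shell functions. This is an added example, not code from the answer or from this blog; the PRIV variable is an assumed hook that defaults to sudo and can be emptied to exercise the functions without privileges. The point worth noticing is that the data and the destination are passed to sh -c as positional parameters rather than pasted into the command string, so a value containing quotes or metacharacters cannot alter the command the privileged shell runs.

```shell
# Added example (not from the Super User answer or the blog): let the
# privileged shell perform the redirection, and pass the data and the
# destination as positional parameters so they are never interpolated
# into the command string. PRIV is an assumed hook: it defaults to sudo
# and can be set to "" to run the functions without privileges.
PRIV="${PRIV-sudo}"

# write_as_root CONTENT FILE
# Overwrites FILE with CONTENT. The ">" sits inside the single-quoted
# string, so it is evaluated by the sh that $PRIV starts, not by our shell.
write_as_root() {
    $PRIV sh -c 'printf "%s\n" "$1" > "$2"' sh "$1" "$2"
}

# append_as_root CONTENT FILE
# Pipe variant: our shell sets up the pipe, but tee (running under $PRIV)
# is the process that opens FILE, so the open succeeds.
append_as_root() {
    printf '%s\n' "$1" | $PRIV tee -a "$2" >/dev/null
}

# Usage (placeholder path): the failing form would be
#   sudo echo 1 > /proc/sys/net/ipv4/ip_forward
# because the unprivileged shell opens the file and gets EACCES; instead:
#   write_as_root 1 /proc/sys/net/ipv4/ip_forward
```

The tee form is the one to prefer in scripts that must append rather than overwrite; the sh -c form is the one to prefer when the target is a /proc or /sys file that only accepts a single write.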

agedu: Unix / Linux Command For Tracking Down Wasted Disk Space

Say hello to agedu tool (pronounced as ‘age dee you’) – it scans a directory tree and produces reports about how much disk space is used in each directory and subdirectory, and also how that usage of disk space corresponds to files with last-access times a long time ago. In other words, this command might help you to free up disk space.

via agedu: Unix / Linux Command For Tracking Down Wasted Disk Space.

Can I access agedu reports using terminal mode?
Type the following command (replace /home/wwwroot with actual path):
$ agedu -t /home/wwwroot
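To make the idea behind agedu concrete, here is a small find-based equivalent, added here and not part of agedu or the linked article: it totals the size of files under a directory whose last access time is older than a given number of days, and breaks that down per subdirectory. The directory layout in the usage comment is constructed.

```shell
# Added example (not agedu's code): a minimal find-based version of the
# agedu report. stale_usage DIR DAYS prints the total size, in bytes, of the
# regular files under DIR whose last access time (atime) is more than DAYS
# days ago. ls -ln is used to read the size because it only stat()s each
# file and therefore does not itself refresh the atime, as cat or wc would.
stale_usage() {
    dir=$1
    days=$2
    find "$dir" -type f -atime +"$days" -exec ls -ln {} + 2>/dev/null \
        | awk '{ total += $5 } END { print total + 0 }'
}

# stale_report DIR DAYS: per-subdirectory breakdown, largest first,
# as "<bytes><TAB><subdirectory>"
stale_report() {
    dir=$1
    days=$2
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        printf '%s\t%s\n' "$(stale_usage "$sub" "$days")" "$sub"
    done | sort -rn
}

# Usage (constructed path): stale_report /home/wwwroot 90
```

The caveat that applies to agedu applies here too: the numbers are only as good as the atime values, and filesystems mounted with noatime never update them (everything looks stale), while relatime updates them at most once a day. Check the mount options before trusting the report.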

Trace the Process and See What It is Doing with strace

strace is a useful diagnostic, instructional, and debugging tool. It can save lots of headache. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. This is also useful to submit bug reports to open source developers.

via Debugging Tip: Trace the Process and See What It is Doing with strace.

Run strace against /bin/foo and capture its output to a text file in output.txt:
$ strace -o output.txt /bin/foo
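The one-liner above produces a log that is tedious to read by hand. As an added example (not from the linked article), the following wraps the invocation with the options a triage usually wants and then mines the resulting log for the files the program opened and the opens that failed, which is the most common answer to "why does it work on my machine". The strace output embedded below is constructed in strace's line format so the parsers can be run without strace; /bin/foo and the paths are made up.

```shell
# Added example (not from the linked article). trace_files wraps strace;
# SAMPLE_TRACE is constructed output in strace's format for the parsers.

# trace_files LOGFILE COMMAND [ARGS...]
# -f follows child processes, -tt adds wall-clock timestamps, -e trace=file
# keeps only syscalls that take a path, -s 256 avoids truncated path strings.
trace_files() {
    log=$1; shift
    strace -f -tt -e trace=file -s 256 -o "$log" "$@"
}

# Constructed sample of what such a log looks like (PID, timestamp, syscall).
SAMPLE_TRACE='4242  13:05:01.000100 execve("/bin/foo", ["/bin/foo"], 0x7ffc0000 /* 20 vars */) = 0
4242  13:05:01.000300 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  13:05:01.000500 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4242  13:05:01.001000 openat(AT_FDCWD, "/etc/foo.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4242  13:05:01.001200 openat(AT_FDCWD, "/var/lib/foo/state.db", O_RDWR|O_CREAT, 0644) = 4
4242  13:05:01.002000 +++ exited with 0 +++'

# opened_paths LOG: every path passed to open/openat, in order. The PID and
# timestamp prefixes are optional so logs taken without -f/-tt parse too.
opened_paths() {
    printf '%s\n' "$1" \
        | awk -F'"' '/^([0-9]+ +)?([0-9:.]+ )?open(at)?[(]/ { print $2 }'
}

# failed_opens LOG: paths whose open/openat returned an error
failed_opens() {
    printf '%s\n' "$1" \
        | awk -F'"' '/^([0-9]+ +)?([0-9:.]+ )?open(at)?[(]/ && / = -1 / { print $2 }'
}

# Usage: trace_files output.txt /bin/foo; failed_opens "$(cat output.txt)"
```

Splitting on the double quote character is deliberate: the path is always the first quoted string in an open/openat line, so this stays correct even when the flags or the error text change between strace versions.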

using DD to image a disk over SSH

What I like to do is log into the remote server and run "watch -n 1 iptables --list -v -n" to watch the byte count to give you an idea of how much data has been passed already. Of course you’ll have to start iptables first if it isn’t running.

via using DD to image a disk over SSH | daverdave.com.

This is pretty useful too. I couldn’t do this using sshfs so googled and found that regular ssh works. I do not like to image disks with disks running other than the one being imaged. I find it too dangerous that a single mistype could wipe out a functioning disk. Doing this over a network seems much safer. Here’s the command I used from the linked-to article:

ssh desthost.domain.com "dd if=/dev/sda" | dd of=/dev/sda bs=1024k conv=notrunc,noerror

The destination host feeds the image. The host that runs this command is a Knoppix live boot with the only HD running being the one being written to. I suppose if I were to do this a lot then a dedicated image machine might prove useful with an HD to store the images and some OS and a burn HD in a hot swap slot. The HD with OS and images would be expendable in that an accidental overwrite would be a mere inconvenience instead of actual loss of data.
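The command above moves the bytes but gives no way to tell afterwards whether the written copy matches what the source sent. The following is an added example, not from daverdave.com or this blog: it hashes the stream as it is written and recomputes the hash from the written copy, for a local file pair (runnable here) and for the ssh case. Host names and device paths are placeholders.

```shell
# Added example (not from daverdave.com or the blog): image and verify.
# The hash is taken from the byte stream as it is written, then recomputed
# from the written copy; a mismatch means the image on disk is not what
# the source sent. Hostnames and devices below are placeholders.

# hash_stream: sha256 of stdin, hex digest only
hash_stream() {
    sha256sum | cut -d' ' -f1
}

# image_and_verify SRC DST
# Copies SRC to DST through tee and compares the stream hash with a fresh
# hash of DST. Returns non-zero on mismatch.
image_and_verify() {
    src=$1; dst=$2
    stream_hash=$(dd if="$src" bs=1024k 2>/dev/null | tee "$dst" | hash_stream)
    disk_hash=$(hash_stream < "$dst")
    [ "$stream_hash" = "$disk_hash" ]
}

# image_remote HOST DEVICE DST
# Pull DEVICE from HOST over ssh, as in the command above, with two changes:
# the hash check, and conv=noerror,sync on the *reading* side, so unreadable
# blocks are zero-filled and later offsets in the image still line up with
# the source (noerror on its own drops the bad block and shifts everything).
image_remote() {
    host=$1; dev=$2; dst=$3
    stream_hash=$(ssh "$host" "dd if=$dev bs=1024k conv=noerror,sync" | tee "$dst" | hash_stream)
    disk_hash=$(hash_stream < "$dst")
    printf 'stream %s\ndisk   %s\n' "$stream_hash" "$disk_hash"
    [ "$stream_hash" = "$disk_hash" ]
}

# Usage (placeholders): image_remote desthost.domain.com /dev/sda /dev/sdb
```

Two practical notes: sync pads a whole block on every read error, so on a disk that is actually failing use a small bs or a tool built for the job (ddrescue), and record the stream hash somewhere other than the image host, since that is the value you will compare against later.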

TCPDUMP question

It seems to work as expected for me, but I did notice one thing. When I first tried to run the program as root, it failed to create the first file with a permission error. It turns out that tcpdump changes uid/gid internally to the user/group tcpdump. Since that user/group did not have write access to the directory, it failed. Once I created a subdir and gave tcpdump ownership of the subdir (chown/chgrp), tcpdump performed as expected.

via TCPDUMP question – FedoraForum.org.
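The failure in the forum post is worth catching before tcpdump starts rather than after: once tcpdump has dropped to the capture user, it needs a directory that user can write to. The following is an added example, not code from the post: a portable ownership/write-bit check built on ls -ln, a helper that prepares the directory (needs root), and a wrapper that names the drop-to user explicitly with -Z so the behaviour is visible in the command line. The user name tcpdump follows the post; the interface and paths are placeholders.

```shell
# Added example (not from the forum post). The capture user "tcpdump" is the
# one named in the post; interface names and paths are placeholders.

# dir_writable_by DIR UID
# True if DIR exists, is owned by numeric UID and has the owner write bit.
# ls -ldn is used because its output is the same across stat implementations.
dir_writable_by() {
    dir=$1; want_uid=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ldn "$dir")
    perms=$1; owner_uid=$3
    [ "$owner_uid" = "$want_uid" ] || return 1
    case "$perms" in
        ??w*) return 0 ;;
        *)    return 1 ;;
    esac
}

# prepare_capture_dir DIR USER: create DIR and hand it to USER (needs root),
# which is the chown/chgrp step the post describes.
prepare_capture_dir() {
    dir=$1; user=$2
    mkdir -p "$dir"
    chown "$user:$user" "$dir"
    chmod 750 "$dir"
    dir_writable_by "$dir" "$(id -u "$user")"
}

# start_capture IFACE DIR USER [FILTER...]
# -Z USER drops privileges after the interface is opened; -w writes pcap
# files into DIR; -G 3600 rotates hourly so one file cannot fill the disk.
start_capture() {
    iface=$1; dir=$2; user=$3; shift 3
    dir_writable_by "$dir" "$(id -u "$user")" || {
        echo "$dir is not writable by $user; tcpdump would fail after dropping privileges" >&2
        return 1
    }
    tcpdump -i "$iface" -Z "$user" -G 3600 -w "$dir/capture-%Y%m%d-%H%M%S.pcap" "$@"
}

# Usage (placeholders): prepare_capture_dir /var/captures tcpdump
#                       start_capture eth0 /var/captures tcpdump port 53
```

Keeping the capture directory owned by the unprivileged user, rather than making it world-writable, is the right fix: it gives tcpdump exactly the access it needs and nothing else on the box gains write access to the pcaps.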

Two LVM VolGroup’s, same name, one is system disk – what to do?

It’s a lot easier to rename the “old” volume group if the old drive is the only one connected to the system.

Using your first FC4 installation CD and with only the old drive installed, boot into rescue mode (boot: linux rescue), but don’t search for or mount the FC installation. At the command prompt, you will probably need to activate the LVM like this:

lvm vgscan
lvm lvscan
lvm vgchange -a y
lvm pvscan
lvm lvscan

The last two commands should list your volume group(s) and logical volume(s). Now use vgrename to fix the problem:

lvm vgrename VolGroup00 whatever_you_want_to_call_it

Note that all lvm commands need to be preceded with “lvm” in rescue mode.

via Two LVM VolGroup’s, same name, one is system disk – what to do?.
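The forum answer sidesteps the name clash by attaching only one drive. When both drives have to stay attached, LVM resolves the ambiguity by letting vgrename take a volume group UUID in place of the name. The following is an added example, not from the forum answer: it finds duplicate group names in vgs output, lists the UUIDs behind a name, and renames by UUID. The vgs output embedded below is constructed with made-up UUIDs; the LVM variable is an assumed hook for the "lvm" prefix the answer says rescue mode needs.

```shell
# Added example (not from the forum answer): detect duplicate volume group
# names and rename one of them by UUID. SAMPLE_VGS is constructed vgs output
# with made-up UUIDs. Set LVM="lvm" in rescue mode, where every LVM command
# has to be prefixed that way, as the answer notes.
LVM="${LVM-}"

# list_vgs: name and UUID per volume group, one per line, for the real system
list_vgs() {
    $LVM vgs --noheadings -o vg_name,vg_uuid
}

# duplicate_vg_names VGS_OUTPUT: names that appear more than once
duplicate_vg_names() {
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sort | uniq -d
}

# uuids_for_vg VGS_OUTPUT NAME: the UUID of every group carrying NAME
uuids_for_vg() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2 }'
}

# rename_vg_by_uuid UUID NEWNAME: vgrename accepts a VG UUID in place of the
# name, so the rename is unambiguous even while both groups are attached.
rename_vg_by_uuid() {
    $LVM vgrename "$1" "$2"
}

# Constructed sample of `vgs --noheadings -o vg_name,vg_uuid` output.
SAMPLE_VGS='  VolGroup00 AAAAAA-0000-0000-0000-0000-0000-000001
  VolGroup00 BBBBBB-0000-0000-0000-0000-0000-000002
  vg_data    CCCCCC-0000-0000-0000-0000-0000-000003'

# Usage on a real system:
#   out=$(list_vgs); duplicate_vg_names "$out"; uuids_for_vg "$out" VolGroup00
#   rename_vg_by_uuid <uuid-of-the-old-drive's-group> VolGroup00_old
```

Pick the UUID of the group on the old drive, not the one the running system is booted from: renaming the group that holds the root filesystem also means updating /etc/fstab, the bootloader configuration and the initramfs, which the rescue-mode procedure above deliberately avoids.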