LINReS

LINReS is a Live Response script designed to run on suspect or compromised Linux systems with minimal impact on the system, so that the collection satisfies the requirements of the various forensic standards. The script has been tested successfully on RedHat Enterprise Linux systems.

LINReS consists mostly of statically compiled binaries and ships the shared libraries that the few dynamically linked binaries require. As a result, no binary from the compromised system is used by this tool, which mitigates the risk of collecting information through trojaned binaries on the suspect system.

This script follows a simple client-server model in which the suspect system acts as the server and the investigator's forensic workstation (running MS-Windows) acts as the client, receiving all the incident response data from the suspect system. We advocate using MS-Windows as the client system primarily because of the ease of using the persistent listener option (-L) of the Windows Netcat build.

LINReS contains three different scripts that collect volatile and non-volatile data from the suspect system, catering to the requirements of the 'Initial Response' phase of the Incident Response Methodology adopted by NII.

Main Features

Collects both volatile and non-volatile information from the suspect system
Collects metadata of all the files on the suspect system
Computes hashes of all the files on the suspect system
Transfers data through the network using persistent netcat connections
Minimal touch on the suspect system
Uses mostly statically compiled binaries
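The sketch below is an added example, not LINReS's own code: it shows the collection-and-transfer pattern described above, gathering file metadata and hashes with binaries from a trusted toolkit mount rather than the suspect system's own, and streaming the output to the investigator's persistent Netcat listener. The toolkit path, workstation address and listener ports are assumptions.

```shell
#!/bin/sh
# Added example, not LINReS's own code. Assumes the responder's statically
# linked tools (find, md5sum, nc) sit on read-only media mounted at $TOOLKIT
# and that the workstation runs a persistent listener, e.g. on Windows Netcat:
#   nc -L -p 3333 > metadata.txt
TOOLKIT="${TOOLKIT:-/mnt/cdrom/bin}"      # assumption: trusted toolkit mount
WORKSTATION="${WORKSTATION:-192.0.2.10}"  # placeholder workstation address
PORT_META=3333                            # assumed listener port for metadata
PORT_HASH=3334                            # assumed listener port for hashes

# Resolve commands only from the toolkit, never from the suspect's /bin or /usr/bin.
use_trusted_path() {
    PATH="$TOOLKIT"
    export PATH
}

# One tab-separated line per regular file under $1:
#   mtime  atime  ctime  size  owner  group  mode  path
# -xdev keeps find off /proc, /sys and network mounts; -printf avoids a
# stat(1) process per file. Run this BEFORE hashing: reading a file to hash
# it updates its atime unless the filesystem is mounted noatime.
collect_metadata() {
    find "$1" -xdev -type f \
        -printf '%TY-%Tm-%Td %TT\t%AY-%Am-%Ad %AT\t%CY-%Cm-%Cd %CT\t%s\t%u\t%g\t%m\t%p\n' \
        2>/dev/null
}

# "<md5>  <path>" per regular file; batching with -exec ... + limits process count.
collect_hashes() {
    find "$1" -xdev -type f -exec md5sum {} + 2>/dev/null
}

# Pipe a collector's output to the workstation's persistent netcat listener
# instead of writing it to the suspect disk. Usage: send_to_workstation <port> <cmd> [args]
send_to_workstation() {
    port="$1"; shift
    "$@" | nc -w 3 "$WORKSTATION" "$port"
}

# Typical run (left commented so the functions can be sourced and tested):
#   use_trusted_path
#   send_to_workstation "$PORT_META" collect_metadata /
#   send_to_workstation "$PORT_HASH" collect_hashes /
```

Collect metadata first and hashes second, since hashing reads every file and alters access times on filesystems not mounted noatime.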

Download LINReS for RedHat 4

Download LINReS for RedHat 3


Disclaimer

Disclaimer of warranty: The programs are provided "AS IS" without warranty of any kind. NII further disclaims all warranties, express and implied, including without limitation, any implied warranties of merchantability or fitness for a particular purpose.

Limitation of liability: In no event shall NII or its licensors be liable for any indirect, incidental, special, punitive or consequential damages, or damages for loss of profits, revenue, data or data use, incurred by customer or any third party, whether in an action in contract or tort, even if NII has been advised of the possibility of such damages. NII's entire liability for damages hereunder shall in no event exceed the fees actually paid by customer to NII for this license.


Network Intelligence (India) Pvt. Ltd. © 2008-2010