LINReS is a Live Response script designed to run on suspect or compromised Linux systems with minimal impact on the system, in order to satisfy the requirements of various forensic standards. This script has been tested successfully on RedHat Enterprise Linux systems.
LINReS consists mostly of statically compiled binaries; for the few binaries that are not statically compiled it ships the shared libraries they require. No binary from the compromised system is used by this tool, which mitigates the risk of collecting information through trojaned binaries on the suspect system. Two limits of that protection are worth keeping in mind: the running kernel is still the suspect's, so a kernel-level rootkit can still falsify what even a static binary sees, and a dynamically linked binary still uses the suspect system's dynamic loader (the path in its PT_INTERP) unless it is started through a loader shipped with the toolkit.
This script follows a simple client-server model in which the suspect system acts as the server and the investigator's forensic workstation (running MS-Windows) acts as the client, receiving all the incident response data from the suspect system. In socket terms the workstation is the listening end: each collection command on the suspect host pipes its output into a fresh Netcat connection to the workstation. We advocate using MS-Windows as the client primarily because the Windows build of Netcat offers a persistent listen option (-L), which re-opens the listener after each connection closes, so a single listener can receive the output of every command in turn.
LINReS contains three different scripts which collect volatile and non-volatile data from the suspect system, catering to the requirements of the 'Initial Response' phase of the Incident Response Methodology adopted by NII.
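The exchange described above, as an added example that is not part of LINReS itself: the workstation keeps a persistent listener open (the job the Windows Netcat -L option does), the suspect host opens one TCP connection per collected item and pushes a one-line name header followed by the raw output, and both ends hash what was sent and received so truncation or tampering in transit shows up. The header format, the function names and the sample command output are assumptions made for the example; a real run would pipe the output of the toolkit's own static binaries instead.

```python
"""Added example modelling the LINReS transfer pattern: the investigator's
workstation keeps a persistent listener open (the role the Windows Netcat
"-L" option plays) and the suspect host opens one TCP connection per
collected item, sending a one-line name header followed by the raw output.
Both sides hash what they sent/received so truncation or tampering in
transit is detectable. Illustrative code, not LINReS itself; the header
format and function names are assumptions."""
import hashlib
import os
import socket
import tempfile
import threading

HEADER_END = b"\n"  # assumed wire format: "<item name>\n<raw output bytes>"


def bind_listener(host="127.0.0.1", port=0):
    """Workstation side: bind before the suspect host starts sending so no
    connection is refused. port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)
    return srv


def receive_items(srv, outdir, max_items):
    """Accept max_items connections in turn (nc -L re-listens after each one
    closes), store each payload under outdir, return {name: sha256}."""
    os.makedirs(outdir, exist_ok=True)
    digests = {}
    for _ in range(max_items):
        conn, _peer = srv.accept()
        with conn:
            buf = bytearray()
            while True:               # read until the sender closes its side
                chunk = conn.recv(65536)
                if not chunk:
                    break
                buf.extend(chunk)
        name, _, body = bytes(buf).partition(HEADER_END)
        # basename() stops a hostile header such as "../../etc/cron.d/x" from
        # escaping the evidence directory on the workstation
        safe = os.path.basename(name.decode("ascii", "replace")) or "unnamed"
        path = os.path.join(outdir, safe)
        while os.path.exists(path):   # never overwrite earlier evidence
            path += ".dup"
        with open(path, "wb") as fh:
            fh.write(body)
        digests[os.path.basename(path)] = hashlib.sha256(body).hexdigest()
    return digests


def push_item(host, port, name, data):
    """Suspect side: the equivalent of `cmd | nc host port`, one connection
    per item; shutdown(SHUT_WR) is the EOF the listener waits for."""
    with socket.create_connection((host, port)) as conn:
        conn.sendall(name.encode("ascii") + HEADER_END + data)
        conn.shutdown(socket.SHUT_WR)


def transfer(items, outdir):
    """Drive both ends on localhost; return (sent_digests, received_digests)."""
    srv = bind_listener()
    port = srv.getsockname()[1]
    received = {}
    worker = threading.Thread(
        target=lambda: received.update(receive_items(srv, outdir, len(items))))
    worker.start()
    sent = {}
    for name, data in items:
        push_item("127.0.0.1", port, name, data)
        sent[name] = hashlib.sha256(data).hexdigest()
    worker.join()
    srv.close()
    return sent, received


# Constructed stand-ins for command output; a real run would pipe the output
# of the toolkit's own static binaries (date, netstat, ps, ...) instead.
SAMPLE_ITEMS = [
    ("date", b"Mon Jan  1 00:00:00 UTC 2007\n"),
    ("netstat-an", b"tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN\n"),
    ("../escape", b"hostile header, must land inside outdir\n"),
]


def demo():
    """Run the exchange into a temporary evidence directory and return the
    digests from both sides plus the bytes the workstation stored."""
    with tempfile.TemporaryDirectory() as outdir:
        sent, received = transfer(SAMPLE_ITEMS, outdir)
        stored = {n: open(os.path.join(outdir, n), "rb").read() for n in received}
    return sent, received, stored


if __name__ == "__main__":
    for name, digest in demo()[1].items():
        print(name, digest)
```

Comparing the two digest tables is the check the investigator should log with the evidence: a mismatch means the stream was cut short or altered between the suspect host and the workstation. The basename() guard matters because the header comes from the suspect host, which is by definition untrusted input.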
- Collects both volatile and non-volatile information from the suspect system
- Collects metadata of all the files on the suspect system
- Computes hashes of all the files on the suspect system
- Transfers data through the network using persistent netcat connections
- Minimal touch on the suspect system
- Uses mostly statically compiled binaries
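The metadata-and-hash sweep listed above, as an added example rather than the project's own scripts, written so that the touch on the suspect filesystem stays small: every entry is lstat()ed (symlinks are recorded, never followed) before it is read, so the recorded atime/mtime/ctime are the pre-collection values, and regular files are opened with O_NOATIME where the platform honours it. The record layout, the pseudo-filesystem skip list and the constructed sample tree are assumptions made for the example.

```python
"""Added example of a minimal-touch metadata-plus-hash sweep: lstat() first
so the recorded timestamps predate the read, hash second with O_NOATIME when
permitted, symlinks listed but never followed. Illustrative code, not the
LINReS scripts; record layout and names are assumptions."""
import hashlib
import os
import stat
import tempfile

CHUNK = 1 << 20
# Pseudo filesystems hold no evidence files and reading them has side effects
SKIP_DIRS = ("/proc", "/sys", "/dev")


def sha256_noatime(path):
    """Hash a regular file. O_NOATIME (Linux) stops the read from updating
    atime but needs file ownership or CAP_FOWNER, so fall back when refused.
    Returns (hexdigest, atime_preserved_flag)."""
    flag = getattr(os, "O_NOATIME", 0)
    try:
        fd = os.open(path, os.O_RDONLY | flag)
        preserved = flag != 0
    except PermissionError:
        fd = os.open(path, os.O_RDONLY)
        preserved = False
    h = hashlib.sha256()
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest(), preserved


def file_record(path):
    """Metadata first (lstat never follows symlinks), content hash second."""
    st = os.lstat(path)
    mode = stat.filemode(st.st_mode)
    rec = {
        "path": path,
        "type": mode[0],            # '-' regular, 'd' dir, 'l' symlink, ...
        "mode": mode,
        "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
        "atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns,
        "ctime_ns": st.st_ctime_ns,
        "sha256": None, "atime_preserved": None, "error": None,
    }
    if stat.S_ISREG(st.st_mode):
        try:
            rec["sha256"], rec["atime_preserved"] = sha256_noatime(path)
        except OSError as exc:      # unreadable file: record it, keep going
            rec["error"] = exc.strerror
    return rec


def walk_records(root, skip=SKIP_DIRS):
    """Yield one record per entry under root; pseudo filesystems are pruned
    and symlinked directories are listed but not descended (os.walk default)."""
    for dirpath, dirnames, filenames in os.walk(root, topdown=True):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in skip]
        for name in dirnames + filenames:
            yield file_record(os.path.join(dirpath, name))


SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\n"   # constructed content


def demo():
    """Build a small constructed tree, sweep it, and return the records keyed
    by path relative to the tree root plus the hash hashlib gives directly."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "etc"))
        target = os.path.join(root, "etc", "passwd")
        with open(target, "wb") as fh:
            fh.write(SAMPLE_PASSWD)
        os.symlink("passwd", os.path.join(root, "etc", "passwd-link"))
        before = os.lstat(target)
        records = {os.path.relpath(r["path"], root): r
                   for r in walk_records(root)}
        after = os.lstat(target)
    return {
        "records": records,
        "expected_sha256": hashlib.sha256(SAMPLE_PASSWD).hexdigest(),
        "mtime_unchanged": before.st_mtime_ns == after.st_mtime_ns,
    }


if __name__ == "__main__":
    for rel, rec in demo()["records"].items():
        print(rec["type"], rec["mode"], rec["size"], rec["sha256"], rel)
```

Hashing cannot be made completely silent: listing a directory still updates that directory's atime, and when O_NOATIME is refused the file's atime changes on read. The atime_preserved field records which case applied for each file, so the investigator knows which timestamps in the collection are post-collection artefacts rather than evidence.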
DISCLAIMER OF WARRANTY: THE PROGRAMS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. NII FURTHER DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
LIMITATION OF LIABILITY: IN NO EVENT SHALL NII OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR DATA USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF NII HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NII'S ENTIRE LIABILITY FOR DAMAGES HEREUNDER SHALL IN NO EVENT EXCEED THE FEES ACTUALLY PAID BY CUSTOMER TO NII FOR THIS LICENSE.