[Tools] linux-explorer - Easy-to-use live forensics toolbox for Linux endpoints

[References]

  1. https://github.com/intezer/linux-explorer


0) Overview

  • Live forensics tool for Linux endpoints, built on Python & Flask

1) Features

  • ps
    • View the full process list
    • View a process's memory map and easily pull strings from its memory
    • One-click memory dump
    • Automatic hash lookup against public services
      • VirusTotal / AlienVault OTX / MalShare
  • users
    • List of users
  • find
    • Search for suspicious files by name and regular expression
  • netstat
    • Whois
  • logs
    • syslog
    • auth.log (user authentication log)
    • ufw.log (firewall log)
    • bash history
  • anti-rootkit
    • chkrootkit
  • yara
    • Scan files and directories with YARA signatures (by @Neo23x0)
    • Scan the memory address space of running processes
    • Upload your own YARA signatures

2) Prerequisites

  • yara
    • sudo apt-get install yara
  • chkrootkit
    • sudo apt-get install chkrootkit

3) Installation

  • git clone
malware@CEAT:~$ cd Tools/
malware@CEAT:~/Tools$ git clone https://github.com/intezer/linux_expl0rer
Cloning into 'linux_expl0rer'...
remote: Counting objects: 392, done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 392 (delta 4), reused 13 (delta 4), pack-reused 375
Receiving objects: 100% (392/392), 1.72 MiB | 610.00 KiB/s, done.
Resolving deltas: 100% (39/39), done.
Checking connectivity… done

  • Check and install the required Python libraries
malware@CEAT:~/Tools$ cd linux_expl0rer/
malware@CEAT:~/Tools/linux_expl0rer$ cat requirements.txt
certifi==2017.11.5
chardet==3.0.4
click==6.7
Flask==0.12.2
idna==2.6
itsdangerous==0.24
Jinja2==2.10
MarkupSafe==1.0
OTXv2==1.2
psutil==5.4.1
requests==2.18.4
simplejson==3.12.0
urllib3==1.22

malware@CEAT:~/Tools/linux_expl0rer$ sudo pip install -r requirements.txt

  • Configure API keys for the hash-lookup services (optional)
malware@CEAT:~/Tools/linux_expl0rer$ cat config.py
VT_APIKEY = ''
OTX_APIKEY = ''
MALSHARE_APIKEY = ''


  • Give the start script execute permission, then run it
malware@CEAT:~/Tools/linux_expl0rer$ chmod +x start_server.sh
malware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh


4) Errors encountered during installation

  • Error message saying yara is not installed
malware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of master.zip or
master.zip.zip, and cannot find master.zip.ZIP, period.
[*] starting Linux Expl0rer...
Traceback (most recent call last):
File "linux_explorer.py", line 21, in
toolbox = dict({'yara': tools.YARA(),
File "/home/malware/Tools/linux_expl0rer/tools.py", line 16, in __init__
raise Exception('error: %s not installed' % self.__class__.__name__)
Exception: error: YARA not installed
    • linux_explorer.py, line 21
    • linux_expl0rer/tools.py, line 16

  • yara itself runs normally in the current environment
malware@CEAT:~/Tools/linux_expl0rer$ yara
yara: wrong number of arguments
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID

Try `--help` for more options

  • Check the path where yara is installed
malware@CEAT:~/Tools/linux_expl0rer$ find / -name yara 2> /dev/null
/usr/local/bin/yara
/usr/local/lib/python2.7/dist-packages/cuckoo/data/yara
/usr/local/include/yara
/home/malware/cuckoo-modified/data/yara
/home/malware/.cuckoo/yara
/home/malware/Tools/yara-3.4.0/yara
/home/malware/Tools/yara-3.4.0/windows/yara
/home/malware/Tools/yara-3.4.0/libyara/include/yara
    • The path specified in tools.py (seen in the traceback above) differs from this, so it was changed to the path where yara is actually installed
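The traceback above comes from a check in tools.py that expects yara at one fixed path, so a yara that lives in /usr/local/bin is reported as "not installed". As an added example (not linux_expl0rer's own code), the Python below resolves each required binary through PATH and then a list of fallback locations, and reports every missing tool in one error instead of failing on the first; the candidate paths, function names and the injectable `is_executable` hook are assumptions for illustration.

```python
"""Locate external tool binaries before starting a forensics server."""
import os

# Fallback locations tried when the binary is not on PATH.
# Assumed for this example; linux_expl0rer does not define this table.
DEFAULT_CANDIDATES = {
    "yara": ["/usr/bin/yara", "/usr/local/bin/yara"],
    "chkrootkit": ["/usr/sbin/chkrootkit", "/usr/local/sbin/chkrootkit"],
}


def _real_is_executable(path):
    """True if `path` is a regular file the current user may execute."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_tool(name, candidates=None, path_env=None, is_executable=None):
    """Return the absolute path of tool `name`, or None if not found.

    Search order: every directory on PATH (what `which name` does), then
    the fallback candidates. `path_env` and `is_executable` can be
    injected so the lookup is testable without a real filesystem.
    """
    is_executable = is_executable or _real_is_executable
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    if candidates is None:
        candidates = DEFAULT_CANDIDATES.get(name, [])
    for directory in path_env.split(os.pathsep):
        if directory:
            full = os.path.join(directory, name)
            if is_executable(full):
                return full
    for full in candidates:
        if is_executable(full):
            return full
    return None


def check_prerequisites(required, candidates=None, path_env=None,
                        is_executable=None):
    """Map each required tool to its path; raise listing all missing ones."""
    table = candidates if candidates is not None else DEFAULT_CANDIDATES
    resolved = {
        name: resolve_tool(name, table.get(name, []), path_env, is_executable)
        for name in required
    }
    missing = sorted(name for name, path in resolved.items() if path is None)
    if missing:
        raise RuntimeError("error: not installed: %s" % ", ".join(missing))
    return resolved
```

Calling `check_prerequisites(["yara", "chkrootkit"])` at startup gives a single message naming everything that is missing, rather than the one-tool-at-a-time exception seen in the traceback.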


  • Confirm it starts correctly
malware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of master.zip or
master.zip.zip, and cannot find master.zip.ZIP, period.
[*] starting Linux Expl0rer...
* Running on http://127.0.0.1:8080/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 251-971-847
    • If the IP address and port number need to be changed



5) Running

  • Confirmed it still works after changing the IP address and restarting
malware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of master.zip or
master.zip.zip, and cannot find master.zip.ZIP, period.
[*] starting Linux Expl0rer...
* Running on http://127.0.0.1:8080/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 251-971-847
^Cmalware@CEAT:~/Tools/linux_expl0rer$ ./start_server.sh
[*] fetching up-to-date yara signatures...
Archive: master.zip
125a22041186964c6ced8707da2a320cc667f6cf
inflating: yara_rules/apt_agent_btz.yar
inflating: yara_rules/apt_alienspy_rat.yar
inflating: yara_rules/apt_apt10.yar
inflating: yara_rules/thor_inverse_matches.yar
inflating: yara_rules/threat_lenovo_superfish.yar
[*] starting Linux Expl0rer...
* Running on http://192.168.200.111:8080/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
* Debugger PIN: 251-971-847

  • Web interface after connecting



6) Limitations

  • Convenient for quick live forensics on a local machine, but the GRR framework provides much more powerful capabilities
    • Tool released by Google - https://github.com/google/grr
      • Python-based
      • Remote live forensics framework
      • GRR is a python client (agent) that is installed on target systems, and python server infrastructure that can manage and talk to clients.

