After a cyber incident, data must be collected to investigate and to preserve evidence. Collection is a sensitive process: it must not crash the target or corrupt data, so we need to make the minimum of changes to the target system while collecting.
It is necessary to automate the collection process to avoid situations like data corruption or the system going down. Check these points before collecting:
- Has the automation been tested before?
- Does it cause performance problems?
- What to do if the system crashes?
Also, a basic tool should be able to collect this data:
- System time and date
- Operating system
- General system information
- Users and groups list
- Network details
- Network connections
- Services and software list
- Active processes
- Browser history
- System configurations
- ARP table, DNS cache
NOTE: If file transfer is necessary, hash information should also be sent to confirm that the file has not changed during the transfer.
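The hash check from the note above, as an added example (not code from the post or its repository): the sender streams the file through SHA-256 and ships a small JSON manifest alongside it; the receiver recomputes the digest over the bytes that actually arrived and reports size and hash mismatches separately, so a truncated copy is not confused with a modified one. The sample log line and file name are constructed for the demo.

```python
"""Hash manifest for forensic file transfer (added example, not the post's code).

The sender computes a SHA-256 digest before the file leaves the target; the
receiver recomputes it over the bytes that arrived and refuses to trust the
copy unless both length and digest match.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024  # read in 64 KiB pieces so large evidence files are not loaded into RAM


def sha256_file(path):
    """Stream the file through SHA-256 and return (hex digest, byte length)."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def build_manifest(path):
    """Sender side: JSON manifest that travels with the file."""
    digest, size = sha256_file(path)
    return json.dumps({"name": os.path.basename(path), "size": size, "sha256": digest})


def verify_transfer(received_bytes, manifest_json):
    """Receiver side: recompute the digest over what actually arrived.

    Returns (ok, reason). Size is checked first so a truncated transfer is
    reported as such rather than as a generic hash mismatch.
    """
    manifest = json.loads(manifest_json)
    if len(received_bytes) != manifest["size"]:
        return False, "size mismatch: expected %d, got %d" % (manifest["size"], len(received_bytes))
    actual = hashlib.sha256(received_bytes).hexdigest()
    if actual != manifest["sha256"]:
        return False, "sha256 mismatch: expected %s, got %s" % (manifest["sha256"], actual)
    return True, "ok"


def demo():
    """Constructed sample: a small 'evidence' file, transferred intact, tampered, and truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        with open(path, "wb") as f:
            # constructed log line, not taken from any real system
            f.write(b"Jan 10 12:00:01 host sshd[123]: Accepted password for alice from 10.0.0.5\n")
        manifest = build_manifest(path)
        with open(path, "rb") as f:
            data = f.read()
        intact = verify_transfer(data, manifest)
        # same length, one byte changed: only the digest catches this
        tampered = verify_transfer(data.replace(b"10.0.0.5", b"10.0.0.6"), manifest)
        # last byte dropped: the length check catches this first
        truncated = verify_transfer(data[:-1], manifest)
        return intact, tampered, truncated


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "truncated"), demo()):
        print(label, result)
```

Send the manifest over the same channel as the file, and keep a copy of the digest in the case notes; if the receiving side later needs to prove the copy is what left the target, the digest is the evidence.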
I wanted to build my own automation and designed a TCP client-server structure with Python.
Firstly, I found a code sample that can connect as admin and client.
Then I created a TCP socket for data acquisition on the admin side.
I prepared the Python code (data.py) that listens to the client side (main.py) and creates the data in line with the commands received.
If a command reaching the listener starts with "!", it is sent to the getValue() function in the data.py file.
If the requested data is supported by the target, data collection begins. The requested data and the commands executed to obtain it:
| Requested data | Command executed |
|---|---|
| System date and time | date |
| Operating system | cat /etc/issue |
| Kernel version | uname -a |
| Network connections | netstat -anp |
| Network interfaces | ifconfig -a |
| Routing table | netstat -rn |
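An allowlisted version of the "!" dispatcher described above, as an added example (not the post's data.py or getValue()): the admin side sends only a short key, the listener maps that key to a fixed argv list and runs it without a shell, and anything that is not a supported key is refused. That way the listener never executes a command string composed on the admin side. The key names (date, os, kernel, conns, ifaces, routes) are my own; the commands are the ones in the table, plus iproute2 fallbacks (ss, ip addr, ip route) because ifconfig and netstat come from the net-tools package, which recent Ubuntu releases do not install by default.

```python
"""Allowlisted '!' command dispatcher for the collector (added example, not the post's code).

Each supported key maps to one or more fixed argv lists; the first whose program
exists on the target is used. Only the key travels over the wire, so the listener
never executes a string the admin side composed.
"""
import shutil
import subprocess

# Commands from the post's table, with iproute2 fallbacks for hosts without net-tools.
# Key names are this example's own choice.
COMMANDS = {
    "date":   [["date"]],
    "os":     [["cat", "/etc/issue"]],
    "kernel": [["uname", "-a"]],
    "conns":  [["netstat", "-anp"], ["ss", "-anp"]],
    "ifaces": [["ifconfig", "-a"], ["ip", "addr"]],
    "routes": [["netstat", "-rn"], ["ip", "route"]],
}


def parse_request(message):
    """Return the key of a '!'-prefixed request, or None for anything else."""
    message = message.strip()
    if not message.startswith("!") or len(message) < 2:
        return None
    return message[1:].lower()


def resolve(key):
    """Pick the first argv whose executable is on PATH; None if the key is unsupported."""
    for argv in COMMANDS.get(key, []):
        if shutil.which(argv[0]):
            return argv
    return None


def command_available(key):
    """True when some command for `key` can run on this host."""
    return resolve(key) is not None


def get_value(key):
    """Run the collector command for `key` and return a result dict.

    No shell is involved (argv list, shell=False), output is captured rather
    than written to the target's disk, and a timeout keeps a hung command from
    stalling the collector.
    """
    argv = resolve(key)
    if argv is None:
        return {"ok": False, "key": key, "error": "unsupported or unavailable on this host"}
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    except subprocess.TimeoutExpired:
        return {"ok": False, "key": key, "command": " ".join(argv), "error": "timed out"}
    return {
        "ok": proc.returncode == 0,
        "key": key,
        "command": " ".join(argv),
        "output": proc.stdout,
        "error": proc.stderr,
    }


def handle_message(message):
    """Entry point for one message from the socket: dispatch '!' requests, refuse the rest."""
    key = parse_request(message)
    if key is None:
        return {"ok": False, "error": "not a '!' request"}
    return get_value(key)


if __name__ == "__main__":
    for msg in ("!date", "!kernel", "!routes", "!rm -rf /", "hello"):
        print(msg, "->", handle_message(msg))
```

Because the map holds argv lists rather than strings, a request like "!rm -rf /" is just an unknown key and is refused; adding a new collection step means adding a key to COMMANDS, never passing text through to a shell.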
I installed 3 separate Ubuntu machines on a VM for testing the tool and installed the tool.
When I checked the server terminal, I saw that the client and admin connected to the server successfully.
When I requested browser history as the admin user, I got the client's browser history.
Some commands executed:
You can access all of the source code on my GitHub page.