Data Collection with Python on Linux Systems

After a cyber incident, data must be collected to investigate and to preserve evidence. Collecting data is a sensitive process: it should not cause the target to collapse or corrupt data. Therefore, we need to make minimal changes on the target system while collecting data.

It is necessary to automate the collection process to avoid situations like data corruption or the system going down. Check these points before collecting:

  • Has the automation been tested before?
  • Does it cause performance problems?
  • What to do if the system crashes?

Also, a basic tool should be able to collect this data:

  • System time and date
  • Operating system
  • General system information
  • Users and groups list
  • Network details
  • Network connections
  • Services and software list
  • Drivers
  • Files
  • Active processes
  • Browser history
  • System configurations
  • ARP table, DNS cache

NOTE: If file transfer is necessary, the file's hash should also be sent so the receiver can confirm that the file has not changed during the transfer.

I wanted to build my own automation and designed a TCP client-server structure with Python.

First, I found a code sample that can connect as admin and as client.

Then I created a TCP socket for data acquisition on the admin side.

I prepared the Python code (data.py) that listens to the client side (main.py) and produces the data in line with the commands received.

If a command reaching the listener starts with "!", it is passed to the getValue() function in data.py.

If the requested data is supported by the target, data collection begins. The requested data and the command executed for each of them:

Data                    Command
System date and time    date
Operating system        cat /etc/issue
Kernel version          uname -a
Uptime                  w
Users                   cat /etc/passwd
Groups                  cat /etc/group
Network connections     netstat -anp
Drivers                 lsmod
Network interfaces      ifconfig -a
Routing table           netstat -rn
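The "!" dispatch to getValue() and the hash note above, as an added example that is not the code from my GitHub repository: the request name is looked up in an allow-list built from the table (so only the listed commands can ever run), the command is executed without a shell and with a timeout so a hung tool cannot stall the target, and a SHA-256 of the raw output is returned alongside it for the receiving side to verify. The function and status names here are my own assumptions, not names from the original tool.

```python
import hashlib
import subprocess

# Allow-list of supported data items -> argv, taken from the table above.
# argv lists (no shell) mean a request can never inject extra commands.
COMMANDS = {
    "date": ["date"],
    "os": ["cat", "/etc/issue"],
    "kernel": ["uname", "-a"],
    "uptime": ["w"],
    "users": ["cat", "/etc/passwd"],
    "groups": ["cat", "/etc/group"],
    "connections": ["netstat", "-anp"],
    "drivers": ["lsmod"],
    "interfaces": ["ifconfig", "-a"],
    "routes": ["netstat", "-rn"],
}


def sha256_hex(data: bytes) -> str:
    """Integrity value the receiver recomputes to confirm the data arrived intact."""
    return hashlib.sha256(data).hexdigest()


def parse_request(line: str):
    """Return the requested data name if the line is a '!' command, else None."""
    line = line.strip()
    if not line.startswith("!"):
        return None
    return line[1:].strip().lower() or None


def get_value(line: str, timeout: float = 10.0):
    """Dispatch a '!' request. Returns (status, raw_output, sha256_hex_of_output).

    status is one of: ignored (no '!'), unsupported (not in allow-list),
    missing_tool, timeout, error (non-zero exit) or ok.
    """
    name = parse_request(line)
    if name is None:
        return ("ignored", b"", "")
    argv = COMMANDS.get(name)
    if argv is None:                       # anything not in the table is refused
        return ("unsupported", b"", "")
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except FileNotFoundError:              # tool not installed on this target
        return ("missing_tool", b"", "")
    except subprocess.TimeoutExpired:      # never let a hung tool stall collection
        return ("timeout", b"", "")
    status = "ok" if proc.returncode == 0 else "error"
    return (status, proc.stdout, sha256_hex(proc.stdout))
```

Only the commands in the table can be reached through get_value(); a request such as "!rm -rf /" is answered with "unsupported" and nothing runs.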

I installed 3 separate Ubuntu machines in VMs for testing, and installed the tool on them.

Machine    IP
Server     192.168.131.128
Admin      192.168.131.129
Client     192.168.131.132

When I checked the server terminal, I saw that the client and the admin had connected to the server successfully.

When I requested the browser history from the admin user, I received the client's browser history.

Some commands executed:

  • Bash history
  • Kernel version

You can access all of the source code on my GitHub page.
