LX1.11 Module Summary
This module established the complete evidence collection methodology for Linux incident response — the tools, commands, procedures, decision framework, and automation that ensure evidence is captured before it disappears.
UAC is the primary triage tool. The Unix Artifact Collector runs from external media, requires no installation, and collects over 200 artifact categories. The ir_triage profile captures critical evidence in 3–8 minutes. The full profile captures everything in 15–30 minutes. Output is organized by category: live_response/ (volatile), logs/ (log files), system/ + user/ (configuration and user artifacts), bodyfile/ (filesystem metadata). All files are automatically hashed.
The live response sequence captures volatile data in priority order. Seven steps: system timestamp, logged-in users, running processes (with /proc direct reads that bypass rootkits), network connections (with /proc/net/ direct reads), open files and deleted-but-open binaries, loaded kernel modules, and volatile filesystem contents. The /proc direct read technique is the most critical — it provides kernel-level truth about processes and connections that userspace tools cannot hide.
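To make the /proc direct-read step concrete, here is an added example (not course material, not part of UAC or the module's collection script) that decodes the raw hex rows of /proc/net/tcp into readable endpoints and compares a direct listing of numeric /proc entries against what ps reports. The sample /proc/net/tcp text is constructed; the rootkit check only needs the two PID lists.

```shell
#!/bin/sh
# Added example: read the kernel's own socket and process tables from /proc
# instead of trusting ss/netstat/ps. Constructed sample data, not a real host.

# Constructed /proc/net/tcp excerpt (header plus two sockets).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B1A4 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1'

hex_to_ip() {
    # The kernel prints IPv4 addresses as one little-endian 32-bit hex word,
    # so "0100007F" is 127.0.0.1: lowest byte first.
    v=$((0x$1))
    printf '%d.%d.%d.%d' $((v & 255)) $(((v >> 8) & 255)) \
        $(((v >> 16) & 255)) $(((v >> 24) & 255))
}

decode_endpoint() {
    # "0100007F:0016" -> "127.0.0.1:22" (the port is plain big-endian hex).
    ep=$1
    printf '%s:%d' "$(hex_to_ip "${ep%%:*}")" "$((0x${ep##*:}))"
}

tcp_state() {
    # Socket state codes as used in /proc/net/tcp.
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *) echo "UNKNOWN($1)" ;;
    esac
}

decode_proc_net_tcp() {
    # Reads /proc/net/tcp text on stdin, skips the header and prints one
    # "local remote STATE uid=N inode=N" line per socket. The inode is what
    # ties a socket back to a process through its /proc/<pid>/fd symlinks.
    tail -n +2 | while read -r _sl laddr raddr st rest; do
        # rest: tx:rx tr:when retrnsmt uid timeout inode ...
        set -- $rest
        printf '%s %s %s uid=%s inode=%s\n' \
            "$(decode_endpoint "$laddr")" "$(decode_endpoint "$raddr")" \
            "$(tcp_state "$st")" "$4" "$6"
    done
}

hidden_pids() {
    # $1: PIDs from a direct /proc listing, $2: PIDs reported by ps, both
    # newline-separated. Prints PIDs that exist in /proc but are missing
    # from ps; any output means ps was hooked or the list changed mid-run.
    printf '%s\n' "$1" | awk -v ps="$2" '
        BEGIN { n = split(ps, a, "\n")
                for (i = 1; i <= n; i++) { gsub(/ /, "", a[i]); seen[a[i]] = 1 } }
        NF && !($1 in seen)'
}

# Demo on the constructed sample. On a live host run:
#   decode_proc_net_tcp < /proc/net/tcp
#   hidden_pids "$(ls /proc | grep -E '^[0-9]+$')" "$(ps -eo pid=)"
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | decode_proc_net_tcp
```

Run the two live-host commands back to back and save both outputs; the decoded socket list plus the PID diff is the evidence that a later userspace tool could not have filtered.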
Remote and cloud-specific collection extends the methodology. SSH-based collection pipes output to the forensic workstation. Cloud disk snapshots are forensically cleaner than live imaging — no login required, point-in-time capture. Container collection races restarts — docker export and kubectl cp before termination. Cloud audit trails (CloudTrail, Activity Log) provide a second evidence plane.
Evidence integrity is non-negotiable. SHA256 hashing at collection, verification at every transfer. Chain of custody documentation records who, when, how. Analysis on copies, never originals. Legal proceedings add dual hashing, witness documentation, and tamper-evident sealing.
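The hashing and custody steps above, as an added example (not course material and not the module's collection script): build a SHA256 manifest of a collection directory, re-verify it after each transfer, and record the manifest's own hash in a chain-of-custody log. It assumes GNU coreutils sha256sum (or perl shasum as a fallback); the demo files are constructed, not evidence.

```shell
#!/bin/sh
# Added example: hash at collection, verify after transfer, log custody.

hash_tool() {
    # Prefer coreutils sha256sum; fall back to perl shasum on hosts without it.
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"; else echo "shasum -a 256"; fi
}

make_manifest() {
    # $1: evidence directory (for instance a UAC output directory).
    # Writes MANIFEST.sha256 covering every file, then prints the manifest's
    # own hash. That single value is what goes on the custody form and is
    # read back at every hand-off.
    dir=$1
    (cd "$dir" && find . -type f ! -name MANIFEST.sha256 -exec $(hash_tool) {} + \
        | sort -k2 > MANIFEST.sha256)
    manifest_hash "$dir"
}

manifest_hash() {
    (cd "$1" && $(hash_tool) MANIFEST.sha256 | cut -d' ' -f1)
}

verify_manifest() {
    # Re-hashes every listed file. Exit status is non-zero on any mismatch
    # or missing file. Run on the workstation after each copy and before
    # any analysis starts; a failed verify is a custody event, not a retry.
    (cd "$1" && $(hash_tool) -c MANIFEST.sha256)
}

custody_log() {
    # $1: log file, $2: handler, $3: action (collected/transferred/verified),
    # $4: manifest hash. Tab-separated so it pastes cleanly into a report.
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" >> "$1"
}

# Demo on constructed files (not real evidence).
demo=$(mktemp -d)
mkdir -p "$demo/ev/logs"
printf 'constructed sshd log line\n' > "$demo/ev/logs/auth.log"
printf 'constructed ps listing\n'    > "$demo/ev/ps.txt"
h=$(make_manifest "$demo/ev")
custody_log "$demo/custody.log" "analyst@example" "collected" "$h"
verify_manifest "$demo/ev" >/dev/null && echo "integrity OK, manifest sha256 $h"
rm -rf "$demo"
```

Keep the custody log outside the evidence directory so it is never covered by the manifest it describes; the manifest hash written on the physical form is the value that later proves the log itself was not rewritten.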
The complete collection sequence is ordered by phase. Pre-collection → Memory (LiME) → Volatile (UAC/manual) → Cloud API → Persistent (logs, config) → Disk image → Close. The environment determines which phases apply.
Memory acquisition requires preparation. LiME must be pre-compiled for the target kernel. Pre-compilation for every kernel version in your infrastructure is a proactive task — done before the incident, not during it. Without a pre-compiled module, alternatives are limited to /proc/kcore or skipping memory entirely.
Disk imaging captures the complete filesystem state. dc3dd with simultaneous hashing for bare-metal and VMs. Cloud snapshots for cloud VMs. Forensic mounting with read-only, no-exec, no-suid options prevents evidence modification during analysis. LVM and LUKS considerations affect imaging strategy.
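The forensic mounting point deserves a worked form, so here is an added example (not course material): it builds the mount option string for a partition inside a raw image and checks, from /proc/mounts, that an evidence mount carries the required flags before analysis begins. The image path, mount point and sector offset are illustrative.

```shell
#!/bin/sh
# Added example: forensic mount options for a raw image, and a check that the
# evidence mount actually has them. Paths and offsets are placeholders.
#
# Acquisition step the module describes (dc3dd hashing while it images):
#   dc3dd if=/dev/sdb hof=image.dd hash=sha256 log=image.log
#
# Weak form, shown only for contrast:  mount -o loop image.dd /mnt/evidence
# Even a plain ro mount of ext4 can replay a dirty journal, which writes to
# the image, and anything inside it stays executable.

forensic_mount_opts() {
    # $1: first sector of the partition inside the image (from fdisk -l or
    # mmls), $2: sector size (default 512). Prints the -o option string.
    # ro: no writes.  noload: do not replay the ext4 journal (XFS: norecovery).
    # noexec/nosuid/nodev: nothing inside the image can run or gain privilege.
    start=$1; ss=${2:-512}
    printf 'ro,loop,noexec,nosuid,nodev,noload,offset=%d' $((start * ss))
}

mount_is_forensic() {
    # $1: one line from /proc/mounts. Returns 0 only if every required
    # VFS-level flag is present in the options field (4th column).
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for need in ro noexec nosuid nodev; do
        case ",$opts," in *",$need,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Usage on the workstation (needs root):
#   mount -o "$(forensic_mount_opts 2048)" image.dd /mnt/evidence
#   mount_is_forensic "$(grep ' /mnt/evidence ' /proc/mounts)" \
#       || echo "evidence mount lacks required flags; remount before analysis"
```

For LVM or LUKS images the offset trick is not enough: the volume has to be opened with losetup plus vgchange or cryptsetup first, and the same option string is then applied to the resulting logical device.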
Container evidence is ephemeral. Docker collection: inspect, logs, diff, export, cp, exec. Kubernetes adds kubectl and audit logs. Dead container recovery: runtime logs, /var/lib/docker writable layer, persistent volumes. Container escape detection: Docker socket mount, privileged flag, excessive capabilities.
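The three escape indicators named above can be checked from docker inspect output. The following is an added example, not course material: the --format template is an assumption about how to lay the fields out on one line, and the sample inspect lines are constructed.

```shell
#!/bin/sh
# Added example: flag container-escape indicators (Docker socket mount,
# privileged flag, excessive capabilities) from docker inspect output.
#
# Collect one line per container with (template is this example's choice):
#   docker inspect --format \
#     '{{.Name}}|{{.HostConfig.Privileged}}|{{.HostConfig.CapAdd}}|{{range .Mounts}}{{.Source}},{{end}}' \
#     $(docker ps -aq)

# Added capabilities that commonly turn a container into a host foothold.
# Substring match, so both "SYS_ADMIN" and "CAP_SYS_ADMIN" spellings hit.
RISKY_CAPS="SYS_ADMIN SYS_PTRACE SYS_MODULE DAC_READ_SEARCH NET_ADMIN"

# Constructed sample inspect lines (not from a real host).
SAMPLE_INSPECT='/web|false|[]|/srv/www,
/ci-runner|true|[SYS_ADMIN NET_ADMIN]|/var/run/docker.sock,/home/ci,
/debug|false|[SYS_PTRACE]|'

assess_container() {
    # $1: "name|privileged|capadd|mounts". Prints "name clean" or
    # "name ESCAPE-RISK: <indicators>".
    line=$1
    name=${line%%|*};  rest=${line#*|}
    priv=${rest%%|*};  rest=${rest#*|}
    caps=${rest%%|*};  mounts=${rest#*|}
    findings=""
    if [ "$priv" = "true" ]; then findings="$findings privileged"; fi
    case ",$mounts" in
        *,/var/run/docker.sock,*|*,/run/docker.sock,*) findings="$findings docker-socket" ;;
    esac
    for cap in $RISKY_CAPS; do
        case "$caps" in *"$cap"*) findings="$findings cap:$cap" ;; esac
    done
    if [ -n "$findings" ]; then
        printf '%s ESCAPE-RISK:%s\n' "$name" "$findings"
    else
        printf '%s clean\n' "$name"
    fi
}

assess_all() {
    # Reads inspect lines on stdin, one per container, skipping blanks.
    while read -r line; do
        if [ -n "$line" ]; then assess_container "$line"; fi
    done
}

# Demo on the constructed sample; on a live host pipe the docker inspect
# output above into assess_all and keep both the raw and assessed output.
printf '%s\n' "$SAMPLE_INSPECT" | assess_all
```

A flagged container is where the dead-container recovery steps matter most: its writable layer under /var/lib/docker and the runtime logs are what show whether the escape path was actually used.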
Triage prioritizes collection under time pressure. Attacker active → capture process and network state immediately. Incident type determines evidence priority (SSH → auth logs, web app → access logs, crypto → processes). Multi-system incidents → ir_triage all systems first, full collection on priority systems second. Available access determines feasible methods.
Automation ensures consistency. The live response collection script captures 10 evidence phases with automatic hashing and logging. Deploy the script to your forensic workstation, USB drive, and network share before the incident. Customize for your distribution and environment.
What comes next. LX2 (Filesystem Forensics) teaches you to analyze the filesystem evidence collected in this module — ext4 inodes, timestamps, deleted file recovery, and timeline generation with plaso and Sleuth Kit.