This document provides an overview of extracting Bash command history from Unix memory images using digital forensics techniques. It discusses how Bash stores command history in memory and on disk, and how forensic analysts can extract that history from a memory dump. It includes a case study demonstrating extracting Bash history from multiple processes and showing that the "history -c" command only clears history for that individual process. The document aims to help digital forensics practitioners recover command history during memory forensics investigations.
Web technologies are evolving at such a frenetic pace that it becomes almost mandatory to learn on your own. A lot of us still depend on other people to do this learning for us, and we tend to use their answers to solve our everyday problems.
Inconsistent implementations, rapidly evolving specs, questionable performance impacts and maintenance implications mean we cannot always depend on others for answers but must involve ourselves actively in the process of developing specifications for new Web technologies. But how do we go about it?
There are some simple rituals we can all do, which can have us be better-informed and also better inform the people and groups who are most directly involved in the development of new Web technologies.
Web technologies are evolving at such a frenetic pace that it becomes almost mandatory to learn on your own. A lot of us still depend on other people to do this learning for us, and we tend to use their answers to solve our everyday problems.
Inconsistent implementations, rapidly evolving specs, questionable performance impacts and maintenance implications mean we cannot always depend on others for answers but must involve ourselves actively in the process of developing specifications for new Web technologies. But how do we go about it?
There are some simple rituals we can all do, which can have us be better-informed and also better inform the people and groups who are most directly involved in the development of new Web technologies.
EuroPython 2014 - How we switched our 800+ projects from Apache to uWSGIMax Tepkeev
During the last 7 years the company I am working for developed more than 800 projects in PHP and Python. All this time we were using Apache+nginx for hosting this projects. In this talk I will explain why we decided to switch all our projects from Apache+nginx to uWSGI+nginx and how we did that.
In the Container world, there is a need to build observability around apps and backing services running in containers. The observability should allow to capture on demand low level metrics at a low overhead. The proposal is to use ebpf as the tracing technology to capture details at kernel & user level, and generate on demand flamegraphs, heat maps for applications & backing services. The Linux kernel has a built-in BPF JIT compiler, and an in-kernel verifier which is used to validate eBPF programs. This allows user defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively. eBPF provides in-kernel implementation of storage maps such as histograms and hash-maps, which helps in efficient copy of summarized monitoring data from kernel to user space with low overhead.
These features make eBPF programs safe to run in production and allow admins and engineers to collect crucial data from systems for performance analysis and monitoring.
Slides from my DockerCon EU 2017 Talk.
Find the abstract below:
"In this talk, we'll discover how Docker comes to the rescue of the Ops Team, while rebuilding from scratch our monitoring infrastructure. We'll start by quickly describing the challenges, to focus on why and how using docker saved the project. From fixing dependencies and isolation issues, implementing rolling upgrades and new features hot addition, to building a completely modular, scalable and resilient infrastructure, we'll talk about why CI/CD workflows, docker tooling and Docker Swarm were the key to success."
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Ontico
В какой-то момент 3-й в мире работный сайт начал периодически падать на несколько минут. Сюрпризом стало то, что в этот раз действительно из-за сети.
Для масштабирования сервисов и их взаимодействия между собой hh.ru использует внутренний балансировщик. Обработку 25 тыс. запросов в секунду обеспечивают 5 серверов с nginx. Обращение к этим серверам балансирует коммутатор.
Я расскажу, как мы расследовали серию инцидентов, которая была вызвана нарушением протокола TCP при балансировке. И что мы придумали, чтобы продолжить безнаказанно его нарушать.
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Андрей Шорин
В какой-то момент 3-й в мире работный сайт начал периодически падать на несколько минут. Сюрпризом стало то, что в этот раз действительно из-за сети.
Для масштабирования сервисов и их взаимодействия между собой hh.ru использует внутренний балансировщик. Обработку 25 тыс. запросов в секунду обеспечивают 5 серверов с nginx. Обращение к этим серверам балансирует коммутатор.
Я расскажу, как мы расследовали серию инцидентов, которая была вызвана нарушением протокола TCP при балансировке. И что мы придумали, чтобы продолжить безнаказанно его нарушать.
eBPF is an exciting new technology that is poised to transform Linux performance engineering. eBPF enables users to dynamically and programatically trace any kernel or user space code path, safely and efficiently. However, understanding eBPF is not so simple. The goal of this talk is to give audiences a fundamental understanding of eBPF, how it interconnects existing Linux tracing technologies, and provides a powerful aplatform to solve any Linux performance problem.
EuroPython 2014 - How we switched our 800+ projects from Apache to uWSGIMax Tepkeev
During the last 7 years the company I am working for developed more than 800 projects in PHP and Python. All this time we were using Apache+nginx for hosting this projects. In this talk I will explain why we decided to switch all our projects from Apache+nginx to uWSGI+nginx and how we did that.
In the Container world, there is a need to build observability around apps and backing services running in containers. The observability should allow to capture on demand low level metrics at a low overhead. The proposal is to use ebpf as the tracing technology to capture details at kernel & user level, and generate on demand flamegraphs, heat maps for applications & backing services. The Linux kernel has a built-in BPF JIT compiler, and an in-kernel verifier which is used to validate eBPF programs. This allows user defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively. eBPF provides in-kernel implementation of storage maps such as histograms and hash-maps, which helps in efficient copy of summarized monitoring data from kernel to user space with low overhead.
These features make eBPF programs safe to run in production and allow admins and engineers to collect crucial data from systems for performance analysis and monitoring.
Slides from my DockerCon EU 2017 Talk.
Find the abstract below:
"In this talk, we'll discover how Docker comes to the rescue of the Ops Team, while rebuilding from scratch our monitoring infrastructure. We'll start by quickly describing the challenges, to focus on why and how using docker saved the project. From fixing dependencies and isolation issues, implementing rolling upgrades and new features hot addition, to building a completely modular, scalable and resilient infrastructure, we'll talk about why CI/CD workflows, docker tooling and Docker Swarm were the key to success."
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Ontico
В какой-то момент 3-й в мире работный сайт начал периодически падать на несколько минут. Сюрпризом стало то, что в этот раз действительно из-за сети.
Для масштабирования сервисов и их взаимодействия между собой hh.ru использует внутренний балансировщик. Обработку 25 тыс. запросов в секунду обеспечивают 5 серверов с nginx. Обращение к этим серверам балансирует коммутатор.
Я расскажу, как мы расследовали серию инцидентов, которая была вызвана нарушением протокола TCP при балансировке. И что мы придумали, чтобы продолжить безнаказанно его нарушать.
Как HeadHunter удалось безопасно нарушить RFC 793 (TCP) и обойти сетевые лову...Андрей Шорин
В какой-то момент 3-й в мире работный сайт начал периодически падать на несколько минут. Сюрпризом стало то, что в этот раз действительно из-за сети.
Для масштабирования сервисов и их взаимодействия между собой hh.ru использует внутренний балансировщик. Обработку 25 тыс. запросов в секунду обеспечивают 5 серверов с nginx. Обращение к этим серверам балансирует коммутатор.
Я расскажу, как мы расследовали серию инцидентов, которая была вызвана нарушением протокола TCP при балансировке. И что мы придумали, чтобы продолжить безнаказанно его нарушать.
eBPF is an exciting new technology that is poised to transform Linux performance engineering. eBPF enables users to dynamically and programatically trace any kernel or user space code path, safely and efficiently. However, understanding eBPF is not so simple. The goal of this talk is to give audiences a fundamental understanding of eBPF, how it interconnects existing Linux tracing technologies, and provides a powerful aplatform to solve any Linux performance problem.
Internet Marketing sta je i kako se njime sluziti?
Smisao Internet Marketinga??
Primenjivost Internet Marketinga!!
Internet marketing tehnike!!
Case study!!
OSDC 2017 | Mgmt Config: Autonomous systems by James ShubinNETWAYS
Mgmt is a next gen config management tool that takes a fresh look at existing automation problems. Three of the main design features of the tool include:
* Parallel execution
* Event driven mechanism
* Distributed architecture
This presentation will briefly introduce the tool and spend most of the time presenting and demoing some of the newer features in the project. We'll present some of the new resources (virt, password, etc) new features (libified mgmt, send/recv, DSL) and how these can be used to build autonomous systems. Finally we'll talk about some of the future designs we're planning and make it easy for new users to get involved and help shape the project.
OSDC 2017 - James Shubin - MGMT config autonomous systemsNETWAYS
Mgmt is a next gen config management tool that takes a fresh look at existing automation problems. Three of the main design features of the tool include:
* Parallel execution
* Event driven mechanism
* Distributed architecture
This presentation will briefly introduce the tool and spend most of the time presenting and demoing some of the newer features in the project. We'll present some of the new resources (virt, password, etc) new features (libified mgmt, send/recv, DSL) and how these can be used to build autonomous systems. Finally we'll talk about some of the future designs we're planning and make it easy for new users to get involved and help shape the project.
From Arm to Z: Building, Shipping, and Running a Multi-platform Docker Swarm ...Docker, Inc.
We live in a multi-platform world, and who doesn't want their project to run on all of them? The last few DockerCon events have covered the introduction of multi-platform image capabilities into the Docker registry and engine releases. Now it's time to put these features to good use building applications across architectures and running them all in a heterogeneous Docker Swarm! In this talk we'll cover the new `docker manifest` command for making multi-architecture images; how to emulate architectures in docker containers on your own machine; and give a live demonstration of these capabilities with a Docker Swarm consisting of workers of different CPU architectures, including armhf, ppc64le, s390x, and x86_64. We'll also share some pointers for making sure your project is multi-platform ready! Three Takeaways: 1. Attendees will be introduced to manifest lists and how to create multi-arch images using the new 'docker manifest' command. 2. Attendees will learn how to easily create and deploy a basic multi-arch service using multi-platform images. 3. Bonus: Attendees will learn how to run non-native docker containers on their systems.
This is a slightly updated draft of a talk I was planning on giving at Hadoop Summit in 2015. However the abstract was rejected. Rather than toss it, I'm going to share it with all of you on the (almost) 1 year anniversary of the first big commit of this feature!
Keep in mind that this is (currently) locked away in trunk. If you ever want to see this see the light of day, bug your vendors....
Video: https://www.youtube.com/watch?v=uibLwoVKjec . Talk by Brendan Gregg for Sysdig CCWFS 2016. Abstract:
"You have a system with an advanced programmatic tracer: do you know what to do with it? Brendan has used numerous tracers in production environments, and has published hundreds of tracing-based tools. In this talk he will share tips and know-how for creating CLI tracing tools and GUI visualizations, to solve real problems effectively. Programmatic tracing is an amazing superpower, and this talk will show you how to wield it!"
Launch the First Process in Linux SystemJian-Hong Pan
The session: https://coscup.org/2022/en/session/AGCMDJ
After Linux kernel boots, it will try to launch first process “init” in User Space. Then, the system begins the featured journey of the Linux distribution.
This sharing takes Busybox as the example and shows that how does Linux kernel find the “init” which directs to the Busybox. And, what will Busybox do and how to get the console. Try to make it like a simple Linux system.
Before Linux kernel launches “init” process, the file system and storage corresponding drivers/modules must be loaded to find the “init”. Besides, to mount the root file system correctly, the kernel boot command must include the root device and file system format parameters.
On the other hand, the Busybox directed from “init” is a lightweight program, but has rich functions, just like a Swiss Army Knife. So, it is usually used on the simple environment, like embedded Linux system.
This sharing will have a demo on a virtual machine first, then on the Raspberry Pi.
Drafts:
* https://hackmd.io/@starnight/Busbox_as_the_init
* https://hackmd.io/@starnight/Build_Alpines_Root_Filesystem_Bootstrap
Relate idea: https://hackmd.io/@starnight/Systems_init_and_Containers_COMMAND_Dockerfiles_CMD
You have a system with an advanced programmatic tracer: do you know what to do with it? Brendan has used numerous tracers in production environments, and has published hundreds of tracing-based tools. In this talk he will share tips and know-how for creating CLI tracing tools and GUI visualizations, to solve real problems effectively. Programmatic tracing is an amazing superpower, and this talk will show you how to wield it!
While python is widely used for automating administration tasks, it’s not still widely known and used between system administrators.
iPython is an interactive python shell that embeds bash functionalities. We’ll show how to :
* replace some bash tasks avoiding common errors
* resembling some bash behaviour
* create testing (nose) and monitoring scripts
* use flask to expose those scripts on HTTP
Il TechAdvisor Roberto Polli condivide l'esperienza maturata su iPython, una potente shell interattiva nata per affiancare la classica shell Bash comunemente utilizzata dagli amministratori di sistema. Attraverso degli esempi pratici mostra le principali differenze tra i due approcci ed aiuta a comprendere quale sia lo strumento più adatto a specifici casi d'uso.
Durante la presentazione mostra inoltre come:
- evitare errori comuni negli script bash;
- velocizzare la creazione di script per l'esecuzione di test mediante la libreria nose;
- riutilizzare moduli Python esistenti nella shell interattiva;
- usare il framework Flask per convertire facilmente gli script in web services.
Code
http://ipython.org/
http://flask.pocoo.org/
http://nose.readthedocs.org/
https://github.com/ioggstream/dsadmin/
Babel
http://www.babel.it
http://vaunaspada.babel.it/blog
It's crucial to make sure everyone's local environment is identical if you're a part of geographically distributed team and your project is composed of many services. It's also quite unlikely that all cogs in your app will spin self-sufficiently. Search engines, various APIs, authentication endpoints and HTTP accelerators - all of these services are standard these days. Your app is a part of a much wider picture.
This complexity forces you not only to broaden your mind during design phase, but it also affects the way your software is deployed. All the moving parts should be available on every single environment - including the one that works on your machine. Having in mind aforementioned complexity double click on a ZIP file is a poor man's solution. Duct taping things will end badly. And if anything can go wrong, it will, so better be prepared.
Our goal was clear - portable, versionable and predictable environment everyone can run. Throughout our journey with Vagrant, Packer and Chef we learned a lot of things:
- how box over-optimization can lead to poor user experience
- why it's important to make first "vagrant up" as quick as possible
- not everything should be dockerized
- Vagrant box is a 'virtual' release artifact and needs the same care your app receives
- successful Packer build is often half of the story
- why Consul deployment in a Vagrant box is not as trivial as it may sound
- how to optimize long Chef runs and provide more granular approach to your dev team
- it's surprisingly easy to get from "I don't want to run any VMs on my laptop!" to "Hope you have Vagrant for that"
A Journey to Boot Linux on Raspberry PiJian-Hong Pan
Each processor/chip architecture has its own procedure to boot the kernel. It works with desgined partition layout and vendor specific firmwares/bootloaders in the boot partition. We can learn the related knowledge from the Raspbian image for Raspberry Pi, which is the board we can obtain easily. However, the diversity between the special booting procedures with specific firmwares/bootloaders increases the complexity for distribution maintainers. It will be great if there is a way to make it more generic that can be applied to most of the chip architectures/boards to boot up the system.
After referring to some Linux distributions, we learned U-Boot may play a role in the solution. It splits the booting procedure into hardware specific and generic system parts. This helps distribution maintainers deploy the generic system with OSTree, including device trees.
Let’s deep dive into this magic booting procedure!
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
3. forensicinsight.org
Bash
• Bourne-again shell
• GNU 프로젝트를 위해 Brian Fox가 작성한 유
닉스 셸
• GNU OS, Linux, Mac OS X 기본 셸
• Cygwin이나 MinGW로 윈도에서 사용 가능
• 명령 히스토리, 디렉터리 스택, $RANDOM
POSIX 형식 명령어 치환, 명령어 자동 완성
4. forensicinsight.org
Bash
• When started as an interactive login shell:
• /etc/profile, ~/.bash_profile, ~/.bash_login,
/.profile
• When a login shell exits : ~/.bash_logout
• When started as an interactive shell :
~/.bashrc
5. forensicinsight.org
History Storage
• 사용자 명령어를 저장하여 추 후 해당 명령어
를 바로 실행 시킬 수 있게 함
• ![HISTORY NUMBER]
• 시간 값은 정의되어 있지 않으며, 실행한 명령
어를 ~/.bash_history에 순차적으로 기록
• Mac OS X는 500개의 히스토리를 기록
6. forensicinsight.org
History Storage
• The history list is an array of history
entries
typedef void * histdata_t;
typedef struct _hist_entry {
char *line;
char *timestamp;
histdata_t data;
} HIST_ENTRY;
/*
* A structure used to pass around the current state of the history.
*/
typedef struct _hist_state {
HIST_ENTRY **entries; /* Pointer to the entries themselves. */
int offset; /* The location pointer within this array. */
int length; /* Number of elements within this array. */
int size; /* Number of slots allocated to this array. */
int flags;
} HISTORY_STATE;
reference : http://linux.die.net/man/3/history
8. forensicinsight.org
Extracting bash history
• 1. Live Forensics
• ~/.bash_history 파일 추출
• History Functions 이용 (GNU History
library)
• 2. Memory Forensics
• 맵핑된history 파일 추출
• bash 프로세스 영역에서 HIST_ENTRY 추출
9. forensicinsight.org
Extracting bash history
memory image
bash memory 1
bash memory 2
bash memory 3
bash memory 4
bash memory 5
bash process memory
TEXT
DATA
STACK
HEAP Space
LIBRARY
HEAP
0x7fdf68d00240 0x7fdf68d00240
0x7fdf68d00000
0x7fdf68e00000
HEAP
HEAP
12. forensicinsight.org
Case Study
• 히스토리 타임스탬프 대부분이 동일한 이유?
• 히스토리 파일에 시간 정보가 없음
• 프로세스가 히스토리 파일을 로드하고, 로드
시간으로 파일 내의 모든 히스토리 시간 정보
를 저장
• 즉, 신규 입력된 명령어 이전의 히스토리의 시
간 정보를 명령어 실행 시간으로 오해하면 안됨.
13. forensicinsight.org
Case Study
• 히스토리 타임스탬프 대부분이 동일한 이유?
0x6DCB74A8 11746 1 255 0 com.apple.audio. _netbios(501,20) (501,20) Fri Nov 15 04:45:30 2013
0x161C0C9E8 11767 1 255 0 com.apple.WebKit _netbios(501,20) (501,20) Fri Nov 15 04:48:47 2013
0x163B0AA80 11935 247 255 0 Terminal chainbreaker(501,20) (501,20) Fri Nov 15 05:19:13 2013
0x1F8E8F000 11944 11935 255 0 login chainbreaker(0,20) (0,20) Fri Nov 15 05:19:22 2013
0x16110E950 11945 11944 255 0 bash chainbreaker(501,20) (501,20) Fri Nov 15 05:19:22 2013
0x8917D7E0 11987 303 255 0 mdworker _spotlight(89,89) (89,89) Fri Nov 15 05:23:47 2013
0x18E5ED000 11988 11945 255 0 sudo chainbreaker(0,20) (0,20) Fri Nov 15 05:23:48 2013
0x87DFF748 11989 11988 255 0 osxpmem chainbreaker(0,0) (0,0) Fri Nov 15 05:23:48 2013
0x8657E540 11990 8781 255 0 thnuclnt chainbreaker(501,20) (501,20) Fri Nov 15 05:24:06 2013
11945 bash Fri Nov 15 05:19:22 2013 python vol.py -i ../test.mem -o lsof
11945 bash Fri Nov 15 05:19:22 2013 python vol.py -i ../test.mem -o ps -x 1541
11945 bash Fri Nov 15 05:19:22 2013 ls
11945 bash Fri Nov 15 05:19:22 2013 file 1541-bash-
11945 bash Fri Nov 15 05:19:22 2013 file 1541-bash-*
11945 bash Fri Nov 15 05:19:22 2013 rm 1541-bash-*
11945 bash Fri Nov 15 05:19:22 2013 python vol.py -i ../test.mem -o ps | grep securityd
11945 bash Fri Nov 15 05:19:22 2013 python vol.py -i ../test.mem -o ps -x 14
11945 bash Fri Nov 15 05:19:22 2013 ls
11945 bash Fri Nov 15 05:19:22 2013 ls
11945 bash Fri Nov 15 05:19:22 2013 clear
11945 bash Fri Nov 15 05:19:22 2013 ls
15. forensicinsight.org
Case Study
• history -c 명령어 이 후 추출 가능 여부
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:19:22 2013
11945 bash Fri Nov 15 05:23:41 2013 ./osxpmem -f raw historyc.bin
11945 bash Fri Nov 15 05:23:48 2013 sudo ./osxpmem -f raw historyc.bin
11945 bash Fri Nov 15 05:23:29 2013 ls
11945 bash Fri Nov 15 05:20:05 2013
16. forensicinsight.org
Case Study
• 원격으로 붙은 쉘에서 history -c 를 실행
• 실험 방법
• bash 프로세스 여러 개 실행
• 하나의 bash 프로세스에서 history -c 실행
• 메모리 덤프 후 분석
• 결론 : 해당 bash history 내역만 삭제
17. forensicinsight.org
Case Study
chainbreaker@testmachine:~/volafox$ python vol.py -i ../dump2.bin -o bash_history
[+] PID : 328, PROCESS: bash, HISTORY COUNT: 40
[+] PID : 586, PROCESS: bash, HISTORY COUNT: 19
[+] PID : 619, PROCESS: bash, HISTORY COUNT: 0
[+] PID : 769, PROCESS: bash, HISTORY COUNT: 4
PID PROCESS TIME (UTC+0) CMD
328 bash Fri Nov 15 06:11:12 2013 ls
328 bash Fri Nov 15 06:12:24 2013 python vol.py -i ../after.bin -o uname
328 bash Fri Nov 15 06:11:39 2013 cd volafox
328 bash Fri Nov 15 05:31:35 2013 cd /tmp/
328 bash Fri Nov 15 06:11:04 2013 ls
328 bash Fri Nov 15 05:32:27 2013 sudo ./osxpmem -f raw after.bin
328 bash Fri Nov 15 06:13:09 2013 clear
328 bash Fri Nov 15 06:11:07 2013 sudo mv after.bin ~
328 bash Fri Nov 15 05:31:27 2013 cat ~/.bash_history
328 bash Fri Nov 15 05:31:36 2013 ls
328 bash Fri Nov 15 06:11:39 2013 ls
328 bash Fri Nov 15 05:32:18 2013 ls -al
328 bash Fri Nov 15 06:11:20 2013 sudo chown n0fate:staff after.bin
328 bash Fri Nov 15 06:11:27 2013 sudo chown chainbreaker:staff after.bin
328 bash Fri Nov 15 05:31:11 2013 ls
328 bash Fri Nov 15 05:31:11 2013 ./osxpmem -f raw historyc.bin
328 bash Fri Nov 15 05:31:11 2013 sudo ./osxpmem -f raw historyc.bin
328 bash Fri Nov 15 05:31:11 2013 ls
328 bash Fri Nov 15 05:31:11 2013 ls -al
328 bash Fri Nov 15 05:31:11 2013 sudo mv *.bin ~
328 bash Fri Nov 15 05:31:11 2013 cd ~
328 bash Fri Nov 15 05:31:11 2013 sudo chown chainbreaker:staff *.bin
328 bash Fri Nov 15 05:31:11 2013 chmod 664 *.bin
328 bash Fri Nov 15 05:31:11 2013 ls -al
328 bash Fri Nov 15 05:31:11 2013 cd volafox
328 bash Fri Nov 15 05:31:11 2013 python vol.py -i ../dump.bin -o ps
328 bash Fri Nov 15 05:31:11 2013 python vol.py -i ../dump.bin -o bash_history
328 bash Fri Nov 15 05:31:11 2013 python vol.py -i ../historyc.bin -o bash_history
328 bash Fri Nov 15 05:31:11 2013 sudo reboot
328 bash Fri Nov 15 06:11:12 2013 cd ~
328 bash Fri Nov 15 05:32:15 2013 lsa
328 bash Fri Nov 15 05:32:11 2013 sudo chown -R root:wheel OSXPMem
328 bash Fri Nov 15 05:32:02 2013 chown -R root:wheel OSXPMem
328 bash Fri Nov 15 06:13:17 2013 history
328 bash Fri Nov 15 05:32:15 2013 cd OSXPMem/
328 bash Fri Nov 15 06:11:44 2013 python vol.py -i ../after.bin -o ps
328 bash Fri Nov 15 06:12:47 2013 python vol.py -i ../after.bin -o ps
328 bash Fri Nov 15 06:11:36 2013 sudo chmod 644 after.bin
328 bash Fri Nov 15 06:12:44 2013 python vol.py -i ../after.bin -o kextstat
328 bash Fri Nov 15 06:13:51 2013 history
586 bash Fri Nov 15 05:31:43 2013 cd Downloads/
586 bash Fri Nov 15 05:31:41 2013 cd ~
586 bash Fri Nov 15 05:31:41 2013 python vol.py -i ../dump.bin -o bash_history
586 bash Fri Nov 15 05:31:41 2013 cd volafox
586 bash Fri Nov 15 05:31:41 2013 python vol.py -i ../dump.bin -o ps
586 bash Fri Nov 15 05:31:41 2013 ls -al
586 bash Fri Nov 15 05:31:41 2013 sudo chown chainbreaker:staff *.bin
586 bash Fri Nov 15 05:31:41 2013 chmod 664 *.bin
586 bash Fri Nov 15 05:31:41 2013 ls
586 bash Fri Nov 15 05:31:41 2013 ls
586 bash Fri Nov 15 05:31:41 2013 sudo mv *.bin ~
586 bash Fri Nov 15 05:31:41 2013 ./osxpmem -f raw historyc.bin
586 bash Fri Nov 15 05:31:41 2013 sudo ./osxpmem -f raw historyc.bin
586 bash Fri Nov 15 05:31:43 2013 ls
586 bash Fri Nov 15 05:31:41 2013 python vol.py -i ../historyc.bin -o bash_history
586 bash Fri Nov 15 05:31:41 2013 sudo reboot
586 bash Fri Nov 15 05:31:41 2013 ls -al
586 bash Fri Nov 15 05:31:48 2013 tar xvf OSXPMem-RC1.tar
586 bash Fri Nov 15 05:31:54 2013 mv OSXPMem /tmp
769 bash Fri Nov 15 06:14:08 2013 cd OSXPMem/
769 bash Fri Nov 15 06:14:22 2013 sudo ./osxpmem -f raw dump2.bin
769 bash Fri Nov 15 06:14:01 2013 cd /tmp/
769 bash Fri Nov 15 06:14:01 2013 ls
chainbreaker@testmachine:~/volafox$