| name | collecting-volatile-evidence-from-compromised-host |
| description | 按照易失性顺序从受攻陷系统收集易失性取证证据,在数据丢失前保全内存、网络连接、进程和系统状态。
|
| domain | cybersecurity |
| subdomain | incident-response |
| tags | ["incident-response","dfir","forensics","volatile-evidence","memory-forensics","chain-of-custody"] |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
从受攻陷主机收集易失性证据(Volatile Evidence)
适用场景
- 安全事件已确认且受攻陷主机已识别
- 系统隔离、关机或修复开始前
- 怀疑存在内存驻留恶意软件(无文件攻击)
- 需要捕获网络连接、运行中的进程和系统状态
- 法律程序可能要求取证证据保全
- 事件需要基于易失性数据的根因分析
前置条件
- USB 或网络共享上的取证采集工具包(可信工具)
- 用于内存采集的 WinPmem/LiME
- 用于磁盘镜像的写保护器或取证工作站
- 证据监管链(Chain of Custody)文档表格
- 具备完整性验证的安全证据存储
- 证据采集授权(内部人员案件需法律/HR 审批)
工作流程
步骤 1:准备采集环境
sha256sum /mnt/forensic_usb/tools/* > /tmp/toolkit_hashes.txt
diff /mnt/forensic_usb/tools/known_good_hashes.txt /tmp/toolkit_hashes.txt
EVIDENCE_DIR="/mnt/evidence/$(hostname)_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$EVIDENCE_DIR"
echo "Collection started: $(date -u)" > "$EVIDENCE_DIR/collection_log.txt"
echo "Collector: $(whoami)" >> "$EVIDENCE_DIR/collection_log.txt"
echo "System: $(hostname)" >> "$EVIDENCE_DIR/collection_log.txt"
步骤 2:采集系统内存(最高易失性)
winpmem_mini_x64.exe "$EVIDENCE_DIR\memdump_$(hostname).raw"
insmod /mnt/forensic_usb/lime.ko "path=$EVIDENCE_DIR/memdump_$(hostname).lime format=lime"
dd if=/proc/kcore of="$EVIDENCE_DIR/kcore_dump.raw" bs=1M
osxpmem -o "$EVIDENCE_DIR/memdump_$(hostname).aff4"
sha256sum "$EVIDENCE_DIR/memdump_"* > "$EVIDENCE_DIR/memory_hash.sha256"
步骤 3:采集网络状态
netstat -anob > "$EVIDENCE_DIR/netstat_connections.txt" 2>&1
Get-NetTCPConnection | Export-Csv "$EVIDENCE_DIR/tcp_connections.csv" -NoTypeInformation
Get-NetUDPEndpoint | Export-Csv "$EVIDENCE_DIR/udp_endpoints.csv" -NoTypeInformation
ss -tulnp > "$EVIDENCE_DIR/socket_stats.txt"
netstat -anp > "$EVIDENCE_DIR/netstat_all.txt" 2>/dev/null
cat /proc/net/tcp > "$EVIDENCE_DIR/proc_net_tcp.txt"
cat /proc/net/udp > "$EVIDENCE_DIR/proc_net_udp.txt"
arp -a > "$EVIDENCE_DIR/arp_cache.txt"
route print > "$EVIDENCE_DIR/routing_table.txt"
ip route show > "$EVIDENCE_DIR/routing_table.txt"
ipconfig /displaydns > "$EVIDENCE_DIR/dns_cache.txt"
systemd-resolve --statistics > "$EVIDENCE_DIR/dns_stats.txt" 2>/dev/null
netsh advfirewall show allprofiles > "$EVIDENCE_DIR/firewall_rules.txt"
iptables -L -n -v > "$EVIDENCE_DIR/iptables_rules.txt"
步骤 4:采集运行中的进程
tasklist /V /FO CSV > "$EVIDENCE_DIR/process_list_verbose.csv"
wmic process list full > "$EVIDENCE_DIR/wmic_process_full.txt"
Get-Process | Select-Object Id,ProcessName,Path,StartTime,CPU,WorkingSet |
Export-Csv "$EVIDENCE_DIR/ps_processes.csv" -NoTypeInformation
wmic process get ProcessId,Name,CommandLine,ParentProcessId,ExecutablePath /FORMAT:CSV > \
"$EVIDENCE_DIR/process_commandlines.csv"
ps auxwwf > "$EVIDENCE_DIR/process_tree.txt"
ps -eo pid,ppid,user,args --forest > "$EVIDENCE_DIR/process_forest.txt"
cat /proc/*/cmdline 2>/dev/null | tr '\0' ' ' > "$EVIDENCE_DIR/proc_cmdline_all.txt"
listdlls.exe -accepteula > "$EVIDENCE_DIR/loaded_dlls.txt"
for pid in $(ls /proc/ | grep -E '^[0-9]+$'); do
echo "=== PID $pid ===" >> "$EVIDENCE_DIR/proc_maps.txt"
cat "/proc/$pid/maps" 2>/dev/null >> "$EVIDENCE_DIR/proc_maps.txt"
done
handle.exe -accepteula > "$EVIDENCE_DIR/open_handles.txt"
lsof > "$EVIDENCE_DIR/open_files.txt"
步骤 5:采集已登录用户和会话
query user > "$EVIDENCE_DIR/logged_in_users.txt"
query session > "$EVIDENCE_DIR/active_sessions.txt"
net session > "$EVIDENCE_DIR/net_sessions.txt" 2>&1
net use > "$EVIDENCE_DIR/mapped_drives.txt" 2>&1
who > "$EVIDENCE_DIR/who_output.txt"
w > "$EVIDENCE_DIR/w_output.txt"
last -50 > "$EVIDENCE_DIR/last_logins.txt"
lastlog > "$EVIDENCE_DIR/lastlog.txt"
cat /var/log/auth.log | tail -200 > "$EVIDENCE_DIR/recent_auth.txt" 2>/dev/null
步骤 6:采集系统配置状态
date -u > "$EVIDENCE_DIR/system_time_utc.txt"
w32tm /query /status > "$EVIDENCE_DIR/ntp_status.txt"
ntpq -p > "$EVIDENCE_DIR/ntp_status.txt"
set > "$EVIDENCE_DIR/environment_vars.txt"
env > "$EVIDENCE_DIR/environment_vars.txt"
schtasks /query /fo CSV /v > "$EVIDENCE_DIR/scheduled_tasks.csv"
crontab -l > "$EVIDENCE_DIR/crontab_current.txt" 2>/dev/null
ls -la /etc/cron.* > "$EVIDENCE_DIR/cron_dirs.txt" 2>/dev/null
sc queryex type=service state=all > "$EVIDENCE_DIR/services_all.txt"
systemctl list-units --type=service --all > "$EVIDENCE_DIR/systemd_services.txt"
reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "$EVIDENCE_DIR/reg_run_hklm.reg" /y
reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "$EVIDENCE_DIR/reg_run_hkcu.reg" /y
reg export "HKLM\SYSTEM\CurrentControlSet\Services" "$EVIDENCE_DIR/reg_services.reg" /y
步骤 7:对所有证据计算哈希并记录监管链
cd "$EVIDENCE_DIR"
sha256sum * > evidence_manifest.sha256
cat > "$EVIDENCE_DIR/chain_of_custody.txt" << EOF
证据监管链记录(CHAIN OF CUSTODY RECORD)
========================
案例 ID: IR-YYYY-NNN
采集日期: $(date -u)
采集人: $(whoami)
系统: $(hostname)
系统 IP: $(hostname -I 2>/dev/null || ipconfig | grep IPv4)
采集方式: 通过可信 USB 工具包进行实时取证采集
证据项目:
$(ls -la "$EVIDENCE_DIR/" | grep -v chain_of_custody)
SHA256 清单: evidence_manifest.sha256
转移记录: [待填写]
存储位置: [待填写]
EOF
核心概念
| 概念 | 说明 |
|---|
| 易失性顺序(Order of Volatility) | RFC 3227 - 优先采集最易失数据:寄存器 > 缓存 > 内存 > 磁盘 |
| 实时取证(Live Forensics) | 在系统关闭前从运行中的系统采集证据 |
| 证据监管链(Chain of Custody) | 跟踪证据从采集到法庭全程处理过程的文档 |
| 取证可靠性(Forensic Soundness) | 确保证据采集过程不改变原始证据 |
| 可信工具(Trusted Tools) | 从外部介质使用已验证工具,而非受攻陷系统上的工具 |
| 证据完整性(Evidence Integrity) | 采集后立即对所有证据计算 SHA256 哈希 |
| 洛卡德交换原则(Locard's Exchange Principle) | 每次接触都留下痕迹 - 尽量减少调查人员的操作痕迹 |
工具与系统
| 工具 | 用途 |
|---|
| WinPmem | Windows 内存采集 |
| LiME(Linux Memory Extractor) | Linux 内核内存采集 |
| Sysinternals Suite | 进程、句柄和 DLL 分析(Windows) |
| Velociraptor | 大规模远程取证采集 |
| KAPE(Kroll Artifact Parser) | Windows 自动化产物采集 |
| CyLR | 跨平台实时响应采集 |
| GRR Rapid Response | 远程实时取证框架 |
常见场景
- 无文件恶意软件攻击:基于 PowerShell 的攻击,磁盘上无文件。内存转储是包含恶意脚本的关键证据。
- 活跃 C2 会话:攻击者建立实时连接。网络连接和进程数据揭示 C2 基础设施。
- 内部人员数据窃取:员工复制文件。进程列表、映射驱动器和网络连接显示外泄活动。
- 受攻陷的 Web 服务器:检测到 Web Shell。内存中可能包含尚未写入磁盘的额外后门。
- 横向移动进行中:攻击者在系统间移动。内存中的认证令牌和网络会话揭示影响范围。
输出格式
- 内存转储文件(.raw 或 .lime 格式)及 SHA256 哈希
- 网络状态捕获(连接、ARP、DNS、路由)
- 带命令行和父进程的进程列表
- 用户会话和认证数据
- 系统配置快照
- 含 SHA256 校验和的证据清单
- 证据监管链文档