LINReS – An open source Linux Incident Response Tool!

By Chetan Gupta, NII Consulting

In accordance with NII's mantra of innovation and research, we have developed our own tool to conduct initial response on compromised Linux systems. This tool is appropriately titled LINReS, which stands for "Linux INcident Response Script".
LINReS is a Live Response script designed to run on suspect/compromised Linux systems. It consists mostly of statically compiled binaries and bundles the shared libraries required by the few binaries that are not statically compiled. All in all, no binary from the compromised system is used by this tool, which mitigates the risk of relying on trojaned binaries when collecting information from a compromised system.

This script follows a simple client-server model in which the suspect system acts as the server and the investigator's forensics workstation (running MS-Windows) acts as the client, receiving all the incident response data from the suspect system.

LINReS calls three different scripts which collect volatile and non-volatile data from the suspect system, catering to the requirements of the 'Initial Response' phase of the Incident Response Methodology. The data collected by the scripts is sent to the forensics workstation over three separate Netcat connections, which the script creates automatically. On the client side, the investigator has to set up three listeners manually, or automate this with the simple Windows batch script provided in the toolkit.
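The transfer described above, as an added example that is not LINReS code: one listener per data stream on the investigator's side (the role the toolkit's Windows batch file plays with Netcat), a push function standing in for `script | nc HOST PORT` on the suspect side, and a manifest of SHA-256 digests taken as the bytes arrive so the evidence can be re-verified later. The stream names and their contents are constructed for the illustration; the toolkit's real script names, ports and output are not given in the post.

```python
"""Listener side of a LINReS-style push over TCP (added example, not LINReS code)."""
import hashlib
import socket
import tempfile
import threading
from pathlib import Path

# Constructed stand-ins for the three data streams the post describes.
SAMPLE_PAYLOADS = {
    "volatile": b"date: Mon Jan  1 00:00:00 UTC 2007\nuptime: 12 days\n",
    "nonvolatile": b"-rw-r--r-- root root /etc/passwd\n",
    "processes": b"PID CMD\n1 init\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def open_listener(host="127.0.0.1", port=0):
    """Bind a one-shot TCP listener. Port 0 lets the OS pick a free port;
    a real batch file would use three fixed ports instead."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_stream(srv, out_path):
    """Accept one connection, stream it to out_path and return its SHA-256.
    Equivalent to `nc -l -p PORT > out_path`, but hashing on the way in."""
    conn, _ = srv.accept()
    digest = hashlib.sha256()
    with srv, conn, open(out_path, "wb") as fh:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            fh.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def push_stream(host, port, data):
    """Suspect-system side: what `collection_script | nc HOST PORT` does."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)


def collect(payloads, evidence_dir=None):
    """Bring up one listener per stream, push every payload and return a
    manifest {name: {"path", "sha256", "bytes"}} for the evidence files."""
    evidence_dir = Path(evidence_dir or tempfile.mkdtemp(prefix="linres_"))
    listeners = {name: open_listener() for name in payloads}
    results = {}

    def worker(name):
        path = evidence_dir / f"{name}.txt"
        digest = receive_stream(listeners[name], path)
        results[name] = {"path": str(path), "sha256": digest,
                         "bytes": path.stat().st_size}

    threads = [threading.Thread(target=worker, args=(n,)) for n in payloads]
    for t in threads:
        t.start()
    for name, data in payloads.items():
        _, port = listeners[name].getsockname()
        push_stream("127.0.0.1", port, data)
    for t in threads:
        t.join()
    return results


def verify_manifest(manifest):
    """Re-hash every evidence file; True only if all digests still match."""
    return all(sha256_hex(Path(e["path"]).read_bytes()) == e["sha256"]
               for e in manifest.values())


if __name__ == "__main__":
    manifest = collect(SAMPLE_PAYLOADS)
    for name, entry in manifest.items():
        print(f"{name}: {entry['bytes']} bytes  sha256={entry['sha256']}")
    print("manifest verified:", verify_manifest(manifest))
```

Hashing at receipt time, rather than afterwards, means the digest covers exactly the bytes that crossed the wire; storing the manifest with the evidence files gives the later verification step something to check against.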

More information about the tool is available at:
http://www.niiconsulting.com/innovation/linres.html

Download LINReS:
LINReS is available for download at the following links:
http://prdownloads.sourceforge.net/linres/LINReS.tar.gz?download
http://prdownloads.sourceforge.net/linres/LINReS_RHEL3_v1.1.tar.gz?download

We have tested this tool successfully on RHEL3 and RHEL4 and would soon be releasing variants for the other flavours of Linux.

We sincerely hope that this tool would be useful to forensic investigators and anybody who has been assigned the task of conducting investigations on a Linux system. We would appreciate any feedback on LINReS and look forward to adding onto and improving its functionality.

Happy testing!


Hey Guys,

Thanks for the excellent content and new tool. I downloaded and tested it on a fully patched Ubuntu Dapper Drake system with no luck. I know you said it had only been tested on RHEL4 but I thought I’d give it a shot. Here’s the error message if it helps: ./bin/tbash: error while loading shared libraries: libtermcap.so.2: cannot open shared object file: No such file or directory

If you need any help testing, let me know.

-jhs
http://www.johnhsawyer.com

Hey John,
Thanks for your effort! You are getting this error as the versions of some shared libraries and glibc vary across different versions of Linux. We have just uploaded LINReS for RHEL3 and would soon upload the tool for other versions of Linux. We would appreciate it if you could test them and provide your feedback.
Chetan
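The failure in the thread above (a toolkit binary that still needs a shared library the host does not have) is the kind of thing a pre-flight check catches before the toolkit ever reaches a suspect machine. The following is an added example, not part of LINReS: it parses `ldd` output produced on the analyst workstation for the toolkit's non-static binaries and reports two things, libraries that are neither found nor shipped in the toolkit's own lib directory, and libraries that do resolve but to a path outside that directory (meaning the run would quietly pick up the host's copy). The `ldd` output, the toolkit lib path and the bundled-library list are all constructed for the illustration.

```python
"""Pre-flight dependency check for a bundled live-response toolkit
(added example, not LINReS code). Run ldd on the analyst workstation,
never on the suspect host, and feed the text to the functions below."""
import re
from pathlib import Path

# Constructed ldd output; the libtermcap.so.2 line mirrors the error
# reported in the comment thread.
SAMPLE_LDD_OUTPUT = """\
        linux-gate.so.1 =>  (0xffffe000)
        libtermcap.so.2 => not found
        libdl.so.2 => /lib/libdl.so.2 (0xb7f1a000)
        libc.so.6 => /lib/libc.so.6 (0xb7dd0000)
        /lib/ld-linux.so.2 (0xb7f30000)
"""

# "soname => target (0xaddr)"; the address is absent on "not found" lines.
NEEDED_RE = re.compile(
    r"^\s*(\S+\.so[\.\d]*)\s*=>\s*(.*?)\s*(?:\(0x[0-9a-f]+\))?\s*$")


def needed_libraries(ldd_output):
    """Return {soname: resolved_path_or_None} parsed from ldd text.
    'statically linked' yields {}; the vDSO pseudo-entry (empty target)
    and the bare interpreter line are skipped."""
    needed = {}
    for line in ldd_output.splitlines():
        m = NEEDED_RE.match(line)
        if not m:
            continue
        soname, target = m.group(1), m.group(2)
        if not target:  # vDSO: "linux-gate.so.1 =>  (0x...)"
            continue
        needed[soname] = None if target == "not found" else target
    return needed


def missing_libraries(ldd_output, bundled_sonames):
    """Sonames that neither resolve on this host nor ship with the toolkit."""
    bundled = set(bundled_sonames)
    return sorted(name for name, path in needed_libraries(ldd_output).items()
                  if path is None and name not in bundled)


def foreign_dependencies(ldd_output, toolkit_lib_dir):
    """Sonames that resolved to a file outside the toolkit's lib directory.
    Assumes a flat lib directory, as the toolkit is said to bundle its
    shared objects in one place."""
    lib_dir = Path(toolkit_lib_dir)
    return sorted(name for name, path in needed_libraries(ldd_output).items()
                  if path is not None and Path(path).parent != lib_dir)


if __name__ == "__main__":
    # Hypothetical toolkit layout; LINReS's real paths are not on the page.
    print("missing:", missing_libraries(SAMPLE_LDD_OUTPUT, ["libdl.so.2"]))
    print("foreign:", foreign_dependencies(SAMPLE_LDD_OUTPUT, "/opt/linres/lib"))
```

In practice the first list must be empty before a toolkit variant is released for a given distribution, and the second list must be empty when `LD_LIBRARY_PATH` points at the toolkit's own lib directory; a non-empty second list means the binary would load libraries from the machine under investigation.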
