Collecting Volatile Data with AWK

June 2, 2015 By Mark Wolters

On a recent forensics case, a coworker and I noticed some interesting logs on a Linux web server. tcpdump showed strange traffic from a handful of IPs, but the access logs showed no visits from the offending addresses. The traffic was encrypted, so we could not see what was being sent and needed to do some additional digging. Taking a full memory image of a Linux machine takes a fair amount of preparation (an acquisition module built for the exact running kernel and a matching analysis profile), so we went with something faster and more targeted: collecting volatile data with AWK.

AWK Primer

If you are already an AWK guru, this section is not for you. Head on down to the next one!

[Screenshot: simple AWK script and its output]

The screenshot above shows a simple AWK script that demonstrates some of the tool's basic features, together with the output of running it against my apache2 access logs; the script explains itself pretty well. AWK can search like grep, cut fields like cut, and even run system commands.
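Since the script itself only survives as a screenshot, here is an added example (my own, not the script from the post) that exercises the same three features over a few constructed apache2 access-log lines: a grep-like search restricted to one field, a cut-like selection of columns, and a per-IP summary built with AWK's associative arrays. The sample lines, the documentation-range IP addresses and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the script from the post's screenshot): AWK over
# constructed apache2 access-log lines, showing the three things the primer
# calls out: searching like grep, cutting fields like cut, and summarising
# in an END block.

# Constructed sample lines in Apache combined log format (not from a real
# server; the addresses are documentation ranges).
SAMPLE_LOG='203.0.113.5 - - [01/Jun/2015:10:12:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2015:10:12:03 -0500] "POST /wp-login.php HTTP/1.1" 403 221 "-" "curl/7.40"
198.51.100.9 - - [01/Jun/2015:10:13:44 -0500] "GET /admin/ HTTP/1.1" 404 198 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2015:10:14:10 -0500] "GET /shell.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.7"'

# find_requests PATTERN: grep-like search, but only against the request path
# field ($7), then cut-like output of client IP ($1), status ($9) and path.
# With the default whitespace splitting the quoted request string becomes
# three fields: $6 is the method, $7 the path, $8 the protocol.
find_requests() {
    awk -v pat="$1" '$7 ~ pat { print $1, $9, $7 }'
}

# summarise_log: one line per client IP with its request count and the
# number of non-2xx responses, sorted by IP. Associative arrays keyed on
# $1 do the counting; the END block runs once input is exhausted.
summarise_log() {
    awk '
        { hits[$1]++; if ($9 !~ /^2/) errors[$1]++ }
        END { for (ip in hits) printf "%s %d %d\n", ip, hits[ip], errors[ip] + 0 }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | find_requests 'php'
printf '%s\n' "$SAMPLE_LOG" | summarise_log
```

On a real box replace the `printf` with `cat /var/log/apache2/access.log`; the field numbers hold for the default combined format but shift if the vhost logs a different LogFormat.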

Collecting Volatile Data

The ability to run system commands lets us capture a snapshot whenever a certain string (such as a specific error message) shows up in a log. In the forensics case mentioned at the beginning, we were looking for outbound connections, their sources, and the specific processes involved, so that we could (in theory) record the malicious actions as they happened. Three standard Linux tools covered what we needed: netstat, to list current network connections; ps, to list processes; and lsof, to list open files along with the processes holding them. We used the network connections to correlate with processes and their open files, and then tried to work out what was producing the strange logs.

The goal, of course, was to gather enough evidence to confirm a breach. In this case we followed the Apache error_log with tail and piped it into AWK, which searched each new line for our error string. Every time the string occurred, AWK ran the three collectors and appended the new volatile data to the specified output files.

Here’s an example test run.

[Screenshot: test run]

The output files appear after we echo "Malicious" into our fake error log. I ran netstat with -anp, which gives all sockets (-a), numeric addresses rather than resolved names (-n), and the PID and program name owning each socket (-p). ps is run with aux: a shows processes belonging to all users, u selects the user-oriented output format, and x includes processes without a controlling tty.
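The trigger-and-snapshot pattern described above, and the netstat/ps flags just explained, written out as an added example (my own script, not the one in the post's screenshot). AWK matches each log line against a trigger string and calls system() to append the three collectors' output, under a timestamped header, to files in an evidence directory. The evidence directory, the output file names, the constructed error_log lines and the trigger string "Malicious" are assumptions for this example; the netstat-to-ss fallback is there because many newer hosts ship without net-tools.

```shell
#!/bin/sh
# Added example (not the post's own script): watch a log and, whenever a line
# matches a trigger string, have AWK run system() to append netstat, ps and
# lsof snapshots to files in an evidence directory.

# watch_for_trigger PATTERN DIR: read log lines on stdin; on each match run
# the three collectors and append their output, under a timestamped header,
# to DIR/netstat.txt, DIR/ps.txt and DIR/lsof.txt. Prints the number of
# snapshots taken when input ends. DIR must be a plain path without shell
# metacharacters because it is spliced into the command strings. The log
# line itself is deliberately never put into a command (only its line
# number is recorded), so hostile log content cannot inject shell syntax.
watch_for_trigger() {
    awk -v pat="$1" -v dir="$2" '
        BEGIN { n = 0 }
        $0 ~ pat {
            n++
            # POSIX awk has no strftime, so ask date(1) for the timestamp.
            datecmd = "date -u +%Y%m%dT%H%M%SZ"
            datecmd | getline stamp
            close(datecmd)
            hdr = "echo \"=== " stamp " line " NR " ===\""
            # netstat -anp: all sockets, numeric addresses, owning PID/program.
            # Fall back to ss (iproute2) on hosts without net-tools. stdin is
            # pointed at /dev/null so no collector can swallow log lines.
            system("{ " hdr "; netstat -anp 2>/dev/null || ss -anp 2>/dev/null || echo netstat/ss unavailable; } < /dev/null >> " dir "/netstat.txt")
            # ps aux: every user, processes with no tty, user-oriented format.
            system("{ " hdr "; ps aux 2>/dev/null || echo ps unavailable; } < /dev/null >> " dir "/ps.txt")
            # lsof -nP: open files with numeric hosts and ports, so the
            # collector itself does not generate DNS traffic on the box.
            system("{ " hdr "; lsof -nP 2>/dev/null || echo lsof unavailable; } < /dev/null >> " dir "/lsof.txt")
        }
        END { print n }
    '
}

# watch_error_log LOGFILE PATTERN DIR: the live form used on a case. tail -F
# re-opens the file after log rotation and -n 0 reports only new lines.
watch_error_log() {
    tail -n 0 -F "$1" | watch_for_trigger "$2" "$3"
}

# Constructed stand-in for an Apache error_log (not real data), with two
# lines carrying the trigger string.
SAMPLE_ERRORS='[Tue Jun 02 10:12:01 2015] [notice] Apache/2.4.7 configured -- resuming normal operations
[Tue Jun 02 10:12:09 2015] [error] [client 203.0.113.5] Malicious request blocked
[Tue Jun 02 10:12:11 2015] [warn] mod_ssl: handshake failed
[Tue Jun 02 10:12:40 2015] [error] [client 203.0.113.5] Malicious request blocked'

# Offline demonstration: feed the constructed lines instead of tail -F.
EVIDENCE=$(mktemp -d)
printf '%s\n' "$SAMPLE_ERRORS" | watch_for_trigger 'Malicious' "$EVIDENCE"
ls "$EVIDENCE"
```

For a live case call `watch_error_log /var/log/apache2/error_log Malicious /mnt/evidence` from a shell that will stay open, with the evidence directory on removable or remote storage so the snapshots are not written back onto the disk you may later need to image.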


Since we were working on a potentially compromised system, the tools already on it could not be trusted. BusyBox turned out to be a great option, as I did not have any prepared known-good binaries. BusyBox was created for embedded Linux systems, so it is small and has most of the utilities we needed in a single binary. Two caveats apply: bring a statically linked copy from trusted media rather than downloading it onto the suspect host, and remember that netstat, ps and lsof (BusyBox's versions included) all read /proc, so a kernel-level rootkit can still hide processes and sockets from them.


What else can we do with AWK? How about monitoring a file for the users that access it, or alerting when a specific user logs in? It is definitely a useful tool, and I recommend exploring it further. Keep hacking!

