Incident Response Script for High Performance Computing Clusters. This script was developed for the High-Performance Computing System Administration seminar (https://hps.vi4io.org/teaching/autumn_term_2022/hpcsa). The corresponding paper can be found at https://hps.vi4io.org/_media/teaching/autumn_term_2022/hpcsa_dominik_mann_forensic_tools.pdf
- Ensure the script is executable: run "chmod +x <script_name>"
- Run with sudo privileges: "sudo ./<script_name>"
- The tools folder needs to be placed in the same directory as the script.
The purpose of this script is to gather information in an incident response case. It was tested on Rocky Linux 8 and 9. It collects:
- Volatile data, in the order of volatility [NIST]:
  - (optional) Memory image
  - Network connections & configuration
  - Login sessions
  - Contents of memory
  - Running processes
  - Open files
  - Operating system information

Additionally it collects the following non-volatile data:
- Cron files
- User and group lists
- /var/log
- Suspicious files and key files
- (optional) Compromise scanning with Thor-lite
- (optional) SLURM jobs executed on the node
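The following is an added example and not code from the original script: a minimal collector that acquires the volatile data listed above in the order of volatility, logs every command it ran or skipped, and hashes the outputs so that later modification of the evidence is detectable. It assumes AVML and unhide live at ./tools/avml and ./tools/unhide (the README only says the tools folder sits next to the script); tools missing from the host are skipped and recorded rather than aborting the run.

```shell
#!/usr/bin/env bash
# Added example, not code from the original script: collect volatile data in
# the order of volatility, log each step, and hash the captured outputs.
# Assumptions: AVML at ./tools/avml and unhide at ./tools/unhide (paths are
# not specified by the README); missing tools are skipped, not fatal.

# run_step <evidence_dir> <label> <command...>
# Captures stdout+stderr of the command into <label>.txt and appends the
# outcome to collection.log. Always returns 0 so one missing or failing
# tool does not stop the remaining, less volatile, steps.
run_step() {
    local dir="$1" label="$2" rc=0
    shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$(date -u +%FT%TZ) SKIP ${label}: $1 not found" >> "${dir}/collection.log"
        return 0
    fi
    "$@" > "${dir}/${label}.txt" 2>&1 || rc=$?
    echo "$(date -u +%FT%TZ) rc=${rc} ${label}: $*" >> "${dir}/collection.log"
    return 0
}

# hash_outputs <evidence_dir>: write SHA256SUMS over every captured file,
# using sha256sum (GNU) or shasum -a 256 (BSD/macOS), whichever exists.
hash_outputs() {
    local dir="$1"
    ( cd "$dir" || exit 1
      if command -v sha256sum >/dev/null 2>&1; then sha256sum ./*.txt
      else shasum -a 256 ./*.txt; fi ) > "${dir}/SHA256SUMS"
}

# collect_volatile <evidence_dir>
# Step numbers follow the order of volatility from the list above:
# memory image, network, login sessions, memory contents, processes,
# open files, operating system information.
collect_volatile() {
    local dir="$1"
    mkdir -p "$dir"
    : > "${dir}/collection.log"
    if [ -x ./tools/avml ]; then                 # optional, most volatile
        run_step "$dir" 00_memory_image ./tools/avml "${dir}/memory.lime"
    fi
    run_step "$dir" 10_net_connections ss -tunap
    run_step "$dir" 11_net_config      ip addr
    run_step "$dir" 12_routes          ip route
    run_step "$dir" 20_logins          who -a
    run_step "$dir" 21_last_logins     last -F
    run_step "$dir" 30_memory_usage    free -m
    run_step "$dir" 40_processes       ps -eo pid,ppid,user,lstart,cmd
    run_step "$dir" 41_hidden_procs    ./tools/unhide brute
    run_step "$dir" 50_open_files      lsof -nP
    run_step "$dir" 60_os_info         uname -a
    hash_outputs "$dir"
}

# Usage: sudo ./collect_volatile.sh /root/evidence-$(hostname)-$(date +%s)
if [ -n "${1:-}" ]; then
    collect_volatile "$1"
fi
```

The evidence directory should be on a separate, writable volume (or a mounted USB device) rather than on the filesystem under investigation, so that the collection itself creates as few new files on the suspect disk as possible; collection.log and SHA256SUMS together give a reviewer the exact commands, their exit codes, and a fixity record for every captured file.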
The script uses local binaries and additionally the following tools provided with the script (the binaries need to be provided manually):
- AVML: Memory collection
- Unhide: Lists hidden processes / ports
- Thor-lite: Compromise assessment tool
Please make sure that the file system under / is mounted with the option noatime. If this is not the case, please execute the command
mount -o remount,noatime /dev/sdX /
where /dev/sdX is the block device holding the filesystem mounted under /. This ensures that no access timestamps are modified during the investigation. Note that the noatime option has no effect on NFS mounts.
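As an added example (not part of the original script), the check below reads the mount table, reports whether the root filesystem already carries noatime, and distinguishes the NFS case where the option has no effect; the mount table path is a parameter so the logic can be exercised against a constructed sample, and on a live host it defaults to /proc/mounts.

```shell
#!/usr/bin/env bash
# Added example, not code from the original script: verify that the root
# filesystem is mounted noatime before collection begins, so reads performed
# during the investigation do not rewrite access timestamps.

# check_root_noatime [mount_table]
# Exit status: 0 root has noatime; 1 root lacks it (remount suggested);
#              2 root is NFS, where noatime has no effect; 3 no root entry.
check_root_noatime() {
    local table="${1:-/proc/mounts}"
    local dev mnt fstype opts rest
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "/" ] || continue
        case "$fstype" in
            nfs|nfs4)
                echo "root (${dev}) is ${fstype}: noatime has no effect on NFS" >&2
                return 2 ;;
        esac
        # Options are comma separated; wrapping in commas matches the whole
        # word, so "relatime" or "strictatime" can never match "noatime".
        case ",${opts}," in
            *,noatime,*)
                echo "root (${dev}, ${fstype}) is mounted with noatime" >&2
                return 0 ;;
            *)
                echo "root (${dev}, ${fstype}) lacks noatime; run:" >&2
                echo "  mount -o remount,noatime ${dev} /" >&2
                return 1 ;;
        esac
    done < "$table"
    echo "no root mount entry found in ${table}" >&2
    return 3
}

# ensure_root_noatime [mount_table]
# Runs the check and applies the remount the README prescribes only when the
# root filesystem is local and lacks the option (needs root privileges).
ensure_root_noatime() {
    local table="${1:-/proc/mounts}" rc=0 dev
    check_root_noatime "$table" || rc=$?
    if [ "$rc" -eq 1 ]; then
        dev=$(awk '$2 == "/" { print $1; exit }' "$table")
        mount -o remount,noatime "$dev" /
        return $?
    fi
    return "$rc"
}

# make_sample_table <file> <root_mount_line>
# Writes a constructed two-line mount table for offline demonstration.
make_sample_table() {
    printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n%s\n' "$2" > "$1"
}

# Usage on a live host (the exit status tells the caller what was found):
#   check_root_noatime && echo "root is noatime, safe to start collection"
```

Running the check before, rather than after, the first collection step matters: the default relatime on Rocky still updates atime when it is older than mtime or ctime, so the very first listing of a directory such as /home can already overwrite the timestamp an investigator later wants to read.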
Please obtain your own license if you intend to use the thor-lite scanner. A license can be created at "https://www.nextron-systems.com/thor-lite/". Afterwards, place it in the tools/thor-lite folder.