Collects volatile forensic evidence from compromised hosts in volatility order: memory dumps with WinPmem/LiME, network connections, processes, system state. For incident response before isolation.
- Security incident confirmed and the compromised host identified
```bash
# Mount the forensic USB toolkit (do not install tools on the compromised system)
# Verify toolkit integrity against the known-good hash list shipped on the USB;
# checking in place avoids writing a hash file onto the compromised host
(cd /mnt/forensic_usb/tools && sha256sum -c known_good_hashes.txt) \
    || echo "WARNING: toolkit hash mismatch - do not proceed with these tools"
# Create a timestamped evidence output directory
EVIDENCE_DIR="/mnt/evidence/$(hostname)_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$EVIDENCE_DIR"
echo "Collection started: $(date -u)" > "$EVIDENCE_DIR/collection_log.txt"
echo "Collector: $(whoami)" >> "$EVIDENCE_DIR/collection_log.txt"
echo "System: $(hostname)" >> "$EVIDENCE_DIR/collection_log.txt"
```

```bash
# Windows - WinPmem memory acquisition (run from the toolkit's own shell; the Windows
# commands below use the same $EVIDENCE_DIR placeholder for the evidence path)
winpmem_mini_x64.exe "$EVIDENCE_DIR\memdump_$(hostname).raw"
# Linux - LiME kernel module memory acquisition (lime.ko must be built for the running kernel)
insmod /mnt/forensic_usb/lime.ko "path=$EVIDENCE_DIR/memdump_$(hostname).lime format=lime"
# Linux - fallback via /proc/kcore (last resort: it is an ELF image of kernel virtual
# memory rather than a raw physical dump, and the output can be enormous)
dd if=/proc/kcore of="$EVIDENCE_DIR/kcore_dump.raw" bs=1M
# macOS - osxpmem
osxpmem -o "$EVIDENCE_DIR/memdump_$(hostname).aff4"
# Hash the memory dump immediately
sha256sum "$EVIDENCE_DIR/memdump_"* > "$EVIDENCE_DIR/memory_hash.sha256"
```

```bash
# Active network connections
# Windows
netstat -anob > "$EVIDENCE_DIR/netstat_connections.txt" 2>&1
Get-NetTCPConnection | Export-Csv "$EVIDENCE_DIR/tcp_connections.csv" -NoTypeInformation
Get-NetUDPEndpoint | Export-Csv "$EVIDENCE_DIR/udp_endpoints.csv" -NoTypeInformation
# Linux (-a: all sockets, not only listening ones; -p: owning process)
ss -tunap > "$EVIDENCE_DIR/socket_stats.txt"
netstat -anp > "$EVIDENCE_DIR/netstat_all.txt" 2>/dev/null
cat /proc/net/tcp > "$EVIDENCE_DIR/proc_net_tcp.txt"
cat /proc/net/udp > "$EVIDENCE_DIR/proc_net_udp.txt"
cat /proc/net/tcp6 > "$EVIDENCE_DIR/proc_net_tcp6.txt" 2>/dev/null
cat /proc/net/udp6 > "$EVIDENCE_DIR/proc_net_udp6.txt" 2>/dev/null
# ARP cache
arp -a > "$EVIDENCE_DIR/arp_cache.txt"
# Routing table
route print > "$EVIDENCE_DIR/routing_table.txt"      # Windows
ip route show > "$EVIDENCE_DIR/routing_table.txt"    # Linux
# DNS cache
ipconfig /displaydns > "$EVIDENCE_DIR/dns_cache.txt" # Windows
# Linux: depends on the resolver; check systemd-resolved (resolvectl on newer systemd) or nscd
(resolvectl statistics 2>/dev/null || systemd-resolve --statistics 2>/dev/null) > "$EVIDENCE_DIR/dns_stats.txt"
# Active firewall rules
netsh advfirewall show allprofiles > "$EVIDENCE_DIR/firewall_rules.txt" # Windows
iptables -L -n -v > "$EVIDENCE_DIR/iptables_rules.txt"                  # Linux
nft list ruleset > "$EVIDENCE_DIR/nftables_rules.txt" 2>/dev/null       # Linux (nftables hosts)
```

```bash
# Windows - verbose process list
tasklist /V /FO CSV > "$EVIDENCE_DIR/process_list_verbose.csv"
wmic process list full > "$EVIDENCE_DIR/wmic_process_full.txt"
Get-Process | Select-Object Id,ProcessName,Path,StartTime,CPU,WorkingSet |
    Export-Csv "$EVIDENCE_DIR/ps_processes.csv" -NoTypeInformation
# Windows - process command lines and parent PIDs (single line: cmd.exe has no backslash continuation)
wmic process get ProcessId,Name,CommandLine,ParentProcessId,ExecutablePath /FORMAT:CSV > "$EVIDENCE_DIR/process_commandlines.csv"
# Linux - full process tree
ps auxwwf > "$EVIDENCE_DIR/process_tree.txt"
ps -eo pid,ppid,user,args --forest > "$EVIDENCE_DIR/process_forest.txt"
# Linux - raw command lines from /proc, one line per PID (cmdline is NUL-separated,
# so the PID is printed first to keep the mapping)
for p in /proc/[0-9]*; do
    printf '%s: ' "${p#/proc/}"
    tr '\0' ' ' < "$p/cmdline" 2>/dev/null
    echo
done > "$EVIDENCE_DIR/proc_cmdline_all.txt"
# Loaded process modules / DLLs
# Windows
listdlls.exe -accepteula > "$EVIDENCE_DIR/loaded_dlls.txt"
# Linux
for p in /proc/[0-9]*; do
    echo "=== PID ${p#/proc/} ==="
    cat "$p/maps" 2>/dev/null
done > "$EVIDENCE_DIR/proc_maps.txt"
# Open file handles
handle.exe -accepteula > "$EVIDENCE_DIR/open_handles.txt" # Windows (Sysinternals)
lsof > "$EVIDENCE_DIR/open_files.txt"                      # Linux
```

```bash
# Windows
query user > "$EVIDENCE_DIR/logged_in_users.txt"
query session > "$EVIDENCE_DIR/active_sessions.txt"
net session > "$EVIDENCE_DIR/net_sessions.txt" 2>&1
net use > "$EVIDENCE_DIR/mapped_drives.txt" 2>&1
# Linux
who > "$EVIDENCE_DIR/who_output.txt"
w > "$EVIDENCE_DIR/w_output.txt"
last -50 > "$EVIDENCE_DIR/last_logins.txt"
lastlog > "$EVIDENCE_DIR/lastlog.txt"
# Recent authentication events (Debian/Ubuntu: auth.log; RHEL/CentOS: secure)
tail -n 200 /var/log/auth.log /var/log/secure > "$EVIDENCE_DIR/recent_auth.txt" 2>/dev/null
```

```bash
# System time (critical for the timeline)
date -u > "$EVIDENCE_DIR/system_time_utc.txt"
w32tm /query /status > "$EVIDENCE_DIR/ntp_status.txt" # Windows
ntpq -p > "$EVIDENCE_DIR/ntp_status.txt"              # Linux
# Environment variables
set > "$EVIDENCE_DIR/environment_vars.txt" # Windows
env > "$EVIDENCE_DIR/environment_vars.txt" # Linux
# Scheduled tasks / cron jobs
schtasks /query /fo CSV /v > "$EVIDENCE_DIR/scheduled_tasks.csv" # Windows
crontab -l > "$EVIDENCE_DIR/crontab_current.txt" 2>/dev/null     # Linux (current user only)
# Linux - crontabs of every local account (requires root)
for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
done > "$EVIDENCE_DIR/crontab_all_users.txt"
ls -la /etc/cron.* > "$EVIDENCE_DIR/cron_dirs.txt" 2>/dev/null
# Services
sc queryex type=service state=all > "$EVIDENCE_DIR/services_all.txt"                  # Windows
systemctl list-units --type=service --all > "$EVIDENCE_DIR/systemd_services.txt"    # Linux
# Windows registry - key autostart locations
reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "$EVIDENCE_DIR/reg_run_hklm.reg" /y
reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "$EVIDENCE_DIR/reg_run_hkcu.reg" /y
reg export "HKLM\SYSTEM\CurrentControlSet\Services" "$EVIDENCE_DIR/reg_services.reg" /y
```

```bash
# Generate SHA-256 hashes for all collected evidence (the manifest excludes itself)
cd "$EVIDENCE_DIR"
find . -type f ! -name evidence_manifest.sha256 -exec sha256sum {} + > evidence_manifest.sha256
# Create the chain-of-custody record
cat > "$EVIDENCE_DIR/chain_of_custody.txt" << EOF
CHAIN OF CUSTODY RECORD
========================
Case ID: IR-YYYY-NNN
Collection date: $(date -u)
Collected by: $(whoami)
System: $(hostname)
System IP: $(hostname -I 2>/dev/null || ipconfig | grep IPv4)
Collection method: live forensic collection via trusted USB toolkit
Evidence items:
$(ls -la "$EVIDENCE_DIR/" | grep -v chain_of_custody)
SHA256 manifest: evidence_manifest.sha256
Transfer log: [to be completed]
Storage location: [to be completed]
EOF
```
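A collection wrapper for the procedure above, added here as an example (it is not code from the original skill or its repository): every step is logged with its start time, end time and exit status, and each artifact is hashed the moment it is written, so the manifest grows with the collection instead of being produced in one pass at the end. It assumes `sha256sum` and `date` from the trusted toolkit and an `EVIDENCE_DIR` set as in the script; the names `collect` and `verify_manifest` are chosen here.

```shell
#!/bin/sh
# Added example, not part of the original skill: log-and-hash wrapper for
# live collection steps. Assumes sha256sum and date come from the trusted
# toolkit; EVIDENCE_DIR is taken from the caller (a temp dir if unset).
EVIDENCE_DIR=${EVIDENCE_DIR:-$(mktemp -d)}

# collect NAME COMMAND [ARGS...]
# Runs COMMAND with stdout and stderr captured in $EVIDENCE_DIR/NAME, appends
# a timestamped entry (including the exit status) to collection_log.txt and
# the artifact's SHA-256 to evidence_manifest.sha256. Returns COMMAND's status.
collect() {
    _name=$1; shift
    _out="$EVIDENCE_DIR/$_name"
    _start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    _rc=0
    "$@" > "$_out" 2>&1 || _rc=$?
    _end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s %s rc=%s artifact=%s cmd=%s\n' \
        "$_start" "$_end" "$_rc" "$_name" "$*" >> "$EVIDENCE_DIR/collection_log.txt"
    # Hash relative to EVIDENCE_DIR so the manifest verifies with sha256sum -c
    (cd "$EVIDENCE_DIR" && sha256sum "$_name") >> "$EVIDENCE_DIR/evidence_manifest.sha256"
    return "$_rc"
}

# verify_manifest: re-hashes every artifact listed in the manifest; returns
# non-zero if any artifact changed after collection (e.g. it was edited later).
verify_manifest() {
    (cd "$EVIDENCE_DIR" && sha256sum -c evidence_manifest.sha256 > /dev/null)
}

# Usage in volatility order, most volatile first (harmless commands shown;
# substitute the acquisition commands from the script above):
#   collect system_time_utc.txt date -u
#   collect socket_stats.txt ss -tunap
#   collect process_tree.txt ps auxwwf
#   verify_manifest && echo "manifest verified"
```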
| Concept | Description |
|---|---|
| Order of Volatility | RFC 3227: collect the most volatile data first: registers > cache > memory > disk |
| Live Forensics | Collecting evidence from a running system before it is shut down |
| Chain of Custody | Documentation that tracks the handling of evidence from collection to court |
| Forensic Soundness | Ensuring the collection process does not alter the original evidence |
| Trusted Tools | Using verified tools from external media rather than the tools on the compromised system |
| Evidence Integrity | Computing SHA-256 hashes of all evidence immediately after collection |
| Locard's Exchange Principle | Every contact leaves a trace: keep the investigator's footprint to a minimum |

| Tool | Purpose |
|---|---|
| WinPmem | Windows memory acquisition |
| LiME (Linux Memory Extractor) | Linux kernel memory acquisition |
| Sysinternals Suite | Process, handle and DLL analysis (Windows) |
| Velociraptor | Remote forensic collection at scale |
| KAPE (Kroll Artifact Parser) | Automated Windows artifact collection |
| CyLR | Cross-platform live response collection |
| GRR Rapid Response | Remote live forensics framework |