Collect evidence from Linux endpoints manually using the Trend Micro Incident Response Toolkit.
Important
Evidence archives use the same folder structures as the SANS Institute and the CyLR tool.
Procedure
- In the Trend Vision One console, go to .
- Click Collect Evidence.
- Configure the following settings for manual collection.
  Setting: Evidence types
  Description: The types of evidence to collect.
  Note
  For Linux endpoints, the following information is required:
  Setting: Archive location on endpoint
  Description: Location of the evidence package on the local endpoint.
  Important
  - The local archive is not encrypted and remains on the endpoint until it is deleted. This might expose sensitive information to anyone with access to the file system, or reveal the presence of an ongoing investigation.
  - Evidence archives take up hard drive space and may impact endpoint performance.
- Click Download TMIRT to download the Trend Micro Incident Response Toolkit.
- Deploy the toolkit to the endpoints on which you want to collect evidence.
- Execute the toolkit.
  - Extract the contents of the zip archive.
  - Execute TMIRT.sh as the root user.
  - (Optional) If you do not have enough privileges to execute scripts, execute the following commands.
    - Discover the endpoint OS architecture by executing the uname -m command.
      Important
      - For AArch64 or ARM64 architecture, use the TMIRT-arm64.tgz toolkit.
      - For i386 or i686 architecture, use the TMIRT-x86.tgz toolkit.
      - For AMD64 or x86_64 architecture, use the TMIRT-x64.tgz toolkit.
    - To extract the toolkit from the TGZ file, execute the ./tar -xf command with the correct TMIRT version based on your OS architecture.
    - To begin collecting evidence, execute ./TMIRT evidence --config_file ./config.json.
- Upload the evidence packages the toolkit generates to the Forensics app.
  Tip
  You can upload multiple files at once. Each file must not exceed 4 GB.
  The Forensics app begins processing the uploaded evidence packages.
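The manual steps above, wrapped in a small POSIX shell script as an added example that is not part of the Trend Micro documentation or of the toolkit itself: it maps the output of uname -m to the toolkit archive this page names for that architecture, checks a package against the 4 GB upload limit before it is sent to the Forensics app, and runs the extraction and collection as root. The bundled ./tar, the ./TMIRT binary, ./config.json and the three archive names come from the page; the function names, the TMIRT_RUN guard, the example archive path, and the reading of "4 GB" as 4 x 1024^3 bytes are assumptions made here.

```shell
#!/bin/sh
# Added example (not Trend Micro's own code): drives the manual TMIRT
# collection steps described above. Assumes the current directory holds the
# extracted toolkit (./tar, ./TMIRT, ./config.json and the TGZ archives named
# on the page). Function names and the TMIRT_RUN guard are this example's own.

# Map the output of `uname -m` to the toolkit archive the page lists for it.
# Prints the archive name; returns 1 for an architecture the page does not list.
tmirt_archive_for_arch() {
    case "$1" in
        aarch64|arm64)  echo "TMIRT-arm64.tgz" ;;
        i386|i686)      echo "TMIRT-x86.tgz" ;;
        x86_64|amd64)   echo "TMIRT-x64.tgz" ;;
        *)              echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# The Forensics app accepts files of at most 4 GB. Check a package size
# (in bytes) before uploading; 4 GB is taken here as 4 * 1024^3 (assumption).
evidence_fits_upload_limit() {
    limit=$((4 * 1024 * 1024 * 1024))
    [ "$1" -le "$limit" ]
}

# Detect the architecture, extract the matching toolkit with the bundled tar,
# and start the collection. Must run as root, as the page requires.
collect_evidence() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "TMIRT must be executed as the root user" >&2
        return 1
    fi
    arch=$(uname -m)
    archive=$(tmirt_archive_for_arch "$arch") || return 1
    ./tar -xf "$archive"
    ./TMIRT evidence --config_file ./config.json
}

# The local archive is unencrypted and stays on disk until deleted, so remove
# it once the upload has succeeded. The path argument is whatever archive
# location was configured in the console (example value only).
remove_local_archive() {
    if [ -f "$1" ]; then
        rm -f "$1"
    fi
}

# Only perform the collection when explicitly requested, so the file can be
# sourced to reuse the helper functions without touching the endpoint.
if [ "${TMIRT_RUN:-0}" = "1" ]; then
    collect_evidence
fi
```

Run it on the endpoint as `TMIRT_RUN=1 sh collect.sh` from the toolkit directory; after the Forensics app has accepted the upload, call `remove_local_archive /path/to/evidence.zip` (path as configured for the endpoint) so the unencrypted package does not linger on the file system.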