System Snapshot Collection

• Overview
• Distinction from Agent/Controller System Snapshot
• Features
  • Collected Data
• Usage
  • Basic Collection
  • Custom Output Location
  • Forensic Investigation with System Snapshot
  • Multi-System Collection
• Output Format
• Platform Support
  • Linux
  • macOS
  • Windows
• Use Cases
  • 1. Incident Response Triage
  • 2. Malware Investigation
  • 3. Baseline Creation
  • 4. Multi-System Investigation
  • 5. Container/VM Forensics
• Analysis Techniques
  • Process Analysis
  • Network Analysis
  • Module Analysis
  • File Handle Analysis
• Integration with Other Features
  • With Artifact Collection
  • With Timeline Generation
  • With Module/Target System
• Best Practices
  • 1. Collect Early
  • 2. Preserve Original
  • 3. Document Collection
• Database server
  • 4. Correlate Data
  • 5. Look for Anomalies
  • Limitations
    • Windows Open Files
    • Process Details
    • Performance Impact
    • Privilege Requirements
  • Security Considerations
    • Sensitive Data
    • Evidence Integrity
    • Access Control
  • Troubleshooting
    • Empty Process List
    • No Network Connections
    • lsof Not Available
    • Permission Denied
  • Future Enhancements
  • Related Documentation
  • References

This document describes sus's system snapshot capabilities for capturing volatile system state at the start of forensic investigations and incident response.

Overview

The system snapshot feature captures a point-in-time snapshot of volatile system information at the beginning of analysis, before any file scanning begins. This includes running processes, active network connections, loaded kernel modules, open files, environment variables, and system information.

[!NOTE] This is different from the agent/controller "live response" feature which allows running arbitrary commands on remote agents (similar to Microsoft Defender for Endpoint or Elastic EDR live response). System snapshot is a passive data collection feature that captures system state automatically.

Distinction from Agent/Controller System Snapshot

System Snapshot (this feature):

• Passive collection of system state
• Runs automatically at analysis start
• Captures predefined set of data (processes, connections, modules, etc.)
• No command execution
• Forensic/investigative focus

Agent/Controller System Snapshot (existing feature):

• Interactive command execution on remote agents
• On-demand, user-initiated
• Flexible - run any command
• MDE/Elastic EDR-style capabilities
• Real-time incident response focus

Features

Collected Data

1. System Information

   • Hostname and architecture
   • Operating system name and version
   • Kernel version
   • System uptime
   • Boot time
   • CPU count and total memory
   • Currently logged-in users

2. Running Processes

   • Process ID (PID) and parent process ID (PPID)
   • Process name and full command line
   • Executable path
   • User/owner (Unix/Linux)
   • CPU percentage and memory usage (where available)
   • Process start time

3. Network Connections

   • Protocol (TCP/UDP)
   • Local and remote addresses with ports
   • Connection state (ESTABLISHED, LISTEN, TIME_WAIT, etc.)
   • Associated process ID and name (where available)

4. Loaded Kernel Modules/Drivers

   • Module name and size
   • Dependencies (used by list)
   • Module path (where available)
   • Linux: From /proc/modules
   • macOS: From kextstat
   • Windows: From driverquery

5. Open Files and Handles

   • Process ID and name
   • File descriptor number
   • File type (regular file, directory, socket, etc.)
   • Full file path
   • Unix/Linux/macOS: From lsof command
   • Windows: Not currently supported (requires admin privileges)

6. Environment Variables

   • Complete snapshot of environment variables
   • Can reveal PATH configurations, temporary directories, user settings

Usage

Basic Collection

Collect live response data and save to default location:

sus /path --system-snapshot

This creates output/system_snapshot.json with all volatile system state.

Custom Output Location

Specify a custom path for the live response data:

sus /path --system-snapshot --system-snapshot-output /investigation/system_state.json

Forensic Investigation with System Snapshot

Combine live response with artifact collection for comprehensive investigation:

sus /evidence \
  --target KAPE_Triage \
  --collect \
  --system-snapshot \
  --generate-timeline json

This creates:

• output/collected/ - Copied artifacts
• output/system_snapshot.json - System state snapshot
• output/timeline.json - Timeline of events
• output/analysis.db - Analysis database

Multi-System Collection

Collect live response from multiple systems with tags:

# Web server
sus /mnt/web01 \
  --tag-dir '/mnt/web01:web01' \
  --system-snapshot \
  --system-snapshot-output /investigation/web01_live.json

# Database server
sus /mnt/db01 \
  --system-snapshot \
  --system-snapshot-output /investigation/db01_live.json

Output Format

System snapshot data is saved in JSON format with the following structure:

{
  "timestamp": "2024-01-15T10:30:00Z",
  "collection_host": "webserver01",
  "system_info": {
    "hostname": "webserver01",
    "os_name": "Ubuntu 22.04 LTS",
    "os_version": "22.04",
    "kernel_version": "5.15.0-91-generic",
    "architecture": "x86_64",
    "uptime_seconds": 1234567,
    "boot_time": "2024-01-01T00:00:00Z",
    "logged_in_users": ["admin", "service"],
    "cpu_count": 8,
    "total_memory_kb": 16777216
  },
  "processes": [
    {
      "pid": 1234,
      "ppid": 1,
      "name": "nginx",
      "cmdline": "nginx: master process /usr/sbin/nginx -g daemon on;",
      "exe_path": "/usr/sbin/nginx",
      "user": "www-data",
      "cpu_percent": 0.5,
      "memory_kb": 12345,
      "start_time": "2024-01-15T08:00:00Z"
    }
  ],
  "network_connections": [
    {
      "protocol": "tcp",
      "local_address": "0.0.0.0",
      "local_port": 80,
      "remote_address": "192.168.1.100",
      "remote_port": 54321,
      "state": "ESTABLISHED",
      "pid": 1234,
      "process_name": "nginx"
    }
  ],
  "loaded_modules": [
    {
      "name": "e1000e",
      "size": 286720,
      "used_by": [],
      "path": "/lib/modules/5.15.0-91-generic/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko"
    }
  ],
  "open_files": [
    {
      "pid": 1234,
      "process_name": "nginx",
      "fd": 5,
      "file_type": "file",
      "path": "/var/log/nginx/access.log"
    }
  ],
  "environment_variables": {
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "HOME": "/root",
    "SHELL": "/bin/bash"
  }
}

Platform Support

Linux

• ✅ Full support
• System info from /proc and uname
• Process list from ps
• Network connections from netstat
• Kernel modules from /proc/modules
• Open files from lsof

macOS

• ✅ Full support
• System info from sw_vers, sysctl, uname
• Process list from ps
• Network connections from netstat
• Kernel extensions from kextstat
• Open files from lsof

Windows

• ⚠️ Partial support
• System info from systeminfo
• Process list from wmic
• Network connections from netstat
• Loaded drivers from driverquery
• Open files: Not supported (requires admin privileges and third-party tools)

Use Cases

1. Incident Response Triage

Quickly capture system state during an active incident:

sus / \
  --system-snapshot \
  --target Quick_Triage \
  --collect \
  --output-dir /cases/incident_$(date +%Y%m%d_%H%M%S)

2. Malware Investigation

Identify suspicious processes and connections:

sus /suspicious \
  --system-snapshot \
  --profile profiles/base/malware.toml \
  --collect

Then analyze system_snapshot.json for:

• Processes with unusual command lines
• Unexpected network connections
• Suspicious loaded modules
• Hidden or masquerading processes

3. Baseline Creation

Create system baseline for comparison:

# Create baseline
sus / --system-snapshot --system-snapshot-output /baselines/system_baseline.json

# Later, compare current state
sus / --system-snapshot --system-snapshot-output /investigation/current_state.json

# Use external tools to diff the JSON files

4. Multi-System Investigation

Collect state from multiple systems:

#!/bin/bash
for host in web01 web02 db01 cache01; do
  ssh $host "sus / --system-snapshot --system-snapshot-output /tmp/live_${host}.json"
  scp $host:/tmp/live_${host}.json /investigation/
done

5. Container/VM Forensics

Collect from running containers or VMs:

# Docker container
docker exec -it container_name sus / --system-snapshot

# Kubernetes pod
kubectl exec -it pod-name -- sus / --system-snapshot

Analysis Techniques

Process Analysis

Look for:

• Processes with suspicious names (typosquatting)
• Unusual command line arguments
• Processes running from temp directories
• Processes with unusual parent-child relationships
• High CPU/memory usage

Network Analysis

Identify:

• Unexpected listening services
• Connections to suspicious IPs
• Connections on non-standard ports
• Processes with many connections

Module Analysis

Check for:

• Unknown or unsigned modules
• Modules loaded from unusual locations
• Recently loaded modules
• Modules with no dependencies (potentially rootkits)

File Handle Analysis

Examine:

• Deleted but still open files (Unix)
• Processes accessing sensitive data
• Temporary file usage
• Log file access patterns

Integration with Other Features

With Artifact Collection

Combine live response with file collection:

sus /system \
  --system-snapshot \
  --collect \
  --target forensic-investigation

Creates complete evidence package with both volatile and non-volatile data.

With Timeline Generation

Correlate system state with file access times:

sus /evidence \
  --system-snapshot \
  --generate-timeline json \
  --collect

Allows temporal analysis of file modifications vs. process activity.

With Module/Target System

Use forensic targets with live response:

# KAPE-style triage with live response
sus / --target KAPE_Triage --system-snapshot --collect

# Browser artifacts with live response (see running browsers)
sus / --target KAPE_BrowserHistory --system-snapshot

# Windows execution evidence with live processes
sus / --target KAPE_EvidenceOfExecution --system-snapshot

Best Practices

1. Collect Early

Capture live response at the beginning of investigation before system state changes.

2. Preserve Original

Keep original live response JSON for chain of custody.

3. Document Collection

Database server

sus /mnt/db01
--tag-dir '/mnt/db01:db01'
--system-snapshot
--system-snapshot-output /investigation/db01_live.json

Record when and why live response was collected:

```bash
sus / --system-snapshot --system-snapshot-output \
  /case/evidence/system_snapshot_$(date -Iseconds).json

4. Correlate Data

Cross-reference live response with:

• File analysis results
• Timeline events
• Network logs
• System logs

5. Look for Anomalies

Compare against known-good baselines to identify:

• New/unknown processes
• Unexpected network activity
• Recently loaded modules
• Unusual file access patterns

Limitations

Windows Open Files

Open file collection not currently supported on Windows due to:

• Requires administrative privileges
• No built-in equivalent to lsof
• Would need third-party tools (e.g., Sysinternals Handle.exe)

Process Details

Some process details may be limited:

• CPU/memory metrics not collected on all platforms
• Process start times may be approximate
• User information may not be available

Performance Impact

System snapshot collection:

• May take several seconds on busy systems
• lsof can be slow with many open files
• Limited to 10,000 open files to prevent huge output

Privilege Requirements

Some data requires elevated privileges:

• Full process information (all users)
• Some network connection details
• System driver information (Windows)

Security Considerations

Sensitive Data

System snapshot may capture:

• Command line arguments with passwords
• Environment variables with secrets
• Network connections to internal systems
• Process names revealing infrastructure

Recommendation: Review and redact sensitive information before sharing.

Evidence Integrity

System snapshot data is volatile:

• Cannot be independently verified
• Changes between collections
• No cryptographic integrity by default

Recommendation:

• Hash the output file immediately: sha256sum system_snapshot.json
• Document collection time and methodology
• Collect multiple snapshots if needed

Access Control

Protect live response files:

chmod 600 system_snapshot.json
chown investigator:investigators system_snapshot.json

Troubleshooting

Empty Process List

• Check if ps or wmic is available
• Verify permissions (may need elevated privileges)
• Check system compatibility

No Network Connections

• Verify netstat is installed
• Some connections may require privileges
• Check if connections exist (use native tools to verify)

lsof Not Available

• Install lsof: apt-get install lsof or brew install lsof
• Open files collection will be skipped if unavailable
• Not critical for basic investigation

Permission Denied

• Some data requires root/administrator privileges
• Run with elevated privileges if needed
• Partial data will still be collected

Future Enhancements

Planned features:

• Direct sysinfo crate integration (eliminate command dependencies)
• Windows open files support via native APIs
• Memory dump integration
• Active connections packet capture
• Real-time monitoring mode
• Diff mode to compare snapshots
• Export to STIX/CybOX formats
• Integration with Plaso/log2timeline

Related Documentation

• Artifact Collection - File artifact collection
• Timeline Generation - Timeline creation
• Compound Targets - Module and target system
• UAC/KAPE Features - Feature analysis and roadmap

References

• UAC (Unix-like Artifacts Collector): https://github.com/tclahr/uac
• KAPE (Kroll Artifact Parser and Extractor): https://www.kroll.com/kape
• SANS DFIR: https://www.sans.org/digital-forensics-incident-response/
• Volatility Framework: https://www.volatilityfoundation.org/