Advanced Artifact Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Advanced Artifact Analysis Advanced artifact analysis Toolset, Artifact analysis training material November 2014 European Union Agency for Network and Information Security www.enisa.europa.eu Advanced artifact analysis Toolset, Artifact analysis training material November 2014 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors This document was created by Lauri Palkmets, Cosmin Ciobanu, Yonas Leguesse, and Christos Sidiropoulos in consultation with DFN-CERT Services1 (Germany), ComCERT2 (Poland), and S-CURE3 (The Netherlands). Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected] Acknowledgements ENISA wants to thank all institutions and persons who contributed to this document. A special ‘Thank You’ goes to the following contributors: 1. Todor Dragostinov from ESMIS, Bulgaria 2. Michael Ligh from MNIN.ORG, United States 1 Klaus Möller, and Mirko Wollenberg 2 Mirosław Maj, Tomasz Chlebowski, Krystian Kochanowski, Dawid Osojca, Paweł Weżgowiec, and Adam Ziaja 3 Michael Potter, Alan Robinson, and Don Stikvoort Page ii Advanced artifact analysis Toolset, Artifact analysis training material November 2014 Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Union Agency for Network and Information Security (ENISA), 2014 Reproduction is authorised provided the source is acknowledged. Page iii Advanced artifact analysis Toolset, Artifact analysis training material November 2014 Table of Contents 1 General description 2 1.1 Prerequisites 2 1.2 Tools overview 3 1.2.1 Volatility 3 1.2.2 Python for Volatility 3 1.2.3 PyCrypto 3 1.2.4 PIL 3 1.2.5 Distorm3 3 1.2.6 Yara 3 1.3 Memory acquisition tools 4 1.3.1 WinPmem, MacPmem 4 1.3.2 LiME 4 1.4 Other tools 4 1.4.1 Strings 4 1.4.2 Grep 4 1.4.3 Ncat 4 1.5 Alternatives 5 1.5.1 Kernel Debugger 5 1.5.2 Mandiant Memoryze 5 1.5.3 Second Look 5 1.6 Virtual Memory images 5 1.7 Virtual Appliances 5 2 Exercise Course 6 2.1 Introduction 6 2.2 Task 1: Acquiring memory images 6 2.2.1 Task 1.1: Acquiring memory images from Windows 7 2.2.2 Task 1.2 Acquiring memory images from Linux 9 2.3 Task 2: Basic analysis of Windows images 15 2.3.1 Task 2.1: Windows process analysis 15 2.3.2 Task 2.2: Network connection analysis 19 2.3.3 Task 2.3: Registry analysis 20 2.3.4 Task 2.4: File and other analysis 24 2.4 Task 3: Basic Linux memory analysis 26 2.4.1 Task 3.1: Linux process analysis 26 2.4.2 Task 3.2: Linux network connection analysis 29 2.4.3 Task 3.3: File and kernel analysis 32 2.5 Task 4: Finding and obtaining malware from memory images 35 2.5.1 Task 4.1 Windows malware 35 Page iv Advanced artifact analysis Toolset, Artifact analysis training material November 2014 2.5.2 Task 4.2 Linux malware 37 3 Commands used 40 4 Bibliography 42 Page v Advanced artifact analysis Toolset, Artifact analysis training material November 2014 During the course of the exercise the students will learn how to obtain Main Objective memory images from different sources and to analyse them. Both Windows and Linux systems will be covered. CERT staff involved with the technical analysis of incidents, especially Targeted Audience those dealing with forensics. In-depth knowledge of operating system concepts is a prerequisite. Python knowledge is helpful but not required. Total Duration 6 – 7.5 hours Introduction to the exercise (Memory forensics) 1.5 hours Task 1: Acquiring memory images 1 hour 1-1.5 Task 2: Basic Windows memory analysis hours Time Schedule 1-1.5 Task 3: Basic Linux memory analysis hours 1-1.5 Task 4: Obtaining and analysing malware from memory hours Summary of the exercise 0.5 hours Frequency Once per person Page 1 Advanced artifact analysis Toolset, Artifact analysis training material November 2014 1 General description During the course of this exercise, the students will learn how to acquire and analyse memory images from Windows and Linux operating systems with the Volatility toolkit4. Students that have completed the “Digital forensics”5 course may already be familiar with some of the concepts covered in this exercise. At the beginning, the trainer will introduce the basic concepts of memory forensics, such as acquisition of memory and its analysis. Additionally, the students will be given basic information on how to use Volatility.4 In the first part, the students will learn how to acquire memory images from Windows and Linux operating systems. In the second and third part, the students will perform basic analysis tasks while working with Windows and Linux memory dumps. In the last part, the students are confronted with advanced analysis techniques, such as identifying and isolating a malware sample from a given memory image. The exercise can be held with all parts in sequence. But it is also possible to hold only the introduction, together with either the Windows or the Linux parts to focus on only one operating system or if the time frame doesn't allow for a full training, additionally there will also be an open discussion at the end of the exercise. 1.1 Prerequisites It is assumed that the students are familiar with • The general process of incident response and digital forensics.6,7,8,9 • Basic concepts from C / Assembler programming such as low level data types (char, int), arrays, structures, etc.10,11,12,13,14 • General operating system concepts such as processes, threads, stack, heap, kernel, memory management, etc.15,16,17,18 4 http://www.volatilityfoundation.org/ (last visited: 30. 9. 2014) 5 https://www.enisa.europa.eu/activities/cert/support/exercise, exercise no 24 (last visited: 30. 9. 2014) 6 https://www.enisa.europa.eu/activities/cert/background (last visited: 30. 9. 2014) 7 https://www.enisa.europa.eu/activities/cert/support (last visited: 30. 9. 2014) 8 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf (last visited: 30. 9. 2014) 9 http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf (last visited: 30. 9. 2014) 10 Mitchell: “Concepts in Programming Languages”, Cambrigde University Press, ISBN 0521780985 11 Van Roy, et al.: “Concepts, Techniques, and Models of Computer Programming”, MIT Press, ISBN: 9780262220699 12 http://www.cprogramming.com/(last visited: 30. 9. 2014) 13 http://en.wikibooks.org/wiki/C_Programming (last visited: 30. 9. 2014) 14 http://en.wikibooks.org/wiki/X86_Disassembly (last visited: 30. 9. 2014) 15 Silberschatz, et al.: “Operating System Concepts”, 9th ed., Wiley, ISBN-13: 978-1118063330 16Russinovich, et al.: “Windows Internals”, 6th ed., Microsoft Press, ISBN-13: 978-0735648739 (part1), ISBN-13: 978-0735665873 (part 2), http://technet.microsoft.com/de-de/sysinternals/bb963901.aspx (last visited: 30. 9. 2014) 17 Wolfgang Mauerer: “Professional Linux Kernel Architecture“,Wrox, ISBN-13: 978-0470343432 18 Bovet, et al.: “Understanding the Linux Kernel”, 3rd ed., O'Reilly, ISBN-13: 978-0596005658 Page 2 Advanced artifact analysis Toolset, Artifact analysis training material November 2014 • Standard Unix command line tools, such as grep, sort, etc. 1.2 Tools overview The following section gives an overview about the tools used in this exercise. 1.2.1 Volatility Volatility is an open source framework for the extraction of digital artifacts from volatile memory (RAM) samples. It is now (2014) developed and supported by The Volatility Foundation.19 1.2.2 Python for Volatility Having the Python20 interpreter and its libraries installed is a prerequisite to running Volatility. At least version 2.6 (better 2.7) is required. A Linux or Windows operating system with x86 or x64 architecture is preferred although Volatility should run on any system that supports Python. Python 3 is currently (as of version 2.3.1 and 2.4) not supported. Furthermore, several Python libraries are needed by Volatility that typically are not installed automatically when installing the main Python package. Teachers should check for the presence of these packages when assembling their own analysis system. 1.2.3 PyCrypto The Python Cryptography Toolkit21 supplies hashing and encryption algorithms as well as encryption protocols and other routines, such as random number generators.
Recommended publications
  • Linux Tutorial Last Updated: September 29 2021 for Windows Users
    VLAAMS SUPERCOMPUTER Innovative Computing CENTRUM for A Smarter Flanders Linux Tutorial Last updated: September 29 2021 For Windows Users Authors: Jasper Devreker (UGent), Ewan Higgs (UGent), Kenneth Hoste (UGent) Acknowledgement: VSCentrum.be Audience: This document is a hands-on guide for using the Linux command line in the context of the UGent HPC infrastructure. The command line (sometimes called ’shell’) can seems daunting at first, but with a little understanding can be very easy to use. Everything you do startsatthe prompt. Here you have the liberty to type in any commands you want. Soon, you will be able to move past the limited point and click interface and express interesting ideas to the computer using the shell. Gaining an understanding of the fundamentals of Linux will help accelerate your research using the HPC infrastructure. You will learn about commands, managing files, and some scripting basics. Notification: In$ commands this tutorial specific commands are separated from the accompanying text: These should be entered by the reader at a command line in a terminal on the UGent-HPC. They appear in all exercises preceded by a $ and printed in bold. You’ll find those actions ina grey frame. Button are menus, buttons or drop down boxes to be pressed or selected. “Directory” is the notation for directories (called “folders” in Windows terminology) or specific files. (e.g., “/user/home/gent/vsc400/vsc40000”) “Text” Is the notation for text to be entered. Tip: A “Tip” paragraph is used for remarks or tips. They can also be downloaded from the VSC website at https://www.vscentrum.be.
    [Show full text]
  • Netcat and Trojans/Backdoors
    Netcat and Trojans/Backdoors ECE4883 – Internetwork Security 1 Agenda Overview • Netcat • Trojans/Backdoors ECE 4883 - Internetwork Security 2 Agenda Netcat • Netcat ! Overview ! Major Features ! Installation and Configuration ! Possible Uses • Netcat Defenses • Summary ECE 4883 - Internetwork Security 3 Netcat – TCP/IP Swiss Army Knife • Reads and Writes data across the network using TCP/UDP connections • Feature-rich network debugging and exploration tool • Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions. • UNIX and Windows versions available at: http://www.atstake.com/research/tools/network_utilities/ ECE 4883 - Internetwork Security 4 Netcat • Designed to be a reliable “back-end” tool – to be used directly or easily driven by other programs/scripts • Very powerful in combination with scripting languages (eg. Perl) “If you were on a desert island, Netcat would be your tool of choice!” - Ed Skoudis ECE 4883 - Internetwork Security 5 Netcat – Major Features • Outbound or inbound connections • TCP or UDP, to or from any ports • Full DNS forward/reverse checking, with appropriate warnings • Ability to use any local source port • Ability to use any locally-configured network source address • Built-in port-scanning capabilities, with randomizer ECE 4883 - Internetwork Security 6 Netcat – Major Features (contd) • Built-in loose source-routing capability • Can read command line arguments from standard input • Slow-send mode, one line every N seconds • Hex dump of transmitted and received data • Optional ability to let another program service established connections • Optional telnet-options responder ECE 4883 - Internetwork Security 7 Netcat (called ‘nc’) • Can run in client/server mode • Default mode – client • Same executable for both modes • client mode nc [dest] [port_no_to_connect_to] • listen mode (-l option) nc –l –p [port_no_to_connect_to] ECE 4883 - Internetwork Security 8 Netcat – Client mode Computer with netcat in Client mode 1.
    [Show full text]
  • Measuring Software Performance on Linux Technical Report
    Measuring Software Performance on Linux Technical Report November 21, 2018 Martin Becker Samarjit Chakraborty Chair of Real-Time Computer Systems Chair of Real-Time Computer Systems Technical University of Munich Technical University of Munich Munich, Germany Munich, Germany [email protected] [email protected] OS program program CPU .text .bss + + .data +/- + instructions cache branch + coherency scheduler misprediction core + pollution + migrations data + + interrupt L1i$ miss access + + + + + + context mode + + (TLB flush) TLB + switch data switch miss L1d$ +/- + (KPTI TLB flush) miss prefetch +/- + + + higher-level readahead + page cache miss walk + + multicore + + (TLB shootdown) TLB coherency page DRAM + page fault + cache miss + + + disk + major minor I/O Figure 1. Event interaction map for a program running on an Intel Core processor on Linux. Each event itself may cause processor cycles, and inhibit (−), enable (+), or modulate (⊗) others. Abstract that our measurement setup has a large impact on the results. Measuring and analyzing the performance of software has More surprisingly, however, they also suggest that the setup reached a high complexity, caused by more advanced pro- can be negligible for certain analysis methods. Furthermore, cessor designs and the intricate interaction between user we found that our setup maintains significantly better per- formance under background load conditions, which means arXiv:1811.01412v2 [cs.PF] 20 Nov 2018 programs, the operating system, and the processor’s microar- chitecture. In this report, we summarize our experience on it can be used to improve high-performance applications. how performance characteristics of software should be mea- CCS Concepts • Software and its engineering → Soft- sured when running on a Linux operating system and a ware performance; modern processor.
    [Show full text]
  • Checkpointing Under Linux with Berkeley Lab Checkpoint/Restart
    N1GE6 Checkpointing and Berkeley Lab Checkpoint/Restart Liang PENG Lip Kian NG N1GE6 Checkpointing and Berkeley Lab Checkpoint/Restart Liang PENG Lip Kian NG APSTC-TB-2004-005 Abstract: N1GE6, formerly known as Sun Grid Engine, is widely used in HPTC environment for efficient utilization of compute resources. As applications in such environment are generally compute intensive, fault tolerance is required to minimize the impact of hardware failure. N1GE6 has several fault tolerance features and in this report, the focus will be on the checkpointing support and the integration of Berkeley Lab Checkpoint/Restart will be used as an example. Keywords: checkpoint, Grid Engine, blcr Email Address: [email protected] [email protected] Revision History Version Date Comments 1.1 Jul 14, 2004 1.2 Dec 28, 2004 Feedback from Reuti (reuti__at__staff.uni-marburg.de) • Transparent interface is user-level (Table 1). • Update to state diagram (Illustration 2). N1GE6 Checkpointing and Berkeley Lab Checkpoint/Restart Liang PENG Lip Kian NG Asia Pacific Science and Technology Center Sun Microsystems Pte Ltd, Singapore Introduction Checkpointing is the process of writing out the state information of a running application to physical storage periodically. With this feature, an application will be able to restart from the last checkpointed state instead of from the beginning which would have been computationally expensive in HPTC environment. In general, checkpointing tools can be classified into 2 different classes: • Kernel-level – Such tools are built into the kernel of the operating system. During a checkpoint, the entire process space (which tends to be huge) is written to physical storage.
    [Show full text]
  • Netcat Starter
    www.allitebooks.com Instant Netcat Starter Learn to harness the power and versatility of Netcat, and understand why it remains an integral part of IT and Security Toolkits to this day K.C. Yerrid BIRMINGHAM - MUMBAI www.allitebooks.com Instant Netcat Starter Copyright © 2013 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: January 2013 Production Reference: 1170113 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-84951-996-0 www.packtpub.com www.allitebooks.com Credits Author Project Coordinators K.C. "K0nsp1racy" Yerrid Shraddha Bagadia Esha Thakker Reviewer Jonathan Craton Proofreader Kelly Hutchison IT Content and Commissioning Editor Graphics Grant Mizen Aditi Gajjar Commissioning Editor Production Coordinator Priyanka Shah Melwyn D'sa Technical Editor Cover Work Ameya Sawant Melwyn D'sa Copy Editor Cover Image Alfida Paiva Conidon Miranda www.allitebooks.com About the author K.C.
    [Show full text]
  • Linux Kernel and Driver Development Training Slides
    Linux Kernel and Driver Development Training Linux Kernel and Driver Development Training © Copyright 2004-2021, Bootlin. Creative Commons BY-SA 3.0 license. Latest update: October 9, 2021. Document updates and sources: https://bootlin.com/doc/training/linux-kernel Corrections, suggestions, contributions and translations are welcome! embedded Linux and kernel engineering Send them to [email protected] - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 1/470 Rights to copy © Copyright 2004-2021, Bootlin License: Creative Commons Attribution - Share Alike 3.0 https://creativecommons.org/licenses/by-sa/3.0/legalcode You are free: I to copy, distribute, display, and perform the work I to make derivative works I to make commercial use of the work Under the following conditions: I Attribution. You must give the original author credit. I Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. I For any reuse or distribution, you must make clear to others the license terms of this work. I Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. Document sources: https://github.com/bootlin/training-materials/ - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 2/470 Hyperlinks in the document There are many hyperlinks in the document I Regular hyperlinks: https://kernel.org/ I Kernel documentation links: dev-tools/kasan I Links to kernel source files and directories: drivers/input/ include/linux/fb.h I Links to the declarations, definitions and instances of kernel symbols (functions, types, data, structures): platform_get_irq() GFP_KERNEL struct file_operations - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 3/470 Company at a glance I Engineering company created in 2004, named ”Free Electrons” until Feb.
    [Show full text]
  • Singularityce User Guide Release 3.8
    SingularityCE User Guide Release 3.8 SingularityCE Project Contributors Aug 16, 2021 CONTENTS 1 Getting Started & Background Information3 1.1 Introduction to SingularityCE......................................3 1.2 Quick Start................................................5 1.3 Security in SingularityCE........................................ 15 2 Building Containers 19 2.1 Build a Container............................................. 19 2.2 Definition Files.............................................. 24 2.3 Build Environment............................................ 35 2.4 Support for Docker and OCI....................................... 39 2.5 Fakeroot feature............................................. 79 3 Signing & Encryption 83 3.1 Signing and Verifying Containers.................................... 83 3.2 Key commands.............................................. 88 3.3 Encrypted Containers.......................................... 90 4 Sharing & Online Services 95 4.1 Remote Endpoints............................................ 95 4.2 Cloud Library.............................................. 103 5 Advanced Usage 109 5.1 Bind Paths and Mounts.......................................... 109 5.2 Persistent Overlays............................................ 115 5.3 Running Services............................................. 118 5.4 Environment and Metadata........................................ 129 5.5 OCI Runtime Support.......................................... 140 5.6 Plugins.................................................
    [Show full text]
  • Netcat − Network Connections Made Easy
    Netcat − network connections made easy A lot of the shell scripting I do involves piping the output of one command into another, such as: $ cat /var/log/messages | awk '{print $4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15}' | sed −e 's/\[[0−9]*\]:/:/' | sort | uniq | less which shows me the system log file after removing the timestamps and [12345] pids and removing duplicates (1000 neatly ordered unique lines is a lot easier to scan than 6000 mixed together). The above technique works well when all the processing can be done on one machine. What happens if I want to somehow send this data to another machine right in the pipe? For example, instead of viewing it with less on this machine, I want to somehow send the output to my laptop so I can view it there. Ideally, the command would look something like: $ cat /var/log/messages | awk '{print $4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15}' | sed −e 's/\[[0−9]*\]:/:/' | sort | uniq | laptop That exact syntax won't work because the shell thinks it needs to hand off the data to a program called laptop − which doesn't exist. There's a way to do it, though. Enter Netcat Netcat was written 5 years ago to perform exactly this kind of magic − allowing the user to make network connections between machines without any programming. Let's look at some examples of how it works. Let's say that I'm having trouble with a web server that's not returning the content I want for some reason.
    [Show full text]
  • Steering Connections to Sockets with BPF Socket Lookup Hook
    Steering connections to sockets with BPF socket lookup hook Jakub Sitnicki, Cloudflare @jkbs0 @cloudflare October 28-29, 2020 Who am I? ● Software Engineer at Cloudflare Spectrum TCP/UDP reverse proxy, Linux kernel, ... ● Contributor to Linux kernel networking & BPF subsystems Goal Run a TCP echo service on ports 7, 77, and 777 … using one TCP listening socket. Fun? We will need… ❏ VM running Linux kernel 5.9+ ❏ bpftool 5.9+ ❏ libbpf headers ❏ kernel headers vm $ uname -r 5.9.1-36.vanilla.1.fc32.x86_64 vm $ bpftool version bpftool v5.9.1 Code and instructions at https://github.com/jsitnicki/ebpf-summit-2020 We will need… a TCP echo server $ sudo dnf install nmap-ncat $ nc -4kle /bin/cat 127.0.0.1 7777 & Netcat + /bin/cat [1] 1289 $ ss -4tlpn sport = 7777 State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 10 127.0.0.1:7777 0.0.0.0:* users:(("nc",pid=1289,fd=3)) $ nc -4 127.0.0.1 7777 hello⏎ Test it! hello ^D Check open ports on VM external IP vm $ ip -4 addr show eth0 check VM IP 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 inet 192.168.122.221/24 brd 192.168.122.255 scope global dynamic noprefixroute eth0 valid_lft 2563sec preferred_lft 2563sec host $ nmap -sT -p 1-1000 192.168.122.221 … Not shown: 999 closed ports scan first 1000 ports PORT STATE SERVICE 22/tcp open ssh 7, 77, 777 are closed Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds What is socket lookup? socket receive Application buffer socket Receive path for local delivery lookup Protocol filter INPUT Network raw mangle nat routing conntrack forward PREROUTING PREROUTING PREROUTING decision TC Ring alloc_skb XDP ingress Buffer Driver Wikipedia - Packet flow in Netfilter and General Networking Service dispatch with BPF socket lookup packet metadata BPF program lookup result struct bpf_sk_lookup { (1) 010 (4) __u32 family; 101 Ncat socket 010 __u32 protocol; __u32 remote_ip4; (2) is (3) pick __u32 remote_port; local port echo service __u32 local_ip4; open? socket __u32 local_port; /* ..
    [Show full text]
  • SUSE Linux Enterprise Server 11 SP4 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 11 SP4
    SUSE Linux Enterprise Server 11 SP4 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 11 SP4 Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a SUSE or Novell trademark; an asterisk (*) denotes a third party trademark. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xi 1 Available Documentation xii 2 Feedback xiv 3 Documentation Conventions xv I BASICS 1 1 General Notes on System Tuning 2 1.1 Be Sure What Problem to Solve 2 1.2 Rule Out Common Problems 3 1.3 Finding the Bottleneck 3 1.4 Step-by-step Tuning 4 II SYSTEM MONITORING 5 2 System Monitoring Utilities 6 2.1 Multi-Purpose Tools 6 vmstat 7
    [Show full text]
  • Introduction to UNIX Summary of Some Useful Commands
    Introduction to UNIX "...the number of UNIX installations has grown to 10, with more expected..." - Dennis Ritchie and Ken Thompson, June 1972 (Bell Lab.) Universities, research institutes, government bodies and computer companies all began using the powerful UNIX system to develop many of the technologies which today are part of a UNIX system. Guide to UNIX on the beginners level: http://www.ee.surrey.ac.uk/Teaching/Unix/ Summary of some useful commands: Some basic UNIX commands cd directory_name change to the directory directory_name cd .. change to the directory above the current directory cd ~ change to the home directory cp file_1 file_2 copy the file file_1 to the file file_2 ln –s source linkname link the file with the name source to the file linkname ls directory_name show the content of the directory directory_name ls –l directory_name show in detail the content of the directory directory_name ls –a directory_name show all files including hidden files of the directory directory_name mkdir directory_name create the new directory directory_name less file_name show the content of the file file_name tail file_name show the last part of a file file_name head file_name show the top part of a file file_name (x)emacs file_name edit the file file_name using the editor xemacs mv file_1 to file_2 change the filename file_1 to file_2 rm –i file_name remove the file file_name (the system asks for confirmation) rm –ri directory_name remove all files recursive in the directory directory_name rmdir directory_name remove the directory directory_name
    [Show full text]
  • System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 15 SP1
    SUSE Linux Enterprise Server 15 SP1 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 15 SP1 An administrator's guide for problem detection, resolution and optimization. Find how to inspect and optimize your system by means of monitoring tools and how to eciently manage resources. Also contains an overview of common problems and solutions and of additional help and documentation resources. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xii 1 Available Documentation xiii
    [Show full text]