© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
System Forensics, Investigation, and Response
Lesson 9 Linux Forensics
Learning Objective
§ Summarize various types of digital forensics.
Key Concepts
§ Linux file systems
§ What to look for in Linux system logs
§ Forensically interesting Linux directories
§ Important Linux shell commands
§ How to undelete files from Linux
History of Linux
1969 UNIX created
1972 UNIX released
1983 GNU
History of Linux (Cont.)
1987 Minix
1991 Linux
2017 Hundreds of Linux distros
Linux Shells
Bourne shell (sh)
Bourne-again shell (Bash)
C shell (csh)
Korn shell (ksh)
Common Linux Shell Commands
Common Linux Shell Commands (Cont.)
Common Linux Shell Commands (Cont.)
GNU Network Object Model Environment (GNOME)
Courtesy of The GNOME Project
K Desktop Environment (KDE)/Plasma
Courtesy of KDE
Other Linux GUIs
§ Common Desktop Environment (CDE)
  • Originally developed in 1994 for UNIX systems
  • Based on HP’s Visual User Environment (VUE)
§ Enlightenment
  • Relatively new
  • Designed for graphics developers
Linux Boot Process
§ BIOS: POST
§ MBR: GRUB or LILO
§ Kernel: real mode to protected mode; initializes devices
Linux Boot Process (Cont.)
§ INIT
§ Runlevels
Run Levels
Logical Volume Manager
§ An abstraction layer that provides volume management for the Linux kernel
§ On a single system (like a single desktop or server), its primary role is to allow:
  • The resizing of partitions
  • The creation of backups by taking snapshots of the logical volumes
Linux Distributions
§ Open source operating system
§ Popular distributions:
  • Ubuntu
  • Red Hat Enterprise Linux (RHEL)
  • OpenSUSE
  • Debian
  • Slackware
Linux File Systems
§ Extended File System (ext)
  • Current version is 4
§ ext4 supports volumes up to 1 exabyte and single files up to 16 terabytes
§ ext3 and ext4 support three types of journaling:
  • journal (most secure)
  • ordered
  • writeback (least secure)
Linux File Systems (Cont.)
§ Reiser File System
  • Supports journaling
  • Performs well when the hard disk has a large number of smaller files
§ Berkeley Fast File System
  • Also known as UNIX File System
  • Developed at UC-Berkeley for Linux
  • Uses a bitmap to track free clusters, indicating availability
Linux Logs
Log                      Contents
/var/log/faillog         Failed user logins
/var/log/kern.log        Messages from the operating system’s kernel
/var/log/lpr.log         Items that have been printed
/var/log/mail.*          Email activity
/var/log/mysql.*         MySQL database server activity
Linux Logs (Cont.)
Log                              Contents
/var/log/apache2/*               Apache web server activity
/var/log/lighttpd/*              Lighttpd web server activity
/var/log/apport.log              Application crashes
Intrusion detection system logs  Suspicious traffic
Viewing Logs
§ Text editor in GUI
§ Any of these commands work from the shell:
  • dmesg | lpr
  • # tail -f /var/log/lpr.log
  • # less /var/log/lpr.log
  • # more -f /var/log/lpr.log
Linux Directories
§ Key directories are important to the functioning of every operating system
§ Directories are also important places to seek out evidence in an investigation
/root
§ Home directory for the root user
  • Contains data for the administrator
§ The Linux root user is equivalent to the Windows Administrator
The /bin Directory
/sbin
§ Similar to /bin
§ Contains binary files not intended for the average computer user
/etc
§ Contains configuration files, such as for web servers, boot loaders, security software, and many other applications
The /etc/inittab File
§ Sets the boot-up process and operation
  • Example: init level for the system on start-up
§ Each entry has four fields: label, run_level, action, process
§ Actions include: boot, bootwait, initdefault, sysinit
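As an added example (not from the slides), a small Python parser for the /etc/inittab entry format just described: it pulls out the initdefault run level, the entries init acts on for a given level, and the respawn entries an investigator would compare against a known-good baseline. The inittab text below is constructed for the example, not taken from a real system.

```python
from dataclasses import dataclass

@dataclass
class InittabEntry:
    label: str
    run_levels: str   # e.g. "2345"; an empty field applies to every run level
    action: str       # boot, bootwait, initdefault, sysinit, wait, respawn, ...
    process: str

# Constructed sample /etc/inittab (not copied from any real system).
SAMPLE_INITTAB = """\
# constructed example
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
1:2345:respawn:/sbin/mingetty tty1
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
"""

def parse_inittab(text):
    """Parse label:run_levels:action:process lines; skip blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)          # the process field may contain ':'
        if len(parts) != 4:
            raise ValueError(f"malformed inittab line: {raw!r}")
        entries.append(InittabEntry(*parts))
    return entries

def default_run_level(entries):
    """Run level init enters at start-up, taken from the initdefault entry."""
    for e in entries:
        if e.action == "initdefault":
            return e.run_levels
    return None

def entries_for_run_level(entries, level):
    """Entries init acts on for `level` (an empty run_levels field matches all)."""
    return [e for e in entries if e.run_levels == "" or level in e.run_levels]

def respawn_processes(entries):
    """Processes init restarts whenever they exit; compare against a baseline."""
    return [e.process for e in entries if e.action == "respawn"]

if __name__ == "__main__":
    entries = parse_inittab(SAMPLE_INITTAB)
    print("default run level:", default_run_level(entries))
    print("respawn entries:", respawn_processes(entries))
```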
/dev
§ Contains device files
  • Interfaces to devices
§ All devices should have a device file in /dev
§ Device naming conventions:
  • hd = hard drive
  • fd = floppy drive
  • cd = CD
  • Example: Main hard drive can be /dev/hd0
/mnt
§ Many devices are mounted in /mnt
§ Drives must be mounted prior to use
§ Checking this directory lets you know what is currently mounted on the system
/boot
§ Contains files critical for booting
§ The boot loader (LILO or GRUB) looks in this directory
§ Kernel images are commonly located in /boot
/usr
§ Contains subdirectories for individual users
/var and /var/spool
§ /var
  • Contains data that is changed during system operation
§ /var/spool
  • Contains the print queue
The /proc Directory
Shell Commands for Forensics
§ Linux has hundreds of shell commands
§ Some can be very useful in forensic investigations
The dmesg Command
The pstree Command
The file Command
Undeleting Linux Files: Manually
§ Move the system to single-user mode
§ Use grep or a similar command. Example: grep -b 'search-text' /dev/partition > file.txt
§ Use a command-line editor to view the file
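The recovery step above, as an added Python example that is not part of the slides: it re-implements the byte-offset search that `grep -b` performs over raw partition data and then carves the filesystem block around each hit, which is the unit at which deleted-file data actually survives. The zero-filled image, the two text fragments embedded in it and the 4096-byte block size are all constructed assumptions for the sample.

```python
import re

BLOCK_SIZE = 4096  # assumed filesystem block size for the carving step

# Constructed sample "partition image": three blocks, mostly NUL-filled, with
# two text fragments left behind by deleted files (this is not a real image).
FRAG_A = b"meeting notes: Q3 figures approved\n"
FRAG_B = b"Dear board,\nThe Q3 figures were altered on 2017-09-14.\nRegards\n"

def build_sample_image():
    img = bytearray(3 * BLOCK_SIZE)                 # all NUL bytes
    img[512:512 + len(FRAG_A)] = FRAG_A             # remnant inside block 0
    start_b = 2 * BLOCK_SIZE + 100
    img[start_b:start_b + len(FRAG_B)] = FRAG_B     # remnant inside block 2
    return bytes(img)

def find_offsets(image, needle):
    """Byte offset of every match, like `grep -a -b -o 'needle'` on raw data."""
    return [m.start() for m in re.finditer(re.escape(needle), image)]

def carve_block(image, offset, block_size=BLOCK_SIZE):
    """Return the block containing `offset`, with NUL padding stripped.

    Deleted-file data normally survives at block granularity, so the whole
    block is kept rather than only the line that matched."""
    start = offset - (offset % block_size)
    return image[start:start + block_size].strip(b"\x00")

def recover(image, needle):
    """Map each block start to the text carved from it (one entry per block,
    even when a block contains several matches)."""
    found = {}
    for off in find_offsets(image, needle):
        block_start = off - (off % BLOCK_SIZE)
        if block_start not in found:
            found[block_start] = carve_block(image, off).decode("utf-8", "replace")
    return found

if __name__ == "__main__":
    image = build_sample_image()
    for start, text in recover(image, b"Q3 figures").items():
        print(f"block at byte {start}:\n{text}")
```

In a real case the search runs against a read-only image of the partition rather than the live device, so the evidence is not altered while it is being read.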
Let’s Play: Identify the Shell Command
Command 1
§Displays the commands that have previously been entered
Answer choices:
a. dmesg b. grep c. history d. ls
Answer 1
history
Command 2
§Shows all the processes in the form of a tree structure
Answer choices:
a. ps b. pstree c. ls d. top
Answer 2
pstree
Command 3
§Takes the name you provide and returns the ID for that process; can work with partial names
Answer choices:
a. pgrep b. dd c. grep d. file
Answer 3
pgrep
Command 4
§Lists the processes in the order of how much CPU time the process is utilizing
Answer choices:
a. ps b. ls c. su d. top
Answer 4
top
Command 5
§A criminal changes a file extension. This command can identify the file.
Answer choices:
a. history b. ls c. file d. mount
Answer 5
file
Command 6
§Halts a running process based on the process ID (PID) you provide
Answer choices:
a. kill b. dmesg c. ps d. finger
Answer 6
kill
Command 7
§Invokes the super user mode
Answer choices:
a. who b. grep c. finger d. su
Answer 7
su
Command 8
§Provides information about a specific user
Answer choices:
a. finger b. who c. su d. grep
Answer 8
finger
Kali Linux
§ Has a number of forensics tools
§ Can be used as a quality control tool to complement OSForensics, FTK, or EnCase
§ Includes Autopsy, a web-based graphical user interface for the command-line tool Sleuth Kit
Autopsy
Autopsy (Cont.)
Autopsy (Cont.)
Autopsy (Cont.)
Summary
§ Linux file systems
§ What to look for in Linux system logs
§ Forensically interesting Linux directories
§ Important Linux shell commands
§ How to undelete files from Linux