Linux forensics refers to performing forensic investigation on a Linux operated device. To do so, the investigators should have a good understanding on the techniques required to conduct live analysis; to collect volatile and non-volatile data, along with knowledge of various shell commands and the information they can retrieve. The investigators should also be aware of the Linux log files, their storage and location in the directory, as they are the most important sources of information to trace down the attacker. This module will walk you through the various shell commands, methods to collect volatile data, the different log files and the information they provide.
Shall Commands
Investigators use the shell commands in Linux for collecting information from the system. Some of the frequently used commands include:
1. dmesg
The command dmesg is the short for display message or ‘Driver Message’. The command displays the kernel ring buffers, which contains the information about the drivers loaded into kernel during boot process and error messages produced at the time of loading the drivers into kernel. These messages are helpful in resolving the restoring the device’s driver issues.
Syntax: dmesg options
dmesg | grep –i ethO (Displays hardware information of the Ethernet port eth0)
2. fsck
The command fsck, is meant for File System Consistency Check. It is a tool to check the consistency of Linux file system and repair.
Syntax: fsck —A (Checks all configured filesystems)
3. Stat
Displays file or file system status.
Syntax: stat [OPTION]… FILE…
4. history
The command history checks and lists the Bash shell commands used. This command helps the users for auditing purposes.
Syntax: history n (Lists the last n commands)
5. mount
The command mount causes mounting of a file system or a device to the directory structure, making it accessible by the system.
Syntax: mount -t type device dir (Requests kernel to attach the file system found on device of type type at the directory dir)
Related Product : Computer Hacking Forensic Investigator | CHFI
Linux Log Files
Log files are records of all the activities performed over an operating system. Linux log files store information about the system’s kernel and the services running in the system. In Linux OS, different log files hold different information, which helps the investigators to analyze various issues during a security incident.
Investigators should learn and understand about the contents of various log files, which will help them during security incidents and help them understand the locations they might have to look for finding potential evidences.
Below mentioned are some locations for Linux log files, which can help the investigators to find out the required data and resolve the issues. Additional log locations include:
/var./log/messages: Global system messages
/var/log/dmesg: Kernel ring buffer information
/var/log/cron: Information about the cron job in this file
/va 00g/user.Jog: All user level logs
/vra /log/lastlog: Recent login information
/var/log/boot.log: Information logged on system boots
Collecting Volatile Data (cont’d)
1. .bash_history
The .bash history file stores the command history. These file helps the investigator to analyze the commands used in the terminal by the malicious user.
2. /proc
The /proc/ directory is also known as proc file system. The directory comprises of the order of special files that represent the current state of a kernel. Investigators can find the information of the systems hardware and the processes running them. The proc file system acts as interface for the internal data structures within the kernel.
3. Ps
The command ps is the short notation for “process status”. The command is used to view the list of processes running in the system. It provides a snapshot of the current processes along with detailed information of user Id, CPU usage, memory usage, command name, etc. Investigators can check for the tree to determine any suspicious processes and dependencies.
Investigators need detailed information and evidences to solve the case with ease. The above commands provide ample information about the non-volatile data on a Linux machine. The investigator can decide which information needs to be extracted from the configuration files, or which information about (or from) files needs to be collected for additional analysis because in some cases the attacker could be actively logged into the system during the investigation. In such cases, the investigator may decide to track the attacker.
The investigator must also preserve certain important information from being modified or deleted. This includes safeguarding the non-volatile information of the system, including firewall logs, swap files, antivirus logs, slack space, and unallocated drive space. To preserve the integrity of the evidence, a chain of custody is prepared and the collected evidence is documented for further investigation.
Also Read : Introduction of Event Logs Analysis
4. Swap Space
Linux operating system allocates certain amount of storage space on a hard disk called Swap Space. OS uses as the virtual memory extension of a computer’s real memory (RAM). The OS splits physical RAM into bits/chunks of memory called pages. Having a swap space allows your computer’s operating system to pretend that you have more RAM than you actually do. The least recently used pages in RAM can be “swapped out” to your hard disk until they are needed later, so that new files can be “swapped ink’ to RAM. In larger operating systems (such as IBM’s OS/390) the swapping is called paging.
One advantage of a swap space is, the ability to organize itself as a single contiguous space so that the system can operate it using fewer I/O operations to read or write a complete file. In general, Windows and UNIX-based operating systems provide a default swap space of a certain size that the user or a system administrator can change.
Questions related to this topic
- Where are user files stored in Linux?
- How do I view log files in Linux?
- Which directory in the file structure holds the printer details in Unix?
- How do I see the last 10 lines of a file in Linux?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
