SlideShare a Scribd company logo

Forensic3e ppt ch09

S
Skillspire LLC

cybersecurity

Education
1 of 62
© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. System Forensics, Investigation, and Response Lesson 9 Linux Forensics
Page 2 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Learning Objective  Understand the fundamentals of Linux.  Understand how to extricate data from a Linux computer.
Page 3 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Key Concepts  Linux file systems  What to look for in Linux system logs  Forensically interesting Linux directories  Important Linux shell commands  How to undelete files from Linux
Page 4 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. History of Linux 1969 UNIX created 1972 UNIX released 1983 GNU
Page 5 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. History of Linux (Cont.) 1987 Minix 1991 Linux 2017 Hundreds of Linux distros
Page 6 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Shells Bourne shell (sh) Bourne-again shell (Bash) C shell (csh) Korn shell (ksh)
Page 7 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Common Linux Shell Commands
Page 8 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Common Linux Shell Commands (Cont.)
Page 9 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Common Linux Shell Commands (Cont.)
Page 10 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. GNU Network Object Model Environment (GNOME) Courtesy of The GNOME Project
Page 11 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. K Desktop Environment (KDE)/Plasma Courtesy of TKDE
Page 12 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Other Linux GUIs Common Desktop Environment (CDE) • Originally developed in 1994 for UNIX systems • Based on HP’s Visual User Environment (VUE) Enlightenment • Relatively new • Designed for graphics developers
Page 13 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Boot Process Kernel Initializes devices Real mode to protected mode MBR GRUB LILO BIOS POST
Page 14 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Boot Process (Cont.) Runlevels INIT
Page 15 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Run Levels
Page 16 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Logical Volume Manager An abstraction layer that provides volume management for the Linux kernel On a single system (like a single desktop or server), primary role is to allow: • The resizing of partitions • The creation of backups by taking snapshots of the logical volumes
Page 17 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Distributions Open source operating system Popular distributions: • Ubuntu • Red Hat Enterprise Linux (RHEL) • OpenSUSE • Fedora • Debian • Slackware
Page 18 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux File Systems Extended File System (ext) • Current version is 4 ext4 supports volumes up to 1 exabyte and single files up to 16 terabytes ext3 and ext4 support three types of journaling: • journal (most secure) • ordered • writeback (least secure)
Page 19 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux File Systems (Cont.) Reiser File System • Supports journaling • Performs well when hard disk has large number of smaller files Berkeley Fast File System • Also known as UNIX File System • Developed at UC-Berkeley for Linux • Uses a bitmap to track free clusters, indicating availability
Page 20 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Logs Log Contents /var/log/faillog Failed user logins /var/log/kern.log Messages from the operating system’s kernel /var/log/lpr.log Items that have been printed /var/log/mail.* Email activity /var/log/mysql.* MySQL database server activity
Page 21 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Logs (Cont.) Log Contents /var/log/apache2/* Apache web server activity /var/log/lighttpd/* Lighttpd web server activity /var/log/apport.log Application crashes Intrusion detection system logs Suspicious traffic
Page 22 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Viewing Logs Text editor in GUI Any of these commands work from the shell: • dmesg | lpr • # tail -f /var/log/lpr.log • # less /var/log/ lpr.log • # more -f /var/log/ lpr.log
Page 23 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Directories Key directories are important to the functioning of every operating system Directories are also important places to seek out evidence in an investigation
Page 24 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /root Home directory for the root user • Contains data for the administrator Linux root user is equivalent to Windows Administrator
Page 25 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The /bin Directory
Page 26 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /sbin Similar to /bin Contains binary files not intended for the average computer user
Page 27 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /etc Contains configuration files, such as for web servers, boot loaders, security software, and many other applications
Page 28 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /etcinittab File Sets boot-up process and operation • Example: init level for the system on start-up label run_level action:a process boot bootwait initdefault sysinit
Page 29 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /dev Contains device files • Interfaces to devices All devices should have a device file in /dev Device naming conventions: • hd = hard drive • fd = floppy drive • cd = CD • Example: Main hard drive can be /dev/hd0
Page 30 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /mnt Many devices are mounted in /mnt Drives must be mounted prior to use Checking this directory lets you know what is currently mounted on system
Page 31 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /boot Contains files critical for booting Boot loader (LILO or GRUB) looks in this directory Kernel images commonly located in /boot
Page 32 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /usr Contains subdirectories for individual users
Page 33 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /var and /varspool /var • Contains data that is changed during system operation /varspool • Contains the print queue
Page 34 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The /proc Directory
Page 35 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Shell Commands for Forensics Linux has hundreds of shell commands Some can be very useful in forensic investigations
Page 36 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The dmesg Command
Page 37 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The pstree Command
Page 38 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The file Command
Page 39 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Undeleting Linux Files: Manually Move system to single-user mode Use grep or similar command Example: grep -b ‘search-text’ /dev/partition > file.txt Use command-line editor to view file
Page 40 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Let’s Play: Identify the Shell Command
Page 41 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 1 Displays the commands that have previously been entered Answer choices: a. dmesg b. grep c. history d. ls
Page 42 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 1 history
Page 43 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 2 Shows all the processes in the form of a tree structure Answer choices: a. ps b. pstree c. ls d. top
Page 44 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 2 pstree
Page 45 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 3 Takes the name you provide and returns the ID for that process; can work with partial names Answer choices: a. pgrep b. dd c. grep d. file
Page 46 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 3 pgrep
Page 47 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 4 Lists the processes in the order of how much CPU time the process is utilizing Answer choices: a. ps b. ls c. su d. top
Page 48 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 4 top
Page 49 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 5 A criminal changes a file extension. This command can identify the file. Answer choices: a. history b. ls c. file d. mount
Page 50 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 5 file
Page 51 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 6 Halts a running process based on the process ID (PID) you provide Answer choices: a. kill b. dmesg c. ps d. finger
Page 52 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 6 kill
Page 53 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 7 Invokes the super user mode Answer choices: a. who b. grep c. finger d. su
Page 54 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 7 su
Page 55 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 8 Provides information about a specific user Answer choices: a. finger b. who c. su d. grep
Page 56 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 8 finger
Page 57 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Kali Linux Has a number of forensics tools Can use as quality control tool to complement OSForensics, FTK, or Encase Includes Autopsy, a web-based graphical user interface for the command-line tool Sleuth Kit
Page 58 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy
Page 59 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy (Cont.)
Page 60 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy (Cont.)
Page 61 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy (Cont.)
Page 62 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Summary Linux file systems What to look for in Linux system logs Forensically interesting Linux directories Important Linux shell commands How to undelete files from Linux

Recommended

Forensic3e ppt ch06
Forensic3e ppt ch06Forensic3e ppt ch06
Forensic3e ppt ch06Skillspire LLC
 
Forensic3e ppt ch08
Forensic3e ppt ch08Forensic3e ppt ch08
Forensic3e ppt ch08Skillspire LLC
 
Funsec3e ppt ch10
Funsec3e ppt ch10Funsec3e ppt ch10
Funsec3e ppt ch10Skillspire LLC
 
Funsec3e ppt ch07
Funsec3e ppt ch07Funsec3e ppt ch07
Funsec3e ppt ch07Skillspire LLC
 
Forensic3e ppt ch03
Forensic3e ppt ch03Forensic3e ppt ch03
Forensic3e ppt ch03Skillspire LLC
 
Forensic3e ppt ch13
Forensic3e ppt ch13Forensic3e ppt ch13
Forensic3e ppt ch13Skillspire LLC
 
Hacking3e ppt ch02
Hacking3e ppt ch02Hacking3e ppt ch02
Hacking3e ppt ch02Skillspire LLC
 
Funsec3e ppt ch06
Funsec3e ppt ch06Funsec3e ppt ch06
Funsec3e ppt ch06Skillspire LLC
 

Recommended

Forensic3e ppt ch06
Forensic3e ppt ch06Forensic3e ppt ch06
Forensic3e ppt ch06Skillspire LLC
 
Forensic3e ppt ch08
Forensic3e ppt ch08Forensic3e ppt ch08
Forensic3e ppt ch08Skillspire LLC
 
Funsec3e ppt ch10
Funsec3e ppt ch10Funsec3e ppt ch10
Funsec3e ppt ch10Skillspire LLC
 
Funsec3e ppt ch07
Funsec3e ppt ch07Funsec3e ppt ch07
Funsec3e ppt ch07Skillspire LLC
 
Forensic3e ppt ch03
Forensic3e ppt ch03Forensic3e ppt ch03
Forensic3e ppt ch03Skillspire LLC
 
Forensic3e ppt ch13
Forensic3e ppt ch13Forensic3e ppt ch13
Forensic3e ppt ch13Skillspire LLC
 
Hacking3e ppt ch02
Hacking3e ppt ch02Hacking3e ppt ch02
Hacking3e ppt ch02Skillspire LLC
 
Funsec3e ppt ch06
Funsec3e ppt ch06Funsec3e ppt ch06
Funsec3e ppt ch06Skillspire LLC
 
Forensic3e ppt ch07
Forensic3e ppt ch07Forensic3e ppt ch07
Forensic3e ppt ch07Skillspire LLC
 
Funsec3e ppt ch11
Funsec3e ppt ch11Funsec3e ppt ch11
Funsec3e ppt ch11Skillspire LLC
 
Funsec3e ppt ch13
Funsec3e ppt ch13Funsec3e ppt ch13
Funsec3e ppt ch13Skillspire LLC
 
Funsec3e ppt ch03
Funsec3e ppt ch03Funsec3e ppt ch03
Funsec3e ppt ch03Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 12
Fundamentals of Information Systems Security Chapter 12Fundamentals of Information Systems Security Chapter 12
Fundamentals of Information Systems Security Chapter 12Dr. Ahmed Al Zaidy
 
Hacking3e ppt ch10
Hacking3e ppt ch10Hacking3e ppt ch10
Hacking3e ppt ch10Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Dr. Ahmed Al Zaidy
 
Hacking3e ppt ch01
Hacking3e ppt ch01Hacking3e ppt ch01
Hacking3e ppt ch01Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 15
Fundamentals of Information Systems Security Chapter 15Fundamentals of Information Systems Security Chapter 15
Fundamentals of Information Systems Security Chapter 15Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13Dr. Ahmed Al Zaidy
 
Funsec3e ppt ch14
Funsec3e ppt ch14Funsec3e ppt ch14
Funsec3e ppt ch14Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 14
Fundamentals of Information Systems Security Chapter 14Fundamentals of Information Systems Security Chapter 14
Fundamentals of Information Systems Security Chapter 14Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 10
Fundamentals of Information Systems Security Chapter 10Fundamentals of Information Systems Security Chapter 10
Fundamentals of Information Systems Security Chapter 10Dr. Ahmed Al Zaidy
 
Hacking3e ppt ch13
Hacking3e ppt ch13Hacking3e ppt ch13
Hacking3e ppt ch13Skillspire LLC
 
Funsec3e ppt ch05
Funsec3e ppt ch05Funsec3e ppt ch05
Funsec3e ppt ch05Skillspire LLC
 
Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Dr. Ahmed Al Zaidy
 
Open Source: The Lifeblood of iXsystems
Open Source: The Lifeblood of iXsystemsOpen Source: The Lifeblood of iXsystems
Open Source: The Lifeblood of iXsystemsJoshua Smith
 
Foss Presentation
Foss PresentationFoss Presentation
Foss PresentationAhmed Mekkawy
 

More Related Content

What's hot

Fundamentals of Information Systems Security Chapter 12
Fundamentals of Information Systems Security Chapter 12Fundamentals of Information Systems Security Chapter 12
Fundamentals of Information Systems Security Chapter 12Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 15
Fundamentals of Information Systems Security Chapter 15Fundamentals of Information Systems Security Chapter 15
Fundamentals of Information Systems Security Chapter 15Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 14
Fundamentals of Information Systems Security Chapter 14Fundamentals of Information Systems Security Chapter 14
Fundamentals of Information Systems Security Chapter 14Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 10
Fundamentals of Information Systems Security Chapter 10Fundamentals of Information Systems Security Chapter 10
Fundamentals of Information Systems Security Chapter 10Dr. Ahmed Al Zaidy
 
Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Dr. Ahmed Al Zaidy
 

What's hot (20)

Forensic3e ppt ch07
Forensic3e ppt ch07Forensic3e ppt ch07
Forensic3e ppt ch07
 
Funsec3e ppt ch11
Funsec3e ppt ch11Funsec3e ppt ch11
Funsec3e ppt ch11
 
Funsec3e ppt ch13
Funsec3e ppt ch13Funsec3e ppt ch13
Funsec3e ppt ch13
 
Funsec3e ppt ch03
Funsec3e ppt ch03Funsec3e ppt ch03
Funsec3e ppt ch03
 
Fundamentals of Information Systems Security Chapter 12
Fundamentals of Information Systems Security Chapter 12Fundamentals of Information Systems Security Chapter 12
Fundamentals of Information Systems Security Chapter 12
 
Hacking3e ppt ch10
Hacking3e ppt ch10Hacking3e ppt ch10
Hacking3e ppt ch10
 
Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6Fundamentals of Information Systems Security Chapter 6
Fundamentals of Information Systems Security Chapter 6
 
Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3
 
Hacking3e ppt ch01
Hacking3e ppt ch01Hacking3e ppt ch01
Hacking3e ppt ch01
 
Fundamentals of Information Systems Security Chapter 15
Fundamentals of Information Systems Security Chapter 15Fundamentals of Information Systems Security Chapter 15
Fundamentals of Information Systems Security Chapter 15
 
Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13Fundamentals of Information Systems Security Chapter 13
Fundamentals of Information Systems Security Chapter 13
 
Funsec3e ppt ch14
Funsec3e ppt ch14Funsec3e ppt ch14
Funsec3e ppt ch14
 
Fundamentals of Information Systems Security Chapter 14
Fundamentals of Information Systems Security Chapter 14Fundamentals of Information Systems Security Chapter 14
Fundamentals of Information Systems Security Chapter 14
 
Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2 Fundamentals of Information Systems Security Chapter 2
Fundamentals of Information Systems Security Chapter 2
 
Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1Fundamentals of Information Systems Security Chapter 1
Fundamentals of Information Systems Security Chapter 1
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11
 
Fundamentals of Information Systems Security Chapter 10
Fundamentals of Information Systems Security Chapter 10Fundamentals of Information Systems Security Chapter 10
Fundamentals of Information Systems Security Chapter 10
 
Hacking3e ppt ch13
Hacking3e ppt ch13Hacking3e ppt ch13
Hacking3e ppt ch13
 
Funsec3e ppt ch05
Funsec3e ppt ch05Funsec3e ppt ch05
Funsec3e ppt ch05
 
Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8
 

Similar to Forensic3e ppt ch09

Open Source: The Lifeblood of iXsystems
Open Source: The Lifeblood of iXsystemsOpen Source: The Lifeblood of iXsystems
Open Source: The Lifeblood of iXsystemsJoshua Smith
 
exp_1_20bca1108(kashish_dixit.docx
exp_1_20bca1108(kashish_dixit.docxexp_1_20bca1108(kashish_dixit.docx
exp_1_20bca1108(kashish_dixit.docxApkaAmitbro
 
Be Free Be Linux
Be Free Be LinuxBe Free Be Linux
Be Free Be Linuxaboelnour
 
exp_1_20bca1066 Internet.docx
exp_1_20bca1066 Internet.docxexp_1_20bca1066 Internet.docx
exp_1_20bca1066 Internet.docxApkaAmitbro
 
OS Lab: Introduction to Linux
OS Lab: Introduction to LinuxOS Lab: Introduction to Linux
OS Lab: Introduction to LinuxMotaz Saad
 
Programming and problem solving 3
Programming and problem solving 3Programming and problem solving 3
Programming and problem solving 3sushruth kamarushi
 
Linux directory structure by jitu mistry
Linux directory structure by jitu mistryLinux directory structure by jitu mistry
Linux directory structure by jitu mistryJITU MISTRY
 
Fight with linux reverse
Fight with linux reverseFight with linux reverse
Fight with linux reversechao yang
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)Wail Hassan
 
Intro tounix (1)
Intro tounix (1)Intro tounix (1)
Intro tounix (1)Raj Mirje
 
Linux a free and open source operating system
Linux a free and open source operating systemLinux a free and open source operating system
Linux a free and open source operating systembanwait
 
Linux a free and open source operating system
Linux a free and open source operating systemLinux a free and open source operating system
Linux a free and open source operating systembanwait
 

Similar to Forensic3e ppt ch09 (20)

Open Source: The Lifeblood of iXsystems
Open Source: The Lifeblood of iXsystemsOpen Source: The Lifeblood of iXsystems
Open Source: The Lifeblood of iXsystems
 
Foss Presentation
Foss PresentationFoss Presentation
Foss Presentation
 
Linux concept workshop
Linux concept workshopLinux concept workshop
Linux concept workshop
 
Linux training
Linux trainingLinux training
Linux training
 
Linux
Linux Linux
Linux
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktraining
 
exp_1_20bca1108(kashish_dixit.docx
exp_1_20bca1108(kashish_dixit.docxexp_1_20bca1108(kashish_dixit.docx
exp_1_20bca1108(kashish_dixit.docx
 
Be Free Be Linux
Be Free Be LinuxBe Free Be Linux
Be Free Be Linux
 
Linux technology
Linux technologyLinux technology
Linux technology
 
File000127
File000127File000127
File000127
 
exp_1_20bca1066 Internet.docx
exp_1_20bca1066 Internet.docxexp_1_20bca1066 Internet.docx
exp_1_20bca1066 Internet.docx
 
OS Lab: Introduction to Linux
OS Lab: Introduction to LinuxOS Lab: Introduction to Linux
OS Lab: Introduction to Linux
 
Linux
Linux Linux
Linux
 
Programming and problem solving 3
Programming and problem solving 3Programming and problem solving 3
Programming and problem solving 3
 
Linux directory structure by jitu mistry
Linux directory structure by jitu mistryLinux directory structure by jitu mistry
Linux directory structure by jitu mistry
 
Fight with linux reverse
Fight with linux reverseFight with linux reverse
Fight with linux reverse
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)
 
Intro tounix (1)
Intro tounix (1)Intro tounix (1)
Intro tounix (1)
 
Linux a free and open source operating system
Linux a free and open source operating systemLinux a free and open source operating system
Linux a free and open source operating system
 
Linux a free and open source operating system
Linux a free and open source operating systemLinux a free and open source operating system
Linux a free and open source operating system
 

More from Skillspire LLC

Introduction to analytics
Introduction to analyticsIntroduction to analytics
Introduction to analyticsSkillspire LLC
 

More from Skillspire LLC (20)

Logistics
LogisticsLogistics
Logistics
 
Introduction to analytics
Introduction to analyticsIntroduction to analytics
Introduction to analytics
 
Lecture 31
Lecture 31Lecture 31
Lecture 31
 
Lecture 30
Lecture 30Lecture 30
Lecture 30
 
Lecture 29
Lecture 29Lecture 29
Lecture 29
 
Review
ReviewReview
Review
 
Review version 4
Review version 4Review version 4
Review version 4
 
Review version 3
Review version 3Review version 3
Review version 3
 
Review version 2
Review version 2Review version 2
Review version 2
 
Lecture 25
Lecture 25Lecture 25
Lecture 25
 
Lecture 24
Lecture 24Lecture 24
Lecture 24
 
Lecture 23 p1
Lecture 23 p1Lecture 23 p1
Lecture 23 p1
 
Lecture 21
Lecture 21Lecture 21
Lecture 21
 
Lecture 17
Lecture 17Lecture 17
Lecture 17
 
Lecture 16
Lecture 16Lecture 16
Lecture 16
 
Lecture 15
Lecture 15Lecture 15
Lecture 15
 
Lecture 14
Lecture 14Lecture 14
Lecture 14
 
Lecture 14
Lecture 14Lecture 14
Lecture 14
 
Lecture 13
Lecture 13Lecture 13
Lecture 13
 
Lecture 12
Lecture 12Lecture 12
Lecture 12
 

Recently uploaded

Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 

Recently uploaded (20)

Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 

Forensic3e ppt ch09

  • 1. © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. System Forensics, Investigation, and Response Lesson 9 Linux Forensics
  • 2. Page 2 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Learning Objective  Understand the fundamentals of Linux.  Understand how to extricate data from a Linux computer.
  • 3. Page 3 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Key Concepts  Linux file systems  What to look for in Linux system logs  Forensically interesting Linux directories  Important Linux shell commands  How to undelete files from Linux
  • 4. Page 4 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. History of Linux 1969 UNIX created 1972 UNIX released 1983 GNU
  • 5. Page 5 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. History of Linux (Cont.) 1987 Minix 1991 Linux 2017 Hundreds of Linux distros
  • 6. Page 6 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Shells Bourne shell (sh) Bourne-again shell (Bash) C shell (csh) Korn shell (ksh)
  • 7. Page 7 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Common Linux Shell Commands
  • 8. Page 8 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Common Linux Shell Commands (Cont.)
  • 9. Page 9 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Common Linux Shell Commands (Cont.)
  • 10. Page 10 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. GNU Network Object Model Environment (GNOME) Courtesy of The GNOME Project
  • 11. Page 11 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. K Desktop Environment (KDE)/Plasma Courtesy of TKDE
  • 12. Page 12 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Other Linux GUIs Common Desktop Environment (CDE) • Originally developed in 1994 for UNIX systems • Based on HP’s Visual User Environment (VUE) Enlightenment • Relatively new • Designed for graphics developers
  • 13. Page 13 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Boot Process Kernel Initializes devices Real mode to protected mode MBR GRUB LILO BIOS POST
  • 14. Page 14 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Boot Process (Cont.) Runlevels INIT
  • 15. Page 15 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Run Levels
  • 16. Page 16 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Logical Volume Manager An abstraction layer that provides volume management for the Linux kernel On a single system (like a single desktop or server), primary role is to allow: • The resizing of partitions • The creation of backups by taking snapshots of the logical volumes
  • 17. Page 17 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Distributions Open source operating system Popular distributions: • Ubuntu • Red Hat Enterprise Linux (RHEL) • OpenSUSE • Fedora • Debian • Slackware
  • 18. Page 18 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux File Systems Extended File System (ext) • Current version is 4 ext4 supports volumes up to 1 exabyte and single files up to 16 terabytes ext3 and ext4 support three types of journaling: • journal (most secure) • ordered • writeback (least secure)
  • 19. Page 19 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux File Systems (Cont.) Reiser File System • Supports journaling • Performs well when hard disk has large number of smaller files Berkeley Fast File System • Also known as UNIX File System • Developed at UC-Berkeley for Linux • Uses a bitmap to track free clusters, indicating availability
  • 20. Page 20 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Logs Log Contents /var/log/faillog Failed user logins /var/log/kern.log Messages from the operating system’s kernel /var/log/lpr.log Items that have been printed /var/log/mail.* Email activity /var/log/mysql.* MySQL database server activity
  • 21. Page 21 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Logs (Cont.) Log Contents /var/log/apache2/* Apache web server activity /var/log/lighttpd/* Lighttpd web server activity /var/log/apport.log Application crashes Intrusion detection system logs Suspicious traffic
  • 22. Page 22 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Viewing Logs Text editor in GUI Any of these commands work from the shell: • dmesg | lpr • # tail -f /var/log/lpr.log • # less /var/log/ lpr.log • # more -f /var/log/ lpr.log
  • 23. Page 23 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Linux Directories Key directories are important to the functioning of every operating system Directories are also important places to seek out evidence in an investigation
  • 24. Page 24 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /root Home directory for the root user • Contains data for the administrator Linux root user is equivalent to Windows Administrator
  • 25. Page 25 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The /bin Directory
  • 26. Page 26 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /sbin Similar to /bin Contains binary files not intended for the average computer user
  • 27. Page 27 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /etc Contains configuration files, such as for web servers, boot loaders, security software, and many other applications
  • 28. Page 28 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /etcinittab File Sets boot-up process and operation • Example: init level for the system on start-up label run_level action:a process boot bootwait initdefault sysinit
  • 29. Page 29 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /dev Contains device files • Interfaces to devices All devices should have a device file in /dev Device naming conventions: • hd = hard drive • fd = floppy drive • cd = CD • Example: Main hard drive can be /dev/hd0
  • 30. Page 30 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /mnt Many devices are mounted in /mnt Drives must be mounted prior to use Checking this directory lets you know what is currently mounted on system
  • 31. Page 31 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /boot Contains files critical for booting Boot loader (LILO or GRUB) looks in this directory Kernel images commonly located in /boot
  • 32. Page 32 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /usr Contains subdirectories for individual users
  • 33. Page 33 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. /var and /varspool /var • Contains data that is changed during system operation /varspool • Contains the print queue
  • 34. Page 34 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The /proc Directory
  • 35. Page 35 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Shell Commands for Forensics Linux has hundreds of shell commands Some can be very useful in forensic investigations
  • 36. Page 36 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The dmesg Command
  • 37. Page 37 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The pstree Command
  • 38. Page 38 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The file Command
  • 39. Page 39 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Undeleting Linux Files: Manually Move system to single-user mode Use grep or similar command Example: grep -b ‘search-text’ /dev/partition > file.txt Use command-line editor to view file
  • 40. Page 40 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Let’s Play: Identify the Shell Command
  • 41. Page 41 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 1 Displays the commands that have previously been entered Answer choices: a. dmesg b. grep c. history d. ls
  • 42. Page 42 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 1 history
  • 43. Page 43 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 2 Shows all the processes in the form of a tree structure Answer choices: a. ps b. pstree c. ls d. top
  • 44. Page 44 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 2 pstree
  • 45. Page 45 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 3 Takes the name you provide and returns the ID for that process; can work with partial names Answer choices: a. pgrep b. dd c. grep d. file
  • 46. Page 46 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 3 pgrep
  • 47. Page 47 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 4 Lists the processes in the order of how much CPU time the process is utilizing Answer choices: a. ps b. ls c. su d. top
  • 48. Page 48 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 4 top
  • 49. Page 49 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 5 A criminal changes a file extension. This command can identify the file. Answer choices: a. history b. ls c. file d. mount
  • 50. Page 50 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 5 file
  • 51. Page 51 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 6 Halts a running process based on the process ID (PID) you provide Answer choices: a. kill b. dmesg c. ps d. finger
  • 52. Page 52 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 6 kill
  • 53. Page 53 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 7 Invokes the super user mode Answer choices: a. who b. grep c. finger d. su
  • 54. Page 54 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 7 su
  • 55. Page 55 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Command 8 Provides information about a specific user Answer choices: a. finger b. who c. su d. grep
  • 56. Page 56 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Answer 8 finger
  • 57. Page 57 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Kali Linux Has a number of forensics tools Can use as quality control tool to complement OSForensics, FTK, or Encase Includes Autopsy, a web-based graphical user interface for the command-line tool Sleuth Kit
  • 58. Page 58 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy
  • 59. Page 59 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy (Cont.)
  • 60. Page 60 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy (Cont.)
  • 61. Page 61 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Autopsy (Cont.)
  • 62. Page 62 System Forensics, Investigation, and Response © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Summary Linux file systems What to look for in Linux system logs Forensically interesting Linux directories Important Linux shell commands How to undelete files from Linux