This document provides an overview of a workshop on forensic artifacts in modern Linux systems. It will cover topics such as partitions and filesystems, boot loaders, the Linux file system layout, systemd configuration for services and scheduled tasks, installed software and packages, log files and the systemd journal. The workshop format will involve both presentations and demonstrations of analyzing disk images and artifacts. It is aimed at forensic investigators and showing what can be discovered from compromised, criminal, or seized Linux systems.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
in presentation we will describe the difference between standalone wincollect & manages wincollect for IBM QRadar.
the information in this presentation can be used by anyone :)
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demand the acquisition of the largest amount information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers, non-enlightened investigators all have the ability to impact the amount useful information we have at our disposal. Michael will show the audience real world scenarios detailing how Anti-forensics tools are used to
hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by discussion of hands-on identification and prevention
practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
Cloud Forensics...this presentation shows you the current state of progress and challenges that stand today in the world of CLOUD FORENSICS.Based on lots of Google search and whites by Josiah Dykstra and Alan Sherman.The presentation builds right from basics and compares the conflicting requirements between traditional and Clod Forensics.
Windows Registry Forensics with Volatility FrameworkKapil Soni
Windows Registry Forensics is the most important part of Memory Forensics Investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well find the evidence easily.
Windows Registry Forensics (WRF) is a one of most important part on malware analysis. The changes made due to malware on Windows that reflect on Registry.
If attacker tried to make changes on Windows OS so all the logs like opening, deleting, modifying folder or file as well if attacker executed a file like .exe , everything is stores in Windows Registry that helps investigator to catch cyber criminal.
Welcome to the Live Memory Forensics class!
This is an introduction to live memory forensics
It is designed for the investigator who has digital forensic experience, and who has intermediate ability with the Microsoft Windows operating system
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
in presentation we will describe the difference between standalone wincollect & manages wincollect for IBM QRadar.
the information in this presentation can be used by anyone :)
Ultimately, in a forensic examination, we are investigating the action of a Person
Almost every event or action on a system is the result of a user either doing something
Many events change the state of the Operating System (OS)
OS Forensics helps understand how system changes correlate to events resulting from the action of somebody in the real world
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
Reliance on forensic investigation of information systems has become a daily requirement for law enforcement and security practitioners around the world.
Effective evidence collection and analysis is the foundation of any investigation; identification of suspects, motives and methods demand the acquisition of the largest amount information that evidence can provide us. Anti-Forensics – Real world identification, analysis and prevention will discuss how criminals, attackers, non-enlightened investigators all have the ability to impact the amount useful information we have at our disposal. Michael will show the audience real world scenarios detailing how Anti-forensics tools are used to
hide and destroy incriminating evidence, outlining common anti-forensic techniques. This will be followed by discussion of hands-on identification and prevention
practices used to raise awareness around current academic research and identify potential solutions for practitioners and law enforcement organizations.
Cloud Forensics...this presentation shows you the current state of progress and challenges that stand today in the world of CLOUD FORENSICS.Based on lots of Google search and whites by Josiah Dykstra and Alan Sherman.The presentation builds right from basics and compares the conflicting requirements between traditional and Clod Forensics.
Windows Registry Forensics with Volatility FrameworkKapil Soni
Windows Registry Forensics is the most important part of Memory Forensics Investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well find the evidence easily.
Windows Registry Forensics (WRF) is a one of most important part on malware analysis. The changes made due to malware on Windows that reflect on Registry.
If attacker tried to make changes on Windows OS so all the logs like opening, deleting, modifying folder or file as well if attacker executed a file like .exe , everything is stores in Windows Registry that helps investigator to catch cyber criminal.
Welcome to the Live Memory Forensics class!
This is an introduction to live memory forensics
It is designed for the investigator who has digital forensic experience, and who has intermediate ability with the Microsoft Windows operating system
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
Basics of Linux Commands, Git and GithubDevang Garach
Teachers Day 2020 - Basics of Linux Commands, Git and Github
History of Linux? (Fast Forward)
Brief overview of Linux OS files/ folders system
Basics Commands on Linux (Useful in daily routine)
What is Git? How to use?
Difference between Git and GitHub
How can we host HTML based website,
and to get github.io domain, Free of cost ₹ 0/-
It is an overview about the Linux operating system and more beneficial to the students of BSCIT and BSCCS and other computerr related courses. It will provide you all the main points of about Linux in short and sweet language.
It is the File system that is contained on the same partition on which the "Root directory" is located. It is the File system on which all the other file systems are mounted
A File Structure should be according to a required format that the operating system can understand.
A file has a certain defined structure according to its type.
A text file is a sequence of characters organized into lines.
A source file is a sequence of procedures and functions.
An object file is a sequence of bytes organized into blocks that are understandable by the machine.
File Type
File type refers to the ability of the operating system to distinguish different types of file such as text files source files and binary files etc. Many operating systems support many types of files. Operating system like MS-DOS and UNIX have the following types of files −
Ordinary files
These are the files that contain user information.
These may have text, databases or executable program.
The user can apply various operations on such files like add, modify, delete or even remove the entire file.
Directory files
These files contain list of file names and other information related to these files.
Special files
These files are also known as device files.
These files represent physical device like disks, terminals, printers, networks, tape drive etc.
Linux administration classes in mumbai
best Linux administration classes in mumbai with job assistance.
our features are:
expert guidance by it industry professionals
lowest fees of 5000
practical exposure to handle projects
well equiped lab
after course resume writing guidance
Similar to Forensic artifacts in modern linux systems (20)
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Forensic artifacts in modern linux systems
1. Forensic Artifacts in Modern Linux Systems
Prof. Dr. Bruce Nikkel
M
Division of Computer Science September 10, 2018
2. Purpose and Scope of Workshop
Describe things of forensic interest, show how to find and extract data from:M
hacked/compromised Linux servers
M
criminal operated Linux servers (Command and Control)
M
abused/misused Linux desktop systems (suspect users, victim users)
M
seized and imaged systems (dead disk forensics)
M
focus on modern Linux system artifacts (systemd, etc.)
M
focus on artifacts independent of Linux distribution
*Not* the focus of this workshop:
M
using Linux as an analysis platform (most of this analysis can also be done
with encase/ftk/xways)
M
how to use Linux based forensic tools
M
live Linux system analysis and memory forensics
M
Linux based mobile devices (Android)
M
Application artifacts (browser, email, office, etc)
This is not exhaustive, there are many OS artifacts not covered here
(obscure/rare artifacts, distro specific artifacts, etc.)
Bern University of Applied Sciences 2/24
3. Overview of Workshop
High level overview of workshop topics (from a forensic/investigative
perspective):
M
partitions and filesystems
M
mbr/uefi, grub, initrd/initramfs
M
linux file/directory layout
M
systemd: boot/shutdown, services, scheduled tasks
M
installed software and packages
M
log files and systemd journal
M
swap, cache, and persistent data
M
system and user configuration
M
desktop artifacts
M
encryption and steganography
M
conclusion
Workshop format: mix of theory/slides and demonstrations
Example disk images are shown as either "image.dd" or "/dev/sda"
Bern University of Applied Sciences 3/24
4. Partitions and Filesystems
Examples of typical storage devices:M
SATA drives: /dev/sda
M
NVME drives: /dev/nvme0n1
M
MMC/SD cards: /dev/mmcblk0
M
(Virtual Machine: /dev/vda)
Examples of typical partition devices:
M
/dev/sda1
M
/dev/nvme0n1p1
M
/dev/mmcblk0p1
M
(/dev/vda1)
Most common partition schemes are DOS and GPT
M
disktype /dev/sda
M
mmls image.dd
M
UEFI systems have GPT layout and use a system partition with a FAT
filesystem for EFI boot files
Bern University of Applied Sciences 4/24
5. Partitions and Filesystems
Some examples of filesystems used by modern Linux:M
typical for installation: ext4, btrfs, xfs
M
many others supported: fat, ntfs, ext2, ext3
M
network filesystems: nfs, samba/cifs, sshfs
M
pseudo filesystems: proc, sys, dev
Interesting artifacts about an EXT4 filesystem:
M
when the filesystem was created
M
last mounted, last written, last checked
M
number of times mounted
M
last repaired
M
tune2fs -l /dev/sda1
M
fsstat /dev/sda1
Network and Virtual filesystems are interesting in live system analysis, less for
dead disk analysis (but we can try to find out some things, like when/where
they were mounted)
Bern University of Applied Sciences 5/24
6. Partitions and Filesystems
The SleuthKit ("TSK") has filesystem analysis tools for:M
listing and extracting files, inodes, blocks
M
identifying and extracting deleted files
M
building timelines (MACB timestamps)
M
extracting slack and unallocated areas for analysis
M
other filesystem artifacts (journaling filesystems,etc.)
All the TSK commands grouped by function:
M
Partition/volume analysis: mmcat, mmls, mmstat, fsstat, img_cat,
img_stat
M
Analyzing by blocks/sectors: blkcalc, blkcat, blkls, blkstat
M
Analyzing by inodes: icat, ifind, ils, istat, tsk_recover
M
Analyzing by filename: fcat, ffind, fls, fiwalk
M
Journaling filesystems: jcat, jls, usnjls
M
Timelines: mactime, tsk_gettimes
M
Search and sort: jpeg_extract, sigfind, sorter, srch
strings, tsk_comparedir, hfind, tsk_loaddb
These commands work on: attached devices, raw images (dd), and forensic
images (EnCase/FTK).
Bern University of Applied Sciences 6/24
7. MBR/UEFI, Grub, initrd/initramfs
MBR - 512 byte boot sector, jumps to next stage loaderM
can analyze boot sector for possible malware (boot sector viruses are rare
today)
M
dd if=image.dd of=bootsector.dd bs=512 count=1
UEFI - FAT system partition with files, more intelligent boot loading
M
look for unusual efi binaries
M
if you have access to mainboard, get UEFI variables stored in NVRAM
Grub artifacts (GRand Unified Bootloader)
M
/boot/grub/grub.cfg or /boot/grub2/grub.cfg
M
/etc/grub.d/* or /etc/default/grub
M
can show list of previous OS installations, kernel parameters used, etc.
Kernel ramdisk (initrd or initramfs)
M
debian: lsinitramfs -l /initrd.img
M
fedora: lsinitrd -v /boot/initramfs-4.16.11-100.fc26.x86_64.img
M
arch: lsinitcpio -v /boot/initramfs-linux.img
M
suse: lsinitrd /boot/initrd
M
if root filesystem is encrypted, may have interesting cleartext info
Bern University of Applied Sciences 7/24
8. Linux File System Layout
Directories of interest to forensic investigators:
M
bootstrap configuration /boot (efi partition mounted on /boot/efi)
M
system configs: /etc
M
logs, cache, state: /var (especially /var/lib and /var/log)
M
user data: /home and /root
Some directories are mountpoints for pseudo filesystems:
M
/proc, /sys, /dev, /run
M
not very useful for dead disk forensics
Other tips:
M
be aware of hidden files/dirs (filenames starting with ".")
M
the "FILES" section of manpages can indicate items of potential interest
M
use forensic timelines to identify ’busy’ directories
Bern University of Applied Sciences 8/24
9. Systemd Boot/Shutdown, Services, Scheduled Tasks
SystemdM
modern Linux system and service manager
M
very consistent across distributions
M
manages starting, stopping, restarting of daemons
Systemd configuration common locations:
M
defaults: /usr/lib/systemd/ or /lib/systemd/
M
custom: /etc/systemd/
M
user: ~/.config/systemd
These directories contain systemd unit files, that configure or control:
M
services and daemons
M
sockets and devices
M
mount points, automount points
M
swap files and swap partitions
M
start-up targets
M
timers (scheduled jobs), watched file system paths
Provides forensic trace information about the system and user configuration
Bern University of Applied Sciences 9/24
10. Systemd Boot/Shutdown, Services, Scheduled tasks
Examples of things to look for as a forensic investigator:
M
overview of services started on boot
M
proxy and relay daemons
M
strange services that could be backdoors or malcious code
M
vpn tunnels (new: wireguard vpn, this is growing in popularity, look for
/etc/wireguard/, the wg0 interface, or systemd wireguard files)
M
service units for: bitcoin, torrent, tor, tunneled protocols, etc.
Scheduled jobs:
M
traditional cron jobs: /var/spool/cron, /var/spool/anacron,
/etc/cron.*/*, and /etc/crontab
M
traditional at jobs (one time execution): /var/spool/at
M
systemd timers (*.timer files)
M
user and system jobs are separate (for cron and systemd)
Note: there are over 150 manpages describing systemd and various relevant files
Bern University of Applied Sciences 10/24
11. Installed Software and Packaging
Most popular packaging formats (not consistent across distributions):M
rpm (redhat and suse)
M
apt/deb (debian/ubuntu, etc.)
M
pacman/tar (arch, manjaro)
The interesting forensic artifacts in packaging systems are:
M
list of installed software packages (package databases)
M
removed software packages (install logs, previously downloaded packages)
M
install and removal timestamps
Other packaging systems growing in popularity:
M
snap/snappy
M
flatpacks
Backups and archive files (ok, not packages, but...):
M
tar snar files have a list of deleted, changed, created files from backups
M
tar --show-snapshot-field-ranges
Bern University of Applied Sciences 11/24
12. Installed Software and Packaging
Debian based systems
M
logs: /var/log/apt/*
M
database: /var/lib/dpkg/* (especially the ’status’ file)
Redhat and SuSe based systems
M
logs: /var/log/dnf.rpm.log*
M
database: /var/lib/rpm/*
Arch pacman based systems
M
arch also has "AUR" or Arch User Repository user
M
database: /var/lib/pacman/local/*/*
M
logs: paclog command, /var/log/pacman.log
Note: users can bypass the packaging system and copies any files anywhere
(’make install’ for example).
Bern University of Applied Sciences 12/24
13. Log Files and Systemd Journal
Programs and daemons typically log to one of three places:M
traditional syslog (/var/log/messages or /var/log/syslog)
M
systemd journal
M
self written log files (usually in /var/log/*)
Traditional Linux logging:
M
logs can be different levels of verbosity (debug, informational, etc.)
M
a running linux kernel has a ring buffer log (dmesg)
M
applications may separate error logs from transaction logs
M
syslog messages are sent to a syslog daemon and saved to files
Systemd journal has features that are interesting for investigators:
M
better recording of logs during early system initialization
M
stderr output of a daemon is captured
M
logs are stored in a structured binary format that can be filtered, searched,
or exported
M
Forward Secure Sealing (FSS) preserves integrity of the logs (like a
forensic chain of custody)
Bern University of Applied Sciences 13/24
14. Log Files and Systemd Journal
Journalctl data and commands:
M
location: /var/log/journal/$RANDOMSTRING/*
M
system logs: system@*
M
user logs (with UID): user-1000@*
M
journalctl --root=/location/of/forensic/image/mount/
M
journalctl --file=user-1000@
M
journalctl --directory=/some/directory/with/journal/
Journalctl tips:
M
logged boots: journalctl --list-boots
M
kernel messages: journalctl --dmesg
M
time periods: journalctl --since=2018-09-05 --until=2018-09-06
M
more verbose: journalctl -ax
M
search with "/", n-next, N-previous
Bern University of Applied Sciences 14/24
15. Log Files and Systemd Journal
What you might find in the logs and systemd journal:
M
attached and mounted USB drives
M
network interfaces and MAC addresses (NetworkManager)
M
dhcp results with IPs addresses (NetworkManager)
M
evidence of malicious activity and attacks (failed logins)
M
successful logins (local and remote) and user sessions
M
reboots, boots, daemon start/stop/restart
M
virtual network interface creation (vpns/tunnels)
M
application/daemon errors and messages
M
user activity (pgp/gpg agent activity)
M
notebook Lid close/open, power cable plugin
Files in /var/log/* are disappearing from use, so learn journalctl
Some systems may not keep a persistent copy of the journal across boots
Most systems still have utmp/wtmp files: last -f /var/log/wtmp
Bern University of Applied Sciences 15/24
16. Cache, Swap and Persistent data
Desktop systems using NetworkManager cache interesting things:
M
/var/lib/NetworkManager/*
M
dhcp leases and timestamps
M
observed wifi bss ids
Desktop systems with Bluetooth cache interesting things:
M
/var/lib/bluetooth/*
M
paired bluetooth devices
M
file timestamps reveal previous pairing activty
Lots of really great info in /var/lib, often with timestamps:
M
depending on the software installed, all kinds of interesting system
persistence and cached data
M
example: switching from charging to discharging (/var/lib/upower/*)
M
(hint, convert epoch timestamps to human time: date -d @1535347485)
Bern University of Applied Sciences 16/24
17. Cache, Swap and Persistent data
Temporary files and directoriesM
/tmp and /var/tmp may contain files
M
(but may be deleted after boot or logout)
M
swapfile or swap partition (see /etc/fstab)
If swap is the size of ram or larger, it can be used for hibernation:
M
a hibernating system has a complete memory dump saved to disk
M
check the end of journal to see if the system went into hibernation
M
can be extracted with forensic tools (icat, dd, etc.)
M
memory analysis can be done to find many artifacts:
running processes, established network connections, possibly keys and
passwords
Printers and printed pages
M
attached and configured printers: /etc/cups/*
M
print jobs from cupsd: /var/cache/cups/*
M
/var/spool/cups/* and /var/log/cups/*
Large amounts of cached user data in /home/user/.cache, this contains
application data (photo thumbnails for example)
Bern University of Applied Sciences 17/24
18. System and User Configuration
System and kernel:M
LSB (Linux Standards Base): /etc/lsb-release or o/etc/os-release
M
kernel version: file vmlinuz
M
kernel config/parameters grub.cfg and /etc/sysctl.*
M
kernel modules: /etc/modprobe*, /etc/modules, /etc/modules-load*
M
startup services/daemons (systemd units)
Systemd network config:
M
default: /usr/lib/systemd/network/ or /lib/systemd/network
M
custom: /etc/systemd/network/
M
also distro specific (debian /etc/network/interfaces)
Crashed programs
M
system may need to be configured to save core files
M
/var/lib/systemd/coredump
M
this is a memory dump of a process: established network connections,
possibly keys and passwords
M
manpage core(5)
Bern University of Applied Sciences 18/24
19. System and User Configuration
Users and groupsM
traditionally in /etc/passwd and /etc/group
M
some systems may use ldap
M
UID and GID analyzed as filesystem meta data
M
(Sleuthkit: mactime -p /etc/passwd -g /etc/group)
M
users and groups may refer to people or processes
M
difference between system and application activity is not always clear
M
difference between system and user activity is not always clear
OS and user configuration files
M
traditional Unix/Linux files in /etc
M
gconf/dconf, systemd units
M
dot files ~/.*
M
dot files ~/.config/*
M
user customized shells (.bashrc) and shell history
M
each distro may have additional configuration artifacts that are interesting
Bern University of Applied Sciences 19/24
20. Desktop Artifacts
Freedesktop.org (formerly known as: X Desktop Group or XDG)
M
XDG documentation and specifications at freedesktop.org
M
Provides compatibility across distros and desktop environments
M
KDE and Gnome most popular DEs
Key directories interesting to forensic investigators:
M
systemd unit files for XDG: /etc/xdg/systemd
M
$XDG_DATA_HOME, default ~/.local/share
M
$XDG_CONFIG_HOME, default ~/.config
M
$XDG_CACHE_HOME, default ~/.cache
M
contains user’s GUI data and configuration
M
(there are also system-wide equivalent defaults)
Bern University of Applied Sciences 20/24
21. Desktop Artifacts
Interesting things we find here:M
autostarting GUI apps ~/.config/autostart/*
M
contents of user’s desktop: ~/Desktop (contains Desktop entry files)
M
recently opened docs: ~/.recently-used or ~/local/share/recently-used.xbel
M
thumbnails ~/.cache/thumbnails
M
"Trash" ~/.local/share/Trash or ~/.Trash
M
User override default apps: ~/.config/mimeapps.list
M
application downloads: ~/Downloads
Other notes
M
often 2 sets of timestamps: filesystem (MACB) and timestamps inside the
files
M
These directories and filenames may vary depending on the desktop and
XDG variables
M
X11 vs Wayland? These both operate below the XDG/freedesktop.org
Environment, so it should (mostly) not matter
Bern University of Applied Sciences 21/24
22. Encryption and Steganography
Forensic examiners will find different types of encryption:
M
application file encryption - protected PDF, office docs, etc
M
individual file containers - GPG, Encrypted Zip
M
directories - ecryptfs, ext4 encrypted sub-directories
M
volumes - TrueCrypt/Veracrypt
M
block devices - Linux LUKS
M
drive hardware - OPAL/SED
Decrypting requires:
M
password or passphrase
M
cryptographic key string or key file
M
smartcard or hard token
The forensic challenge is to find the decryption key
(some tools: John the Ripper, HashCat, bulk_extractor, $5 wrench)
Bern University of Applied Sciences 22/24
23. Encryption and Steganography
Steganography is considered a part of anti-forensics
M
It hides data in non-obvious places
M
least significant bits of color, sound, etc.
M
tries to hide data in different slack areas
M
Veracrypt allows hiding volumes inside volumes
Some tools:
M
stegdetect
M
stegsnow
M
openstego
M
busysteg
M
gsteg
M
photocrypt
Bern University of Applied Sciences 23/24
24. Conclusion
M
Thanks for listening!
M
If you know some additional Linux forensic artifacts not mentioned, please
send them to me, I’ll add them to my slides.
M
Law Enforcement: You are welcome to contact me at BFH for Linux
analysis support.
M
Contact details: bruce.nikkel@bfh.ch
M
These slides are available at: digitalforensics.ch
Bern University of Applied Sciences 24/24
