SlideShare a Scribd company logo

LinuxForensicsForNon-LinuxFolks.pdf

S
ssusere6dc9d

.

Data & Analytics
1 of 18
Download to read offline
Linux Forensics (for Non-Linux Folks) (for Non-Linux Folks) Hal Pomeranz Deer Run Associates
What's Different About Linux? • No registry – Have to gather system info from scattered sources • Different file system – No file creation dates (until EXT4) – No file creation dates (until EXT4) – Important metadata zeroed when files deleted • Files/data are mostly plain text – Good for string searching & interpreting data
Accessing the File System • Can be complicated • Encryption, RAID, Logical Volume Mgmt, … • Multiple partitions to mount http://computer-forensics.sans.org/blog/2010/10/06/ http://deer-run.com/~hal/CEIC-dm-crypt-LVM2.pdf
What Should We Look At? /etc [%SystemRoot%/System32/config] – Primary system configuration directory – Separate configuration files/dirs for each app /var/log [Windows event logs] /var/log [Windows event logs] – Security logs, application logs, etc – Logs normally kept for about 4-5 weeks /home/$USER [%USERPROFILE%] – User data and user configuration information
Basic System Profiling Linux distro name/version number: /etc/*-release Installation date: Look at dates on /etc/ssh/ssh_host_*_key files Look at dates on /etc/ssh/ssh_host_*_key files Computer name: /etc/hostname (also log entries under /var/log) IP address(es): /etc/hosts (static assignments) /var/lib/dhclient, /var/log/* (DHCP)
Default Time Zone • /etc/localtime stores default time zone data • Binary file format: – Use "zdump" on Linux – Look for matching file under /usr/share/zoneinfo – Look for matching file under /usr/share/zoneinfo
User Accounts • Basic user data in /etc/passwd Any UID 0 account has admin privs • MD5 password hashes in /etc/shadow (brute force with "John the Ripper") (brute force with "John the Ripper") • /etc/sudoers may indicate users w/ admin privs • Group memberships in /etc/group
User Login History • /var/log/wtmp – Shows user, source, time, and duration of login – Need to use Linux "last" command to view • Other logs that may contain useful data: – /var/log/auth.log – /var/log/secure – /var/log/audit/audit.log
There's No Place Like $HOME • /home/<user> is common convention • Home dir for admin user is /root • "Hidden" files/dirs have names starting w/ "." • "Hidden" files/dirs have names starting w/ "." – Contain app-specific configuration information – Sometimes executed at login – Possible back-door or persistence mechanism
Web Browser Artifacts • Firefox and Chrome are common browsers • File formats the same as Windows (SQLite DBs) • Files under user home directories: – Firefox: $HOME/.mozilla/firefox/*.default – Firefox: $HOME/.mozilla/firefox/*.default – Chrome: $HOME/.config/chromium/Default
Nautilus • Linux graphical file browser • Like Windows Explorer • Thumbnails: $HOME/.thumbnails • Recent files: $HOME/.recently-used.xbel • Recent files: $HOME/.recently-used.xbel
Command History • $HOME/.bash_history • Unfortunately not time-stamped by default • Can be modified/removed by user • Sudo history in: – /var/log/auth.log – /var/log/sudo.log
SSH • Standard remote access/file xfer mechanism • Useful files in $HOME/.ssh: known_hosts – hosts user connected to from here authorized_keys – public keys used for logins to here authorized_keys – public keys used for logins to here id_rsa – private keys used to log in elsewhere
Things to Watch Out For • Persistence mechanisms • Back doors • Other suspicious files and directories
Persistence Mechanisms • Service start-up scripts /etc/inittab, /etc/init.d, /etc/rc.d (traditional) /etc/init.conf, /etc/init (Upstart) • Scheduled tasks ("cron jobs") • Scheduled tasks ("cron jobs") /etc/cron* /var/spool/cron/*
Back Doors • Deliberate malware/Trojan horse installs • In /etc/passwd and /etc/shadow: – Extra UID 0 accounts – "Application" accounts with active passwords – "Application" accounts with active passwords • New $HOME/.ssh/authorized_keys entries • Back doors via [x]inetd /etc/inetd.conf /etc/xinetd.conf, /etc/xinetd.d
Also Watch Out For… • Rogue "set-UID" files • Directories w/ names that start with "." • Regular files under /dev directory • Recently modified files • Recently modified files • Large files
Wrapping Up • Any final questions? • Thanks for listening! Hal Pomeranz Hal Pomeranz hal@deer-run.com Twitter: @hal_pomeranz http://www.deer-run.com/~hal/ http://computer-forensics.sans.org/blog/author/halpomeranz/ http://www.sans.org/security-training/instructors/Hal-Pomeranz

Recommended

Unix File System
Unix File SystemUnix File System
Unix File Systemstudent(MCA)
 
File system discovery
File system discovery File system discovery
File system discovery DevMix
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Ch10 file system interface
Ch10 file system interfaceCh10 file system interface
Ch10 file system interfaceWelly Dian Astika
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsSam Bowne
 
9781111306366 ppt ch11
9781111306366 ppt ch119781111306366 ppt ch11
9781111306366 ppt ch11Dr. Ahmed Al Zaidy
 
File Management & Access Control
File Management & Access Control File Management & Access Control
File Management & Access Control YuvrajWadavale
 

Recommended

Unix File System
Unix File SystemUnix File System
Unix File Systemstudent(MCA)
 
File system discovery
File system discovery File system discovery
File system discovery DevMix
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Ch10 file system interface
Ch10 file system interfaceCh10 file system interface
Ch10 file system interfaceWelly Dian Astika
 
CNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsCNIT 121: 13 Investigating Mac OS X Systems
CNIT 121: 13 Investigating Mac OS X SystemsSam Bowne
 
CNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsCNIT 152: 13 Investigating Mac OS X Systems
CNIT 152: 13 Investigating Mac OS X SystemsSam Bowne
 
9781111306366 ppt ch11
9781111306366 ppt ch119781111306366 ppt ch11
9781111306366 ppt ch11Dr. Ahmed Al Zaidy
 
File Management & Access Control
File Management & Access Control File Management & Access Control
File Management & Access Control YuvrajWadavale
 
File system
File systemFile system
File systemNavin Royal Achakkagari
 
File systems for Embedded Linux
File systems for Embedded LinuxFile systems for Embedded Linux
File systems for Embedded LinuxEmertxe Information Technologies Pvt Ltd
 
Os6
Os6Os6
Os6gopal10scs185
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsSam Bowne
 
3. introduction of centos
3. introduction of centos3. introduction of centos
3. introduction of centosMohd yasin Karim
 
ITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemSneh Prabha
 
Linux: Basics OF Linux
Linux: Basics OF LinuxLinux: Basics OF Linux
Linux: Basics OF LinuxOmkar Walavalkar
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IOHelpWithAssignment.com
 
Javase7 1641812
Javase7 1641812Javase7 1641812
Javase7 1641812Vinay H G
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
Lab 5 Linux File Structure and Hierarchy.pptx
Lab 5 Linux File Structure and Hierarchy.pptxLab 5 Linux File Structure and Hierarchy.pptx
Lab 5 Linux File Structure and Hierarchy.pptxCiceer Ghimirey
 
Surviving OS X as a Windows Admin
Surviving OS X as a Windows AdminSurviving OS X as a Windows Admin
Surviving OS X as a Windows AdminDell World
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
Linux Basics
Linux BasicsLinux Basics
Linux BasicsLokesh C
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profitssusera432ea1
 
5263802.ppt
5263802.ppt5263802.ppt
5263802.pptBoyapati chandra Giri
 
File system and Deadlocks
File system and DeadlocksFile system and Deadlocks
File system and DeadlocksRohit Jain
 
linuxtl05.pptx
linuxtl05.pptxlinuxtl05.pptx
linuxtl05.pptxShinwa Hasan
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file systemTaaanu01
 
Access Methods and File System Mounting.pptx
Access Methods and File System Mounting.pptxAccess Methods and File System Mounting.pptx
Access Methods and File System Mounting.pptxlaiba29012
 
Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingNeil Barnes
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...Florian Roscheck
 

More Related Content

Similar to LinuxForensicsForNon-LinuxFolks.pdf

CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsSam Bowne
 
ITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemSneh Prabha
 
Javase7 1641812
Javase7 1641812Javase7 1641812
Javase7 1641812Vinay H G
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfekobelasting
 
Lab 5 Linux File Structure and Hierarchy.pptx
Lab 5 Linux File Structure and Hierarchy.pptxLab 5 Linux File Structure and Hierarchy.pptx
Lab 5 Linux File Structure and Hierarchy.pptxCiceer Ghimirey
 
Surviving OS X as a Windows Admin
Surviving OS X as a Windows AdminSurviving OS X as a Windows Admin
Surviving OS X as a Windows AdminDell World
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSCsaba Fitzl
 
Linux Basics
Linux BasicsLinux Basics
Linux BasicsLokesh C
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profitssusera432ea1
 
File system and Deadlocks
File system and DeadlocksFile system and Deadlocks
File system and DeadlocksRohit Jain
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file systemTaaanu01
 
Access Methods and File System Mounting.pptx
Access Methods and File System Mounting.pptxAccess Methods and File System Mounting.pptx
Access Methods and File System Mounting.pptxlaiba29012
 

Similar to LinuxForensicsForNon-LinuxFolks.pdf (20)

File system
File systemFile system
File system
 
File systems for Embedded Linux
File systems for Embedded LinuxFile systems for Embedded Linux
File systems for Embedded Linux
 
Os6
Os6Os6
Os6
 
CNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X SystemsCNIT 152 13 Investigating Mac OS X Systems
CNIT 152 13 Investigating Mac OS X Systems
 
3. introduction of centos
3. introduction of centos3. introduction of centos
3. introduction of centos
 
ITFT_File system interface in Operating System
ITFT_File system interface in Operating SystemITFT_File system interface in Operating System
ITFT_File system interface in Operating System
 
Linux: Basics OF Linux
Linux: Basics OF LinuxLinux: Basics OF Linux
Linux: Basics OF Linux
 
Systems Programming - File IO
Systems Programming - File IOSystems Programming - File IO
Systems Programming - File IO
 
Javase7 1641812
Javase7 1641812Javase7 1641812
Javase7 1641812
 
AntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdfAntiForensics - Leveraging OS and File System Artifacts.pdf
AntiForensics - Leveraging OS and File System Artifacts.pdf
 
Lab 5 Linux File Structure and Hierarchy.pptx
Lab 5 Linux File Structure and Hierarchy.pptxLab 5 Linux File Structure and Hierarchy.pptx
Lab 5 Linux File Structure and Hierarchy.pptx
 
Surviving OS X as a Windows Admin
Surviving OS X as a Windows AdminSurviving OS X as a Windows Admin
Surviving OS X as a Windows Admin
 
Exploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOSExploiting Directory Permissions on macOS
Exploiting Directory Permissions on macOS
 
Linux Basics
Linux BasicsLinux Basics
Linux Basics
 
Poking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And ProfitPoking The Filesystem For Fun And Profit
Poking The Filesystem For Fun And Profit
 
5263802.ppt
5263802.ppt5263802.ppt
5263802.ppt
 
File system and Deadlocks
File system and DeadlocksFile system and Deadlocks
File system and Deadlocks
 
linuxtl05.pptx
linuxtl05.pptxlinuxtl05.pptx
linuxtl05.pptx
 
Linux standard file system
Linux standard file systemLinux standard file system
Linux standard file system
 
Access Methods and File System Mounting.pptx
Access Methods and File System Mounting.pptxAccess Methods and File System Mounting.pptx
Access Methods and File System Mounting.pptx
 

Recently uploaded

Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingNeil Barnes
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...Florian Roscheck
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...dajasot375
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfLars Albertsson
 
04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationshipsccctableauusergroup
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...Suhani Kapoor
 
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...soniya singh
 
Data Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health ClassificationData Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health ClassificationBoston Institute of Analytics
 
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /WhatsappsBeautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsappssapnasaifi408
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998YohFuh
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPramod Kumar Srivastava
 
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts ServiceCall Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Servicejennyeacort
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptSonatrach
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiSuhani Kapoor
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystSamantha Rae Coolbeth
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxEmmanuel Dauda
 

Recently uploaded (20)

Brighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data StorytellingBrighton SEO | April 2024 | Data Storytelling
Brighton SEO | April 2024 | Data Storytelling
 
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...From idea to production in a day – Leveraging Azure ML and Streamlit to build...
From idea to production in a day – Leveraging Azure ML and Streamlit to build...
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdf
 
04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships04242024_CCC TUG_Joins and Relationships
04242024_CCC TUG_Joins and Relationships
 
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
VIP High Profile Call Girls Amravati Aarushi 8250192130 Independent Escort Se...
 
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
High Class Call Girls Noida Sector 39 Aarushi 🔝8264348440🔝 Independent Escort...
 
Data Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health ClassificationData Science Project: Advancements in Fetal Health Classification
Data Science Project: Advancements in Fetal Health Classification
 
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /WhatsappsBeautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
Beautiful Sapna Vip Call Girls Hauz Khas 9711199012 Call /Whatsapps
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998
 
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptxPKS-TGC-1084-630 - Stage 1 Proposal.pptx
PKS-TGC-1084-630 - Stage 1 Proposal.pptx
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts ServiceCall Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
Call Girls In Noida City Center Metro 24/7✡️9711147426✡️ Escorts Service
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
 
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
Russian Call Girls Dwarka Sector 15 💓 Delhi 9999965857 @Sabina Modi VVIP MODE...
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data Analyst
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
Customer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptxCustomer Service Analytics - Make Sense of All Your Data.pptx
Customer Service Analytics - Make Sense of All Your Data.pptx
 

LinuxForensicsForNon-LinuxFolks.pdf

  • 1. Linux Forensics (for Non-Linux Folks) (for Non-Linux Folks) Hal Pomeranz Deer Run Associates
  • 2. What's Different About Linux? • No registry – Have to gather system info from scattered sources • Different file system – No file creation dates (until EXT4) – No file creation dates (until EXT4) – Important metadata zeroed when files deleted • Files/data are mostly plain text – Good for string searching & interpreting data
  • 3. Accessing the File System • Can be complicated • Encryption, RAID, Logical Volume Mgmt, … • Multiple partitions to mount http://computer-forensics.sans.org/blog/2010/10/06/ http://deer-run.com/~hal/CEIC-dm-crypt-LVM2.pdf
  • 4. What Should We Look At? /etc [%SystemRoot%/System32/config] – Primary system configuration directory – Separate configuration files/dirs for each app /var/log [Windows event logs] /var/log [Windows event logs] – Security logs, application logs, etc – Logs normally kept for about 4-5 weeks /home/$USER [%USERPROFILE%] – User data and user configuration information
  • 5. Basic System Profiling Linux distro name/version number: /etc/*-release Installation date: Look at dates on /etc/ssh/ssh_host_*_key files Look at dates on /etc/ssh/ssh_host_*_key files Computer name: /etc/hostname (also log entries under /var/log) IP address(es): /etc/hosts (static assignments) /var/lib/dhclient, /var/log/* (DHCP)
  • 6. Default Time Zone • /etc/localtime stores default time zone data • Binary file format: – Use "zdump" on Linux – Look for matching file under /usr/share/zoneinfo – Look for matching file under /usr/share/zoneinfo
  • 7. User Accounts • Basic user data in /etc/passwd Any UID 0 account has admin privs • MD5 password hashes in /etc/shadow (brute force with "John the Ripper") (brute force with "John the Ripper") • /etc/sudoers may indicate users w/ admin privs • Group memberships in /etc/group
  • 8. User Login History • /var/log/wtmp – Shows user, source, time, and duration of login – Need to use Linux "last" command to view • Other logs that may contain useful data: – /var/log/auth.log – /var/log/secure – /var/log/audit/audit.log
  • 9. There's No Place Like $HOME • /home/<user> is common convention • Home dir for admin user is /root • "Hidden" files/dirs have names starting w/ "." • "Hidden" files/dirs have names starting w/ "." – Contain app-specific configuration information – Sometimes executed at login – Possible back-door or persistence mechanism
  • 10. Web Browser Artifacts • Firefox and Chrome are common browsers • File formats the same as Windows (SQLite DBs) • Files under user home directories: – Firefox: $HOME/.mozilla/firefox/*.default – Firefox: $HOME/.mozilla/firefox/*.default – Chrome: $HOME/.config/chromium/Default
  • 11. Nautilus • Linux graphical file browser • Like Windows Explorer • Thumbnails: $HOME/.thumbnails • Recent files: $HOME/.recently-used.xbel • Recent files: $HOME/.recently-used.xbel
  • 12. Command History • $HOME/.bash_history • Unfortunately not time-stamped by default • Can be modified/removed by user • Sudo history in: – /var/log/auth.log – /var/log/sudo.log
  • 13. SSH • Standard remote access/file xfer mechanism • Useful files in $HOME/.ssh: known_hosts – hosts user connected to from here authorized_keys – public keys used for logins to here authorized_keys – public keys used for logins to here id_rsa – private keys used to log in elsewhere
  • 14. Things to Watch Out For • Persistence mechanisms • Back doors • Other suspicious files and directories
  • 15. Persistence Mechanisms • Service start-up scripts /etc/inittab, /etc/init.d, /etc/rc.d (traditional) /etc/init.conf, /etc/init (Upstart) • Scheduled tasks ("cron jobs") • Scheduled tasks ("cron jobs") /etc/cron* /var/spool/cron/*
  • 16. Back Doors • Deliberate malware/Trojan horse installs • In /etc/passwd and /etc/shadow: – Extra UID 0 accounts – "Application" accounts with active passwords – "Application" accounts with active passwords • New $HOME/.ssh/authorized_keys entries • Back doors via [x]inetd /etc/inetd.conf /etc/xinetd.conf, /etc/xinetd.d
  • 17. Also Watch Out For… • Rogue "set-UID" files • Directories w/ names that start with "." • Regular files under /dev directory • Recently modified files • Recently modified files • Large files
  • 18. Wrapping Up • Any final questions? • Thanks for listening! Hal Pomeranz Hal Pomeranz hal@deer-run.com Twitter: @hal_pomeranz http://www.deer-run.com/~hal/ http://computer-forensics.sans.org/blog/author/halpomeranz/ http://www.sans.org/security-training/instructors/Hal-Pomeranz