Linux Forensics

Published

August 27, 2024

Modified

August 27, 2024

Incident Handling

Understand the incident by asking questions like these:

  • What happened?
  • What seemed unusual?
  • When did you notice it?
  • Which hosts are involved?
  • What is the purpose of the system?
  • Who has access to them?
  • How are these systems set up?
  • What have you done to fix it?

Notification & Triage

  • The potential vulnerability is validated (together with a co-worker); the incident is declared
  • Communicate to group leader, department head, and IT security

Live Response

Logon activities

# Check users who are currently logged in
w
# Last login of every account (reads the binary /var/log/lastlog database, which is not readable with cat)
lastlog
# Login/logout/reboot records (wtmp) and failed login attempts (btmp)
last -f /var/log/wtmp
last -f /var/log/btmp
# Auth logs with cron and sudo noise removed, filtered by event type
grep -v cron /var/log/auth.log* | grep -v sudo | grep -i user
grep -v cron /var/log/auth.log* | grep -v sudo | grep -i Accepted
grep -v cron /var/log/auth.log* | grep -v sudo | grep -i failed
grep -v cron /var/log/auth.log* | grep -v sudo | grep -i "login:session"
# Raw auth logs (auth.log on Debian/Ubuntu, secure on EL systems)
cat /var/log/{secure,auth.log}

Review activities

# Check the command history of the current shell session
history
# Check every dot-file ending in _history in the user's home directory
cat /home/$USER/.*_history
# Check the command history  (specific to bash shell)
cat /home/$USER/.bash_history
# Check the command history for the root user (specific to bash shell)
cat /root/.bash_history
# Check the MySQL command history for the root user
cat /root/.mysql_history
# Check the FTP command history 
cat /home/$USER/.ftp_history
# Check the SFTP command history 
cat /home/$USER/.sftp_history
# Check the Vim editor history (command-line history, searches, recently edited files)
cat /home/$USER/.viminfo
# Check the history of commands entered in the 'less' pager
cat /home/$USER/.lesshst
# Check the Git configuration (user identity, credential helpers)
cat /home/$USER/.gitconfig
# List recent Git activity logs (reflogs) if the home directory is itself a repository
ls /home/$USER/.git/logs
# List Mozilla Firefox profiles, check history and downloads
ls /home/$USER/.mozilla/firefox
# List Google Chrome profiles, check history and downloads
ls /home/$USER/.config/google-chrome
# Search for relevant commands in the authentication logs excluding cron jobs
grep -v cron /var/log/auth.log* | grep -i -e "command=" -e "su:" -e "groupadd" -e "useradd" -e "passwd"

Review accounts

# Identify potentially active user accounts (login shell is an interactive shell)
grep bash /etc/passwd
grep sh /etc/passwd
grep dash /etc/passwd
# Sort user accounts by their UID to detect anomalies
sort -nk3 -t: /etc/passwd
# Find files belonging to non-existent users (indicators of unauthorized access)
find / -nouser -print
# Extract password hashes for forensic analysis
cat /etc/shadow
# Examine group information for user privilege analysis
cat /etc/group
# Review sudo configuration for potential privilege escalation
cat /etc/sudoers
# Check for additional sudo configurations for backdoors
cat /etc/sudoers.d/*
# Investigate SSH authentication keys for potential unauthorized access
cat /home/$USER/.ssh/authorized_keys
# Analyze SSH known hosts for suspicious connections
cat /home/$USER/.ssh/known_hosts
# Review recently used files for user activity
cat /home/$USER/.recently-used.xbel

Log Entries

# Show system messages
cat /var/log/messages
# Show user authentication logs
cat /var/log/auth.log
# Show authentication log for EL systems
cat /var/log/secure
# Show system boot log.
cat /var/log/boot.log
# Show kernel ring buffer log
cat /var/log/dmesg
# Show kernel log
cat /var/log/kern.log

Network Settings

# Show all network interfaces (net-tools; use "ip addr" where ifconfig is absent)
ifconfig -a
# Show active TCP/UDP connections with owning processes (net-tools; use "ss -tunap" where netstat is absent)
netstat -antup
# Show all iptables rules with packet counters, without name resolution
iptables -L -n -v
# Show routing table (net-tools; use "ip route" where route is absent)
route -n
# Show listening TCP/UDP ports without name resolution (-l limits output to listening sockets; drop it to include established connections)
ss -tuln

Triage Script

CatScale

# run the script 
git clone https://github.com/WithSecureLabs/LinuxCatScale.git ; cd LinuxCatScale
chmod +x ./Cat-Scale.sh
sudo ./Cat-Scale.sh

The collected data is saved to a compressed archive; copy it off the node for analysis.

# the repository includes a script that extracts the archive correctly
./Extract-Cat-Scale.sh

Alternative: Unix-like Artifacts Collector (UAC)

Data Preservation

Preferred procedure to preserve data for later forensic analysis:

  • Is a dd image of the local storage devices enough, taken from the live system?
  • ...or taken offline (after shutdown), e.g. from a live boot environment running from memory

dd if=/dev/sda1 of=/evidence/image.dd bs=4096 conv=sync,noerror
# noerror: keep copying after a read error instead of stopping
# sync: pad every short or failed block with null bytes so offsets in the image stay aligned with the source

Forensic variants of GNU dd for acquisition: dc3dd and dcfldd

dcfldd if=/dev/sdb1 of=/evidence/image.dd conv=sync,noerror hash=sha256 hashlog=hash.log
# hash the input data as it is transferred and write the digest to hash.log, helping to ensure the integrity of the image
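As an added example (not code from the original page), a small POSIX sh helper that wraps the dd options shown above and then verifies the image by SHA-256, the check dcfldd performs inline with hash=. It assumes GNU coreutils dd and sha256sum, and it handles the null padding that conv=sync appends when the source length is not a multiple of the block size.

```shell
# Image a source with the dd options used above, keep dd's own record/error
# summary in <image>.dd.log, then verify the copy by SHA-256. Unlike dcfldd,
# this reads the source a second time for the hash. Assumes GNU coreutils.
acquire_image() {
    src="$1"; img="$2"; bs="${3:-4096}"
    # noerror: continue past read errors; sync: NUL-pad short/failed blocks
    dd if="$src" of="$img" bs="$bs" conv=sync,noerror 2>"$img.dd.log" || return 2
    src_size=$(wc -c < "$src" | tr -d ' ')
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    # conv=sync pads a partial final block, so the image may be longer than the
    # source; hash only the first <source size> bytes for the comparison.
    img_hash=$(head -c "$src_size" "$img" | sha256sum | cut -d' ' -f1)
    printf 'source sha256: %s\nimage  sha256: %s\n' "$src_hash" "$img_hash" \
        > "$img.hash.log"
    [ "$src_hash" = "$img_hash" ]
}

# Bytes of NUL padding that conv=sync appended. Non-zero means the source
# length was not a multiple of bs (a regular file, or a partition whose
# sector count is not a multiple of bs/512); a whole-file hash of such an
# image will never match the source hash, which is why the check above truncates.
image_padding() {
    echo $(( $(wc -c < "$2" | tr -d ' ') - $(wc -c < "$1" | tr -d ' ') ))
}

# Stand-alone use: sh acquire.sh /dev/sdXN /evidence/image.dd [bs]
if [ $# -ge 2 ]; then
    if acquire_image "$1" "$2" "${3:-4096}"; then
        echo "image verified, $(image_padding "$1" "$2") bytes of padding"
    else
        echo "HASH MISMATCH or read failure, see $2.dd.log" >&2
        exit 1
    fi
fi
```

On a real device the hash pass reads the whole disk again, so for large media the single-pass dcfldd/dc3dd form above is the faster choice.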