9781284226065_PPT_CH09.pdf


Full Transcript

CHAPTER 9 Linux Forensics
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com

Learning Objective(s) and Key Concepts
▪ Summarize various types of digital forensics.
Key Concepts
▪ Linux operating system and file systems
▪ What to look for in Linux system logs
▪ Forensically interesting Linux directories
▪ Important Linux shell commands
▪ How to undelete files from Linux

History of Linux
▪ 1969 UNIX created
▪ 1972 UNIX released
▪ 1983 GNU
▪ 1987 Minix
▪ 1991 Linux
▪ 100s of Linux distros

Linux Shells
▪ Bourne shell (sh)
▪ Bourne-again shell (Bash)
▪ C shell (csh)
▪ Korn shell (ksh)

Basic Linux Shell Commands
Linux Command / Explanation and Example
▪ ls
  ▪ The ls command lists the contents of the current directory
  ▪ Example: ls
  ▪ Common flags:
    ls -l displays the file or directory, size, modified date and time, file or folder name, owner of the file, and its permissions
    ls -a shows even hidden files
    ls -ls shows the files in order of size
▪ cp
  ▪ The cp command copies one file to another directory
  ▪ Example: cp filename.txt directoryname
  ▪ cp -R is used if you are copying directories rather than files and want all the contents to be copied as well

Basic Linux Shell Commands (Cont.)
▪ mkdir
  ▪ The mkdir command creates a new directory
  ▪ Example: mkdir directoryname
  ▪ mkdir -p will create parent directories as needed
    Example: mkdir -p /directory1/directorytwo/directory3
▪ cd
  ▪ The cd command is used to change directories
  ▪ Example: cd directoryname
  ▪ cd .. will go up one level in the directory tree
  ▪ cd / goes directly to the root directory
  ▪ cd ~ moves to the home directory of the current user
▪ rm
  ▪ The rm command is used to delete or remove a file
  ▪ Example: rm filename
  ▪ rm -i will prompt before any removal
  ▪ rm -r removes directories and their contents recursively

Basic Linux Shell Commands (Cont.)
▪ rmdir
  ▪ The rmdir command is used to remove or delete entire directories
  ▪ Example: rmdir directoryname
▪ mv
  ▪ The mv command is used to move a file
  ▪ Example: mv myfile.txt myfolder
▪ ps
  ▪ The ps command lists all currently running processes that the user has started. Any program or daemon is a process
  ▪ Example: ps
  ▪ ps -a lists all processes for all users, not just the current user
  ▪ ps -aux provides details for each process, such as process ID, percentage of memory used, etc.

Basic Linux Shell Commands (Cont.)
▪ pstree
  ▪ The pstree command shows all processes (whether started by the current user or not) in a tree format, clearly showing which process started which other processes. This is definitely of interest forensically
▪ top
  ▪ The top command lists all currently running processes, whether the user started them or not. It also lists more detail on the processes
  ▪ Example: top
▪ fsck
  ▪ This is a file system check. The fsck command can check whether a given partition is in good working condition
  ▪ Example: fsck /dev/hda1

Basic Linux Shell Commands (Cont.)
▪ fdisk
  ▪ The fdisk command lists the various partitions
  ▪ Example: fdisk -l
▪ mount
  ▪ The mount command mounts a partition, allowing you to work with it
  ▪ Example: mount /dev/fd0 /mnt/floppy
▪ lsof
  ▪ This command lists open files. This is helpful in forensics to see not only what files are open but also the processes that opened them
▪ lsattr
  ▪ This command lists file attributes on a Linux second extended file system

GNU Network Object Model Environment (GNOME)
▪ GNOME

K Desktop Environment (KDE)/Plasma
▪ K Desktop Environment (KDE)/Plasma

Other Linux GUIs
▪ Common Desktop Environment (CDE)
  ▪ Originally developed in 1994 for UNIX systems
  ▪ Based on HP's Visual User Environment (VUE)
▪ Enlightenment
  ▪ Released in 1997
  ▪ Designed for graphics developers
▪ Cinnamon
  ▪ Based on GNOME
  ▪ Frequently seen in Linux Mint
  ▪ Easy to learn and use
▪ Lightweight X11 Desktop Environment (LXDE)
  ▪ A lightweight desktop
  ▪ Default environment for LXLE Linux, Artix, and Knoppix

Linux Boot Process
▪ POST
▪ BIOS
▪ MBR
▪ GRUB or LILO
▪ Kernel
  ▪ Initializes devices
  ▪ Real mode to protected mode
▪ INIT
▪ Runlevels

Run Level   Typical Default Active Services Directory   Mode Description
0           /etc/rc.d/rc0.d                             Halt
1           /etc/rc.d/rc1.d                             Single-user mode
2           /etc/rc.d/rc2.d                             Not used (user-definable)
3           /etc/rc.d/rc3.d                             Full multiuser mode without GUI
4           /etc/rc.d/rc4.d                             Not used (user-definable)
5           /etc/rc.d/rc5.d                             Full multiuser mode with GUI
6           /etc/rc.d/rc6.d                             Reboot

Logical Volume Management
▪ An abstraction layer that provides volume management for the Linux kernel
▪ On a single system (like a single desktop or server), its primary role is to allow:
  ▪ The resizing of partitions
  ▪ The creation of backups by taking snapshots of the logical volumes

Linux Distributions
▪ Open-source operating system
▪ Popular distributions: Red Hat Enterprise Linux (RHEL), Ubuntu, Mint, Fedora, OpenSUSE, Debian, CentOS

Linux File Systems
▪ Extended File System (ext)
  ▪ Supports journaling
  ▪ Performs well when the hard disk has a large number of smaller files
  ▪ Current version is 4 (Ext4)
  ▪ Ext4 supports volumes up to 1 exabyte and single files up to 16 terabytes
  ▪ Ext3 and Ext4 support three types of journaling:
    ▪ Journal (most secure)
    ▪ Ordered
    ▪ Writeback (least secure)
▪ Reiser File System
▪ Berkeley Fast File System
  ▪ Also known as Unix File System
  ▪ Developed at UC-Berkeley for Linux
  ▪ Uses a bitmap to track free clusters, indicating availability

Linux Logs
Log                               Contents
/var/log/fail.log                 Failed user logins
/var/log/kern.log                 Messages from the operating system's kernel
/var/log/lpr.log                  Items that have been printed
/var/log/mail.*                   Email activity
/var/log/mysql.*                  MySQL database server activity
/var/log/apache2/*                Apache web server activity
/var/log/lighttpd/*               Lighttpd web server activity
/var/log/apport.log               Application crashes
Intrusion detection system logs   Suspicious traffic
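A triage pass over a log directory such as the one in the table above, added here as an example and not part of the chapter's slides: it flags empty logs and logs containing control characters, the two conditions the chapter looks for with ls -al /var/log/* and grep [[:cntrl:]]. The directory is a parameter so the same pass can run against /var/log of a mounted image; the sample logs and the helper names (make_sample_logs, classify_log, triage_logs) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): empty-log and binary-data checks over
# a directory of *.log files. Sample data and helper names are constructed.

make_sample_logs() {
  d=$(mktemp -d)
  : > "$d/fail.log"                                     # empty log: nothing recorded, or cleared
  printf 'Jan  1 00:00:01 host kernel: usb 1-1: new device\n' > "$d/kern.log"
  printf 'Jan  1 00:00:02 host lpr: job 7 printed\n' > "$d/lpr.log"
  # constructed control bytes (\001\002\177) inside an otherwise normal log line
  printf 'Jan  1 00:00:03 host app: \001\002\177 tampered\n' >> "$d/lpr.log"
  echo "$d"
}

# Classify one log file as EMPTY, BINARY (control characters present) or OK.
# LC_ALL=C keeps [[:cntrl:]] byte-based regardless of the analyst's locale.
classify_log() {
  if [ ! -s "$1" ]; then
    echo EMPTY
  elif LC_ALL=C grep -q '[[:cntrl:]]' "$1"; then
    echo BINARY
  else
    echo OK
  fi
}

# Walk every *.log under a directory and print "STATUS path" per file;
# for BINARY files also report how many lines carry control characters.
triage_logs() {
  for f in "$1"/*.log; do
    [ -f "$f" ] || continue
    status=$(classify_log "$f")
    if [ "$status" = BINARY ]; then
      n=$(LC_ALL=C grep -c '[[:cntrl:]]' "$f")
      printf '%s %s (%s line(s) with control characters)\n' "$status" "$f" "$n"
    else
      printf '%s %s\n' "$status" "$f"
    fi
  done
}

# Run on the directory given as $1, or on the constructed sample when none is given.
triage_logs "${1:-$(make_sample_logs)}"
```

Tabs count as control characters, so a BINARY hit on a log that legitimately uses tabs needs a look at the reported lines before it is treated as evidence.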
Viewing Logs
▪ Text editor in GUI
▪ Any of these commands work from the shell:
  dmesg | lpr
  # tail -f /var/log/lpr.log
  # less /var/log/lpr.log
  # more -f /var/log/lpr.log
▪ Search a log for binary data:
  grep [[:cntrl:]] /var/log/*log
▪ Search for empty logs:
  ls -al /var/log/*

Linux Directories
▪ Key directories are important to the functioning of every operating system
▪ Directories are also important places to seek out evidence in an investigation

The /root Directory
▪ Home directory for the root user
▪ Contains data for the administrator
▪ Linux root user is equivalent to Windows Administrator

The /bin Directory
▪ The /bin directory

Linux Directories (Cont.)
▪ The /sbin directory
  ▪ Similar to /bin
  ▪ Contains binary files not intended for the average computer user
▪ The /etc folder
  ▪ Contains configuration files, such as for web servers, boot loaders, security software, and many other applications
  ▪ An attractive target for hackers

The /etc/inittab File
▪ Sets the boot-up process and operation
▪ Entry format: label:run_level:action:process
▪ Actions include boot, bootwait, initdefault, sysinit
▪ Example: init level for the system startup

Linux Directories (Cont.)
▪ The /dev directory
  ▪ Interfaces to devices
  ▪ Contains device files
  ▪ All devices should have a device file in /dev
  ▪ Device naming conventions:
    ▪ hd = hard drive
    ▪ fd = floppy drive
    ▪ cd = CD
  ▪ Examples:
    ▪ Main hard drive can be /dev/hd0
    ▪ Floppy drive would be /dev/fd0
▪ The /mnt directory
  ▪ Many devices are mounted in /mnt
  ▪ Drives must be mounted prior to use
  ▪ Checking this directory lets you know what is currently mounted in the system
▪ The /boot directory
  ▪ Contains files critical for booting
  ▪ Boot loader (LILO or GRUB) looks in this directory
  ▪ Kernel images commonly located in /boot

Linux Directories (Cont.)
▪ The /usr directory
  ▪ Contains subdirectories for individual users
▪ The /tmp directory
  ▪ Contains files that are needed temporarily
  ▪ Can find data regarding what has been happening most recently on the system
  ▪ Files stored here get removed immediately on system reboot
  ▪ Must be searched live
▪ /var/tmp
  ▪ Made available for programs that require temporary files
  ▪ Files remain for 30 days by default
▪ /var/backups
  ▪ Contains backups of various system files, such as /etc/shadow and /etc/inet.conf
  ▪ Files usually named with a .bak extension or a number, such as .0, .1, etc.
▪ /var/spool
  ▪ Contains the print queue

The /proc Directory
▪ The /proc directory

The /run Directory
▪ The /run directory
Temporary File System (tmpfs)
▪ A Linux file system whose contents reside only in memory
▪ Files and directories mounted by tmpfs are never written to the local disk
▪ Once a tmpfs mount is unmounted, the entire file system is wiped
▪ Capture data here before the system is shut down
▪ Captured using a memory capture command:
  volatility --profile=Linuxthisx86 -f /root/lime-tmpfs linux_tmpfs

Shell Commands for Forensics
▪ Linux has hundreds of shell commands
▪ Some can be very useful in forensic investigations
▪ The dmesg command
▪ The fsck command
▪ The grep command
▪ The history command
▪ The mount command
▪ The ps command
▪ The pstree command
▪ The pgrep command
▪ The top command
▪ The kill command
▪ The file command
▪ The su command
▪ The who command
▪ The finger command
▪ The dd command
▪ The ls command

The dmesg Command
▪ The dmesg command

The pstree Command
▪ The pstree command

The file Command
▪ The file command

Shell Commands for Forensics (Cont.)
▪ Finding executables
▪ Checking scheduled tasks
  crontab -l
  atq
  systemctl list-timers --all
▪ Finding oddities
  ▪ Files or directories that have no user or group
    find / \( -nouser -o -nogroup \) -exec ls -lg {} \;
  ▪ Files modified or created in the last day
    find / -mtime -1
  ▪ List any hidden directories
    find / -type d -name ".*"
  Finding executables:
    find / -type f -exec file -p '{}' \; | grep ELF
    find /tmp -type f -exec file -p '{}' \; | grep ELF

Undeleting Linux Files: Manually
▪ Move the system to single-user mode
▪ Use grep or a similar command
  Example: grep -b 'search-text' /dev/partition > file.txt
▪ Use a command-line editor to view the file

Kali Linux Forensics
▪ Has a number of forensics tools
▪ Can use as a quality control tool to complement OSForensics, FTK, or EnCase
▪ Kali Forensics Tools
  ▪ Includes Autopsy, a web-based graphical user interface for the command-line tool Sleuth Kit

Kali Linux Forensics (Cont.)
▪ Autopsy command window (screenshot)
▪ Autopsy web interface (screenshot)
▪ Autopsy new case (screenshot)
▪ Autopsy new host (screenshot)
▪ Autopsy verify the hash (screenshot)
▪ Autopsy image is added (screenshot)
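The "finding executables" and "finding oddities" checks from the Shell Commands for Forensics slides, gathered into one script as an added example (not the chapter's own code). Each check is rooted at a directory passed in, so it can run over a mounted image instead of the live /; ELF files are recognised by reading their four magic bytes directly rather than by calling file(1), which also means the script runs where file is not installed. The helper names and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): executable and oddity checks rooted
# at a directory of your choice. Helper names and sample data are ours.

ELF_MAGIC=$(printf '\177ELF')

# Print every regular file under $1 whose first four bytes are the ELF magic.
find_elf() {
  find "$1" -type f | while IFS= read -r f; do
    if [ "$(head -c 4 "$f")" = "$ELF_MAGIC" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# Hidden directories (name starts with a dot) anywhere under $1.
find_hidden_dirs() { find "$1" -type d -name '.*'; }

# Regular files modified in the last day.
find_recent() { find "$1" -type f -mtime -1; }

# Files or directories whose owner or group no longer exists in passwd/group.
find_unowned() { find "$1" \( -nouser -o -nogroup \) -exec ls -ld {} \; ; }

# Constructed tree: a fresh file carrying an ELF header inside a hidden /tmp
# subdirectory (the pattern the /tmp search on the slide is after) and an
# old, ordinary text file that must not be reported as recent.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/tmp/.cache" "$root/home/alice"
  printf '\177ELF\002\001\001\000' > "$root/tmp/.cache/update"   # first bytes of an ELF header
  printf 'meeting notes\n' > "$root/home/alice/notes.txt"
  touch -t 202001010000 "$root/home/alice/notes.txt"             # backdate to 2020-01-01
  echo "$root"
}

# Run all four checks on $1, or on the constructed sample tree when no root is given.
run_checks() {
  root=${1:-$(make_sample_tree)}
  echo "== ELF files under $root";      find_elf "$root"
  echo "== hidden directories";         find_hidden_dirs "$root"
  echo "== modified in the last day";   find_recent "$root"
  echo "== no valid owner or group";    find_unowned "$root"
}
run_checks "$@"
```

On a mounted image the -nouser/-nogroup check is resolved against the analysis machine's passwd and group files, not the suspect system's, so its hits need to be re-read against the image's own /etc/passwd.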
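The manual undelete step on the Undeleting Linux Files slide carried through end to end, as an added example that is not part of the chapter: grep -b reports the byte offset of the search text inside a raw device, and dd then copies out the 512-byte block containing it for review in an editor. A constructed zero-filled image file stands in for /dev/partition, and the helper names (make_sample_image, find_offset, carve_block) are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): locate text in a raw image with
# grep -b and carve the surrounding block with dd. Helper names are ours.

BLOCK=512

# Constructed 4 KiB "partition": zero-filled, with a note written at byte
# 1024 (block 2) and nothing else referring to it, like a deleted file.
make_sample_image() {
  img=$(mktemp)
  dd if=/dev/zero of="$img" bs=$BLOCK count=8 2>/dev/null
  printf 'BEGIN NOTE\nmeeting moved to 0900\nEND NOTE\n' |
    dd of="$img" bs=1 seek=1024 conv=notrunc 2>/dev/null
  echo "$img"
}

# Byte offset of the first occurrence of $2 in image $1; prints nothing if absent.
# -a treats the image as text; -o makes -b report the offset of the match
# itself rather than of the (possibly enormous) line that contains it.
find_offset() {
  LC_ALL=C grep -a -b -o -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Copy the block of image $1 that holds the first match of $2 into file $3.
# Returns 1 when the text is not present.
carve_block() {
  off=$(find_offset "$1" "$2")
  [ -n "$off" ] || return 1
  dd if="$1" of="$3" bs=$BLOCK skip=$((off / BLOCK)) count=1 2>/dev/null
}

img=$(make_sample_image)
out=$(mktemp)
if carve_block "$img" 'BEGIN NOTE' "$out"; then
  echo "match at byte $(find_offset "$img" 'BEGIN NOTE'); carved block:"
  tr -d '\000' < "$out"    # drop the zero padding for display
fi
```

Against a real device, read the image copy rather than the live partition, and hash the carved block alongside the image so the recovered fragment can be tied back to a specific offset in the evidence.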
Forensics Tools for Linux
▪ Create a forensic image of the machine
▪ Verify the image using an appropriate hashing algorithm
▪ Mount the image as if it were a virtual machine using a tool like ForensicsExplorer
  ▪ Creates a read-only forensic image
  ▪ Can navigate to needed folders and logs
  ▪ Can execute shell commands and gather information on the target system

More Linux Forensics
▪ Documenting
  ▪ The cat command:
    cat /etc/os-release
    cat /etc/hostname
    cat /etc/timezone
▪ Advanced commands: dcat, dls, dcalc, dstat, mmls, locate, xargs

Summary
▪ Linux operating system and file systems
▪ What to look for in Linux system logs
▪ Forensically interesting Linux directories
▪ Important Linux shell commands
▪ How to undelete files from Linux
