Linux Forensics


Linux Basics

Linux Shell

  • Linux has many different shells
    • each designed for a different purpose
  • most common shells:
    • Bourne shell (sh)
      • original default shell for Unix
    • Bourne-again shell (Bash)
      • most common shell in Linux
    • C shell (csh)
      • shell with a C-like syntax
    • Korn shell (ksh)
      • compatible with Bash but also incorporates true programming capabilities

Graphical User Interfaces

  • Gnu Network Object Model Environment (GNOME)
    • very common GUI for Linux
    • built on GTK+
  • K Desktop Environment (KDE)
    • another very common GUI
    • uses X Windows System for windowing functions
    • features
      • KRunner: search tool
      • Dolphin: file manager
      • Spectacle: screenshot tool
    • built on the Qt framework
      • a multiplatform GUI framework written in C++
  • Common Desktop Environment (CDE)
    • originally developed for Unix systems
    • based on HP’s Visual User Environment (VUE)
  • Enlightenment
    • desktop created for graphics developers
  • Cinnamon
    • desktop based on GNOME
    • used in Linux Mint
  • LXDE (Lightweight X11 Desktop Environment)
    • low resource desktop
    • default desktop for LXLE Linux, Artix, and Knoppix

Linux Boot Process

    • on embedded systems, boot begins with loading the bootstrap environment
      • is a special program that is stored in a special section of flash memory
    • on PC, boot begins in the BIOS at address 0xFFFF0
      • modern systems use UEFI instead of BIOS
  1. power-on self-test (POST)
  2. BIOS/UEFI locates the master boot record (MBR) and passes control to it
    • located on the first sector of the bootable disk
    • marks the end of the first stage of the boot process
  3. MBR loads up a boot loader program
    • e.g., LILO (Linux Loader) or GRUB (Grand Unified Bootloader)
    • GRUB is more modern and more widely used
    • GRUB v2 works with BIOS and UEFI
    • 2 boot loaders in Linux
      • first boot loader is small (512 bytes)
        • job is to load the second-stage boot loader
      • second boot loader is responsible for loading the Linux kernel
        • is loaded into RAM
        • when executed, a splash screen is displayed
  4. Linux image is loaded into RAM
  5. second-stage boot loader passes control to the kernel image
    • kernel image is decompressed and initialized
  6. second-stage boot loader loads the kernel image
    • called kernel stage of the boot process
    • kernel initializes devices connected to the system
    • switches CPU from real mode to protected mode
    • loads compressed kernel and calls decompress_kernel() function
    • may see “Uncompressing Linux…”
    • start_kernel() function is called
    • kernel displays a large number of messages on the screen as it initializes the various hardware items and processes
  7. first program starts after kernel initialization
    • in PC-based Linux, this is called init
    • kernel_thread() function is called to start init
    • kernel goes into an idle loop and becomes the idle thread with PID 0
    • init() begins high-level system initialization
  8. inspects the /etc/inittab file to determine the appropriate run level
  9. based on the run level, the init process then executes the appropriate startup script
    • located in subdirectories of /etc/rc.d
    • default boot run level is set in /etc/inittab with the initdefault variable

Logical Volume Management

Logical Volume Manager (LVM) is an abstraction layer that provides volume management for the Linux Kernel.

  • primary role is to
    • allow the resizing of partitions
    • ability to create backups by taking snapshots of the logical volumes

Linux File Systems

Ext

  • latest version is Ext 4
    • supports volume size of up to 1 exabyte (1 billion gigabytes)
    • supports single file sizes of up to 16 terabytes
  • Ext 3 is first to support journaling
  • 3 journaling types
    • journal
      • most secure and safe level
      • metadata and file contents are written to the journal before being written to the main file system
    • ordered
      • only metadata is written to the journal
      • changes to files are not journaled until they have been committed to the disk
    • writeback
      • only metadata is written to the journal
        • may be written before or after it is committed
  • Ext 4 added checksums in the journal to prevent errors

The Reiser File System

  • ReiserFS
  • supports journaling
  • performs very well when the hard drive has a large number of smaller files

The Berkeley File System

  • aka the Unix File System
  • developed at Berkeley for use with Linux
  • uses a bitmap to track free clusters, indicating which clusters are available

Linux Logs

  • logs interesting for forensic investigation
  • /var/log/faillog
    • contains failed user logins
  • /var/log/kern.log
    • used for messages from the operating system’s kernel
    • more likely to show systemwide problems
  • /var/log/lpr.log
    • printer log
    • can give a record of any items that have been printed from this machine
  • /var/log/mail.*
    • the mail server log
  • /var/log/apache2/*
    • if running Apache web server, then this shows related activity
  • /var/log/lighttpd/*
    • if running Lighttpd web server, then this shows related activity
  • /var/log/apport.log
    • records application crashes

Viewing Logs

  • to view a log, can use:
    • a variety of shell commands
    • GUI text editor
  • dmesg command is preferred way
    • dmesg | lpr
  • or can use
    • tail -f [log]
    • less
    • more -f
  • searching:
    • grep
  • find logs that have nothing in them:
    • ls -al /var/log/*
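The log triage described above (list the empty logs, then search the rest with grep and tail), as an added shell example that is not part of the original notes. It builds its own log directory with constructed sample lines so it runs offline; on a real system point LOGDIR at /var/log instead, and capture the kernel ring buffer separately with dmesg redirected to a file, as the notes recommend.

```shell
#!/bin/sh
# Added example (not from the original notes): triage a log directory the way
# the "Viewing Logs" notes describe. The directory and every log line in it are
# constructed here; nothing is read from the live system.

LOGDIR=$(mktemp -d)

# Constructed sample logs (syslog-style lines, not real system output).
printf '%s\n' \
  'Mar  3 10:01:12 host kernel: [  12.345] usb 1-1: new high-speed USB device number 3' \
  'Mar  3 10:01:13 host kernel: [  12.400] usb-storage 1-1:1.0: USB Mass Storage device detected' \
  'Mar  3 10:05:44 host kernel: [ 284.110] EXT4-fs (sdb1): mounted filesystem with ordered data mode' \
  > "$LOGDIR/kern.log"
printf '%s\n' \
  'Mar  3 10:02:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2' \
  'Mar  3 10:02:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2' \
  'Mar  3 10:03:10 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2' \
  > "$LOGDIR/auth.log"
: > "$LOGDIR/lpr.log"   # an empty log: the case "find logs that have nothing in them"

# empty_logs DIR: names of zero-length log files, one per line.
# -size 0 is the POSIX way to say "empty"; `ls -al` shows the same thing by size.
empty_logs() {
    find "$1" -type f -size 0 | sed 's#.*/##' | sort
}

# count_matches DIR PATTERN: number of lines across all logs matching PATTERN.
# `|| true` keeps grep's exit status 1 (no match) from aborting a `set -e` caller.
count_matches() {
    cat "$1"/* | grep -c -E "$2" || true
}

# last_lines FILE N: the newest N lines, i.e. what `tail -n N` prints;
# `tail -f` would keep following the file as new lines arrive.
last_lines() {
    tail -n "$2" "$1"
}

# Stand-alone run: show the empty logs and how many failed logins were recorded.
echo "empty logs: $(empty_logs "$LOGDIR" | tr '\n' ' ')"
echo "failed logins: $(count_matches "$LOGDIR" 'Failed password')"
```

The functions take the directory as a parameter rather than hard-coding /var/log so the same script can be pointed at a mounted evidence image (for example /mnt/evidence/var/log) without touching the suspect system's live logs.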

Linux Directories

  • key directories:
    • /root
      • home directory of the root user
      • root in Linux is same as administrator in Windows
    • /bin
      • holds binary or compiled files
        • means programs
    • /sbin
      • contains binary files that are not intended for average computer user
    • /etc
      • contains configuration files
    • /etc/inittab
      • boot-up process and operations config
    • /dev
      • contains device files
      • all hard drives start with hd
    • /mnt
      • devices are mounted here
    • /boot
      • contains files critical to booting
      • boot loader looks in this directory
      • common to keep kernel images in here
    • /usr
      • contains the subdirectories for individual users
    • /tmp
      • contains files that are needed temporarily
      • may find data on what has been happening most recently on the system
      • files here get removed on system reboot
      • this must be searched live
    • /var
      • contains many logs
    • /var/tmp
      • made available for programs that require temporary files or directories that are preserved between system reboots
      • by default, files stay here for 30 days
    • /var/backups
      • contains backups of various system files
      • files typically named with a .bak extension
    • /var/spool
      • contains print queue
      • history of being a place hackers like to hide files and communications
    • /proc
      • created in memory and keeps information about currently running processes
      • not really stored on a hard disk
    • /run
      • contains information about run-time variable data
      • cleared during boot process
      • formerly data was located in /var/run
        • some distros symlink these

Tmpfs

Tmpfs (temporary file system) is a Linux file system whose contents reside only in memory.

  • files here are never written to the local disk
  • once a tmpfs mount is unmounted, the entire file system is wiped
  • used to implement shared memory through /dev/shm
  • tmpfs is normally captured using memory capture
    • volatility --profile=Linuxthisx86 -f /root/lime-tmpfs linux_tmpfs

Shell Commands For Forensics

  • dmesg
    • used to view all the messages displayed during the boot process
    • recommended to pipe the output to a file
  • fsck
    • file system check
    • used to perform a file system health check on hard drives
    • using a file system utility has the potential to erase some data, especially data hidden in slack space
      • so try all other forensic methods before this
  • grep
    • allows searching for a wide range of parameters
  • history
    • allows you to see the commands that have previously been entered
    • by default, returns last 500 shell commands
    • can find history files for specific users
      • find / -name '.*history'
  • mount
    • used to mount a new file system
  • ps
    • shows the currently running processes for the current user
  • pstree
    • similar to ps but shows all the processes in the form of a tree structure
    • shows which processes initiated other processes
  • pgrep
    • takes the name you provide it and returns the PID for that process
    • can work with partial names
  • top
    • similar to ps, except it lists the processes in the order of how much CPU time the process is utilizing
  • kill
    • used to halt a process by PID
  • file
    • can tell you what a file is regardless of whether it has been renamed or had its extension changed
  • su
    • invokes super-user mode to get temporary root privileges
  • who
    • tells you all the users currently logged in to the system
  • finger
    • used to get back information regarding a specific user
  • dd
    • can be used to make a forensic copy of a drive
    • can also make a physical image of what is live in memory
    • Linux physical memory is accessible via two files:
      • /dev/mem
      • /proc/kcore
    • to make image of memory:
      • dd if=/dev/mem of=/evidence/image.memory1
  • ls
    • lists contents of the current directory
  • Finding executables
    • Linux uses ELF file format for executables
    • allows you to combine that info with the find command to find executables in places they should not be (e.g., /tmp)
      • find / -type f -exec file -p '{}' \; | grep ELF
  • Checking scheduled tasks
    • crontab -l
    • atq
    • systemctl list-timers --all
  • Finding oddities
    • files or directories that have no user or group:
      • find / \( -nouser -o -nogroup \) -exec ls -lg {} \;
    • files modified or created in the last day
      • find / -mtime -1
    • list any hidden directories
      • find / -type d -name ".*"
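The "Finding executables" and "Finding oddities" checks above, as an added shell example that is not part of the original notes. It builds a small constructed directory tree and runs the checks against that tree instead of /, so it is safe to execute anywhere; ROOT stands in for /. The ELF test reads the magic bytes directly rather than calling `file`, which the notes use, so the script has no dependency on libmagic.

```shell
#!/bin/sh
# Added example (not from the original notes): the find-based checks from the
# "Shell Commands For Forensics" section, run over a constructed tree.

ROOT=$(mktemp -d)
mkdir -p "$ROOT/tmp" "$ROOT/home/alice/.cache" "$ROOT/var/.hidden"

# Constructed files: a fake ELF (magic bytes only) hidden in /tmp, a shell
# script, and an old file whose mtime is set to 2020 so it is not "recent".
printf '\177ELF\002\001\001' > "$ROOT/tmp/.x"          # 7f 45 4c 46 = ELF magic
printf '#!/bin/sh\necho hi\n' > "$ROOT/home/alice/run.sh"
printf 'old\n' > "$ROOT/var/old.txt"
touch -t 202001010000 "$ROOT/var/old.txt"

# is_elf FILE: true if the first four bytes are the ELF magic.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# elf_in_dir DIR: paths of ELF files anywhere under DIR (pipe through
# `grep '^/tmp/'` or similar to focus on places executables should not be).
elf_in_dir() {
    find "$1" -type f | while read -r f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done
}

# recent_files DIR: files modified in the last 24 hours. The argument to
# -mtime is the digit one (-1), meaning "fewer than one day ago".
recent_files() {
    find "$1" -type f -mtime -1 | sort
}

# hidden_dirs DIR: directories whose name begins with a dot.
hidden_dirs() {
    find "$1" -type d -name '.*' | sort
}

# unowned DIR: entries whose owner or group has no passwd/group entry.
# Creating such a file needs root, so this one is only meaningful on a real
# system or mounted image; it is defined here for completeness.
unowned() {
    find "$1" \( -nouser -o -nogroup \) -exec ls -lg {} \;
}

# Stand-alone run.
echo "ELF files:";       elf_in_dir "$ROOT"
echo "recent files:";    recent_files "$ROOT"
echo "hidden dirs:";     hidden_dirs "$ROOT"
```

Run the same functions against a mounted evidence image by passing its mount point (for example /mnt/evidence) as DIR; `-mtime` then compares against the analysis machine's clock, so record the suspect system's clock offset before trusting the "last day" window.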

Can You Undelete in Linux?

  • when you refer to a file by name,
    • the OS uses the filename to lookup the corresponding inode
    • which enables the system to obtain the information it needs about the file
  • inode is a data structure that stores all information about a file except the filename and its actual data

Manual Method

  • in Linux, a file is deleted when its internal inode link count reaches zero
  • to retrieve a deleted file:
    1. Move the system to single-user mode
      • init command
    2. Several methods that can be used:
      1. using grep:
        • grep -b 'search-text' /dev/partition > file.txt
        • or grep -a -B[size before] -A[size after] 'text' /dev/[your partition] > file.txt
    3. use a command-line text editor to view the file
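The dd imaging described under "Shell Commands For Forensics" and the grep -b / grep -a -B -A carving described in the manual undelete method above, carried through together as an added shell example that is not part of the original notes. A constructed 8 KiB file stands in for /dev/partition, so nothing here reads a real disk; the same commands apply to a device node once it is imaged.

```shell
#!/bin/sh
# Added example (not from the original notes): image a "partition" with dd,
# verify the copy, then carve deleted-file text out of the image with grep.

WORK=$(mktemp -d)
PART="$WORK/partition.img"     # stands in for /dev/partition
IMAGE="$WORK/evidence.img"     # the forensic copy we actually search

# Build the constructed partition: zero-filled, with two text fragments left
# at known byte offsets, the way unlinked file contents linger in free space.
dd if=/dev/zero of="$PART" bs=1024 count=8 2>/dev/null
printf 'shopping list\n- milk\n- eggs\n' | dd of="$PART" bs=1 seek=1500 conv=notrunc 2>/dev/null
printf 'CONFIDENTIAL memo: project falcon\n' | dd of="$PART" bs=1 seek=6000 conv=notrunc 2>/dev/null

# image_partition SRC DST: bit-for-bit copy. noerror keeps reading past bad
# blocks; sync pads a short read with zeros so offsets in DST still match SRC.
image_partition() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# verify_image SRC DST: identical CRC and length (cksum is POSIX; prefer a
# sha256sum of both files where that tool is available).
verify_image() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# carve_offset IMAGE TEXT: byte offset of the first occurrence of TEXT.
# -a treats the binary image as text, -b prints the byte offset, and -o makes
# that offset refer to the match itself rather than the start of its "line".
carve_offset() {
    grep -a -b -o -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# carve_context IMAGE TEXT BEFORE AFTER: the matching line plus BEFORE lines
# before and AFTER lines after it, with NUL padding stripped so the result
# can be read in a text editor (step 3 of the manual method).
carve_context() {
    grep -a -B"$3" -A"$4" -- "$2" "$1" | tr -d '\000'
}

# Stand-alone run: image, verify, then locate the memo in the copy.
image_partition "$PART" "$IMAGE"
if verify_image "$PART" "$IMAGE"; then echo "image verified"; fi
echo "memo found at byte offset $(carve_offset "$IMAGE" 'CONFIDENTIAL')"
carve_context "$IMAGE" 'eggs' 2 0
```

Searching the verified copy rather than the device keeps the original untouched, and the checksum comparison is what lets you show later that the copy you carved from matches what was imaged.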

Forensics Tools for Linux

  • ForensicExplorer
    • allows you to mount any forensic image as a virtual machine
    • the mounted image is read-only
    • this is often the best approach to forensically examine a Linux machine