Welcome to Scribd!

Forerense en Linux

Uploaded by

0% found this document useful (0 votes)

57 views18 pages

Linux forensics differs from Windows in that Linux has no registry, uses a different file system without creation dates, and stores most data as plain text files. Key areas to examine include configuration files in /etc, logs in /var/log, and each user's home directory to find web browsers, command history, and SSH files. Investigators should look for persistence mechanisms, backdoors, and other unusual files and directories that could indicate unauthorized activity.

Original Description:

Una guia metodica para el desarrollo de forense

Original Title

Forerense en linux

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pdf or txt

0% found this document useful (0 votes)

57 views18 pages

Forerense en Linux

Uploaded by

Kika Arteaga F

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pdf or txt

Jump to Page

You are on page 1of 18

Search inside document

Linux Forensics

(for Non-Linux Folks)

Hal Pomeranz
Deer Run Associates

What's Different About Linux?

No registry
Have to gather system info from scattered sources

Different file system

No file creation dates (until EXT4)
Important metadata zeroed when files deleted

Files/data are mostly plain text

Good for string searching & interpreting data

Accessing the File System

Can be complicated
Encryption, RAID, Logical Volume Mgmt,
Multiple partitions to mount
http://computer-forensics.sans.org/blog/2010/10/06/
http://deer-run.com/~hal/CEIC-dm-crypt-LVM2.pdf

What Should We Look At?

/etc

[%SystemRoot%/System32/config]

Primary system configuration directory

Separate configuration files/dirs for each app

/var/log

[Windows event logs]

Security logs, application logs, etc

Logs normally kept for about 4-5 weeks

/home/$USER

[%USERPROFILE%]

User data and user configuration information

Basic System Profiling

Linux distro name/version number:
/etc/*-release

Installation date:
Look at dates on /etc/ssh/ssh_host_*_key files

Computer name:
/etc/hostname (also log entries under /var/log)

IP address(es):
/etc/hosts
/var/lib/dhclient, /var/log/*

(static assignments)
(DHCP)

Default Time Zone

/etc/localtime stores default time zone data
Binary file format:
Use "zdump" on Linux
Look for matching file under /usr/share/zoneinfo

User Accounts
Basic user data in /etc/passwd
Any UID 0 account has admin privs

MD5 password hashes in /etc/shadow

(brute force with "John the Ripper")

/etc/sudoers may indicate users w/ admin privs

Group memberships in /etc/group

User Login History

/var/log/wtmp
Shows user, source, time, and duration of login
Need to use Linux "last" command to view

Other logs that may contain useful data:

/var/log/auth.log
/var/log/secure
/var/log/audit/audit.log

There's No Place Like $HOME

/home/<user> is common convention
Home dir for admin user is /root
"Hidden" files/dirs have names starting w/ "."
Contain app-specific configuration information
Sometimes executed at login
Possible back-door or persistence mechanism

Web Browser Artifacts

Firefox and Chrome are common browsers
File formats the same as Windows (SQLite DBs)
Files under user home directories:
Firefox: $HOME/.mozilla/firefox/*.default
Chrome: $HOME/.config/chromium/Default

Nautilus

Linux graphical file browser

Like Windows Explorer
Thumbnails: $HOME/.thumbnails
Recent files: $HOME/.recently-used.xbel

Command History
$HOME/.bash_history
Unfortunately not time-stamped by default
Can be modified/removed by user
Sudo history in:
/var/log/auth.log
/var/log/sudo.log

SSH
Standard remote access/file xfer mechanism
Useful files in $HOME/.ssh:
known_hosts hosts user connected to from here
authorized_keys public keys used for logins to here
id_rsa private keys used to log in elsewhere

Things to Watch Out For

Persistence mechanisms
Back doors
Other suspicious files and directories

Persistence Mechanisms
Service start-up scripts
/etc/inittab, /etc/init.d, /etc/rc.d
/etc/init.conf, /etc/init

Scheduled tasks ("cron jobs")

/etc/cron*
/var/spool/cron/*

(traditional)
(Upstart)

Back Doors
Deliberate malware/Trojan horse installs
In /etc/passwd and /etc/shadow:
Extra UID 0 accounts
"Application" accounts with active passwords

New $HOME/.ssh/authorized_keys entries

Back doors via [x]inetd
/etc/inetd.conf
/etc/xinetd.conf, /etc/xinetd.d

Also Watch Out For

Rogue "set-UID" files

Directories w/ names that start with "."
Regular files under /dev directory
Recently modified files
Large files

Wrapping Up
Any final questions?
Thanks for listening!

Hal Pomeranz
hal@deer-run.com

Twitter: @hal_pomeranz

http://www.deer-run.com/~hal/
http://computer-forensics.sans.org/blog/author/halpomeranz/
http://www.sans.org/security-training/instructors/Hal-Pomeranz

Linux Final Exam
Document17 pages
Linux Final Exam
Super Rage
100% (1)
Lecture 5
Document25 pages
Lecture 5
digital pe
No ratings yet
Linux FileSystem PDF
Document8 pages
Linux FileSystem PDF
nlly4u
No ratings yet
Unix: System Administration and Security
Document33 pages
Unix: System Administration and Security
anoop
100% (2)
Lecture 5
Document25 pages
Lecture 5
heloise maxine
No ratings yet
Unix File System
Document15 pages
Unix File System
Vamsi Krishna
No ratings yet
Chapter 7: Finding Files
Document22 pages
Chapter 7: Finding Files
Zain Alabeeden Alareji
No ratings yet
System and Network Administration Operating System Essentials
Document48 pages
System and Network Administration Operating System Essentials
Arsalan Jahani
No ratings yet
Linux File System
Document24 pages
Linux File System
Raj Shekar
100% (1)
Forensic Analysis of A Windows 2000 Server Operating System: Joshua Young CS585F - Fall 2002
Document63 pages
Forensic Analysis of A Windows 2000 Server Operating System: Joshua Young CS585F - Fall 2002
Khan Bahi
No ratings yet
Linux Privilege Escalation Overview
Document21 pages
Linux Privilege Escalation Overview
laihiala
No ratings yet
Manage Directories and Files in Linux: Objectives
Document11 pages
Manage Directories and Files in Linux: Objectives
Aziz Zouhir
No ratings yet
Linux File Architecture
Document10 pages
Linux File Architecture
Muhammad Aslam
No ratings yet
File System
Document30 pages
File System
Rishabh Chandila
No ratings yet
D1 - Exploiting Directory Permissions On MacOS - Csaba Fitzl PDF
Document69 pages
D1 - Exploiting Directory Permissions On MacOS - Csaba Fitzl PDF
momoomoz
No ratings yet
Operating System Essentials
Document33 pages
Operating System Essentials
Min Lwin
No ratings yet
File Systems
Document39 pages
File Systems
Ajeet Baboo
No ratings yet
Server Administration - System Component
Document34 pages
Server Administration - System Component
KsNoegroho
No ratings yet
P04 - What and Where Is The Evidence?: C331 - Digital Security and Forensics
Document57 pages
P04 - What and Where Is The Evidence?: C331 - Digital Security and Forensics
Salas Karin Salamida
No ratings yet
Log Files: Log Files Are Files That Contain Messages About The System, Including The Kernel
Document21 pages
Log Files: Log Files Are Files That Contain Messages About The System, Including The Kernel
Sougata Roy Chowdhury
No ratings yet
File System in Unix
Document31 pages
File System in Unix
Rishabh Chandila
No ratings yet
File Management
Document67 pages
File Management
Tharaka Methsara
No ratings yet
Fhs in Linux
Document3 pages
Fhs in Linux
Bianca Petrescu
No ratings yet
Module 5 - Managing Security & File Systems
Document24 pages
Module 5 - Managing Security & File Systems
Vaibhav Ravindra
No ratings yet
3.navigating Filesystem
Document28 pages
3.navigating Filesystem
Haimish tube
No ratings yet
Introduction To File Organization
Document30 pages
Introduction To File Organization
Jbkhun
No ratings yet
DFS Design and Implementation: Brent R. Hafner
Document40 pages
DFS Design and Implementation: Brent R. Hafner
Shweta panwar
No ratings yet
Ch. 2 ... Part - 4
Document15 pages
Ch. 2 ... Part - 4
V
No ratings yet
System Access and File System - Linux Administration
Document13 pages
System Access and File System - Linux Administration
Ben Ai Qwecy
No ratings yet
Linux Administrator Guide1
Document31 pages
Linux Administrator Guide1
Moe Thet Hnin
No ratings yet
Basic Linux
Document2 pages
Basic Linux
pkamal0111
100% (1)
Linux Directory Structure
Document15 pages
Linux Directory Structure
G.R.THIYAGU ; Oracle DBA
No ratings yet
6 Stages of Linux Boot Process (Startup Sequence)
Document11 pages
6 Stages of Linux Boot Process (Startup Sequence)
joshi.isha.ec
No ratings yet
Mist Linux - 26092018 PDF
Document101 pages
Mist Linux - 26092018 PDF
krishna mohan
No ratings yet
Techno of AWSV
Document1 page
Techno of AWSV
Ananda Shrestha
No ratings yet
Intro To Linux
Document34 pages
Intro To Linux
Niklaus Michaelson
No ratings yet
Linux Unix Day 2
Document64 pages
Linux Unix Day 2
Mayur Ingle
No ratings yet
Understanding UNIX
Document3 pages
Understanding UNIX
kk4953
No ratings yet
ISO 9001: 2008 Certified Company
Document50 pages
ISO 9001: 2008 Certified Company
Unni Krishnan
No ratings yet
Linux File System Structure
Document3 pages
Linux File System Structure
donald_f
No ratings yet
Digital Forensics: Computer Forensics
Document26 pages
Digital Forensics: Computer Forensics
baby app
No ratings yet
Understanding UNIX / Linux File System: What Is A File?
Document9 pages
Understanding UNIX / Linux File System: What Is A File?
Abhinav Madheshiya
No ratings yet
Chapter 5 File Management
Document37 pages
Chapter 5 File Management
Brian Mutuku
100% (2)
Linux Directory Structure Explained
Document3 pages
Linux Directory Structure Explained
Anonymous vcdqCTtS9
No ratings yet
Linux Directory Structure
Document5 pages
Linux Directory Structure
bomoarebun
No ratings yet
Linux File System
Document2 pages
Linux File System
Xanthopus
No ratings yet
DFS Design and Implementation
Document40 pages
DFS Design and Implementation
sanjeewa
No ratings yet
Lecture 2 Linux Standard File System
Document7 pages
Lecture 2 Linux Standard File System
sherkoasan5
No ratings yet
Actionable DFIR: High Level System Analysis To Get Answers Fast
Document21 pages
Actionable DFIR: High Level System Analysis To Get Answers Fast
Chad Graham
100% (2)
SCI4201 Lecture 4 - Data Acquistion
Document46 pages
SCI4201 Lecture 4 - Data Acquistion
onele mabhena
No ratings yet
Linux/Unix Introduction: Lets Understand
Document22 pages
Linux/Unix Introduction: Lets Understand
thesweetdevilguy
No ratings yet
Chapter 6 File System
Document9 pages
Chapter 6 File System
Daya Ram Budhathoki
No ratings yet
Lecture 1-Introduction
Document20 pages
Lecture 1-Introduction
samwel sitta
No ratings yet
File System
Document37 pages
File System
Zainab Hameed
No ratings yet
Linux Fundamentals HTB
Document14 pages
Linux Fundamentals HTB
mercyjoash5
No ratings yet
3 User Account in Linux
Document19 pages
3 User Account in Linux
Sanjay Yadav
No ratings yet
Week 11
Document78 pages
Week 11
manyagarg787
No ratings yet
06-Chap04-FileSystems-4slots (86 Slides)
Document86 pages
06-Chap04-FileSystems-4slots (86 Slides)
AN NINH NGUYEN
No ratings yet
39 - Physical Memory Forensics
Document53 pages
39 - Physical Memory Forensics
smithm007
No ratings yet
Series: Basic Linux Administration
Document18 pages
Series: Basic Linux Administration
lbchandran
No ratings yet
Best Free Open Source Data Recovery Apps for Mac OS English Edition
From Everand
Best Free Open Source Data Recovery Apps for Mac OS English Edition
Cyber Jannah Sakura
No ratings yet
Toshiba - L300 - (Invatec) - Schematics
Document63 pages
Toshiba - L300 - (Invatec) - Schematics
bcatlock
No ratings yet
MESSAGE - TYPE - X Dump AM888: Symptom
Document2 pages
MESSAGE - TYPE - X Dump AM888: Symptom
zaki Abadul Basit
No ratings yet
DS MCQ
Document13 pages
DS MCQ
bhagwatsachin
100% (1)
Spotlight On SQL Server Reporting and Trending Guide
Document48 pages
Spotlight On SQL Server Reporting and Trending Guide
Edson Cabrera
No ratings yet
Nqquery New
Document70 pages
Nqquery New
Jirayasmiley
No ratings yet
CS 332: Algorithms: Medians and Order Statistics Structures For Dynamic Sets
Document40 pages
CS 332: Algorithms: Medians and Order Statistics Structures For Dynamic Sets
Anonymous niE5VQOH
No ratings yet
Demonstration of Arcpy GIS Applications: By: Anmol Bhardwaj NHP, BBMB Chandigarh
Document38 pages
Demonstration of Arcpy GIS Applications: By: Anmol Bhardwaj NHP, BBMB Chandigarh
Praveen Kalura
No ratings yet
HiS700 HW Health Check Procedure v1
Document12 pages
HiS700 HW Health Check Procedure v1
johnnywalker2000
No ratings yet
IGCSE ICT Ch11 Filemanagement
Document28 pages
IGCSE ICT Ch11 Filemanagement
Essential Center
No ratings yet
Installation of JasperServer 4.2.1 With MySQL
Document8 pages
Installation of JasperServer 4.2.1 With MySQL
parveenkarthi
No ratings yet
HiOSL2e 06 Redundancy
Document63 pages
HiOSL2e 06 Redundancy
Christine Velasco
No ratings yet
Riak Handbook
Document166 pages
Riak Handbook
Andres Tuells Jansson
No ratings yet
Megaraid Sas 8888elp Raid Controller: Quick Installation Guide
Document3 pages
Megaraid Sas 8888elp Raid Controller: Quick Installation Guide
JRocha
No ratings yet
Sas Sugi
Document4 pages
Sas Sugi
Evarist Galois
No ratings yet
Chapter2 Managing Files From The Command Line
Document2 pages
Chapter2 Managing Files From The Command Line
Hassan Mohamed
No ratings yet
Server L10 Training Day1 - F
Document81 pages
Server L10 Training Day1 - F
bren john monserrat
No ratings yet
Win10 Install
Document5 pages
Win10 Install
n4me
No ratings yet
Limitations of Snmpv1 History of Snmpv2 - Hierarchies - Security Snmpv2 Protocol Operations Transport Independence Rfcs
Document24 pages
Limitations of Snmpv1 History of Snmpv2 - Hierarchies - Security Snmpv2 Protocol Operations Transport Independence Rfcs
coolparkinglot
No ratings yet
Ghetto Tech Preview - Ghettovcb-Restore - SH - Restoring VM'S Backed Up From Ghettovcb To Esx (I) 3.5 and 4.0+
Document8 pages
Ghetto Tech Preview - Ghettovcb-Restore - SH - Restoring VM'S Backed Up From Ghettovcb To Esx (I) 3.5 and 4.0+
rpnegro
No ratings yet
Brochure Oracle DBABrochure Oracle DBA Basics Non BSNL Basics Non BSNL
Document2 pages
Brochure Oracle DBABrochure Oracle DBA Basics Non BSNL Basics Non BSNL
Sushil
No ratings yet
Export Ssrs Report To PDF Landscape
Document2 pages
Export Ssrs Report To PDF Landscape
Victoria
No ratings yet
Micro 00
Document9 pages
Micro 00
Mustafa Alobaidi
No ratings yet
Web Scraping Project
Document1 page
Web Scraping Project
prerak sheth
No ratings yet
OSV Practical GTU Sem 4
Document96 pages
OSV Practical GTU Sem 4
John Patel
No ratings yet
Seminar On Zebu
Document24 pages
Seminar On Zebu
Sudeep Unnikrishnan
No ratings yet
Deploy and Manage Azure Compute Resources: Deploying A Virtual Machine
Document70 pages
Deploy and Manage Azure Compute Resources: Deploying A Virtual Machine
mahesh
No ratings yet
Telecommunication Network Lab Manual
Document45 pages
Telecommunication Network Lab Manual
Ashish Ranjan
75% (4)
4GL Programming Language
Document10 pages
4GL Programming Language
Ronit Singh
No ratings yet
BSIT Nov Dec 2012 2nd Cycle
Document59 pages
BSIT Nov Dec 2012 2nd Cycle
Piyush Priyank
No ratings yet