Interesting spots you should not miss to look at
For the forensic investigation, you may want to mount a copy of the original image on another Linux machine. The steps below illustrate how to mount a raw image on a Debian Linux machine:
Step 1: attach the image to a loop device:
sudo losetup /dev/loop0 <raw_image_to_mount>
(if /dev/loop0 is already occupied, /dev/loopX can be used instead)
Then verify that the image is attached with losetup -a
Step 2: use kpartx (available on most Linux systems) to map the image partitions.
Each partition will be mapped to /dev/mapper/loop0pX (X is a number)
sudo kpartx -a /dev/loop0
Step 3: mount the mapped partition read-only at a mount point of your choice
sudo mount -o ro /dev/mapper/loop0pX <mount_point>
Now let's start analysing:
Host and environment information:
/etc/hosts is the configuration file for local DNS name assignment.
/etc/resolv.conf is the configuration file for DNS resolution. However, if the resolvconf program is used, the DNS configuration is in /etc/resolvconf/run/resolv.conf.
/etc/dnsmasq.conf is the configuration file for the DNS forwarder and DHCP server, if one is deployed on the investigated host.
/etc/wpa_supplicant/*.conf contains the SSID configurations to which the Linux machine will automatically connect when the Wi-Fi signal is in the vicinity.
There are three places to find login and connection information:
(1) /var/log/auth.log records connections/authentication to the Linux host. The command "grep -v cron auth.log* | grep -v sudo | grep -i user" filters out most of the unnecessary data and leaves only information regarding connection/disconnection.
(2) /var/log/wtmp maintains the status of the system, system reboot times and user logins (providing time, username and IP address if available). For more information, please refer to the Wikipedia page on utmp/wtmp.
(3) /var/log/btmp records failed login attempts.
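wtmp and btmp are binary files, so they cannot be grepped like auth.log. As an added example that is not part of the original article, the Python below decodes the record layout glibc uses on x86_64 (384-byte, little-endian records; the same layout applies to btmp) and pairs logins with their logouts; the wtmp image it parses is constructed inline, not real evidence.

```python
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64 (384 bytes, native little-endian):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# exit_status{e_termination,e_exit}, ut_session, ut_tv{tv_sec,tv_usec},
# ut_addr_v6[4], 20 unused bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_wtmp(data):
    """Yield one dict per record of a raw wtmp/btmp file image."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
               "host": _cstr(f[5]), "time": datetime.fromtimestamp(f[9], tz=timezone.utc)}


def sessions(data):
    """Pair each USER_PROCESS login with the DEAD_PROCESS record on the same tty.

    Returns (user, host, login_time, logout_time); logout_time is None when the
    session was never closed (still logged in, or the system crashed)."""
    open_, out = {}, []
    for r in parse_wtmp(data):
        if r["type"] == USER_PROCESS:
            open_[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_:
            s = open_.pop(r["line"])
            out.append((s["user"], s["host"], s["time"], r["time"]))
    out.extend((s["user"], s["host"], s["time"], None) for s in open_.values())
    return out


def _rec(utype, pid, line, user, host, tv_sec):
    """Build a constructed wtmp record (test data only, not real evidence)."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample: a reboot, one closed SSH session and one still-open session
SAMPLE_WTMP = (_rec(BOOT_TIME, 0, "~", "reboot", "", 1700000000)
               + _rec(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.7", 1700000600)
               + _rec(DEAD_PROCESS, 4242, "pts/0", "", "", 1700003600)
               + _rec(USER_PROCESS, 4300, "pts/1", "bob", "198.51.100.9", 1700004000))
```

Feed it the bytes of a copied /var/log/wtmp to get the same session list `last` would print, with timestamps in UTC rather than the image's local time.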
Account and group: may provide more insight into the permissions of a user of interest, or reveal whether any suspicious account was created. This information is stored in /etc/passwd (user accounts) and /etc/group (group information). Furthermore, it is recommended to check the /etc/sudoers file as well, since it describes what commands a user can run with elevated privileges.
Mounted Disks: provide more insight into how the Linux box is set up. Noticeably, attackers may mount a particular path in RAM; hence, its contents will not survive a reboot.
- Cron jobs are often used for persistence. Cron jobs can be examined in /etc/crontab (system-wide crontab) and /var/spool/cron/crontabs/<username> (per-user crontab).
- Bash shell initialization: when starting a shell, bash first executes ~/.bashrc and ~/.bash_profile for each user. /etc/bash.bashrc and /etc/profile are the system-wide versions of ~/.bashrc and ~/.bash_profile (if another shell is used, check the documentation of that shell for its equivalent configuration files).
- Service start-up: System V (configuration files are in /etc/init.d/* and /etc/rc[0-6].d/*), Upstart (configuration files are in /etc/init/*) and systemd (configuration files are in /lib/systemd/system/* and /etc/systemd/system/*). For more information regarding service start-up, please refer to How To Configure a Linux Service to Start Automatically After a Crash or Reboot, Part 2: Reference.
- RC (run-control) is the traditional way for init to start services/programs when the run level changes. Its configuration can be found in /etc/rc.local.
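Checking every hook above by hand across a mounted image is tedious, so here is an added triage script (not part of the original article) that walks the crontabs, systemd units and shell/rc initialization files listed above under a mount root and flags commands that live on RAM-backed or world-writable paths, the tmpfs trick mentioned under Mounted Disks. The image root it scans is constructed in a temporary directory; the file names and contents there are test data, not real indicators.

```python
import re
import tempfile
from pathlib import Path

# Startup hooks listed above (paths relative to the mounted image root) and,
# per class, which lines in them actually name a command
HOOKS = (
    (("etc/crontab", "var/spool/cron/crontabs/*"),
     lambda l: "=" not in l.split()[0]),            # drop SHELL=/bin/sh style assignments
    (("etc/systemd/system/*.service", "lib/systemd/system/*.service"),
     lambda l: l.startswith("ExecStart")),
    (("etc/rc.local", "etc/profile", "etc/bash.bashrc", "root/.bashrc",
      "root/.bash_profile", "home/*/.bashrc", "home/*/.bash_profile"),
     lambda l: l != "exit 0"),
)
# Commands living on RAM-backed or world-writable paths deserve a closer look
VOLATILE = re.compile(r"(?:^|[\s=])(?:/tmp|/var/tmp|/dev/shm|/run)/")


def _lines(path):
    """Non-empty, non-comment lines of a hook file."""
    for raw in path.read_text(errors="replace").splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def collect_hooks(root):
    """Return (file relative to root, line) for every command a startup hook runs."""
    root = Path(root)
    return [(str(p.relative_to(root)), l) for globs, keep in HOOKS
            for pat in globs for p in root.glob(pat) for l in _lines(p) if keep(l)]


def suspicious_hooks(root):
    """Hooks whose command lives in a volatile path (the RAM mount noted above)."""
    return [h for h in collect_hooks(root) if VOLATILE.search(h[1])]


def build_sample_root():
    """Constructed image root: one benign and two planted hooks (test data only)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "etc/crontab": "SHELL=/bin/sh\n17 * * * * root cd / && run-parts /etc/cron.hourly\n"
                       "@reboot root /dev/shm/.x/run.sh\n",
        "etc/systemd/system/update.service": "[Service]\nExecStart=/tmp/.cache/agent --daemon\n",
        "etc/rc.local": "#!/bin/sh -e\n# local startup commands\nexit 0\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root
```

Point `collect_hooks` at the mount point from Step 3 to get the full inventory, and review `suspicious_hooks` first; a benign unit that legitimately runs from /run will show up too, so the list is a triage aid rather than a verdict.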
If a user uses Vim to open/edit a file, examining Vim's info file (~/.viminfo) would reveal a lot of information about opened files, search strings, command lines and epoch times.
Recently accessed/modified/changed files by a user can be listed with find.
Example find commands for files accessed/modified/changed by <username> in the last 7 days (the -user test must come before -printf, otherwise -printf runs for every user's files before the filter is evaluated):
find ./ -type f -user <username> -atime -7 -printf "%AY%Am%Ad%AH%AM%AS %h/%s/%f\n" | sort -n
find ./ -type f -user <username> -mtime -7 -printf "%TY%Tm%Td%TH%TM%TS %h - %s - %f\n" | sort -n
find ./ -type f -user <username> -ctime -7 -printf "%CY%Cm%Cd%CH%CM%CS %h - %s - %f\n" | sort -n
MACB time stands for Modify, Access, Change and Birth (creation time, which only exists from ext4 onward). MAC times can be viewed with the command "stat filename". However, viewing the birth (creation) time requires a bit more work, as described in the debugfs-command-show-file-creation-time-in-linux article.
Bash history: contains commands executed in the bash shell. It usually records executed commands without timestamps. The bash history file for a user is located in that user's home folder (~/.bash_history) and in /root/.bash_history for the root account. Hence, it is important to examine the bash histories of both ordinary users and root.
Execution with sudo: is necessary when the execution requires root privileges. All executions with sudo are recorded in:
Find recently accessed executable files by a user. The example below finds all executable files run by the user thole in the last 7 days.
find . -type f -perm /111 -user thole -atime -7 -printf "%AY%Am%Ad%AH%AM%AS %h - %s - %f\n" | sort -n
/var/log/auth.log (/var/log/secure on RHEL/CentOS): this log contains all authentication events and cron job session events (e.g. session start and close) on Debian. This may be the most important log to analyse.
/var/log/daemon.log: records events generated by background daemons. Usually, background processes/services offer invaluable evidence of a user's activities.
/var/log/syslog (/var/log/messages on RHEL/CentOS): contains general system messages. In particular, it also contains cron job executions with their associated commands.