Intro
While Windows forensics is widely covered by courses and articles, far fewer resources introduce Linux forensics. OS forensics is the art of finding the evidence and artifacts left by the system, its applications and user activity in order to answer a specific question.
Since there are many Linux distributions and this article can't cover all of them, all artifacts below are presented for Debian.
Full cheatsheet path:

| Phase | Description |
| --- | --- |
| Quick Risk Audit Process | Automated tools and commands give a decent picture of the OS and its vulnerabilities. |
| Users & Groups | Mapping and forensics of user and group activity. |
| System Configuration | Configuration deployed on the system. |
| User Activities | File MACB timestamps and mount points created by the user. |
| Log Analysis | Logins and failed logins to services such as SSH, Telnet, etc. |
| Persistence Mechanisms | Mapping most of the persistence mechanisms available on a Linux OS. |
| Forensics Tools | Imaging tools that help create a forensic image for further investigation. |
Phase 0 - Quick Risk Audit Process
The risk audit process is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses.
✔️ Hunting for passwords
✔️ Hunting for SSH keys
✔️ LinPeas
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The goal of this script is to search for possible Privilege Escalation Paths.
✔️ LinuxSmartEnumeration
This shell script shows relevant information about the security of the local Linux system, helping to escalate privileges.
Phase 1 - Users & Groups
As an Incident Responder, it is very important to investigate user account activity. It helps you understand the logged-in users, the existing users, usual and unusual logins, failed login attempts, permissions, sudo access, etc.
Users
✔️Users list
To identify whether there is an account on the system that looks suspicious:
✔️User's creation date
The 'setuid' bit in Linux is a special file permission. For example, when a user on a Linux system wants to change their password, they run the 'passwd' command:
✔️UID-0 users
Searching for ':0:' in the /etc/passwd file displays the UID 0 accounts:
✔️Temporary users
To identify and display whether an attacker created any temporary user:
Groups
✔️Groups list
The group file lists the groups on the system and the users that belong to them:
✔️sudoers group
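The Phase 1 checks above (UID-0 accounts, temporary users, the sudo group) as one added example that is not from the original article; it runs on constructed passwd and group files, and the account names and the sudo GID are assumptions for the sample only:

```shell
#!/bin/sh
# Added example, not from the original article: triage the passwd and group
# files for the Phase 1 indicators. It runs on constructed sample files, so it
# is safe to execute anywhere; on a real image pass <mount>/etc/passwd and
# <mount>/etc/group to the functions instead.

# Constructed sample: "backup2" (a second UID-0 account homed in /tmp) and
# "svc-tmp" (an unexpected sudo member) are the planted findings.
make_samples() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
svc-tmp:x:1001:1001::/home/svc-tmp:/bin/bash
EOF
  cat > "$2" <<'EOF'
root:x:0:
sudo:x:27:alice,svc-tmp
users:x:100:
EOF
}

# Field 3 of passwd is the UID; any UID-0 account besides root is a finding.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Accounts that get an interactive shell (field 7 is not nologin/false).
interactive_accounts() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"; }

# Accounts homed under /tmp or with no home at all: typical of throwaway users.
temp_home_accounts() { awk -F: '$6 ~ /^\/tmp/ || $6 == "" { print $1 }' "$1"; }

# Members listed in field 4 of the "sudo" group (full sudo rights on Debian).
sudo_members() {
  awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

main() {
  p=$(mktemp) && g=$(mktemp) && make_samples "$p" "$g"
  echo "UID-0 accounts besides root:"; extra_uid0 "$p"
  echo "accounts with a login shell:"; interactive_accounts "$p"
  echo "accounts homed in /tmp or without a home:"; temp_home_accounts "$p"
  echo "sudo group members:"; sudo_members "$g"
  rm -f "$p" "$g"
}
main "$@"
```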
Phase 2 - System Configuration
✔️Network configurations
Configuration files for network setup:
✔️OS information
Determines OS release information:
✔️Hostname
✔️Time zone
Phase 3 - User Activities
✔️Recently accessed/modified/changed files
Find recently accessed/modified/changed files by a user with find:
✔️Bash History
Contains the commands executed in the bash shell. It usually records past executions without timestamps:
✔️Mounted points
To check if there is an unknown mount on your system:
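The recent-file and bash-history checks of Phase 3 as one added example that is not from the original article; the directory tree, file names and history entries are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not from the original article: the Phase 3 checks on a
# constructed tree. recent_files() finds files modified inside a time window;
# history_with_times() reads a bash history file and shows which commands
# carry a HISTTIMEFORMAT timestamp (the "#<epoch>" line above them) and
# which do not, i.e. where ordering is all the evidence the file gives.

# Files modified within the last $2 minutes below $1 (mtime, the M of MACB).
# -amin and -cmin work the same way for access and inode-change time; note
# that touch(1) and chmod(1) update ctime even when they set mtime back.
recent_files() {
  find "$1" -type f -mmin "-$2" 2>/dev/null | sort
}

# Print "<epoch or ->TAB<command>" for every entry of a history file.
history_with_times() {
  awk '/^#[0-9]+$/ { ts = substr($0, 2); next }
       { print (ts == "" ? "-" : ts) "\t" $0; ts = "" }' "$1"
}

# Number of history commands that carry no timestamp.
untimed_count() { history_with_times "$1" | awk -F'\t' '$1 == "-"' | wc -l | tr -d ' '; }

# Constructed sample: two files back-dated to 2020, one fresh file in a hidden
# directory, and a history file whose last command has no timestamp.
make_samples() {
  mkdir -p "$1/home/alice/.cache"
  printf 'x\n' > "$1/home/alice/notes";         touch -t 202001010000 "$1/home/alice/notes"
  printf 'x\n' > "$1/home/alice/.cache/stale";  touch -t 202001010000 "$1/home/alice/.cache/stale"
  printf 'x\n' > "$1/home/alice/.cache/dropped"
  cat > "$1/home/alice/.bash_history" <<'EOF'
#1709460000
ls -la /tmp
#1709460060
cat /etc/passwd
id
EOF
}

main() {
  r=$(mktemp -d) && make_samples "$r"
  echo "modified in the last 60 minutes:"; recent_files "$r" 60
  echo "history (epoch or - when missing):"; history_with_times "$r/home/alice/.bash_history"
  rm -rf "$r"
}
main "$@"
```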
Phase 4 - Log Analysis
To identify suspicious SSH, telnet or other service logins and authentications on the system, go to the /var/log/ directory and search for:
✔️Log entries
✔️auth.log (SSH/TELNET/Sudo Logs)
✔️daemon.log
Records events generated by background daemons. Background processes and services usually offer invaluable logs of a user's activities.
✔️syslog
Contains general system messages. In particular, it also contains cron job executions with their associated commands.
✔️wtmp
A file on Unix-like (including BSD) operating systems that keeps a history of all logins and logouts.
✔️btmp
The btmp log keeps track of failed login attempts.
✔️Application logs
Other application logs (if available) also provide a lot of useful information for a forensic case, for example the apache2, httpd, samba and MySQL logs.
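The auth.log analysis of Phase 4 as one added example that is not from the original article; it runs over a constructed Debian-style auth.log whose host name, users and RFC 5737 documentation addresses are sample values:

```shell
#!/bin/sh
# Added example, not from the original article: Phase 4 checks over a
# constructed Debian-style auth.log. Every function takes the log path, so
# on a real case pass /var/log/auth.log (or a rotated copy). The sample
# addresses are from the RFC 5737 documentation ranges, not real hosts.
make_sample_log() {
  cat > "$1" <<'EOF'
Mar  3 10:01:12 debian sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51514 ssh2
Mar  3 10:01:15 debian sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51516 ssh2
Mar  3 10:01:20 debian sshd[1203]: Failed password for root from 198.51.100.7 port 51520 ssh2
Mar  3 10:02:40 debian sshd[1210]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
Mar  3 10:03:01 debian sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:05:30 debian sshd[1222]: Failed password for bob from 203.0.113.5 port 33000 ssh2
Mar  3 10:06:00 debian sshd[1230]: Accepted publickey for root from 198.51.100.7 port 51600 ssh2
EOF
}

# Failed SSH password attempts per source as "count source", most frequent first.
failed_by_source() {
  awk '/sshd.*Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' "$1" \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}
# Successful SSH logins as "user source method" (field 7 is password/publickey).
accepted_logins() {
  awk '/sshd.*Accepted/ { for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") s = $(i+1) }
                          print u, s, $7 }' "$1"
}
# Sources that failed first and then logged in: a brute force that eventually
# worked, or a legitimate user mistyping. Output "source user failures".
success_after_failures() {
  awk '/sshd.*Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++ }
       /sshd.*Accepted/ { for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") s = $(i+1) }
                          if (s in failed) print s, u, failed[s] }' "$1"
}
# Commands run through sudo as "user command" (field 6 is the invoking user).
sudo_commands() {
  awk '/ sudo: / { u = $6; sub(/.*COMMAND=/, ""); print u, $0 }' "$1"
}

main() {
  log=$(mktemp) && make_sample_log "$log"
  echo "failed attempts by source:"; failed_by_source "$log"
  echo "accepted logins:"; accepted_logins "$log"
  echo "success after failures:"; success_after_failures "$log"
  echo "sudo commands:"; sudo_commands "$log"
  rm -f "$log"
}
main "$@"
```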
Phase 5 - Persistence Mechanisms
On Linux, just like Windows, malware once loaded wants to stay loaded. On Windows systems, this is usually done with a variety of registry mechanisms. For Linux, it’s often done using the crontab scheduling facility or a malicious service running on the system.
✔️Services
The services in a Linux system can be classified into system services and network services. System services include the status of services, cron, etc., and network services include file transfer, domain name resolution, firewalls, etc. As an incident responder, you need to identify whether there is any anomaly in the services.
✔️Processes
To get a dynamic, real-time view of all processes running on the Linux system, together with a summary of system information and the list of processes and their IDs or threads managed by the Linux kernel, we use:
✔️Scheduled Tasks and jobs
✔️DNS Resolves
To troubleshoot DNS configuration and to obtain the list of keywords with values that provide the various types of resolver information, we use:
✔️Firewall Rules
To check and manage IPv4 packet filtering and NAT on Linux systems we use:
✔️Network Connections
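The "Scheduled Tasks and jobs" check of Phase 5 as one added example that is not from the original article: it enumerates the cron locations Debian uses below a given root and flags entries with common persistence indicators. The sample tree, job names and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: enumerate the cron locations
# Debian uses (Phase 5, "Scheduled Tasks and jobs") below a root directory,
# so it works on a live host ("/") or a mounted image ("/mnt/evidence"), and
# flag entries with indicators worth a second look. systemd timers are not
# files under these paths; on a live host list them with
# "systemctl list-timers --all".

# Every active line of /etc/crontab, /etc/cron.d/* and the per-user crontabs,
# prefixed with its file (root prefix stripped); run-parts directories hold
# scripts rather than crontab lines, so only their names are listed.
cron_entries() {
  r="${1%/}"
  for f in "$r/etc/crontab" "$r"/etc/cron.d/* "$r"/var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    grep -vE '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$f" | sed "s|^|${f#$r}: |"
  done
  for d in hourly daily weekly monthly; do
    for s in "$r"/etc/cron.$d/*; do
      [ -f "$s" ] || continue
      echo "${s#$r}: (script)"
    done
  done
}

# Entries that reference world-writable temp locations, hidden path
# components, a download piped into a shell, or an encoded payload.
suspicious_cron() {
  cron_entries "$1" | grep -E '(/tmp/|/dev/shm/|/var/tmp/|/\.[^/[:space:]]|\| *(ba)?sh|base64)' || true
}

# Constructed sample: a normal Debian crontab, a cron.d job running a script
# from a hidden directory in /tmp, a www-data crontab starting something from
# /dev/shm at boot, and an ordinary cron.daily script.
make_samples() {
  mkdir -p "$1/etc/cron.d" "$1/etc/cron.daily" "$1/var/spool/cron/crontabs"
  printf 'SHELL=/bin/sh\n# m h dom mon dow user command\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n' > "$1/etc/crontab"
  printf '*/5 * * * * root /tmp/.x/update.sh >/dev/null 2>&1\n' > "$1/etc/cron.d/update"
  printf '@reboot /dev/shm/.cache/run\n' > "$1/var/spool/cron/crontabs/www-data"
  printf '#!/bin/sh\n' > "$1/etc/cron.daily/logrotate"
}

main() {
  r=$(mktemp -d) && make_samples "$r"
  echo "all cron entries:"; cron_entries "$r"
  echo "entries to review:"; suspicious_cron "$r"
  rm -rf "$r"
}
main "$@"
```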
Imaging Tools
FMEM
fmem (http://hysteria.sk/~niekt0/fmem/fmem_current.tgz) is a kernel module that creates a new device called /dev/fmem to allow direct access to the whole of memory. You therefore need to compile the module on the machine where you plan to acquire the memory, or on a machine with a similar kernel version. In a forensic analysis you usually don't want to modify the state of the operating system more than necessary, so it's highly recommended to prepare your fmem kernel modules in advance.
LIME
Lime (http://code.google.com/p/lime-forensics/) is an alternative solution for acquiring memory from Linux. Lime supports more recent versions of the Linux kernel. As its technique for exposing and acquiring memory is less intrusive, the forensic acquisition may be more accurate.