SlideShare une entreprise Scribd logo

Forensic artifacts in modern linux systems

G
Gol D Roger

Forensic artifacts in modern linux systems

Technologie
1  sur  24
Télécharger pour lire hors ligne
Forensic Artifacts in Modern Linux Systems Prof. Dr. Bruce Nikkel M Division of Computer Science September 10, 2018
Purpose and Scope of Workshop Describe things of forensic interest, show how to find and extract data from:M hacked/compromised Linux servers M criminal operated Linux servers (Command and Control) M abused/misused Linux desktop systems (suspect users, victim users) M seized and imaged systems (dead disk forensics) M focus on modern Linux system artifacts (systemd, etc.) M focus on artifacts independent of Linux distribution *Not* the focus of this workshop: M using Linux as an analysis platform (most of this analysis can also be done with encase/ftk/xways) M how to use Linux based forensic tools M live Linux system analysis and memory forensics M Linux based mobile devices (Android) M Application artifacts (browser, email, office, etc) This is not exhaustive, there are many OS artifacts not covered here (obscure/rare artifacts, distro specific artifacts, etc.) Bern University of Applied Sciences 2/24
Overview of Workshop High level overview of workshop topics (from a forensic/investigative perspective): M partitions and filesystems M mbr/uefi, grub, initrd/initramfs M linux file/directory layout M systemd: boot/shutdown, services, scheduled tasks M installed software and packages M log files and systemd journal M swap, cache, and persistent data M system and user configuration M desktop artifacts M encryption and steganography M conclusion Workshop format: mix of theory/slides and demonstrations Example disk images are shown as either "image.dd" or "/dev/sda" Bern University of Applied Sciences 3/24
Partitions and Filesystems Examples of typical storage devices:M SATA drives: /dev/sda M NVME drives: /dev/nvme0n1 M MMC/SD cards: /dev/mmcblk0 M (Virtual Machine: /dev/vda) Examples of typical partition devices: M /dev/sda1 M /dev/nvme0n1p1 M /dev/mmcblk0p1 M (/dev/vda1) Most common partition schemes are DOS and GPT M disktype /dev/sda M mmls image.dd M UEFI systems have GPT layout and use a system partition with a FAT filesystem for EFI boot files Bern University of Applied Sciences 4/24
Partitions and Filesystems Some examples of filesystems used by modern Linux:M typical for installation: ext4, btrfs, xfs M many others supported: fat, ntfs, ext2, ext3 M network filesystems: nfs, samba/cifs, sshfs M pseudo filesystems: proc, sys, dev Interesting artifacts about an EXT4 filesystem: M when the filesystem was created M last mounted, last written, last checked M number of times mounted M last repaired M tune2fs -l /dev/sda1 M fsstat /dev/sda1 Network and Virtual filesystems are interesting in live system analysis, less for dead disk analysis (but we can try to find out some things, like when/where they were mounted) Bern University of Applied Sciences 5/24
Partitions and Filesystems The SleuthKit ("TSK") has filesystem analysis tools for:M listing and extracting files, inodes, blocks M identifying and extracting deleted files M building timelines (MACB timestamps) M extracting slack and unallocated areas for analysis M other filesystem artifacts (journaling filesystems,etc.) All the TSK commands grouped by function: M Partition/volume analysis: mmcat, mmls, mmstat, fsstat, img_cat, img_stat M Analyzing by blocks/sectors: blkcalc, blkcat, blkls, blkstat M Analyzing by inodes: icat, ifind, ils, istat, tsk_recover M Analyzing by filename: fcat, ffind, fls, fiwalk M Journaling filesystems: jcat, jls, usnjls M Timelines: mactime, tsk_gettimes M Search and sort: jpeg_extract, sigfind, sorter, srch strings, tsk_comparedir, hfind, tsk_loaddb These commands work on: attached devices, raw images (dd), and forensic images (EnCase/FTK). Bern University of Applied Sciences 6/24
MBR/UEFI, Grub, initrd/initramfs MBR - 512 byte boot sector, jumps to next stage loaderM can analyze boot sector for possible malware (boot sector viruses are rare today) M dd if=image.dd of=bootsector.dd bs=512 count=1 UEFI - FAT system partition with files, more intelligent boot loading M look for unusual efi binaries M if you have access to mainboard, get UEFI variables stored in NVRAM Grub artifacts (GRand Unified Bootloader) M /boot/grub/grub.cfg or /boot/grub2/grub.cfg M /etc/grub.d/* or /etc/default/grub M can show list of previous OS installations, kernel parameters used, etc. Kernel ramdisk (initrd or initramfs) M debian: lsinitramfs -l /initrd.img M fedora: lsinitrd -v /boot/initramfs-4.16.11-100.fc26.x86_64.img M arch: lsinitcpio -v /boot/initramfs-linux.img M suse: lsinitrd /boot/initrd M if root filesystem is encrypted, may have interesting cleartext info Bern University of Applied Sciences 7/24
Linux File System Layout Directories of interest to forensic investigators: M bootstrap configuration /boot (efi partition mounted on /boot/efi) M system configs: /etc M logs, cache, state: /var (especially /var/lib and /var/log) M user data: /home and /root Some directories are mountpoints for pseudo filesystems: M /proc, /sys, /dev, /run M not very useful for dead disk forensics Other tips: M be aware of hidden files/dirs (filenames starting with ".") M the "FILES" section of manpages can indicate items of potential interest M use forensic timelines to identify ’busy’ directories Bern University of Applied Sciences 8/24
Systemd Boot/Shutdown, Services, Scheduled Tasks SystemdM modern Linux system and service manager M very consistent across distributions M manages starting, stopping, restarting of daemons Systemd configuration common locations: M defaults: /usr/lib/systemd/ or /lib/systemd/ M custom: /etc/systemd/ M user: ~/.config/systemd These directories contain systemd unit files, that configure or control: M services and daemons M sockets and devices M mount points, automount points M swap files and swap partitions M start-up targets M timers (scheduled jobs), watched file system paths Provides forensic trace information about the system and user configuration Bern University of Applied Sciences 9/24
Systemd Boot/Shutdown, Services, Scheduled tasks Examples of things to look for as a forensic investigator: M overview of services started on boot M proxy and relay daemons M strange services that could be backdoors or malcious code M vpn tunnels (new: wireguard vpn, this is growing in popularity, look for /etc/wireguard/, the wg0 interface, or systemd wireguard files) M service units for: bitcoin, torrent, tor, tunneled protocols, etc. Scheduled jobs: M traditional cron jobs: /var/spool/cron, /var/spool/anacron, /etc/cron.*/*, and /etc/crontab M traditional at jobs (one time execution): /var/spool/at M systemd timers (*.timer files) M user and system jobs are separate (for cron and systemd) Note: there are over 150 manpages describing systemd and various relevant files Bern University of Applied Sciences 10/24
Installed Software and Packaging Most popular packaging formats (not consistent across distributions):M rpm (redhat and suse) M apt/deb (debian/ubuntu, etc.) M pacman/tar (arch, manjaro) The interesting forensic artifacts in packaging systems are: M list of installed software packages (package databases) M removed software packages (install logs, previously downloaded packages) M install and removal timestamps Other packaging systems growing in popularity: M snap/snappy M flatpacks Backups and archive files (ok, not packages, but...): M tar snar files have a list of deleted, changed, created files from backups M tar --show-snapshot-field-ranges Bern University of Applied Sciences 11/24
Installed Software and Packaging Debian based systems M logs: /var/log/apt/* M database: /var/lib/dpkg/* (especially the ’status’ file) Redhat and SuSe based systems M logs: /var/log/dnf.rpm.log* M database: /var/lib/rpm/* Arch pacman based systems M arch also has "AUR" or Arch User Repository user M database: /var/lib/pacman/local/*/* M logs: paclog command, /var/log/pacman.log Note: users can bypass the packaging system and copies any files anywhere (’make install’ for example). Bern University of Applied Sciences 12/24
Log Files and Systemd Journal Programs and daemons typically log to one of three places:M traditional syslog (/var/log/messages or /var/log/syslog) M systemd journal M self written log files (usually in /var/log/*) Traditional Linux logging: M logs can be different levels of verbosity (debug, informational, etc.) M a running linux kernel has a ring buffer log (dmesg) M applications may separate error logs from transaction logs M syslog messages are sent to a syslog daemon and saved to files Systemd journal has features that are interesting for investigators: M better recording of logs during early system initialization M stderr output of a daemon is captured M logs are stored in a structured binary format that can be filtered, searched, or exported M Forward Secure Sealing (FSS) preserves integrity of the logs (like a forensic chain of custody) Bern University of Applied Sciences 13/24
Log Files and Systemd Journal Journalctl data and commands: M location: /var/log/journal/$RANDOMSTRING/* M system logs: system@* M user logs (with UID): user-1000@* M journalctl --root=/location/of/forensic/image/mount/ M journalctl --file=user-1000@ M journalctl --directory=/some/directory/with/journal/ Journalctl tips: M logged boots: journalctl --list-boots M kernel messages: journalctl --dmesg M time periods: journalctl --since=2018-09-05 --until=2018-09-06 M more verbose: journalctl -ax M search with "/", n-next, N-previous Bern University of Applied Sciences 14/24
Log Files and Systemd Journal What you might find in the logs and systemd journal: M attached and mounted USB drives M network interfaces and MAC addresses (NetworkManager) M dhcp results with IPs addresses (NetworkManager) M evidence of malicious activity and attacks (failed logins) M successful logins (local and remote) and user sessions M reboots, boots, daemon start/stop/restart M virtual network interface creation (vpns/tunnels) M application/daemon errors and messages M user activity (pgp/gpg agent activity) M notebook Lid close/open, power cable plugin Files in /var/log/* are disappearing from use, so learn journalctl Some systems may not keep a persistent copy of the journal across boots Most systems still have utmp/wtmp files: last -f /var/log/wtmp Bern University of Applied Sciences 15/24
Cache, Swap and Persistent data Desktop systems using NetworkManager cache interesting things: M /var/lib/NetworkManager/* M dhcp leases and timestamps M observed wifi bss ids Desktop systems with Bluetooth cache interesting things: M /var/lib/bluetooth/* M paired bluetooth devices M file timestamps reveal previous pairing activty Lots of really great info in /var/lib, often with timestamps: M depending on the software installed, all kinds of interesting system persistence and cached data M example: switching from charging to discharging (/var/lib/upower/*) M (hint, convert epoch timestamps to human time: date -d @1535347485) Bern University of Applied Sciences 16/24
Cache, Swap and Persistent data Temporary files and directoriesM /tmp and /var/tmp may contain files M (but may be deleted after boot or logout) M swapfile or swap partition (see /etc/fstab) If swap is the size of ram or larger, it can be used for hibernation: M a hibernating system has a complete memory dump saved to disk M check the end of journal to see if the system went into hibernation M can be extracted with forensic tools (icat, dd, etc.) M memory analysis can be done to find many artifacts: running processes, established network connections, possibly keys and passwords Printers and printed pages M attached and configured printers: /etc/cups/* M print jobs from cupsd: /var/cache/cups/* M /var/spool/cups/* and /var/log/cups/* Large amounts of cached user data in /home/user/.cache, this contains application data (photo thumbnails for example) Bern University of Applied Sciences 17/24
System and User Configuration System and kernel:M LSB (Linux Standards Base): /etc/lsb-release or o/etc/os-release M kernel version: file vmlinuz M kernel config/parameters grub.cfg and /etc/sysctl.* M kernel modules: /etc/modprobe*, /etc/modules, /etc/modules-load* M startup services/daemons (systemd units) Systemd network config: M default: /usr/lib/systemd/network/ or /lib/systemd/network M custom: /etc/systemd/network/ M also distro specific (debian /etc/network/interfaces) Crashed programs M system may need to be configured to save core files M /var/lib/systemd/coredump M this is a memory dump of a process: established network connections, possibly keys and passwords M manpage core(5) Bern University of Applied Sciences 18/24
System and User Configuration Users and groupsM traditionally in /etc/passwd and /etc/group M some systems may use ldap M UID and GID analyzed as filesystem meta data M (Sleuthkit: mactime -p /etc/passwd -g /etc/group) M users and groups may refer to people or processes M difference between system and application activity is not always clear M difference between system and user activity is not always clear OS and user configuration files M traditional Unix/Linux files in /etc M gconf/dconf, systemd units M dot files ~/.* M dot files ~/.config/* M user customized shells (.bashrc) and shell history M each distro may have additional configuration artifacts that are interesting Bern University of Applied Sciences 19/24
Desktop Artifacts Freedesktop.org (formerly known as: X Desktop Group or XDG) M XDG documentation and specifications at freedesktop.org M Provides compatibility across distros and desktop environments M KDE and Gnome most popular DEs Key directories interesting to forensic investigators: M systemd unit files for XDG: /etc/xdg/systemd M $XDG_DATA_HOME, default ~/.local/share M $XDG_CONFIG_HOME, default ~/.config M $XDG_CACHE_HOME, default ~/.cache M contains user’s GUI data and configuration M (there are also system-wide equivalent defaults) Bern University of Applied Sciences 20/24
Desktop Artifacts Interesting things we find here:M autostarting GUI apps ~/.config/autostart/* M contents of user’s desktop: ~/Desktop (contains Desktop entry files) M recently opened docs: ~/.recently-used or ~/local/share/recently-used.xbel M thumbnails ~/.cache/thumbnails M "Trash" ~/.local/share/Trash or ~/.Trash M User override default apps: ~/.config/mimeapps.list M application downloads: ~/Downloads Other notes M often 2 sets of timestamps: filesystem (MACB) and timestamps inside the files M These directories and filenames may vary depending on the desktop and XDG variables M X11 vs Wayland? These both operate below the XDG/freedesktop.org Environment, so it should (mostly) not matter Bern University of Applied Sciences 21/24
Encryption and Steganography Forensic examiners will find different types of encryption: M application file encryption - protected PDF, office docs, etc M individual file containers - GPG, Encrypted Zip M directories - ecryptfs, ext4 encrypted sub-directories M volumes - TrueCrypt/Veracrypt M block devices - Linux LUKS M drive hardware - OPAL/SED Decrypting requires: M password or passphrase M cryptographic key string or key file M smartcard or hard token The forensic challenge is to find the decryption key (some tools: John the Ripper, HashCat, bulk_extractor, $5 wrench) Bern University of Applied Sciences 22/24
Encryption and Steganography Steganography is considered a part of anti-forensics M It hides data in non-obvious places M least significant bits of color, sound, etc. M tries to hide data in different slack areas M Veracrypt allows hiding volumes inside volumes Some tools: M stegdetect M stegsnow M openstego M busysteg M gsteg M photocrypt Bern University of Applied Sciences 23/24
Conclusion M Thanks for listening! M If you know some additional Linux forensic artifacts not mentioned, please send them to me, I’ll add them to my slides. M Law Enforcement: You are welcome to contact me at BFH for Linux analysis support. M Contact details: bruce.nikkel@bfh.ch M These slides are available at: digitalforensics.ch Bern University of Applied Sciences 24/24

Recommandé

Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensicsprimeteacher32
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 

Recommandé

Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensicsprimeteacher32
 
Encase Forensic
Encase ForensicEncase Forensic
Encase ForensicMegha Sahu
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory ForensicsPrince Boonlia
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Nessus Basics
Nessus BasicsNessus Basics
Nessus Basicsamiable_indian
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics toolSreekanth Narendran
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imagingDINESH KAMBLE
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsRamesh Ogania
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration TestingMohammed Adam
 
First Responder Officer in Cyber Crime
First Responder Officer in Cyber CrimeFirst Responder Officer in Cyber Crime
First Responder Officer in Cyber CrimeApplied Forensic Research Sciences
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security PlatformPituphong Yavirach
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Unix 3 en
Unix 3 enUnix 3 en
Unix 3 enSimonas Kareiva
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchyDr. C.V. Suresh Babu
 

Contenu connexe

Tendances

Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx9905234521
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsMayank Chaudhari
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration TestingMohammed Adam
 
Anti forensic
Anti forensicAnti forensic
Anti forensicMilap Oza
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 

Tendances (20)

Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Memory forensics.pptx
Memory forensics.pptxMemory forensics.pptx
Memory forensics.pptx
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Introduction to filesystems and computer forensics
Introduction to filesystems and computer forensicsIntroduction to filesystems and computer forensics
Introduction to filesystems and computer forensics
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Nessus Basics
Nessus BasicsNessus Basics
Nessus Basics
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Network Penetration Testing
Network Penetration TestingNetwork Penetration Testing
Network Penetration Testing
 
First Responder Officer in Cyber Crime
First Responder Officer in Cyber CrimeFirst Responder Officer in Cyber Crime
First Responder Officer in Cyber Crime
 
Anti forensic
Anti forensicAnti forensic
Anti forensic
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security Platform
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 

Similaire à Forensic artifacts in modern linux systems

Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubDevang Garach
 
Kqueue : Generic Event notification
Kqueue : Generic Event notificationKqueue : Generic Event notification
Kqueue : Generic Event notificationMahendra M
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemKunalKewat1
 
Root file system
Root file systemRoot file system
Root file systemBindu U
 
2 - SystemComponents.ppt
2 - SystemComponents.ppt2 - SystemComponents.ppt
2 - SystemComponents.pptTekalignTaye
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemSadia Bashir
 
84640411 study-of-unix-os
84640411 study-of-unix-os84640411 study-of-unix-os
84640411 study-of-unix-oshomeworkping3
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsShu-Yu Fu
 
Lamp1
Lamp1Lamp1
Lamp1Reka
 
Lamp
LampLamp
LampReka
 
linux file sysytem& input and output
linux file sysytem& input and outputlinux file sysytem& input and output
linux file sysytem& input and outputMythiliA5
 
Unix operating system architecture with file structure
Unix operating system architecture with file structure Unix operating system architecture with file structure
Unix operating system architecture with file structure amol_chavan
 

Similaire à Forensic artifacts in modern linux systems (20)

Unix 3 en
Unix 3 enUnix 3 en
Unix 3 en
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
UNIX Operating System ppt
UNIX Operating System pptUNIX Operating System ppt
UNIX Operating System ppt
 
Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and Github
 
Kqueue : Generic Event notification
Kqueue : Generic Event notificationKqueue : Generic Event notification
Kqueue : Generic Event notification
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
Root file system
Root file systemRoot file system
Root file system
 
2 - SystemComponents.ppt
2 - SystemComponents.ppt2 - SystemComponents.ppt
2 - SystemComponents.ppt
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File System
 
84640411 study-of-unix-os
84640411 study-of-unix-os84640411 study-of-unix-os
84640411 study-of-unix-os
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
TLPI Chapter 14 File Systems
TLPI Chapter 14 File SystemsTLPI Chapter 14 File Systems
TLPI Chapter 14 File Systems
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp1
Lamp1Lamp1
Lamp1
 
Lamp
LampLamp
Lamp
 
linux file sysytem& input and output
linux file sysytem& input and outputlinux file sysytem& input and output
linux file sysytem& input and output
 
Unix operating system architecture with file structure
Unix operating system architecture with file structure Unix operating system architecture with file structure
Unix operating system architecture with file structure
 
Linux training
Linux trainingLinux training
Linux training
 
Introduction to unix
Introduction to unixIntroduction to unix
Introduction to unix
 
Linux administration classes in mumbai
Linux administration classes in mumbaiLinux administration classes in mumbai
Linux administration classes in mumbai
 

Plus de Gol D Roger

Seizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceSeizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceGol D Roger
 
Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Gol D Roger
 
8 0-os file-system management
8 0-os file-system management8 0-os file-system management
8 0-os file-system managementGol D Roger
 
8 1-os file system implementation
8 1-os file system implementation8 1-os file system implementation
8 1-os file system implementationGol D Roger
 
Desktop Forensics: Windows
Desktop Forensics: WindowsDesktop Forensics: Windows
Desktop Forensics: WindowsGol D Roger
 
Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Gol D Roger
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security Gol D Roger
 
IT Passport Examination.
IT Passport Examination.IT Passport Examination.
IT Passport Examination.Gol D Roger
 
Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Gol D Roger
 
windows server 2012 R2
windows server 2012 R2windows server 2012 R2
windows server 2012 R2Gol D Roger
 
Users guide-to-winfe
Users guide-to-winfeUsers guide-to-winfe
Users guide-to-winfeGol D Roger
 
10 things group policy preferences does better
10 things group policy preferences does better10 things group policy preferences does better
10 things group policy preferences does betterGol D Roger
 

Plus de Gol D Roger (14)

Seizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceSeizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret Service
 
Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02
 
8 0-os file-system management
8 0-os file-system management8 0-os file-system management
8 0-os file-system management
 
8 1-os file system implementation
8 1-os file system implementation8 1-os file system implementation
8 1-os file system implementation
 
Deep Web
Deep WebDeep Web
Deep Web
 
Desktop Forensics: Windows
Desktop Forensics: WindowsDesktop Forensics: Windows
Desktop Forensics: Windows
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security
 
IT Passport Examination.
IT Passport Examination.IT Passport Examination.
IT Passport Examination.
 
Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2
 
windows server 2012 R2
windows server 2012 R2windows server 2012 R2
windows server 2012 R2
 
Users guide-to-winfe
Users guide-to-winfeUsers guide-to-winfe
Users guide-to-winfe
 
10 things group policy preferences does better
10 things group policy preferences does better10 things group policy preferences does better
10 things group policy preferences does better
 

Dernier

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Dernier (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Forensic artifacts in modern linux systems

  • 1. Forensic Artifacts in Modern Linux Systems Prof. Dr. Bruce Nikkel M Division of Computer Science September 10, 2018
  • 2. Purpose and Scope of Workshop Describe things of forensic interest, show how to find and extract data from:M hacked/compromised Linux servers M criminal operated Linux servers (Command and Control) M abused/misused Linux desktop systems (suspect users, victim users) M seized and imaged systems (dead disk forensics) M focus on modern Linux system artifacts (systemd, etc.) M focus on artifacts independent of Linux distribution *Not* the focus of this workshop: M using Linux as an analysis platform (most of this analysis can also be done with encase/ftk/xways) M how to use Linux based forensic tools M live Linux system analysis and memory forensics M Linux based mobile devices (Android) M Application artifacts (browser, email, office, etc) This is not exhaustive, there are many OS artifacts not covered here (obscure/rare artifacts, distro specific artifacts, etc.) Bern University of Applied Sciences 2/24
  • 3. Overview of Workshop High level overview of workshop topics (from a forensic/investigative perspective): M partitions and filesystems M mbr/uefi, grub, initrd/initramfs M linux file/directory layout M systemd: boot/shutdown, services, scheduled tasks M installed software and packages M log files and systemd journal M swap, cache, and persistent data M system and user configuration M desktop artifacts M encryption and steganography M conclusion Workshop format: mix of theory/slides and demonstrations Example disk images are shown as either "image.dd" or "/dev/sda" Bern University of Applied Sciences 3/24
  • 4. Partitions and Filesystems Examples of typical storage devices:M SATA drives: /dev/sda M NVME drives: /dev/nvme0n1 M MMC/SD cards: /dev/mmcblk0 M (Virtual Machine: /dev/vda) Examples of typical partition devices: M /dev/sda1 M /dev/nvme0n1p1 M /dev/mmcblk0p1 M (/dev/vda1) Most common partition schemes are DOS and GPT M disktype /dev/sda M mmls image.dd M UEFI systems have GPT layout and use a system partition with a FAT filesystem for EFI boot files Bern University of Applied Sciences 4/24
  • 5. Partitions and Filesystems Some examples of filesystems used by modern Linux:M typical for installation: ext4, btrfs, xfs M many others supported: fat, ntfs, ext2, ext3 M network filesystems: nfs, samba/cifs, sshfs M pseudo filesystems: proc, sys, dev Interesting artifacts about an EXT4 filesystem: M when the filesystem was created M last mounted, last written, last checked M number of times mounted M last repaired M tune2fs -l /dev/sda1 M fsstat /dev/sda1 Network and Virtual filesystems are interesting in live system analysis, less for dead disk analysis (but we can try to find out some things, like when/where they were mounted) Bern University of Applied Sciences 5/24
  • 6. Partitions and Filesystems The SleuthKit ("TSK") has filesystem analysis tools for:M listing and extracting files, inodes, blocks M identifying and extracting deleted files M building timelines (MACB timestamps) M extracting slack and unallocated areas for analysis M other filesystem artifacts (journaling filesystems,etc.) All the TSK commands grouped by function: M Partition/volume analysis: mmcat, mmls, mmstat, fsstat, img_cat, img_stat M Analyzing by blocks/sectors: blkcalc, blkcat, blkls, blkstat M Analyzing by inodes: icat, ifind, ils, istat, tsk_recover M Analyzing by filename: fcat, ffind, fls, fiwalk M Journaling filesystems: jcat, jls, usnjls M Timelines: mactime, tsk_gettimes M Search and sort: jpeg_extract, sigfind, sorter, srch strings, tsk_comparedir, hfind, tsk_loaddb These commands work on: attached devices, raw images (dd), and forensic images (EnCase/FTK). Bern University of Applied Sciences 6/24
  • 7. MBR/UEFI, Grub, initrd/initramfs MBR - 512 byte boot sector, jumps to next stage loaderM can analyze boot sector for possible malware (boot sector viruses are rare today) M dd if=image.dd of=bootsector.dd bs=512 count=1 UEFI - FAT system partition with files, more intelligent boot loading M look for unusual efi binaries M if you have access to mainboard, get UEFI variables stored in NVRAM Grub artifacts (GRand Unified Bootloader) M /boot/grub/grub.cfg or /boot/grub2/grub.cfg M /etc/grub.d/* or /etc/default/grub M can show list of previous OS installations, kernel parameters used, etc. Kernel ramdisk (initrd or initramfs) M debian: lsinitramfs -l /initrd.img M fedora: lsinitrd -v /boot/initramfs-4.16.11-100.fc26.x86_64.img M arch: lsinitcpio -v /boot/initramfs-linux.img M suse: lsinitrd /boot/initrd M if root filesystem is encrypted, may have interesting cleartext info Bern University of Applied Sciences 7/24
  • 8. Linux File System Layout Directories of interest to forensic investigators: M bootstrap configuration /boot (efi partition mounted on /boot/efi) M system configs: /etc M logs, cache, state: /var (especially /var/lib and /var/log) M user data: /home and /root Some directories are mountpoints for pseudo filesystems: M /proc, /sys, /dev, /run M not very useful for dead disk forensics Other tips: M be aware of hidden files/dirs (filenames starting with ".") M the "FILES" section of manpages can indicate items of potential interest M use forensic timelines to identify ’busy’ directories Bern University of Applied Sciences 8/24
  • 9. Systemd Boot/Shutdown, Services, Scheduled Tasks SystemdM modern Linux system and service manager M very consistent across distributions M manages starting, stopping, restarting of daemons Systemd configuration common locations: M defaults: /usr/lib/systemd/ or /lib/systemd/ M custom: /etc/systemd/ M user: ~/.config/systemd These directories contain systemd unit files, that configure or control: M services and daemons M sockets and devices M mount points, automount points M swap files and swap partitions M start-up targets M timers (scheduled jobs), watched file system paths Provides forensic trace information about the system and user configuration Bern University of Applied Sciences 9/24
  • 10. Systemd Boot/Shutdown, Services, Scheduled tasks Examples of things to look for as a forensic investigator: M overview of services started on boot M proxy and relay daemons M strange services that could be backdoors or malcious code M vpn tunnels (new: wireguard vpn, this is growing in popularity, look for /etc/wireguard/, the wg0 interface, or systemd wireguard files) M service units for: bitcoin, torrent, tor, tunneled protocols, etc. Scheduled jobs: M traditional cron jobs: /var/spool/cron, /var/spool/anacron, /etc/cron.*/*, and /etc/crontab M traditional at jobs (one time execution): /var/spool/at M systemd timers (*.timer files) M user and system jobs are separate (for cron and systemd) Note: there are over 150 manpages describing systemd and various relevant files Bern University of Applied Sciences 10/24
  • 11. Installed Software and Packaging Most popular packaging formats (not consistent across distributions):M rpm (redhat and suse) M apt/deb (debian/ubuntu, etc.) M pacman/tar (arch, manjaro) The interesting forensic artifacts in packaging systems are: M list of installed software packages (package databases) M removed software packages (install logs, previously downloaded packages) M install and removal timestamps Other packaging systems growing in popularity: M snap/snappy M flatpacks Backups and archive files (ok, not packages, but...): M tar snar files have a list of deleted, changed, created files from backups M tar --show-snapshot-field-ranges Bern University of Applied Sciences 11/24
  • 12. Installed Software and Packaging Debian based systems M logs: /var/log/apt/* M database: /var/lib/dpkg/* (especially the ’status’ file) Redhat and SuSe based systems M logs: /var/log/dnf.rpm.log* M database: /var/lib/rpm/* Arch pacman based systems M arch also has "AUR" or Arch User Repository user M database: /var/lib/pacman/local/*/* M logs: paclog command, /var/log/pacman.log Note: users can bypass the packaging system and copies any files anywhere (’make install’ for example). Bern University of Applied Sciences 12/24
  • 13. Log Files and Systemd Journal Programs and daemons typically log to one of three places:M traditional syslog (/var/log/messages or /var/log/syslog) M systemd journal M self written log files (usually in /var/log/*) Traditional Linux logging: M logs can be different levels of verbosity (debug, informational, etc.) M a running linux kernel has a ring buffer log (dmesg) M applications may separate error logs from transaction logs M syslog messages are sent to a syslog daemon and saved to files Systemd journal has features that are interesting for investigators: M better recording of logs during early system initialization M stderr output of a daemon is captured M logs are stored in a structured binary format that can be filtered, searched, or exported M Forward Secure Sealing (FSS) preserves integrity of the logs (like a forensic chain of custody) Bern University of Applied Sciences 13/24
  • 14. Log Files and Systemd Journal Journalctl data and commands: M location: /var/log/journal/$RANDOMSTRING/* M system logs: system@* M user logs (with UID): user-1000@* M journalctl --root=/location/of/forensic/image/mount/ M journalctl --file=user-1000@ M journalctl --directory=/some/directory/with/journal/ Journalctl tips: M logged boots: journalctl --list-boots M kernel messages: journalctl --dmesg M time periods: journalctl --since=2018-09-05 --until=2018-09-06 M more verbose: journalctl -ax M search with "/", n-next, N-previous Bern University of Applied Sciences 14/24
  • 15. Log Files and Systemd Journal What you might find in the logs and systemd journal: M attached and mounted USB drives M network interfaces and MAC addresses (NetworkManager) M dhcp results with IPs addresses (NetworkManager) M evidence of malicious activity and attacks (failed logins) M successful logins (local and remote) and user sessions M reboots, boots, daemon start/stop/restart M virtual network interface creation (vpns/tunnels) M application/daemon errors and messages M user activity (pgp/gpg agent activity) M notebook Lid close/open, power cable plugin Files in /var/log/* are disappearing from use, so learn journalctl Some systems may not keep a persistent copy of the journal across boots Most systems still have utmp/wtmp files: last -f /var/log/wtmp Bern University of Applied Sciences 15/24
  • 16. Cache, Swap and Persistent data Desktop systems using NetworkManager cache interesting things: M /var/lib/NetworkManager/* M dhcp leases and timestamps M observed wifi bss ids Desktop systems with Bluetooth cache interesting things: M /var/lib/bluetooth/* M paired bluetooth devices M file timestamps reveal previous pairing activty Lots of really great info in /var/lib, often with timestamps: M depending on the software installed, all kinds of interesting system persistence and cached data M example: switching from charging to discharging (/var/lib/upower/*) M (hint, convert epoch timestamps to human time: date -d @1535347485) Bern University of Applied Sciences 16/24
  • 17. Cache, Swap and Persistent data Temporary files and directoriesM /tmp and /var/tmp may contain files M (but may be deleted after boot or logout) M swapfile or swap partition (see /etc/fstab) If swap is the size of ram or larger, it can be used for hibernation: M a hibernating system has a complete memory dump saved to disk M check the end of journal to see if the system went into hibernation M can be extracted with forensic tools (icat, dd, etc.) M memory analysis can be done to find many artifacts: running processes, established network connections, possibly keys and passwords Printers and printed pages M attached and configured printers: /etc/cups/* M print jobs from cupsd: /var/cache/cups/* M /var/spool/cups/* and /var/log/cups/* Large amounts of cached user data in /home/user/.cache, this contains application data (photo thumbnails for example) Bern University of Applied Sciences 17/24
  • 18. System and User Configuration System and kernel:M LSB (Linux Standards Base): /etc/lsb-release or o/etc/os-release M kernel version: file vmlinuz M kernel config/parameters grub.cfg and /etc/sysctl.* M kernel modules: /etc/modprobe*, /etc/modules, /etc/modules-load* M startup services/daemons (systemd units) Systemd network config: M default: /usr/lib/systemd/network/ or /lib/systemd/network M custom: /etc/systemd/network/ M also distro specific (debian /etc/network/interfaces) Crashed programs M system may need to be configured to save core files M /var/lib/systemd/coredump M this is a memory dump of a process: established network connections, possibly keys and passwords M manpage core(5) Bern University of Applied Sciences 18/24
  • 19. System and User Configuration Users and groupsM traditionally in /etc/passwd and /etc/group M some systems may use ldap M UID and GID analyzed as filesystem meta data M (Sleuthkit: mactime -p /etc/passwd -g /etc/group) M users and groups may refer to people or processes M difference between system and application activity is not always clear M difference between system and user activity is not always clear OS and user configuration files M traditional Unix/Linux files in /etc M gconf/dconf, systemd units M dot files ~/.* M dot files ~/.config/* M user customized shells (.bashrc) and shell history M each distro may have additional configuration artifacts that are interesting Bern University of Applied Sciences 19/24
  • 20. Desktop Artifacts Freedesktop.org (formerly known as: X Desktop Group or XDG) M XDG documentation and specifications at freedesktop.org M Provides compatibility across distros and desktop environments M KDE and Gnome most popular DEs Key directories interesting to forensic investigators: M systemd unit files for XDG: /etc/xdg/systemd M $XDG_DATA_HOME, default ~/.local/share M $XDG_CONFIG_HOME, default ~/.config M $XDG_CACHE_HOME, default ~/.cache M contains user’s GUI data and configuration M (there are also system-wide equivalent defaults) Bern University of Applied Sciences 20/24
  • 21. Desktop Artifacts Interesting things we find here:M autostarting GUI apps ~/.config/autostart/* M contents of user’s desktop: ~/Desktop (contains Desktop entry files) M recently opened docs: ~/.recently-used or ~/local/share/recently-used.xbel M thumbnails ~/.cache/thumbnails M "Trash" ~/.local/share/Trash or ~/.Trash M User override default apps: ~/.config/mimeapps.list M application downloads: ~/Downloads Other notes M often 2 sets of timestamps: filesystem (MACB) and timestamps inside the files M These directories and filenames may vary depending on the desktop and XDG variables M X11 vs Wayland? These both operate below the XDG/freedesktop.org Environment, so it should (mostly) not matter Bern University of Applied Sciences 21/24
  • 22. Encryption and Steganography Forensic examiners will find different types of encryption: M application file encryption - protected PDF, office docs, etc M individual file containers - GPG, Encrypted Zip M directories - ecryptfs, ext4 encrypted sub-directories M volumes - TrueCrypt/Veracrypt M block devices - Linux LUKS M drive hardware - OPAL/SED Decrypting requires: M password or passphrase M cryptographic key string or key file M smartcard or hard token The forensic challenge is to find the decryption key (some tools: John the Ripper, HashCat, bulk_extractor, $5 wrench) Bern University of Applied Sciences 22/24
  • 23. Encryption and Steganography Steganography is considered a part of anti-forensics M It hides data in non-obvious places M least significant bits of color, sound, etc. M tries to hide data in different slack areas M Veracrypt allows hiding volumes inside volumes Some tools: M stegdetect M stegsnow M openstego M busysteg M gsteg M photocrypt Bern University of Applied Sciences 23/24
  • 24. Conclusion M Thanks for listening! M If you know some additional Linux forensic artifacts not mentioned, please send them to me, I’ll add them to my slides. M Law Enforcement: You are welcome to contact me at BFH for Linux analysis support. M Contact details: bruce.nikkel@bfh.ch M These slides are available at: digitalforensics.ch Bern University of Applied Sciences 24/24