Linux OS Forensics: Digital Analysis on Linux Systems
Introduction: Differences Between Linux and Windows in Digital Forensics
In Windows systems, the Registry is the central source of information. In Linux there is no registry; the system instead relies on configuration files distributed throughout the filesystem.
Therefore, Linux forensics focuses on specific directories and paths that hold key evidence about system and user behavior.
Step 1: How to Handle a Linux Machine at the Crime Scene
Possible Scenarios:
1. The Device is Provided as a Hard Drive Only
- Use the dd tool to create a forensic image of the drive:
```bash
dd if=/dev/sdX of=/mnt/usb/linux_image.dd bs=4M conv=noerror,sync
```
2. The Device is Powered On and Accessible
- Do not use dd from the live system.
- Use a Live CD such as CAINE, SIFT, or Kali.
- The goal: avoid writing to the original disk.
Warning: Any write operation may corrupt the evidence.
3. The Device is Powered Off and the Password is Unknown
- You can use Single User Mode to bypass the password, provided it is legally permissible. See [[05-What is Single User Mode]].
Key Locations for Analysis in the Linux File System
1. /home/USERNAME/ (User Directory)
Important Files:
| File | Purpose |
|---|---|
| .bash_history | User command history |
| .bashrc | Commands executed automatically at shell startup |
| .profile / .bash_profile | Environment setup and execution paths |
Helpful Commands:
```bash
cat ~/.bash_history
cat ~/.bashrc
echo $PATH
```
Note: These files may contain paths to malicious tools, autorun scripts, or external links.
2. /etc/passwd (User Information)
Contains information about all users:
- Username
- UID
- GID
- Shell
- Home Directory
Analyze File Content:
```bash
cat /etc/passwd
cat /etc/passwd | cut -f1 -d ":"
```
The file may be difficult to read directly. Use tools like Excel or awk:
```bash
awk -F ':' '{print $1}' /etc/passwd
```
Check for Unauthorized Users:
- Some accounts are services, not actual users (e.g., www-data, sshd).
- Check the login shell. Real users typically have /bin/bash, while service accounts often use /usr/sbin/nologin.
```bash
cat /etc/passwd | grep "nologin" | cut -f1 -d ":"
```
Example: List Only Real Users
```bash
awk -F ':' '$7 ~ /bash/' /etc/passwd
```
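As an added example (not part of this note), a small Python triage script that applies the login-shell and UID checks above to an /etc/passwd copied from a mounted image; the sample entries are constructed, and the set of non-login shells is an assumption:

```python
"""Triage /etc/passwd from a mounted forensic image (added example, not from the note).
The sample lines below are constructed and hypothetical, not from a real system."""
from collections import Counter

# Shells that block interactive login (assumed set); any other shell counts as interactive.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed sample content of an /etc/passwd file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:1001:1001::/home/support:/bin/sh
backup:x:0:34:backup:/var/backups:/bin/bash
"""

def parse_passwd(text):
    """Parse passwd lines into dicts; skip blank, comment and malformed rows."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # malformed row: record it separately, do not guess its meaning
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def triage(entries):
    """Split accounts into interactive vs service by login shell and collect findings."""
    interactive = [e for e in entries if e["shell"] not in NOLOGIN_SHELLS]
    service = [e for e in entries if e["shell"] in NOLOGIN_SHELLS]
    findings = []
    # Any UID-0 account other than root is root-equivalent and needs an explanation.
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"uid 0 account besides root: {e['name']}")
    # Duplicate UIDs mean two names share one identity in file ownership and logs.
    for uid, n in Counter(e["uid"] for e in entries).items():
        if n > 1:
            names = [e["name"] for e in entries if e["uid"] == uid]
            findings.append(f"uid {uid} shared by: {', '.join(names)}")
    return interactive, service, findings
```

Feed parse_passwd the contents of <image_mount>/etc/passwd and pass the result to triage; the interactive list is the set of accounts whose home directories and shell histories deserve a closer look.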
3. /var/log/ (Log Files)
Contains records of key activities:
| File | Purpose |
|---|---|
| auth.log / secure | Authentication and login attempts |
| syslog / messages | General system activity |
| kern.log | Kernel activity |
| apache2/, httpd/ | Web server logs |
| dpkg.log, yum.log | Software installation logs |
Inspect the directory:
```bash
ls -l /var/log/
cat /var/log/auth.log
```
DF Insight:
Logs can help identify login attempts, script executions, and suspicious tools:
- Track user commands
- Discover cron jobs or auto-scripts
- Detect installation of hacking tools like netcat
4. /proc/ (Running Processes and System Info)
A virtual directory that reflects real-time system status:
| Path | Description |
|---|---|
| /proc/cpuinfo | CPU information |
| /proc/meminfo | Memory info |
| /proc/[PID]/ | Details about a running process |
DF Insight:
- View active processes during live forensics.
- Extract details from malicious process activity.
5. /etc/cron* (Scheduled Tasks / Cron Jobs)
To list scheduled jobs:
```bash
ls /etc/cron*
```
To check a user's cron jobs manually:
```bash
crontab -l -u USERNAME
```
DF Tip: You may find scripts used to maintain a backdoor. Look for suspicious auto-executing jobs that maintain access or launch malware.
6. /etc/fstab and /etc/mtab (Mounted Drives)
- fstab: Lists drives mounted at boot time.
- mtab: Shows currently mounted drives.
Example:
```bash
cat /etc/fstab
cat /etc/mtab
```
DF Insight: Reveals external drives used and their mount locations. Helpful in identifying storage devices possibly containing tools or malicious data.
7. Environment Variables
Set via:
- .bashrc
- .profile
- the env command:
```bash
env
```
DF Tip: Watch for unfamiliar environment variables; they may point to malicious libraries. Pay close attention to LD_PRELOAD in particular, which can be used to load malicious code.
Important Tips During Investigation
| Step | Tip |
|---|---|
| Working on a live system | Do not use dd directly; use Live CD to avoid changes |
| Connecting USB | Check /proc/ and /var/log/ for activity; avoid evidence tampering |
| File extraction | Use tools like foremost, photorec on the image file |
| Analyzing users | Focus on login shell, home directories, and command history |
| Analyzing services | Use /etc/passwd and verify login permissions |
Conclusion
Linux system forensics is a delicate yet information-rich process. It requires:
- Deep understanding of Linux system architecture
- Awareness of where and how evidence is stored
- Proper tools to avoid altering original data
With this knowledge, a digital investigator can trace every step taken on the system and identify the perpetrator with well-documented and precise procedures.