*nix Forensics: Techniques for Analyzing *nix Artifacts
Introduction
Forensic analysis on Unix-like (Linux/Unix) systems involves examining various artifacts that provide insights into system activities, user actions, and potential security incidents. This tutorial covers key techniques for analyzing important *nix artifacts, including logs, user activities, and file system metadata.
1. Log Files
System Logs
System logs record various system activities and are crucial for forensic investigations.
- Location: Common log files are stored in /var/log/.
- syslog: General system log.
- auth.log: Authentication and authorization logs.
- dmesg: Kernel ring buffer messages.
- Analysis: Use tools like grep, less, and awk to parse and analyze log entries.
Example:
grep "authentication failure" /var/log/auth.log
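As an added example (not part of the original tutorial), the following POSIX shell script extends the grep check above by summarizing sshd password failures per source address and user with awk; the log lines, hostname, user names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize SSH authentication failures in an auth.log-style
# log by source address and user name. The sample lines below are
# constructed, not taken from a real system.

# Constructed auth.log excerpt (hypothetical host, users and addresses).
SAMPLE_AUTH_LOG='Mar  3 10:01:12 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:15 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar  3 10:02:40 host1 sshd[2240]: Failed password for root from 203.0.113.7 port 50200 ssh2
Mar  3 10:05:02 host1 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 41022 ssh2
Mar  3 10:07:19 host1 sshd[2355]: Failed password for alice from 198.51.100.9 port 41900 ssh2
Mar  3 10:07:25 host1 sshd[2355]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9  user=alice'

# Print "count source_ip user" for every sshd "Failed password" line,
# most frequent first. Reads the log from stdin.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            # Layout after "for": [invalid user] NAME from IP port N ssh2,
            # so the user is the field before "from" and the IP the one after.
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            }
            count[ip " " user]++
         }
         END { for (k in count) print count[k], k }' | sort -rn
}

# Number of distinct source addresses that produced at least one failure.
failed_source_count() {
    failed_logins_by_source | awk '{ print $2 }' | sort -u | wc -l | tr -d " "
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_source_count
```

Run it against a real log with `failed_logins_by_source < /var/log/auth.log`; the pam_unix "authentication failure" line in the sample is deliberately left uncounted to show that the pattern only matches sshd's own "Failed password" records.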
Audit Logs
Audit logs track detailed user activities and system changes.
- Location: Audit logs are typically found in /var/log/audit/audit.log.
- Analysis: Use ausearch and aureport for analyzing audit logs.
Example:
ausearch -m USER_LOGIN
2. User Activity
User Accounts and Activity
Examining user accounts and their activities can reveal unauthorized access or suspicious behavior.
- /etc/passwd: Contains user account information.
- /etc/shadow: Stores password hashes (root access required).
- .bash_history: Command history for users.
Example:
cat /home/username/.bash_history
Last Login Information
Retrieve the last login times for users.
Example:
lastlog
3. File System Analysis
File Metadata
Analyzing file metadata provides information about file creation, modification, and access times.
- stat: Display detailed file information.
- find: Search for files based on metadata criteria.
Example:
stat /path/to/file
find / -type f -mtime -1
Inode Information
Inodes store metadata about files.
- ls -i: Display inode number.
- debugfs: Low-level filesystem debugger.
Example:
ls -i /path/to/file
debugfs -R 'stat <inode>' /dev/sdX1
4. Process and Memory Analysis
Active Processes
Identify running processes and their details.
- ps: Display information about active processes.
- top: Real-time process monitoring.
- pstree: Display process tree.
Example:
ps aux
top
Memory Dumps
Capture and analyze memory dumps for forensic analysis.
- dd: Create a raw memory dump (note that direct reads of /dev/mem are restricted on most modern kernels, so a dedicated acquisition tool is usually required).
- volatility: Analyze memory dumps.
Example:
dd if=/dev/mem of=/path/to/memory.dump
volatility -f /path/to/memory.dump --profile=<LinuxProfile> linux_pslist
5. Network Analysis
Network Connections
Monitor and analyze network connections and activities.
- netstat: Display network connections, routing tables, interface statistics.
- ss: Utility to investigate sockets.
- tcpdump: Capture and analyze network traffic.
Example:
netstat -tuln
ss -pl
tcpdump -i eth0
6. Data Recovery
Recover Deleted Files
Use specialized tools to recover deleted files.
- extundelete: Recover deleted files from ext3/ext4 file systems.
- photorec: File recovery tool for various file systems.
Example:
extundelete /dev/sdX1 --restore-file /path/to/file
photorec /dev/sdX1
Conclusion
*nix forensics requires a combination of knowledge about the file system, user activities, system logs, and network behavior. By employing the techniques outlined above, forensic analysts can effectively investigate and uncover vital information during security incidents.
Resources
These techniques will help you gather and analyze forensic evidence from Unix-like systems, aiding in thorough and accurate investigations.