In the last few weeks, I had to analyze Linux images as part of a computer forensics course. For the course, each participant got a case description (attempted murder, illegal pornography, ...) and had to answer a set of questions, for example: "What happened on this computer between 7 pm and 3 am?" or "Are there any traces of illegal activities on the hard drive?".
Apart from analyzing the partitions (to find hidden sections and partitions), I had to search for log files on an Ubuntu system. You might find this trivial if you know Linux systems and set them up regularly. I wrote down a few standard procedures and locations for finding traces.
Locations
/etc
Contains the system configuration as well as the configuration of installed applications. From it you can find out how interesting applications are set up and where they write their log files.
/home
Contains user data: personal files (documents, music, downloads, etc.) as well as per-user settings for applications.
/root
Contains the user data (home directory) of the root account. Usually root never logs in directly (at least, it should not), but in some circumstances an attacker may gain root privileges and log in as root.
/var/log
Contains all system logs as well as the log files of some applications (Apache, for example).
Log files
Log files are important for forensics. The best log files contain timestamps and all the information needed to determine what happened on the computer. There are also logs that simply contain metadata or hardware and software information. Here are the most important files:
Linux distribution
/etc/lsb-release and /etc/os-release contain Linux distribution information. Here is an example lsb-release file:
DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=17.2
DISTRIB_CODENAME=rafaela
DISTRIB_DESCRIPTION="Linux Mint 17.2 Rafaela"
So this is a quick way to identify the OS.
Installation date
The filesystem stores its creation time in the superblock (where the filesystem metadata is kept), and it can be read with the tune2fs tool. Attach the image to a loop device (more on this here) and use the following command to list the superblock; the creation date is in the "Filesystem created" line:
tune2fs -l /dev/loop0
Computer name and hosts file
The host name can be found in the /etc/hostname file. Other interesting hosts can be found in /etc/hosts.
User accounts and passwords
All user accounts can be found in /etc/passwd. The (hashed) login passwords are found in the /etc/shadow file. Note that the root account always has the UID (user ID) 0.
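Below is an added example (not part of the original post) that audits copies of /etc/passwd and /etc/shadow taken from an image: it lists the accounts that can actually log in, and flags any account with UID 0 other than root or with an empty password field. Both files are constructed sample data and the hashes are fake; the file names and the audit_accounts function are mine, not something the post describes.

```python
# Added example, not from the original post: audit the passwd and shadow files
# copied out of an image for accounts a forensic analyst should look at first.
# Both file contents below are constructed sample data; the hashes are fake.
from typing import Dict, List, Tuple

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
svc:x:1001:1001::/var/lib/svc:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$constructedsalt2$constructedhash2:19700:0:99999:7:::
backup2::19700:0:99999:7:::
svc:!:19700:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = ("/nologin", "/false")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Parse passwd lines (name:x:uid:gid:gecos:home:shell) into dicts."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than abort the audit
        users.append(dict(zip(PASSWD_FIELDS, fields)))
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """Map each user name to the password-hash field of its shadow entry."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes


def is_locked(hash_field) -> bool:
    """'*', '!' or a hash prefixed with '!' means the password cannot be used."""
    return hash_field is None or hash_field in ("*", "!") or hash_field.startswith("!")


def audit_accounts(passwd_text: str, shadow_text: str) -> Dict[str, list]:
    """Return the accounts that can log in and a list of (user, finding) pairs."""
    hashes = parse_shadow(shadow_text)
    interactive: List[str] = []
    findings: List[Tuple[str, str]] = []
    for user in parse_passwd(passwd_text):
        name, hash_field = user["name"], hashes.get(user["name"])
        if user["uid"] == "0" and name != "root":
            findings.append((name, "UID 0 but not root"))
        if hash_field is None:
            findings.append((name, "no shadow entry"))
        elif hash_field == "":
            findings.append((name, "empty password field: login without a password"))
        # an interactive shell plus a usable hash (or no hash at all) means the account can log in
        if not user["shell"].endswith(NOLOGIN_SHELLS) and not is_locked(hash_field):
            interactive.append(name)
    return {"interactive": interactive, "findings": findings}


if __name__ == "__main__":
    print(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a real image, read both files from the mounted root (for example /mnt/image/etc/passwd) rather than from the analysis machine, otherwise you audit your own workstation.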
Login history
You can get exact information on which users logged into the system, with times and source IP addresses. The /var/log/wtmp file is a binary file, so you cannot simply read it in a text editor, but the last command prints its contents:
last -f /var/log/wtmp
In the /var/log directory there may also be btmp and utmp files, which can be examined with the same command. They contain failed logins and the current status of logged-in users, respectively.
A system may have only one or two of these files.
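The following added example (not part of the original post) reads a wtmp or btmp file directly instead of going through last, which is handy when the file was copied out of an image and you want each record, including logouts and reboots, as data you can filter. It assumes glibc's x86_64 utmp record layout (384-byte records, little-endian); 32-bit systems and other C libraries use different offsets. The sample file, build_record() and login_sessions() are my constructions.

```python
# Added example, not from the original post: parse a wtmp (or btmp) file directly,
# so the records can be examined offline without running `last` on the analysis
# machine. Assumes glibc's x86_64 utmp layout (384-byte records, little-endian);
# 32-bit systems and other libcs use different offsets. The sample file is
# constructed below with build_record().
import socket
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

UTMP_FORMAT = "<h2xi32s4s32s256shhiII4I20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 bytes on x86_64 glibc
UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width C string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def parse_utmp_records(data: bytes) -> List[Dict]:
    """Decode every complete record in file order; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, a0, a1, a2, a3, _pad) = struct.unpack_from(UTMP_FORMAT, data, off)
        # ut_addr_v6 holds the peer address in network byte order; IPv4 uses only word 0
        if (a1, a2, a3) == (0, 0, 0):
            addr = socket.inet_ntoa(struct.pack("<I", a0)) if a0 else ""
        else:
            addr = socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", a0, a1, a2, a3))
        records.append({"type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
                        "line": _cstr(line), "user": _cstr(user), "host": _cstr(host),
                        "addr": addr, "time": _iso(tv_sec), "ts": tv_sec})
    return records


def login_sessions(records: List[Dict]) -> List[Tuple]:
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty.
    Returns (user, line, host, login, logout or None, seconds or None)."""
    open_logins: Dict[str, Dict] = {}
    sessions = []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_logins[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_logins:
            login = open_logins.pop(r["line"])
            sessions.append((login["user"], login["line"], login["host"],
                             login["time"], r["time"], r["ts"] - login["ts"]))
    for login in open_logins.values():  # still logged in when the file ends
        sessions.append((login["user"], login["line"], login["host"], login["time"], None, None))
    return sessions


def build_record(ut_type: int, pid: int, line: str, user: str, host: str,
                 tv_sec: int, ipv4: str = "") -> bytes:
    """Build one record for the constructed sample file."""
    a0 = struct.unpack("<I", socket.inet_aton(ipv4))[0] if ipv4 else 0
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, a0, 0, 0, 0, b"")


# Constructed sample: a boot, one SSH login from 203.0.113.5, and its logout an hour later
SAMPLE_WTMP = (
    build_record(2, 0, "~", "reboot", "", 1699999000)
    + build_record(7, 4242, "pts/0", "alice", "203.0.113.5", 1700000000, "203.0.113.5")
    + build_record(8, 4242, "pts/0", "", "", 1700003600)
)

if __name__ == "__main__":
    for s in login_sessions(parse_utmp_records(SAMPLE_WTMP)):
        print(s)
```

Note that last prints newest first, while this parser keeps file order. btmp uses the same record format, so the same function works for failed logins; the live utmp file normally lives at /var/run/utmp rather than /var/log.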
Another interesting file for logins is /var/log/auth.log. It records SSH connections to the system as well as uses of the sudo command.
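As an added example (not part of the original post), here is a small summariser for the sshd and sudo entries in auth.log: it counts failed logins per source address, lists accepted logins with the authentication method, and flags sudo invocations that open a shell. The log lines are constructed sample data in the classic syslog layout; the regular expressions and the summarize_auth_log function are mine.

```python
# Added example, not from the original post: summarise sshd and sudo events from
# auth.log lines. The log lines are constructed sample data in the classic
# syslog layout; the summary counts failed logins per source address, lists
# accepted logins and sudo invocations, and flags sudo calls that open a shell.
import re
from collections import Counter
from typing import Dict

SAMPLE_AUTH_LOG = """\
Nov 14 22:10:01 host sshd[4211]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Nov 14 22:10:03 host sshd[4211]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Nov 14 22:13:20 host sshd[4242]: Accepted publickey for alice from 203.0.113.5 port 52000 ssh2: ED25519 SHA256:constructedfingerprint
Nov 14 22:15:42 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Nov 14 22:16:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Nov 14 22:20:00 host sshd[4300]: Failed password for root from 198.51.100.7 port 51300 ssh2
Nov 14 22:21:01 host CRON[4400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "invalid user" appears when the account does not exist; the optional group absorbs it
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.+)$")
SHELLS = {"bash", "sh", "dash", "zsh", "su"}


def summarize_auth_log(text: str) -> Dict[str, object]:
    failed_by_ip: Counter = Counter()
    accepted, sudo, sudo_shells = [], [], []
    for line in text.splitlines():
        stamp = line[:15]  # "Mon DD HH:MM:SS" prefix of the classic syslog format (no year)
        m = SSH_RE.search(line)
        if m:
            result, method, user, ip = m.groups()
            if result == "Failed":
                failed_by_ip[ip] += 1
            else:
                accepted.append((stamp, user, ip, method))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, _tty, _pwd, target, command = m.groups()
            sudo.append((stamp, user, target, command))
            # a sudo call whose program is a shell gives an interactive root session
            if command.split()[0].rsplit("/", 1)[-1] in SHELLS:
                sudo_shells.append((stamp, user, command))
    return {"failed_by_ip": failed_by_ip, "accepted": accepted,
            "sudo": sudo, "sudo_shells": sudo_shells}


if __name__ == "__main__":
    for key, value in summarize_auth_log(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

The classic syslog timestamp carries no year, so take it from the file's modification time or the rotated file name; distributions that log with ISO 8601 timestamps need a different stamp slice, but the sshd and sudo patterns are unchanged.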
Command history
Whenever you enter a command in a bash shell, it is saved to the ~/.bash_history file in your home directory. By default it contains no timestamps, so it is only useful for determining what was done, not when.
Another important location is the bash history of the root user, located at /root/.bash_history. It only contains data if someone ever logged in as root (or used sudo -i).
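An added example (not part of the original post) for reading a history file: by default bash writes only the commands, but when HISTTIMEFORMAT was set in the user's shell it also writes a "#<epoch>" comment line before each command, and this parser attaches those timestamps where they exist. The sample history is constructed; parse_bash_history and undated_commands are my names.

```python
# Added example, not from the original post: read a .bash_history file and
# attach timestamps where they exist. By default the file holds only commands;
# when HISTTIMEFORMAT was set in the user's shell, bash writes a "#<epoch>"
# comment line before each command, which this parser recognises. Sample
# contents are constructed.
from datetime import datetime, timezone
from typing import List, Optional, Tuple

SAMPLE_HISTORY = """\
ls -la
cd /var/log
#1700000000
cat /etc/passwd
#1700000120
sudo -i
"""


def parse_bash_history(text: str) -> List[Tuple[Optional[str], str]]:
    """Return (utc_iso_or_None, command) pairs in file order."""
    entries: List[Tuple[Optional[str], str]] = []
    pending: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            # timestamp comment written by bash when HISTTIMEFORMAT is set
            pending = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc).isoformat()
            continue
        if line.strip():
            entries.append((pending, line))
            pending = None
    return entries


def undated_commands(entries: List[Tuple[Optional[str], str]]) -> List[str]:
    """Commands for which the file gives no time at all."""
    return [cmd for ts, cmd in entries if ts is None]


if __name__ == "__main__":
    for ts, cmd in parse_bash_history(SAMPLE_HISTORY):
        print(ts or "(no time)", cmd)
```

Keep in mind that bash normally writes the history when the shell exits, so the file's modification time only tells you when the last session ended, and commands from several sessions may be interleaved in exit order rather than in the order they were typed.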
SSH
The SSH files (located in ~/.ssh) can be useful to determine whether any external system had access to the computer. The most interesting file is authorized_keys, which lists the public keys that may log in as that user without requiring any password. Also check the /root/.ssh folder for such entries!
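Below is an added example (not part of the original post) that parses an authorized_keys file: it separates the optional leading options (which may contain quoted strings with spaces and commas) from the key, checks that the algorithm name inside the key blob matches the declared type, computes the SHA256 fingerprint in OpenSSH's display format so entries can be matched against known keys, and reports keys that carry no from= or command= restriction. The key blobs are constructed bytes, not real keys; the function names are mine.

```python
# Added example, not from the original post: parse an authorized_keys file,
# compute the OpenSSH-style SHA256 fingerprint of each key and report keys
# that carry no from= or command= restriction. The key blobs are constructed
# (not real keys) so the file can be built inline.
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def constructed_blob(key_type: str, payload: bytes) -> str:
    """Base64 key blob whose first field is the key type, as in real keys (constructed)."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(payload)).decode()


BLOB_ALICE = constructed_blob("ssh-ed25519", bytes(range(32)))
BLOB_BACKUP = constructed_blob("ssh-rsa", b"\x01" * 64)
BLOB_NOPTY = constructed_blob("ssh-ed25519", bytes(32))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    "ssh-ed25519 " + BLOB_ALICE + " alice@laptop",
    'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-rsa ' + BLOB_BACKUP + " backup",
    "no-pty ssh-ed25519 " + BLOB_NOPTY,
])


def _split_options(line: str) -> Tuple[List[str], str]:
    """Split the leading comma-separated options from the rest of the line.
    Quoted option values may contain spaces and commas, so track quoting."""
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            quoted = not quoted
        elif c == "\\" and quoted and i + 1 < len(line):
            buf += c + line[i + 1]
            i += 2
            continue
        elif c == "," and not quoted:
            opts.append(buf)
            buf = ""
            i += 1
            continue
        elif c in " \t" and not quoted:
            break
        buf += c
        i += 1
    if buf:
        opts.append(buf)
    return opts, line[i:].strip()


def fingerprint(blob: bytes) -> str:
    """OpenSSH's display format: 'SHA256:' plus unpadded base64 of the blob digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict]:
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split(None, 1)[0] in KEY_TYPES:
            opts, rest = [], line
        else:
            opts, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue  # not a key line
        key_type, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        blob = base64.b64decode(b64)
        # the blob's first field names the algorithm; it should agree with the declared type
        (n,) = struct.unpack(">I", blob[:4])
        blob_type = blob[4:4 + n].decode("ascii", "replace")
        keys.append({"options": opts, "type": key_type, "comment": comment,
                     "fingerprint": fingerprint(blob), "type_matches": blob_type == key_type,
                     "restricted": any(o.startswith(("from=", "command=")) for o in opts)})
    return keys


def unrestricted_keys(keys: List[Dict]) -> List[Dict]:
    """Keys that can open a normal session from anywhere."""
    return [k for k in keys if not k["restricted"]]


if __name__ == "__main__":
    for k in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(k["fingerprint"], k["type"], k["options"], k["comment"] or "(no comment)")
```

The fingerprint is what ssh-keygen -lf prints for the same key, so it can be compared against the keys users are known to own; a key nobody recognises is the entry to investigate.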
Scheduled tasks
Cron jobs are scheduled tasks that are executed at predefined intervals. They can be found in the /etc/cron* and /var/spool/cron* folders.
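As an added example (not part of the original post), the parser below reads crontab files of both formats found in those folders: /etc/crontab and /etc/cron.d/* carry a user column, while per-user crontabs under /var/spool/cron* do not, so the owner is passed in. It skips comments and environment assignments, understands the @reboot-style aliases, and flags jobs whose command refers to a temporary directory. Both sample crontabs are constructed; parse_crontab is my name.

```python
# Added example, not from the original post: parse crontab files found under
# /etc/cron* and /var/spool/cron*. /etc/crontab and /etc/cron.d/* carry a user
# column; per-user spool crontabs do not, so the owner is passed in. Comments,
# environment assignments and @aliases are handled. Sample files are constructed.
import re
from typing import Dict, List

SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
"""

SAMPLE_USER_CRONTAB = """\
# crontab for alice
@reboot /tmp/.cache/update.sh
*/5 * * * * /home/alice/bin/sync.sh >/dev/null 2>&1
"""

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text: str, system: bool, owner: str = "") -> List[Dict[str, object]]:
    """Return one dict per job: schedule, user, command and a list of flags."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # comment or environment assignment such as SHELL=/bin/sh
        n_time = 1 if line.startswith("@") else 5  # @reboot, @daily, ... vs. five fields
        parts = line.split(None, n_time + (1 if system else 0))
        if len(parts) != n_time + (2 if system else 1):
            continue  # malformed line: skip rather than guess
        schedule = " ".join(parts[:n_time])
        user = parts[n_time] if system else owner
        command = parts[-1]
        flags = []
        if any(d in command for d in SUSPICIOUS_DIRS):
            flags.append("command runs from a temporary directory")
        jobs.append({"schedule": schedule, "user": user, "command": command, "flags": flags})
    return jobs


if __name__ == "__main__":
    for job in parse_crontab(SAMPLE_SYSTEM_CRONTAB, system=True):
        print(job)
    for job in parse_crontab(SAMPLE_USER_CRONTAB, system=False, owner="alice"):
        print(job)
```

For the spool directory the file name is the owning user, so pass it as owner; for /etc/cron.d files use system=True like /etc/crontab.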
Web browser logs
Web browsers save a lot of user data, such as browsing history, cookies and form data. The most popular browsers on Linux are Firefox and Chrome/Chromium. The user data of these browsers is found in the following locations:
~/.mozilla/firefox/
~/.config/chromium/
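An added example (not part of the original post) for the "what happened between 7 pm and 3 am" kind of question: it queries Firefox's places.sqlite for visits inside a time window, and includes the conversion for Chromium's History database, whose timestamps use a different epoch. Firefox stores visit times as microseconds since the Unix epoch; Chromium stores microseconds since 1601-01-01. The tables created below are a constructed subset of Firefox's schema filled with sample visits; the function names are mine.

```python
# Added example, not from the original post: query Firefox browsing history from
# places.sqlite inside a time window, and convert Chromium's History timestamps.
# Firefox stores visit times as microseconds since the Unix epoch; Chromium's
# History database stores microseconds since 1601-01-01. The tables created
# below are a constructed subset of Firefox's schema, with sample visits.
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FIREFOX_SUBSET_SCHEMA = """
CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                        visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
                               place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""


def build_sample_places(conn: sqlite3.Connection) -> None:
    """Create the constructed sample database in the given connection."""
    conn.executescript(FIREFOX_SUBSET_SCHEMA)
    conn.executemany("INSERT INTO moz_places(id, url, title) VALUES (?, ?, ?)", [
        (1, "https://example.com/", "Example Domain"),
        (2, "https://example.org/docs", "Docs"),
    ])
    conn.executemany(
        "INSERT INTO moz_historyvisits(place_id, visit_date, visit_type) VALUES (?, ?, ?)", [
            (1, 1700000000 * 1_000_000, 1),  # 2023-11-14T22:13:20Z
            (2, 1700003600 * 1_000_000, 1),  # one hour later
            (1, 1700090000 * 1_000_000, 2),  # the next evening
        ])
    conn.commit()


def firefox_time(us: int) -> datetime:
    """PRTime: microseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc) + timedelta(microseconds=us % 1_000_000)


def chromium_time(us: int) -> datetime:
    """Chromium/WebKit time: microseconds since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=us)


def visits_between(conn: sqlite3.Connection, start: datetime, end: datetime) -> List[Tuple[str, str, str]]:
    """Visits with start <= time < end, as (iso_time, url, title), oldest first."""
    rows = conn.execute(
        """SELECT v.visit_date, p.url, p.title
           FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
           WHERE v.visit_date >= ? AND v.visit_date < ?
           ORDER BY v.visit_date""",
        (int(start.timestamp() * 1_000_000), int(end.timestamp() * 1_000_000)),
    ).fetchall()
    return [(firefox_time(t).isoformat(), url, title) for t, url, title in rows]


def demo() -> List[Tuple[str, str, str]]:
    """Run the query against the constructed database for the evening of 14 Nov 2023."""
    conn = sqlite3.connect(":memory:")
    build_sample_places(conn)
    return visits_between(conn, datetime(2023, 11, 14, 22, 0, tzinfo=timezone.utc),
                          datetime(2023, 11, 15, 3, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

For a real profile, copy places.sqlite out of the image (together with places.sqlite-wal if it exists, since recent visits may only be in the write-ahead log) and pass a connection to that copy instead of the in-memory sample.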
Hey there! If you use any other Linux distro and the files are not there or have different locations, write a comment below!
Kudos to the dedicated professionals in the field of computer forensics. They are the real heroes in the fight against cyber threats.