
Insights into Linux forensics

In the last few weeks, I had to analyze Linux images as part of a computer forensics course. For the course, a participant got a case description (attempted murder, illegal pornography, …) and had to find answers to different questions. Examples of such questions are: “What happened between 19 pm and 3 am on this computer?”, “Are there any traces of illegal activities on the hard drive?”, etc.

Apart from the analysis of the partitions (to find hidden sections and partitions), I had to search for log files on an Ubuntu system. You might find this trivial if you know Linux and set up such systems regularly. I wrote down a few standard procedures and locations for finding traces.

Locations

/etc contains the system configuration, as well as the configuration for most installed applications. From it you can find out how interesting applications are set up and where each one writes its log files.
/home contains user data, like personal files (documents, music, downloads, etc.) as well as per-user settings for different applications.
/root is the home directory of the root account. Usually root never logs in directly (at least, it should not), but in certain circumstances an attacker could gain root access and log in as root.
/var/log contains all system logs, as well as the log files of some applications (Apache, for example).

Log files

Log files are important for forensics. The best log files contain time stamps and all the information needed to reconstruct what happened on the computer. But there are also logs which simply contain metadata or hardware and software information. Here are the most important files:

Linux distribution

/etc/lsb-release and /etc/os-release contain Linux distribution information. Here is an example lsb-release file:

DISTRIB_ID=LinuxMint
DISTRIB_RELEASE=17.2
DISTRIB_CODENAME=rafaela
DISTRIB_DESCRIPTION="Linux Mint 17.2 Rafaela"

So this is a quick way to identify the OS.

Installation date

An ext2/3/4 filesystem stores a “Filesystem created” timestamp in its superblock (where the filesystem's metadata is kept), and it can be read with the tune2fs tool. You can attach the image as a loop device (more on this here) and use the following command to find the creation date of the filesystem (the -l option lists the superblock fields):
tune2fs -l /dev/loop0 | grep -i created

Computer name and hosts file

The host name can be found in the /etc/hostname file. Other interesting hosts can be found in /etc/hosts.

User accounts and passwords

All user accounts can be found in /etc/passwd. The (hashed) login passwords are found in the /etc/shadow file. Note that the root account always has the UID (user ID) 0, so check for any other account with UID 0 as well.

Login history

You can get exact information on which user logged into the system, with login times and the originating host or IP address. The /var/log/wtmp file is a binary file, so you cannot simply read it in a text editor, but you can use the last command to print its contents:
last -f /var/log/wtmp

In the /var/log directory, there can also be a btmp and a utmp file, which can be examined with the same command. They contain failed logins and the current status of logged-in users, respectively.

Not every system has all three of these files; it is possible that only one or two of them exist.
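As an added example (not part of the original post), here is a small Python parser for wtmp/btmp records that reads a file copied out of the image, so the analysis does not depend on the suspect system's own last binary or its timezone settings. It assumes the 384-byte glibc utmp record layout of x86_64 Linux and runs on a constructed sample file; the helper names are my own.

```python
import struct
from datetime import datetime, timezone

# Record layout of glibc's struct utmp on x86_64 Linux (384 bytes per entry).
# Assumption: the image comes from such a system; other ABIs use other sizes.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS", 6: "LOGIN_PROCESS",
            7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw):
    """Decode a NUL-padded C string field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield one dict per fixed-size record in a wtmp/btmp/utmp byte string."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, _addr, _pad) = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
               "line": _cstr(line), "user": _cstr(user), "host": _cstr(host),
               # timestamps are UTC epoch seconds; keep them UTC, do not trust the image's TZ
               "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc)}

def logins_between(data, start, end):
    """USER_PROCESS records (actual logins) with a timestamp inside [start, end]."""
    return [r for r in parse_wtmp(data)
            if r["type"] == "USER_PROCESS" and start <= r["time"] <= end]

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one record; used only to build the constructed sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, int(ts.timestamp()), 0, b"", b"")

def _utc(*ymdhm):
    return datetime(*ymdhm, tzinfo=timezone.utc)

# Constructed sample wtmp: boot, SSH login by alice at night, logout, console login by bob.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "reboot", "", _utc(2015, 9, 1, 20, 0)),
    make_record(7, 1234, "pts/0", "alice", "10.0.0.5", _utc(2015, 9, 1, 23, 30)),
    make_record(8, 1234, "pts/0", "", "", _utc(2015, 9, 1, 23, 45)),
    make_record(7, 1300, "tty1", "bob", "", _utc(2015, 9, 2, 9, 0)),
])

if __name__ == "__main__":
    # Who logged in between 19:00 and 03:00 UTC? -> alice from 10.0.0.5 at 23:30
    for r in logins_between(SAMPLE_WTMP, _utc(2015, 9, 1, 19, 0), _utc(2015, 9, 2, 3, 0)):
        print(r["time"], r["user"], r["line"], r["host"] or "local")
```

To use it on a real case, replace SAMPLE_WTMP with the bytes of /var/log/wtmp (or btmp) copied from the mounted image; a DEAD_PROCESS record with the same line and pid marks the end of a session.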

Another interesting file for logins is the /var/log/auth.log file. It logs SSH connections to the system, as well as the use of the sudo command.

Command history

Every command entered in a bash shell is saved to the ~/.bash_history file in the user's home directory (bash writes it out when the session ends). By default it contains no timestamps, so it only shows what was done, not when.

Another important location is the bash history for the root user, which is located at /root/.bash_history. It will only contain data if someone ever logged in as root (or used sudo -i).

SSH

The SSH files (located in ~/.ssh) can be useful to determine if any external system had access to the computer. The most interesting file is authorized_keys, which lists the public keys whose holders can log in to this account without a password. Also check the /root/.ssh folder for such entries!

Scheduled tasks

Cron jobs are scheduled tasks which are executed at predefined intervals. Any such tasks can be found in the /etc/cron* and /var/spool/cron* folders.

Web browser logs

Web browsers save a lot of user data, such as browsing history, cookies and form data. The most popular browsers on Linux are Firefox and Chrome/Chromium. The user data of these browsers is found in the following locations:
~/.mozilla/firefox/
~/.config/chromium/

Hey there! If you use any other Linux distro and the files are not there or have different locations, write a comment below!

Published in IT-Security
