Linux Forensics

Linux is a widely-used operating system that manages hardware resources and supports various distributions like Ubuntu and Fedora. Linux forensics involves analyzing user activities, system configurations, and log files to uncover evidence of incidents. Key areas of focus include user accounts, processes, mounted points, and persistence mechanisms to detect suspicious activities.

Uploaded by

mansidayal654
Copyright: © All Rights Reserved

Linux Forensics

What is Linux?
Just like Windows, iOS, and Mac OS, Linux is an operating system. In fact, one
of the most popular platforms on the planet, Android, is powered by the Linux
operating system. An operating system is software that manages all of the
hardware resources associated with your desktop or laptop. To put it simply,
the operating system manages the communication between your software
and your hardware. Without the operating system (OS), the software wouldn’t
function.
Popular Linux distributions include:

- Linux Mint
- Manjaro
- Debian
- Ubuntu
- Antergos
- Solus
- Fedora
- Elementary OS
- openSUSE

And don’t think the server has been left behind. For this arena, you can turn
to:

- Red Hat Enterprise Linux
- Ubuntu Server
- CentOS
- SUSE Enterprise Linux

OS forensics is the art of finding the evidence (artefacts) left behind by the system, its applications and the users' activities in order to answer a specific question.
Since there are many Linux distributions and this article cannot cover all of them, all artefacts below are presented for Debian.
File systems of Linux
Open-source Linux supports implementing, testing and using many different file systems. The most common ones on Linux are:

Ext
Ext2, Ext3 and Ext4 are successive versions of the "native" Linux Ext file system, which is still under active development and improvement.

Ext3 is an extension of Ext2 that adds transactional (journaled) file-write operations.

Ext4 is a further development of Ext3, extended with optimized file allocation information (extents) and extended file attributes. It is the usual "root" file system for most Linux installations.

ReiserFS
An alternative Linux file system optimized for storing a huge number of small files. It has good search capabilities and packs files compactly by storing file tails (or very small files) together with the metadata, so that a whole FS block is not consumed for them. However, this format is no longer actively developed or supported.

XFS
XFS is a high-speed journaling file system designed for parallel I/O processing. NASA still uses it on its large storage servers (300+ terabytes).
Btrfs
Btrfs stands for the B-tree file system. It offers fault tolerance, repair facilities, convenient administration, extensive storage configuration and more. It is not considered a good fit for production systems.

Swap File System

The swap file system is used for memory paging in the Linux operating system and during system hibernation. A system that never enters the hibernate state is required to have swap space equal to its RAM size.
Points of Interest
As a forensics analyst, what should you pay attention to?

Users & Groups

As an incident responder, it is very important to investigate user account activity. It helps you understand which users are logged in, which users exist, usual and unusual logins, failed login attempts, permissions, sudo access, etc.
Users

To identify whether there is an account on the system that looks suspicious, check:
Users list

User's creation date

UID 0 users
Searching /etc/passwd for the pattern ':0:' lists the accounts with UID 0:
Temporary users
To identify whether an attacker created any temporary user:

Groups

The group file (/etc/group) lists the groups on the system and their members:

Groups list

Sudoers group
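The checks listed above (UID 0 accounts, login-capable and temporary accounts, sudo group membership) can be scripted against a passwd/group pair. The block below is an added example, not code from the original notes; it works on two constructed sample files (the account names and paths are made up) and would be pointed at /etc/passwd and /etc/group, or at copies exported from a disk image, on a real case.

```shell
#!/bin/sh
# Added example (not from the original notes): triage a passwd/group pair for
# accounts that deserve a closer look. Both files below are constructed samples.
WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
GROUP="$WORK/group"

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp/.b:/bin/sh
tmp01:x:1001:1001::/tmp:/bin/bash
EOF

cat > "$GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice,tmp01
users:x:100:
EOF

# Every account whose UID (third field) is 0, apart from root itself.
uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Human accounts (UID >= 1000) with a real login shell, with their home directory.
login_accounts() {
    awk -F: '$3 >= 1000 && $7 !~ /nologin$|false$/ { print $1 ":" $6 }' "$1"
}

# Accounts whose home directory sits under a world-writable temporary location,
# a common trait of throwaway accounts created during an intrusion.
temp_home_accounts() {
    awk -F: '$6 ~ /^\/(tmp|var\/tmp|dev\/shm)(\/|$)/ { print $1 }' "$1"
}

# Members of the sudo group (comma-separated fourth field of that group line).
sudoers() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

echo "UID 0 accounts besides root:"; uid0_users "$PASSWD"
echo "Login-capable accounts:";      login_accounts "$PASSWD"
echo "Homes in temporary dirs:";     temp_home_accounts "$PASSWD"
echo "sudo group members:";          sudoers "$GROUP"
```

Linux does not record an account creation date in /etc/passwd; the usual approximations are the modification time of the home directory (stat) and the useradd/adduser entries in auth.log, which is why the account list is best read together with the log analysis below.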

System Configuration
Network configurations
Configuration files for network setup:

OS information
Shows OS release information:

Hostname

Time zone
User Activities
ps
The command ps is short for "process status". It is used to view the list of processes running on the system and provides a snapshot of the current processes with details such as user ID, CPU usage, memory usage and command name. Investigators can check the process tree to identify suspicious processes and their parent/child dependencies.
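The process-tree review described here (and again under Processes below) comes down to walking the PID/PPID relationships. The block below is an added example, not part of the original notes: it works on a constructed snapshot in the shape of ps -eo pid,ppid,user,comm output (the processes and names are made up), prints the ancestry of one PID, and flags shells or netcat-style helpers that descend from a web-server daemon, which is one dependency pattern worth explaining during triage.

```shell
#!/bin/sh
# Added example (not from the original notes): walk a ps snapshot by PID/PPID.
# The snapshot below is constructed; on a live system it would come from
# `ps -eo pid,ppid,user,comm`.
WORK=$(mktemp -d)
PS="$WORK/ps.txt"
cat > "$PS" <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     systemd
  612     1 root     sshd
  700   612 alice    sshd
  701   700 alice    bash
  820     1 www-data nginx
  955   820 www-data sh
  960   955 www-data nc
EOF

# Print the chain of ancestors of one PID, child first, e.g. "nc <- sh <- nginx <- systemd".
ancestry() {
    awk -v target="$2" 'NR > 1 { ppid[$1] = $2; name[$1] = $4 }
        END {
            p = target; out = ""
            while (p in name) { out = out (out == "" ? "" : " <- ") name[p]; p = ppid[p] }
            print out
        }' "$1"
}

# Shells and netcat-style helpers that have a web-server daemon somewhere in
# their ancestry; each hit names the process and the daemon it hangs under.
shells_under_daemons() {
    awk 'NR > 1 { ppid[$1] = $2; name[$1] = $4; user[$1] = $3 }
        END {
            for (pid in name) if (name[pid] ~ /^(sh|bash|dash|nc|ncat)$/) {
                p = ppid[pid]
                while (p in name) {
                    if (name[p] ~ /^(nginx|apache2|httpd|php-fpm)$/) {
                        print pid, user[pid], name[pid], "under", name[p]; break
                    }
                    p = ppid[p]
                }
            }
        }' "$1" | sort -n
}

echo "Ancestry of PID 960:"; ancestry "$PS" 960
echo "Shells under daemons:"; shells_under_daemons "$PS"
```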

Mounted points
To check if there is an unknown mount on your system:

History

Log Analysis
Log files are records of the activities performed on an operating system. Linux log files store information about the system's kernel and the services running on the system. Different log files hold different information, which helps investigators analyze the various issues that arise during a security incident.

Log entries

auth.log (SSH/Telnet/sudo logs)

syslog
Contains general system messages. In particular, it also records cron job executions together with the commands they ran.

wtmp
A binary login database, inherited from the BSD operating systems, that keeps a history of all logins and logouts.
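The questions an analyst asks of auth.log (who failed to log in and from where, who succeeded, what ran through sudo, which accounts were created) map onto a few awk passes. The block below is an added example, not code from the original notes; the log lines are constructed, the addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): answer the usual questions from
# an auth.log. The log lines below are constructed samples.
WORK=$(mktemp -d)
LOG="$WORK/auth.log"
cat > "$LOG" <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:02:40 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:05:09 host sshd[1220]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:05:30 host sshd[1225]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:06:00 host useradd[1300]: new user: name=backup2, UID=0, GID=0, home=/tmp/.b, shell=/bin/sh
EOF

# Failed SSH logins counted per source address (the token after "from"), busiest first.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Successful SSH logins: authentication method, user and source address.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $7, $9, $(i + 1)
         }' "$1"
}

# Commands run through sudo, with the invoking user.
sudo_commands() {
    awk '$5 == "sudo:" && /COMMAND=/ { u = $6; sub(/.*COMMAND=/, ""); print u ": " $0 }' "$1"
}

# Account and group changes recorded by the shadow-utils tools.
account_changes() {
    grep -E '(useradd|usermod|userdel|adduser|groupadd)\[[0-9]+\]:' "$1"
}

# A source that failed repeatedly and then succeeded is the classic sign of a
# password-guessing attempt that worked; report it with the failure count so far.
brute_force_successes() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") f[$(i + 1)]++
         }
         /sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from" && ($(i + 1) in f))
                     print $(i + 1), "succeeded after", f[$(i + 1)], "failures"
         }' "$1"
}

echo "Failed logins by source:";  failed_logins_by_source "$LOG"
echo "Accepted logins:";          accepted_logins "$LOG"
echo "sudo commands:";            sudo_commands "$LOG"
echo "Account changes:";          account_changes "$LOG"
echo "Successes after failures:"; brute_force_successes "$LOG"
```

On a Debian system the same functions run over /var/log/auth.log and its rotated copies; the useradd line in the sample is also the record that gives an account the creation time that /etc/passwd lacks.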

Persistence Mechanisms
On Linux, just like Windows, malware once loaded wants to stay loaded. On
Windows systems, this is usually done with a variety of registry mechanisms. For
Linux, it’s often done using the crontab scheduling facility or a malicious service
running on the system.
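Reviewing crontab persistence means reading both the system crontab format (which carries a user field) and the per-user format (which does not), then deciding which jobs need explaining. The block below is an added example, not code from the original notes: it parses two constructed crontab files (the job lines are made up) into a uniform "source: user: command" listing and applies a few defender-side heuristics, such as commands living in world-writable or hidden directories.

```shell
#!/bin/sh
# Added example (not from the original notes): normalise cron jobs and flag the
# ones worth a closer look. Both crontab files below are constructed samples; on
# a real case the inputs are /etc/crontab, /etc/cron.d/* and /var/spool/cron/crontabs/*.
WORK=$(mktemp -d)
cat > "$WORK/crontab" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /tmp/.x/update.sh >/dev/null 2>&1
EOF
cat > "$WORK/user_alice" <<'EOF'
# m h  dom mon dow   command
0 2 * * * /home/alice/bin/backup.sh
@reboot /dev/shm/.s/run
EOF

# Print one "source: user: command" line per job. $1 is the file, $2 is the
# format: "system" (sixth field is the user) or "user" (no user field).
cron_jobs() {
    awk -v fmt="$2" -v src="$(basename "$1")" '
        /^[[:space:]]*(#|$)/ || /^[A-Za-z_]+=/ { next }   # comments, blanks, VAR=value
        {
            n = ($1 ~ /^@/) ? 1 : 5                     # @reboot-style vs five time fields
            if (fmt == "system") { user = $(n + 1); n++ } else { user = "(owner)" }
            cmd = ""
            for (i = n + 1; i <= NF; i++) cmd = cmd (cmd == "" ? "" : " ") $i
            print src ": " user ": " cmd
        }' "$1"
}

# Heuristics: commands in world-writable temp directories or hidden directories,
# downloads piped straight into a shell, or base64-decoded payloads.
suspicious_jobs() {
    grep -E '(/tmp|/var/tmp|/dev/shm)/|/\.[^/[:space:]]+/|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64 +-d'
}

all_jobs() {
    cron_jobs "$WORK/crontab" system
    cron_jobs "$WORK/user_alice" user
}

echo "All jobs:";     all_jobs
echo "Flagged jobs:"; all_jobs | suspicious_jobs
```

The flags are a starting point, not a verdict: a legitimate job can live in /tmp and a hostile one can sit in /usr/local/bin, so every flagged line still needs the script it runs pulled and read.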

Services
The services in the Linux system can be classified into system and network services.
System services include the status of services, cron, etc and network services
include file transfer, domain name resolution, firewalls, etc.

Processes
To get a dynamic, real-time view of all processes running on the Linux system, together with a summary of system information and the list of processes and their IDs or threads managed by the Linux kernel, we use:

Scheduled Tasks and jobs

Firewall Rules
To check and manage the IPv4 packet filtering and NAT in Linux systems we will
use:

Network Connections
