
National Forensic Sciences University
Delhi Campus

LINUX FORENSICS

Prateek Saini MDFIS-01
Hardik Kundra MDFIS-02
Shreyas Patel MDFIS-03
Ajay Singh MDFIS-04
Reet Chauhan MDFIS-05
Gautham Karun MDFIS-06
ROADMAP

01 Overview of digital forensics
02 Overview of Linux
03 Extracting evidence from storage devices and filesystems
04 Filesystem forensic analysis
05 Linux swap analysis
06 Linux logs
AN OVERVIEW OF DIGITAL FORENSICS:
 The history of digital forensics is short compared to other scientific disciplines.
 There have been several “eras” in digital forensics.
 The pre-Y2K era was mostly about police organisations around the world discovering the importance of digital forensics.
 During 2000-2010, the importance of digital forensics grew as we saw incidents like 9/11.
 In the years since 2010, multiple events have shifted the focus toward investigating and collecting evidence from cyber attacks and data breaches.
 Now the focus of digital forensics has shifted to the investigation of Advanced Persistent Threats (APTs), as we saw with Stuxnet, the Vault 7 leaks, etc.
OVERVIEW OF LINUX

INTRODUCTION TO LINUX:
 Linus Torvalds created the Linux kernel, which adopted the concepts and philosophy of Unix.
 The kernel is the heart of a Linux system. It provides the interface between user programs (called user-space or user-land) and the hardware.
 Overall, the kernel is responsible for memory, CPU and process management, hardware device drivers, filesystems and storage, network hardware and protocols, security policy enforcement, and human interface and peripheral devices.
MORE ABOUT LINUX:
 Devices – A Linux device is a special file, typically located in /dev/, that provides access to device drivers in the kernel. Most Linux forensic tools are designed to operate directly on forensically acquired image files; however, some tools operate only on device files, so collecting these files is essential.
 Systemd – An initialization system that has become a de facto system layer between the kernel and user-land. Systemd has the potential to provide many forensic artifacts and trace evidence of interest to a digital investigator.
 Command line – The shell is a program that provides a command line interpreter used to interface with people or shell scripts. Modern system users may never need to use a command line interface like bash; nevertheless, it is of significant importance.
 The shell is important from a digital forensics perspective because it saves a history of the commands a user has entered, along with other information about processes.
LINUX DISTRIBUTIONS:
 Technically, only the Linux kernel is the actual operating system. However, the term Linux is used to describe various distros or distributions.
 The most common distributions include Debian, SUSE, Red Hat and Arch.
 The typical components that make up a distro today are:
1) Boot media (ISO images for CD, DVD or USB stick)
2) Installer scripts and tools
3) Package management system
4) Configuration management
5) Precompiled packages (compiling from source optional)
6) Preconfigured desktop environments
7) Documentation (online or in paper book form)
8) Updates and security advisories
9) Support forums and user mailing lists
FORENSIC ANALYSIS OF LINUX SYSTEMS:
 Performing a forensic examination of a Linux system has many similarities to doing so on Windows or macOS systems. Some examples of forensic tasks common to all three include:
• Partition table analysis (MSDOS or GPT)
• Understanding user desktop activity
• Looking for photo and video directories
• Looking for recent documents
• Attempting to recover deleted files from the filesystem or recycle bins
• Building timelines to reconstruct events
• Analyzing thumbnail images, clipboard data, and desktop information
• Finding configuration files, logs, and caches
• Analyzing installed software
 The main operating system differences are the locations and formats of the forensic artifacts on the drive image. Linux filesystems are different, file locations are different, and file formats can be different.
EXTRACTING EVIDENCE FROM STORAGE DEVICES AND FILESYSTEMS

ANALYSIS OF PARTITION TABLE:
 Storage media are organised using a partition scheme. Different partition schemes: MBR, GPT, BSD etc.
 Partition tables describe the partitions on a drive, providing information such as partition type, size and offset. Different partitions: /boot/, / (root), /usr/ etc.
 Different partition types: 0x83 Linux, 0x85 Linux extended, 0x82 Linux swap etc.
 A misleading or incorrect partition type may indicate an attempt to hide or obfuscate information.
 On Linux, the /dev/ directory holds the partition device files. The block devices in /dev/ are represented as /dev/sda, /dev/sdb, /dev/nvme0n1 etc.
 Some Linux tools available to analyse partition tables are mmls and disktype.
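As an added example (not code from the slides, nor from mmls or disktype), the following Python parses the four primary entries of an MBR partition table and then sniffs what each partition actually contains, so a declared type that disagrees with the content, the misleading partition type the slide warns about, can be flagged. The ext superblock magic and the swap signature are the only content checks implemented; the 40-sector disk image is constructed for the demonstration.

```python
import struct

SECTOR = 512
LINUX_TYPES = {0x82: "Linux swap", 0x83: "Linux filesystem", 0x85: "Linux extended"}
SWAP_SIGS = (b"SWAPSPACE2", b"SWAP-SPACE")

def parse_mbr(image: bytes) -> list:
    """Return the non-empty primary entries of a classic MBR table (16-byte entries at offset 446)."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA MBR boot signature")
    entries = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", image, 446 + 16 * i)
        if ptype:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "type_name": LINUX_TYPES.get(ptype, "unknown"),
                            "start_sector": lba, "sectors": count})
    return entries

def sniff_content(image: bytes, start_sector: int):
    """Guess the type from content: ext2/3/4 magic 0xEF53 at byte 1024+56 of the partition,
    or a swap signature in the last 10 bytes of its first 4 KiB page. None if neither matches."""
    base = start_sector * SECTOR
    if image[base + 1080:base + 1082] == b"\x53\xef":
        return 0x83
    if image[base + 4086:base + 4096] in SWAP_SIGS:
        return 0x82
    return None

def find_type_mismatches(image: bytes) -> list:
    """(index, declared type, observed type) for entries whose table type disagrees with content."""
    out = []
    for e in parse_mbr(image):
        seen = sniff_content(image, e["start_sector"])
        if seen is not None and seen != e["type"]:
            out.append((e["index"], e["type"], seen))
    return out

def build_sample_image() -> bytes:
    """Constructed 40-sector image (not a real acquisition): entry 0 is ext4 labelled 0x83,
    entry 1 carries a swap signature but is labelled 0x83 as well."""
    img = bytearray(40 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x83, 8, 16)
    struct.pack_into("<B3xB3xII", img, 462, 0x00, 0x83, 24, 16)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR + 1080:8 * SECTOR + 1082] = b"\x53\xef"
    img[24 * SECTOR + 4086:24 * SECTOR + 4096] = b"SWAPSPACE2"
    return bytes(img)
```

On a real image, `mmls` gives the same table view; the content check is what turns a suspicious type value into a concrete lead.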
LOGICAL VOLUME MANAGER:
 Volume management helps to organize and manage physical drives, and allows the flexibility to create logical drives that contain partitions and filesystems.
 Key concepts of LVM are the physical volume (PV), volume group (VG), logical volume (LV), physical extents and logical extents.
 LVM does not require a partition table, hence a PV can be created directly on a raw disk.
 LVM partition header: 8B LVM ID, 8B sector where the label resides, 4B CRC checksum, 4B byte offset, 8B LVM type, 16B PV UUID.
 The lvm2 software package has a number of tools that manage LVM and can be used to perform forensic analysis on it.
 Some other tools are: pvdisplay, lvdisplay, TSK etc.
LINUX SOFTWARE RAID:
 RAID (redundant array of independent disks) is a concept of configuring a group of disks to work in parallel for reliability and performance.
 Concepts of RAID:
a. Mirror: two disks that are mirror images of each other.
b. Striped: stripes of data spread across multiple disks for performance.
c. Parity: an extra bit used for error detection and/or correction.
 Different levels of RAID are RAID 0, 1, 2 ... 6, 10 and JBOD.
 RAID capability in Linux can be provided by md, LVM or built into the filesystem.
 A RAID system has a superblock that contains information about the device and the array. This superblock can be examined with a hex editor or the mdadm command.
FILESYSTEM FORENSIC ANALYSIS

LINUX FILESYSTEM CONCEPTS:
 In Unix and Linux, everything is a file, including hardware devices, processes, networking etc.
 A partition on a drive has its filesystem starting at sector 0 of the partition. A filesystem uses a contiguous group of sectors to form a block, and a collection of these blocks forms the data content of files.
 Each file is assigned a unique inode number which, with other metadata, is stored in the inode table.
 The allocation state of blocks and inodes is stored in a bitmap and updated when files are created or deleted.
 Traditional filesystems have read/write abilities, performance optimization and fault tolerance. Modern filesystems have additional features like journaling or the use of extents.
FORENSIC ARTIFACTS IN LINUX FILESYSTEMS:
 The first step is to identify the filesystem, which can be done from the bytes at its beginning, called the signature. Tools to identify the type are disktype or TSK's fsstat.
 Filesystem metadata of forensic interest: label or volume name specified by the system owner; unique ID (UUID/GUID); timestamps; size and number of blocks; number of mounts and last mount point; filesystem features and configuration.
 File metadata of forensic interest: POSIX file type; permissions and ownership; multiple timestamps (MACB); sizes and blocks; flags and attributes.
 Storage content forensic artifacts: sector; block; extent; unallocated block.
 When a file is deleted, it is unlinked and the associated data blocks are flagged as unallocated. These blocks may still hold important data.
 Additional slack where data could exist: volume slack; file slack; RAM and memory slack; inter-partition gaps.
LIST AND EXTRACT DATA:
 Filesystem forensic analysis should be able to recover files and file fragments, and read data from a partition device file or an extracted partition image.
 Forensic tools can be used to:
a. list all known files
b. extract a file based on inode number
c. extract a file based on filename
d. extract filesystem blocks
e. extract all unallocated filesystem blocks
f. extract all file slack space
g. extract one drive sector
LINUX SWAP ANALYSIS

SWAP IDENTIFICATION AND ANALYSIS:
 Swapping is the process where a page of memory is copied to a preconfigured space on the hard disk, called swap space, to free up that page of memory.
 The kernel must be told which swap areas to use, which is done at boot time.
 Swap partitions can be extracted for examination or analyzed in place using a sector offset determined from the partition table.
 Swap partitions can also be configured using systemd.
 A swap partition (or file) can be identified by a 10-character signature string: SWAPSPACE2 or SWAP-SPACE.
HIBERNATION:
 If a swap partition or file is greater than or equal to the size of the system’s physical memory, the physical memory can be suspended to disk for hibernation.
 With the entire contents of memory saved to disk, the OS can be halted and the machine powered off. When the machine powers back on, the bootloader runs and the kernel is started. If the kernel finds a hibernated state, it starts the resume process to bring back the system’s last running state.
 From a forensics perspective, hibernation is useful because the entire contents of memory are saved to disk and can be analyzed.
 A swap partition may contain a hibernation memory image (signature S1SUSPEND) which can be analysed using forensic tools or a hex editor to recover sensitive information like passwords, keys etc.
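As an added example covering both the swap identification slide and the hibernation slide (this is not code from the slides or from any forensic tool), the following Python reads the first page of a candidate swap partition or file, checks the 10-character signature in the last 10 bytes of that page, and distinguishes a plain swap area (SWAPSPACE2 / SWAP-SPACE) from one holding a hibernation image (S1SUSPEND, with the original signature kept in the preceding 10 bytes). It also decodes the swap header fields at byte 1024 (version, last page, bad pages, UUID, label). It assumes a 4 KiB page size and constructs its own sample pages.

```python
import struct
import uuid

PAGE_SIZE = 4096                      # assumption: x86-64 default page size
SWAP_SIGS = (b"SWAPSPACE2", b"SWAP-SPACE")
HIBERNATE_SIG = b"S1SUSPEND"          # swsusp marker written over the swap signature

def parse_swap_header(page: bytes) -> dict:
    """Classify the first page of a partition or file as swap, hibernation image or neither.

    Kernel swap header layout: 1024 bytes of boot area, then version (u32), last_page (u32),
    nr_badpages (u32), uuid (16 B), volume_name (16 B), all little-endian. The 10-character
    signature fills the last 10 bytes of the page; a hibernated system overwrites it with
    S1SUSPEND and keeps the original signature in the 10 bytes just before it.
    """
    if len(page) < PAGE_SIZE:
        raise ValueError("need at least one full page")
    sig = page[PAGE_SIZE - 10:PAGE_SIZE]
    info = {"kind": "none", "signature": sig.rstrip(b"\0")}
    if sig in SWAP_SIGS:
        info["kind"] = "swap"
    elif sig.startswith(HIBERNATE_SIG):
        info["kind"] = "hibernation"
        info["orig_signature"] = page[PAGE_SIZE - 20:PAGE_SIZE - 10].rstrip(b"\0")
    else:
        return info                   # neither signature: not a swap area
    version, last_page, nr_bad = struct.unpack_from("<III", page, 1024)
    info["version"] = version
    info["size_bytes"] = (last_page + 1) * PAGE_SIZE
    info["bad_pages"] = nr_bad
    info["uuid"] = str(uuid.UUID(bytes=page[1036:1052]))
    info["label"] = page[1052:1068].split(b"\0", 1)[0].decode("ascii", "replace")
    return info

def build_sample_page(sig: bytes, orig_sig: bytes = b"", label: bytes = b"swap0") -> bytes:
    """Constructed sample first page for demonstration; not taken from a real system."""
    page = bytearray(PAGE_SIZE)
    struct.pack_into("<III", page, 1024, 1, 262143, 0)   # version 1, 262144 pages = 1 GiB
    page[1036:1052] = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes
    page[1052:1052 + len(label)] = label
    page[PAGE_SIZE - 20:PAGE_SIZE - 20 + len(orig_sig)] = orig_sig
    page[PAGE_SIZE - 10:PAGE_SIZE - 10 + len(sig)] = sig
    return bytes(page)

if __name__ == "__main__":
    print(parse_swap_header(build_sample_page(b"SWAPSPACE2")))
    print(parse_swap_header(build_sample_page(b"S1SUSPEND", orig_sig=b"SWAPSPACE2")))
```

To run it against an acquired partition, feed it the first 4096 bytes read at the sector offset taken from the partition table; a "hibernation" result is the cue to carve the memory image rather than treat the area as ordinary swap.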
LINUX LOGS

LINUX LOGS:
 Linux logs give you a history of everything that has been happening in the heart of a Linux operating system. So, if anything goes wrong, they give a useful overview of events to help you, the administrator, seek out the culprits.
 Linux log files should be easy to decipher since they are stored in text form under the /var/log directory and its subdirectories. They cover all kinds of things: system, kernel, package managers, MySQL and more.
 Linux provides a centralized repository of log files located under the /var/log directory.
 The log files generated in a Linux environment can typically be classified into four categories:
- Application logs
- Event logs
- Service logs
- System logs
LOGS TO MONITOR:
When working with log files, it is advised that an analyst should have a lead on what to look for and search for related events in the log files. A full review of logs is possible but tedious and time-consuming due to the large number of logs. For forensics purposes, I personally spend more time on the following logs:
 /var/log/messages - Shows general messages and info regarding the system; basically a log of all activity throughout the global system. This is the first log file Linux administrators should check if something goes wrong.
 /var/log/auth.log - Keeps authentication logs for both successful and failed logins and authentication processes. Storage depends on system type. If you are looking for anything involving the user authorization mechanism, you can find it in this log file.
 /var/log/boot.log – Contains start-up messages and boot info. The system initialization script, /etc/init.d/bootmisc.sh, sends all boot-up messages to this log file. This is the repository of booting-related information and messages logged during the system startup process.
 /var/log/kern.log – Keeps kernel logs and warning info. Kernel logs can be helpful to troubleshoot a custom-built kernel.
 /var/log/faillog - Records info on failed logins. Hence, handy for examining potential security breaches like login credential hacks and brute-force attacks.
 /var/log/maillog or /var/log/mail.log - All mail server related logs are stored here. Find information about postfix, smtpd, MailScanner, SpamAssassin or any other email related services running on the mail server.
 /var/log/yum.log - Contains the information logged when a new package is installed using the yum command. Check the messages logged here to see whether a package was correctly installed or not.
 /var/log/mysqld.log or /var/log/mysql.log - As the name suggests, this is the MySQL log file. All debug, failure and success messages related to the [mysqld] and [mysqld_safe] daemons are logged to this file. RedHat, CentOS and Fedora store MySQL logs under /var/log/mysqld.log, while Debian and Ubuntu maintain the log in /var/log/mysql.log.
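As an added example (not from the slides or from the referenced articles), the following Python shows the kind of lead-driven review the slide recommends for /var/log/auth.log: it parses sshd login results, counts failed attempts per source address, and reports any source that reached a failure threshold and then logged in successfully, which is the brute-force pattern an analyst wants surfaced first. The auth.log lines are constructed with documentation (TEST-NET) addresses; the hostname, PIDs and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample /var/log/auth.log lines in OpenSSH's syslog format; not a real capture.
SAMPLE_AUTH_LOG = """\
Mar  5 10:21:03 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 52122 ssh2
Mar  5 10:21:05 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 52130 ssh2
Mar  5 10:21:07 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 52131 ssh2
Mar  5 10:21:09 web1 sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 52140 ssh2
Mar  5 10:21:12 web1 sshd[1209]: Accepted password for root from 203.0.113.7 port 52150 ssh2
Mar  5 10:30:44 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  5 10:30:50 web1 sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar  5 10:31:00 web1 CRON[1310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_auth_log(text: str) -> list:
    """Extract sshd login events; lines that are not sshd auth results (e.g. CRON) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_bruteforce(events: list, threshold: int = 3) -> dict:
    """Sources with at least `threshold` failures. If a source logs in successfully after
    reaching the threshold, record the account it got into: that is the finding to escalate."""
    failures = Counter()
    success_as = {}
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold and ev["src"] not in success_as:
            success_as[ev["src"]] = ev["user"]
    return {src: {"failures": n, "success_as": success_as.get(src)}
            for src, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for src, finding in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, finding)
```

The same parse-then-aggregate approach applies to the other log files listed above; only the regular expression changes with the daemon's message format.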
While monitoring and analyzing all the log files generated by the system can be a difficult task, you can make use of a centralized log monitoring tool to simplify the process. Needless to say, monitoring Linux logs manually is hard.
One widely used tool to monitor Linux logs is Nagios. Nagios provides complete monitoring of Linux operating systems and distributions, including operating system metrics, service state, process state, filesystem usage, and more.