While doing an investigation on a Linux OS there are also other important things to keep an eye out for or directories that should be investigated. This section contains a lot of various information that should be analyzed.
The /etc directory contains configuration files, which should be viewed and analyzed. These files will include information about system configuration, start-up scripts, and services, and they will differ depending on what is installed and configured on the system.
The /home directory contains user files that should be viewed and analyzed. Make sure you look and search for any hidden directories or files!
Recall that in Module 4, we covered log files. This is a great time to review that information! Linux stores log files in /var/log, so these files should be analyzed and understood as they could contain important details about the case.
Other important logs that should be viewed are:
/var/log/auth.log
/var/log/sudo.log
The common browsers used in Linux are Firefox and Chrome (or its open-source derivative, Chromium). The file formats are the same as on Windows (SQLite databases), but the files live under the user home directories:
Firefox: $HOME/.mozilla/firefox/*.default
Chrome: $HOME/.config/chromium/Default
Viewing environment variables is vital to an investigation because they can help provide details about the system's configuration. Environment variables contain information about user settings, configuration, and the runtime environment. The $PATH variable lists which directories are searched for executable files, and therefore where software is potentially being launched from. Users can also create their own variables, so we should investigate why a user might have created or manipulated them. If you need a refresher on these, please review the ICS 231 content.
A cronjob is a task scheduled to run automatically at a specific time or interval. We should look for these to understand what the system is configured to do and what it is configured to run automatically. Also, a persistent backdoor could be launched from a cronjob! To view cronjobs, you should look at the following locations:
ls -la /etc/cron*
ls -la /var/spool/cron/*
crontab -l -u %username%
We looked at this file for user account information but will revisit it for different information. This time, we want to double-check the /etc/passwd file for any extra UID (User ID) accounts with a value of 0. The root user is the only user in a Linux system with a UID of 0. If another account has a UID of 0, they are also root! That is not a good thing! We must also look for service accounts with passwords or an active login shell. Most service accounts will have /bin/false or /sbin/nologin or /usr/sbin/nologin as their active shell. Also, service accounts will have a UID below 1000. Another item to check with service accounts is if they have a configured home directory. Service accounts will generally have /dev/null as a home directory. This is where the power of grep and awk comes in handy!
Command:
awk -F : '$3 < 1000 {print "User ID Less than 1000:" $1,$3}' /etc/passwd
Command:
grep nologin /etc/passwd
Command:
grep /home /etc/passwd
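The three /etc/passwd checks above (extra UID 0 accounts, service accounts with a login shell, service accounts with a home under /home) as one added shell example; it is not part of the course material and runs against a constructed sample file rather than a live /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the three conditions above.
# The sample below is constructed for illustration, not taken from a real host.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sysadm:x:0:0:backup admin:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/home/backup:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Any account other than root with UID 0 is a second root account.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# Service accounts (UID 1-999) whose shell is not a non-login shell
# (/bin/false, /sbin/nologin, /usr/sbin/nologin). Prints name:shell.
service_with_shell() {
  awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ {print $1 ":" $7}' "$1"
}

# Service accounts (UID 1-999) with a home directory under /home. Prints name:home.
service_with_home() {
  awk -F: '$3 > 0 && $3 < 1000 && $6 ~ /^\/home\// {print $1 ":" $6}' "$1"
}

# Run all three checks against the constructed sample.
echo "Extra UID 0 accounts:";      extra_uid0 "$SAMPLE_PASSWD"
echo "Service accounts with shell:"; service_with_shell "$SAMPLE_PASSWD"
echo "Service accounts under /home:"; service_with_home "$SAMPLE_PASSWD"
```

On a real system, point the functions at /etc/passwd (or at a copy taken from the evidence image) instead of the sample file.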
Remember that a hidden file or directory in Linux starts with a period (.). When conducting your investigation, make sure you are looking for any hidden file or directory!
Commands:
To find files: find /path/to/search -type f -iname ".*" -ls
To find directories: find /path/to/search -type d -iname ".*" -ls
The /dev directory contains special device files that provide access to drives, other peripheral devices, or anything that requires I/O. Due to its nature, regular files should not be stored in this directory. If a regular file is found in /dev, it should be investigated to establish who placed it there, why, and when. If the file's permission string starts with a c, b, or l, this specifies that it is a character special file, a block special file, or a symbolic link, respectively.
Using find's -type option:
f: regular file
d: directory
l: symbolic link
c: character devices
b: block devices
Command: find /dev -not -type c -not -type b -not -type l -ls
This command will display everything that is not a character device, block device, or symbolic link. Notice that in the image below, only directories are returned (the first character of the permission string is a d). These directories should be investigated.
Once you know when the incident occurred, look for any files modified within that window. It is also always a good idea to look for unusually large files, any file with 777 permissions, and any file with the SUID bit set. A file configured with 777 permissions can be read, written, and executed by any user. This is not a good thing! A large file might be evidence that someone has been collecting data and is planning to copy, or has already copied, that data off the system; its contents should be examined. Finally, whoever runs a file with the SUID bit set assumes the privileges of the file's owner. A file owned by root with SUID set is a security issue waiting to happen, or one that has already occurred!
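The four file checks above (modified after a given date, world-writable 777, SUID, and large files) as one added shell example; it is not part of the course material. It builds a constructed directory tree to search and assumes a find that understands -newermt (GNU and BSD find both do).

```shell
#!/bin/sh
# Added example: file-system triage checks over a constructed sample tree.
TRIAGE_ROOT=$(mktemp -d)
trap 'rm -rf "$TRIAGE_ROOT"' EXIT

# Constructed sample: one old, harmless file and three files worth a look.
printf 'meeting notes\n' > "$TRIAGE_ROOT/notes.txt"
touch -t 202001010000 "$TRIAGE_ROOT/notes.txt"      # mtime 2020-01-01, before the window
printf 'staged data\n' > "$TRIAGE_ROOT/.cache"
chmod 777 "$TRIAGE_ROOT/.cache"                     # hidden and world-writable
printf '#!/bin/sh\n' > "$TRIAGE_ROOT/helper"
chmod 4755 "$TRIAGE_ROOT/helper"                    # SUID bit set
dd if=/dev/zero of="$TRIAGE_ROOT/archive.bin" bs=1024 count=64 2>/dev/null  # 64 KiB

# Regular files modified on or after the given date (start of the incident window).
modified_since() { find "$1" -type f -newermt "$2" -print; }

# Regular files readable, writable and executable by everyone (mode 777).
world_writable() { find "$1" -type f -perm -777 -print; }

# Regular files with the SUID bit set; list owner too, since root-owned ones matter most.
suid_files() { find "$1" -type f -perm -4000 -print; }

# Regular files larger than the given size, e.g. 32k or 100M.
large_files() { find "$1" -type f -size +"$2" -print; }

echo "Modified since 2021-01-01:"; modified_since "$TRIAGE_ROOT" 2021-01-01
echo "World-writable (777):";      world_writable "$TRIAGE_ROOT"
echo "SUID:";                      suid_files "$TRIAGE_ROOT"
echo "Larger than 32 KiB:";        large_files "$TRIAGE_ROOT" 32k
```

On an evidence mount, pass the mount point as the first argument and add -ls in place of -print to see owner, mode, size and mtime in one listing.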
Linux boasts an excellent package management system, with Debian and Red Hat-based distributions managing it differently. It's crucial to comprehend the installed software via the package manager and its versions, as specific versions might pose security vulnerabilities. This understanding aids forensic investigators in determining the sequence of events and identifying potential vulnerabilities exploited.