Linux has different distributions (distros), and some are specialized for specific purposes. This is why it is essential to have a basic understanding of the Linux distro realm. Linux has distros for desktop systems, some for running on a server, and some that are only meant to run as a live system (think booting from a USB drive).
This image shows the number of Linux distributions and where they all started. Debian, Slackware, and Red Hat Linux were some of the major distros when Linux first started in the early 1990s. Many distros can be traced back to one of those distros!
Even though Linux has about a 1.5% market share as of May 2024 as a desktop OS, it is an extremely popular OS to run on servers, with an almost 63% market share in 2023.
With such a large number of servers running Linux, it is vital to have a basic understanding of this OS, as a forensic investigation might involve analyzing a server that has been compromised or used maliciously.
List of Linux distributions. (2024, May 11). In Wikipedia. https://en.wikipedia.org/wiki/List_of_Linux_distributions
Booting is the process of loading the OS into system memory. A bootloader is typically used to do this; GRUB is the one most commonly used by Linux. Once GRUB has launched, the boot process takes over. Here are the next steps taken to start the Linux OS:
The Linux kernel is loaded
Once the kernel is loaded, it locates init in /sbin and executes it
After init starts up, it reads its initialization file, /etc/inittab
init starts all required background processes based on the run level
Services are started next, based on scripts found in either /etc/init.d/ or /etc/rc.d/
inittab takes back control and starts the required processes in the new run level
The system is now booted
Note that this is the classic SysV init sequence. On most current distributions PID 1 is systemd, /etc/inittab is absent, and services are started from unit files rather than rc scripts, so confirm which init the system actually runs before relying on these paths.
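A short added example (my own code, not part of the course material) that records which init a live host is running and where its startup scripts live, so an investigator does not assume the SysV sequence above on a systemd host. The classification helper classify_init is separated from the live collection so it can be exercised offline; all function names are my own.

```shell
#!/bin/sh
# Added example: identify the init system and startup-script locations of a live host.
# classify_init is a pure helper: $1 = name of the PID 1 process,
# $2 = "yes" if /etc/inittab exists on the host.
classify_init() {
    case "$1" in
        systemd)            echo systemd ;;
        init|sysvinit)
            if [ "$2" = yes ]; then echo sysvinit; else echo init-without-inittab; fi ;;
        upstart)            echo upstart ;;
        openrc|openrc-init) echo openrc ;;
        *)                  echo "unknown($1)" ;;
    esac
}

# Live collection. Prints a small report to stdout; redirect it to your
# evidence drive, never to the target's own disks.
boot_profile() {
    pid1=$(cat /proc/1/comm 2>/dev/null || ps -p 1 -o comm= 2>/dev/null || true)
    pid1=$(echo "$pid1" | tr -d ' ')
    if [ -f /etc/inittab ]; then has_inittab=yes; else has_inittab=no; fi
    echo "pid1_process: ${pid1:-unknown}"
    echo "init_system:  $(classify_init "${pid1:-unknown}" "$has_inittab")"
    rl=$(who -r 2>/dev/null || true)
    echo "runlevel:     ${rl:-n/a}"
    # Classic SysV locations from the boot sequence above; count entries in each
    for d in /etc/init.d /etc/rc.d /etc/rc[0-6S].d; do
        if [ -d "$d" ]; then
            printf '%s: %s entries\n' "$d" "$(ls -A "$d" | wc -l | tr -d ' ')"
        fi
    done
    # On systemd hosts the equivalent of the rc scripts is the set of enabled units
    if [ "$pid1" = systemd ] && command -v systemctl >/dev/null 2>&1; then
        echo "enabled_units:"
        systemctl list-unit-files --state=enabled --no-pager --no-legend 2>/dev/null \
            || echo "  (systemctl query failed)"
    fi
}
```

Run boot_profile from your toolkit copy of sh and redirect the output to external storage (for example `boot_profile > /mnt/evidence/boot.txt`); the entry counts and enabled-unit list give you a baseline of what starts at boot, which is where persistence mechanisms usually show up.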
The Linux filesystem structure is very different from what is normally seen in Windows. This is why it is important to do a quick review.
/root -- the super-user's directory
/boot -- this is where kernels are stored
/etc -- system configuration files
/home -- user directories and files are stored
/mnt -- general purpose mount point
/proc -- contains kernel and process data
/sys -- the kernel's view of hardware
/dev -- special device files
/bin & /sbin -- executables/binary files are stored
/lib -- libraries are stored
/usr/bin & /usr/sbin -- more executables/binary files are stored
/usr/lib -- more library files
During this course we have already been introduced to a lot of commands that can be used to conduct a forensic investigation using Linux. We will now have to flip a switch and think about finding evidence within a Linux system for a forensic investigation. This means you might be using Linux to investigate a Linux system!
You will want to build a toolkit containing the utilities you are familiar with and capable of using, so that you do not need to install anything on the live system. Again, you want to avoid manipulating the data! Save this toolkit on an external drive or a remote system. Sometimes things get tricky because the target's CPU architecture differs from the one your tools were built for. Some of the most common CPU architectures are:
x86 is an older, 32-bit architecture that has mostly been replaced by x64. Think of those as your AMD or Intel-based CPUs.
x64, which has replaced x86 and is a 64-bit CPU.
ARM is commonly used in mobile devices and embedded systems.
ARM64 has replaced ARM; we commonly see this in laptops (Apple's M1/M2/M3 CPUs), servers, and IoT devices.
Remember that a binary compiled to run on an x86/x64 CPU will not work on an ARM64 CPU! You should create multiple toolkit versions for different CPU architectures, which can be done by cross-compiling. Cross-compiling is the process of compiling code on one platform to run on a different platform. For example, you compile the dc3dd code on a computer with an x64 CPU so that it runs on a system with an ARM64 CPU.
What do you think your toolkit should be? This is a small suggestion for what it should include.
mount
nc/netcat
dd/dc3dd/dcfldd
dmesg
grep
strings
The Sleuthkit/Autopsy
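An added example (my own code, not from the course) that checks, before anything from the toolkit is run, that each binary was built for the target's CPU architecture. It reads the ELF header directly so it does not depend on `file` being present on the live host; the e_machine values it recognises (3 = x86, 40 = ARM, 62 = x64, 183 = ARM64) are the standard ELF constants, and the function names and the sample headers in the usage note are mine.

```shell
#!/bin/sh
# Added example: verify that toolkit binaries match the target CPU architecture
# by reading the ELF header (magic at offset 0, EI_DATA at offset 5,
# e_machine as two bytes at offset 18).

# True when the file starts with the ELF magic 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Print the architecture an ELF file was built for.
elf_arch() {
    if ! is_elf "$1"; then echo not-elf; return 1; fi
    elf_endian=$(od -An -tu1 -j 5 -N 1 "$1" | tr -d ' ')
    set -- $(od -An -tu1 -j 18 -N 2 "$1")          # $1 $2 are now the two e_machine bytes
    if [ $# -ne 2 ]; then echo truncated; return 1; fi
    if [ "$elf_endian" = 2 ]; then
        elf_machine=$(( $1 * 256 + $2 ))            # big-endian
    else
        elf_machine=$(( $1 + $2 * 256 ))            # little-endian
    fi
    case "$elf_machine" in
        3)   echo x86 ;;      # EM_386
        40)  echo arm ;;      # EM_ARM
        62)  echo x64 ;;      # EM_X86_64
        183) echo arm64 ;;    # EM_AARCH64
        *)   echo "unknown($elf_machine)" ;;
    esac
}

# Normalise `uname -m` output to the same names elf_arch uses.
host_arch() {
    case "$(uname -m)" in
        x86_64|amd64)  echo x64 ;;
        aarch64|arm64) echo arm64 ;;
        i?86)          echo x86 ;;
        arm*)          echo arm ;;
        *)             echo unknown ;;
    esac
}

# Report every file in a toolkit directory against a target architecture
# (default: this host's). Returns 1 if any file would not run there.
check_toolkit() {
    tk_dir=$1
    tk_target=${2:-$(host_arch)}
    tk_bad=0
    for tk_f in "$tk_dir"/*; do
        [ -f "$tk_f" ] || continue
        tk_a=$(elf_arch "$tk_f" || true)
        if [ "$tk_a" = "$tk_target" ]; then
            echo "ok       $tk_f ($tk_a)"
        else
            echo "MISMATCH $tk_f ($tk_a, target $tk_target)"
            tk_bad=1
        fi
    done
    return $tk_bad
}
```

Typical use is `check_toolkit /mnt/toolkit/arm64 arm64` on your own workstation after cross-compiling, or `check_toolkit /mnt/toolkit/bin` on the target with no second argument so the host's `uname -m` is used; a non-zero exit means at least one file is the wrong architecture (or not an ELF binary at all) and should be rebuilt before the live response starts.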
One of the first things you should do with a Linux system is understand its hardware configuration. You need to determine the number and type of drives, the network interface cards, the amount of memory and more! In the video demonstration I provide several commands that can be used to build a hardware profile of a Linux system.
Commands used:
lspci - show PCI devices
lsusb - show USB devices
lsblk - show block devices and partitions
lscpu - show CPU information
lshw - list hardware in detail (run as root for complete output)
free - show total, used and free memory and swap
inxi -Fx - full system summary with extra detail (inxi is not installed by default on every distro)
hwinfo and hwinfo --short - detailed hardware probe, or a one-line-per-device summary
sudo blkid - show block devices with their filesystem type, UUID and label
sudo fdisk -l - list the partition table of every disk
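An added example (my own script, not part of the course) that runs the hardware-profiling commands above from a toolkit directory and saves every output, with a SHA-256 manifest, to an evidence directory on external storage. Commands missing on the host are recorded as MISSING instead of aborting the run. The toolkit mount point /mnt/toolkit/bin and the function names are assumptions of mine; run it as root so lshw, blkid and fdisk -l see everything.

```shell
#!/bin/sh
# Added example: collect a hardware profile into an evidence directory with hashes.
TOOLKIT=${TOOLKIT:-/mnt/toolkit/bin}    # assumed location of your own trusted binaries
PATH="$TOOLKIT:$PATH"

# Portable SHA-256: prefer sha256sum, fall back to shasum or openssl.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 -r "$1" | cut -d' ' -f1; fi
}

# Run one command, save its output, append a manifest line.
# $1 = evidence dir, $2 = label used as the file name, remaining args = command.
record() {
    rec_dir=$1; rec_label=$2; shift 2
    rec_out="$rec_dir/$rec_label.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\tMISSING\t%s\n' "$rec_label" "$*" >> "$rec_dir/manifest.tsv"
        return 0
    fi
    "$@" > "$rec_out" 2>&1 || true    # a failing tool still leaves its partial output
    printf '%s\t%s\t%s\n' "$rec_label" "$(hash_file "$rec_out")" "$*" >> "$rec_dir/manifest.tsv"
}

# Collect the full profile; prints the path of the manifest.
hardware_profile() {
    hp_dir=${1:-./evidence-$(date +%Y%m%dT%H%M%S)}
    mkdir -p "$hp_dir"
    printf 'label\tsha256\tcommand\n' > "$hp_dir/manifest.tsv"
    record "$hp_dir" uname   uname -a
    record "$hp_dir" lspci   lspci
    record "$hp_dir" lsusb   lsusb
    record "$hp_dir" lsblk   lsblk
    record "$hp_dir" lscpu   lscpu
    record "$hp_dir" lshw    lshw
    record "$hp_dir" free    free
    record "$hp_dir" inxi    inxi -Fx
    record "$hp_dir" hwinfo  hwinfo --short
    record "$hp_dir" blkid   blkid
    record "$hp_dir" fdisk   fdisk -l
    echo "$hp_dir/manifest.tsv"
}
```

Point the first argument at your evidence mount, e.g. `hardware_profile /mnt/evidence/host01`; hash the manifest itself when you are done so the set of outputs can be verified later. Every tool is resolved through PATH with the toolkit directory first, so the copies you brought are preferred over whatever is installed on the compromised host.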