Please remember that volatile information is lost when the system is powered off, and some of it changes with every second the system keeps running, so it must be collected quickly and before anything that alters system state. Doing this on Linux can be more challenging than on Windows because Linux has no Registry: the equivalent information is spread across files under /etc, /proc and /var and the output of individual commands. Again, this is why understanding the Linux filesystem structure is essential! Linux also supports many filesystems (Ext2, Ext3, Ext4, ReiserFS, XFS, JFS, Btrfs), and each of them handles file creation and deletion differently, which affects what can be recovered later.
Linux is a powerful OS that can be configured in endless permutations, so we need to understand how this particular system is configured. To do this, we start by profiling the system. Video demonstrations have been provided to show how to collect this information.
Please remember that there are many Linux distros available. One of the first things we should do is determine what type of distro we are looking at. This can be done by looking at files in /etc:
/etc/*-release
/etc/issue
Determining the hostname of the system can help with documentation purposes and also when viewing other system log files.
Commands used:
cat /etc/*-release
cat /proc/version
lsb_release -a
hostnamectl
It is important to understand the system's current time and the timezone it is configured for. This is needed to build our timeline of events, because the system's clock might not be set correctly. Also record the time from a trusted reference (for example your own synchronized clock) next to the time the system reports, so that any skew is known and can be applied to every timestamp taken from the system.
Commands used:
date +%Z
timedatectl
To help with our timeline of events we can start by determining when the OS was initially installed. This is quick to do, but note that tune2fs only reads ext2/ext3/ext4 superblocks; on XFS or Btrfs it will fail, so fall back to the birth time that stat / reports (when the kernel and filesystem support it) or to the oldest timestamps under /var/log and /root.
Commands used:
stat /
fsname=$(df / | tail -1 | cut -f1 -d' ')
sudo tune2fs -l $fsname | grep 'created'
Obtaining a list of running processes helps us understand what the system was doing at that moment. Analyzing the list can either validate that the system is behaving normally or provide evidence of wrongdoing, so record it before doing anything that would start or stop processes.
Commands used:
top
htop (must install)
ps aux (show every process)
ps -ejH (process tree)
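The process listing is most useful when it is checked for what should not be there. The following shell function is an added example for this page (it is not part of the original material): it walks a /proc tree and flags processes whose executable was deleted after they started, or whose executable lives in /tmp, /var/tmp or /dev/shm. The tree root is a parameter so the check can be tried against a constructed /proc-like directory; the PIDs and paths in build_demo_tree are made up for that purpose.

```sh
#!/bin/sh
# Flag processes whose on-disk executable is gone or sits in a scratch
# directory. Kernel threads have no exe link and are skipped; so are PIDs
# we are not permitted to inspect (run as root for full coverage).

# suspicious_procs [PROC_ROOT]  -> one line per hit: "<pid> <reason> <exe>"
suspicious_procs() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # readlink fails for kernel threads and for PIDs we may not inspect
        exe="$(readlink "$d/exe" 2>/dev/null)" || continue
        case "$exe" in
            *" (deleted)")
                echo "$pid deleted-exe $exe" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)
                echo "$pid scratch-dir $exe" ;;
        esac
    done
}

# Constructed /proc-like tree for a dry run (assumed layout, not a real /proc).
build_demo_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/102" "$root/103" "$root/104"
    ln -s "/tmp/.cache (deleted)" "$root/101/exe"   # binary unlinked after exec
    ln -s /usr/bin/sleep "$root/102/exe"            # ordinary process
    ln -s /dev/shm/miner "$root/103/exe"            # running out of tmpfs
    # 104 has no exe link, as a kernel thread would
    echo "$root"
}

# Run against the live system when invoked as: sh thisfile.sh live
if [ "${1:-}" = "live" ]; then
    suspicious_procs /proc
fi
```

On a live system run it as root, and save its output next to the ps listings: a hit is a PID to look at in ps aux and in /proc/<pid>/cmdline and /proc/<pid>/cwd before the process exits.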
Understanding the network configuration is important. You have already profiled the system's hardware, so you should know whether the system has multiple NICs. If so, we should obtain the network configuration for each NIC. We should also document the system's routing table, DNS information, ARP cache, open ports and firewall rules.
Commands used:
ip address
ip route
iwconfig (wireless interfaces only; deprecated on recent distros in favour of the iw tool)
sudo ss -tulpn
nmap (must install; it actively probes ports rather than reading local socket state, so prefer ss and note in your log if you run it)
sudo ufw status
sudo ufw show added
sudo iptables -L
The Linux kernel version should be obtained as it narrows down the distro and release, identifies known kernel vulnerabilities and determines which tools and kernel modules will work. Note that uname -r prints only the kernel release; the machine architecture is printed by uname with -m (or everything at once with -a).
Commands used:
uname -r
Look in /boot (the vmlinuz-* and config-* files list every installed kernel, not just the running one)
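The items in the sections above are easier to gather, and easier to defend later, when every command's output is written to an evidence directory together with when it ran, its exit status and a hash of the output. The script below is an added example written for this page (it is not the course's own collection script): capture runs one command and records all of that, and collect_profile applies it to the commands listed above. The evidence directory defaults to a fresh mktemp directory, which is an assumption; point EVIDENCE at the external drive or share you actually use, and run the whole thing as root so that ss -p, iptables and ufw work.

```sh
#!/bin/sh
# Record each triage command's stdout, stderr, start time and exit status,
# plus a SHA-256 manifest of every output file. A missing tool is noted in
# the .err file instead of aborting, so one absent binary (lsb_release,
# timedatectl on a non-systemd box, ...) does not stop the collection.

EVIDENCE="${EVIDENCE:-$(mktemp -d)}"   # assumed default; e.g. EVIDENCE=/mnt/usb/case01

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# capture NAME CMD [ARGS...]  -> NAME.txt (stdout), NAME.err, NAME.meta
capture() {
    name="$1"; shift
    start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$EVIDENCE/$name.txt" 2>"$EVIDENCE/$name.err"
        rc=$?
    else
        : >"$EVIDENCE/$name.txt"
        printf 'tool not found: %s\n' "$1" >"$EVIDENCE/$name.err"
        rc=127
    fi
    printf 'cmd=%s\nstart=%s\nrc=%s\n' "$*" "$start" "$rc" >"$EVIDENCE/$name.meta"
    hash_file "$EVIDENCE/$name.txt" >>"$EVIDENCE/MANIFEST.sha256"
    return "$rc"
}

# The commands from the sections above, in collection order. The wall clock
# is captured first and last so any drift during the run is visible.
collect_profile() {
    capture time_start  date -u
    capture release     cat /etc/*-release
    capture issue       cat /etc/issue
    capture procversion cat /proc/version
    capture lsb         lsb_release -a
    capture hostname    hostnamectl
    capture timedate    timedatectl
    capture tz          date +%Z
    capture rootstat    stat /
    capture ps          ps aux
    capture pstree      ps -ejH
    capture ipaddr      ip address
    capture iproute     ip route
    capture wireless    iwconfig
    capture sockets     ss -tulpn
    capture ufw         ufw status
    capture iptables    iptables -L -n -v
    capture kernel      uname -a
    capture boot        ls -l /boot
    capture time_end    date -u
    echo "evidence written to $EVIDENCE"
}

# Invoke as: EVIDENCE=/mnt/usb/case01 sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    collect_profile
fi
```

The .meta files are what let you answer "when exactly did you run this, and did it succeed?" months later, and the manifest lets anyone verify that the text files have not changed since collection (sha256sum -c MANIFEST.sha256).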
The currently logged-in users should be documented. This can help the investigation by understanding who was logged in and what they were doing. When documenting current users, you should also ensure to document the following:
All usernames
UIDs
Group membership
Login Times
Home Directories
Sudo privileges
Account activity
SSH Keys
History
Commands used:
cat /etc/passwd
sudo cat /etc/shadow (readable only by root)
sudo cat /etc/sudoers (also check the drop-in files under /etc/sudoers.d/)
lastlog
last -f /var/log/wtmp (login history; this is the file last reads by default)
last -f /var/log/btmp (failed login attempts)
/var/run/utmp (currently logged-in sessions; this is what who and w read)
These three files are binary records, so read them with last or who rather than cat, and copy them off the system as-is.
Currently logged-in users:
who
w
finger (must install)
pinky
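Once /etc/passwd and /etc/shadow have been copied, the first things to check are accounts that share UID 0 with root, accounts with an empty password field, UIDs used by more than one name, and which accounts can actually log in. The functions below are an added example for this page (not part of the original material) that perform those checks with awk over copies of the two files; write_demo_files creates a constructed passwd/shadow pair (made-up users, dummy hashes) so the logic can be tried without root.

```sh
#!/bin/sh
# Quick account review over copies of /etc/passwd and /etc/shadow.
# Work on the copies in the evidence directory; reading /etc/shadow
# itself requires root.

# Every account with UID 0. Anything besides root is a finding.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# Accounts whose shadow password field is empty: no password is required.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# UIDs shared by more than one account (a second name on an existing UID
# is how a hidden duplicate of a legitimate user usually shows up).
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1"
}

# Accounts that can log in interactively: the shadow field is not locked
# ("!" or "*" prefix) and the login shell is not nologin or false.
# Arguments: passwd file, shadow file.
interactive_accounts() {
    awk -F: 'NR == FNR { if ($2 !~ /^[!*]/) ok[$1] = 1; next }
             ($1 in ok) && $7 !~ /(nologin|false)$/ { print $1 }' "$2" "$1"
}

# Constructed sample files (made-up users, dummy hashes) for a dry run.
write_demo_files() {
    dir="$(mktemp -d)"
    cat >"$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0:backup helper:/var/backups:/bin/sh
guest:x:1001:1001::/home/guest:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
EOF
    cat >"$dir/shadow" <<'EOF'
root:$6$saltsalt$dummyhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$saltsalt$dummyhash:19700:0:99999:7:::
svc-backup:$6$saltsalt$dummyhash:19700:0:99999:7:::
guest::19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
EOF
    echo "$dir"
}

# review_accounts PASSWD SHADOW  -> prints all findings in one go
review_accounts() {
    echo "== UID 0 accounts";        uid0_accounts "$1"
    echo "== empty password field";  empty_password_accounts "$2"
    echo "== duplicate UIDs";        duplicate_uids "$1"
    echo "== can log in";            interactive_accounts "$1" "$2"
}
```

Against the sample files, svc-backup shows up as a second UID 0 account and guest as an account with no password; on a real system run review_accounts over the copied files and then pull the login history (last, lastlog) for every name it prints.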