Performing Simple Linux Forensics and Monitoring
Linux is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds (Wikipedia).
As one of the most widely used operating systems in the world, Linux is also an attractive target for attackers who want to perform malicious actions or even commit digital crimes on it.
Linux Forensics and Monitoring
Similar to Windows Forensics and Monitoring, Linux Forensics and Monitoring includes activities such as analysing access, files, folders, metadata, and event logs, as well as the performance of the operating system itself. These approaches help forensic examiners track down digital evidence.
Who, Timedatectl, Top, and Ps
The who command displays all the users currently logged in to our Linux operating system. This way, we can track how many users are using the OS and see their session information.
From the image above, it can be seen that only one user, christovito, is logged in to the Linux OS.
On the other hand, the timedatectl command displays information about the current settings of the system clock and the RTC (hardware real-time clock), including whether network time synchronization is active or not.
The top command is used to display all the active Linux processes. It provides a dynamic real-time view of the running system. Usually, this command shows the summary information of the system and the list of processes or threads which are currently managed by the Linux kernel.
As you can see, the top command provides information about the process ID and the users (in this case, christovito and root) as well as the percentage of CPU and memory used. With this information, we can detect which processes may slow down the whole system, should they take up a large share of CPU or memory. In that case, we can kill those particular processes by pressing the k command and then entering the process ID (PID).
Besides top, since Linux is a multitasking and multiprocessing system, another way to view information about the processes running on it is the ps command, short for process status.
By itself, the ps command only shows the processes running under the logged-in user account from the current terminal. To view the more detailed process status of all running processes in our system, regardless of where they were started, we use the ps -aux command.
Furthermore, to select only the processes committed by a particular user, we can use the ps -G <user> command.
Lastly, to see the process tree of our system, we can use the ps -e --forest command. It shows a tree-like display of how each process was spawned.
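The top and ps output above is read by eye; the following script (an added example, not code from the original post) turns the same check into a repeatable filter. It flags processes that exceed a CPU or memory percentage from ps -eo output, here run over a constructed sample; the PIDs, users and command names are made up.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,user,%cpu,%mem,comm --sort=-%cpu` output
# (not captured from a real system). Column order: PID USER %CPU %MEM COMMAND.
SAMPLE_PS='  PID USER        %CPU %MEM COMMAND
 4211 christovito 87.5 12.3 crunch
  912 root         3.2  1.1 Xorg
 4300 christovito  0.9 30.4 firefox
    1 root         0.0  0.1 systemd'

# flag_hogs CPU_LIMIT MEM_LIMIT  (reads ps output on stdin)
# Prints "PID USER %CPU %MEM COMMAND" for each process that exceeds
# either limit. The header line (NR == 1) is skipped.
flag_hogs() {
    awk -v cpu="$1" -v mem="$2" \
        'NR > 1 && ($3 > cpu || $4 > mem) { print $1, $2, $3, $4, $5 }'
}

# hog_count CPU_LIMIT MEM_LIMIT : number of flagged processes in the sample
hog_count() {
    printf '%s\n' "$SAMPLE_PS" | flag_hogs "$1" "$2" | wc -l | tr -d ' '
}

# Offline run over the constructed sample. On a live system use:
#   ps -eo pid,user,%cpu,%mem,comm --sort=-%cpu | flag_hogs 50 25
printf '%s\n' "$SAMPLE_PS" | flag_hogs 50 25
```

The flagged PIDs are the candidates for the k command in top; review the command name and user before killing anything, since a busy but legitimate process looks the same as a rogue one in this view.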
The locate command displays the path of every file and directory that matches the search pattern.
For example, I want to see the location of a C-language file called cekcatur.c, which resides in the Documents directory. Running the locate command shows the exact path to the location of the file.
Furthermore, to list down all the files of all directories, we can simply use the ls command.
We can view hidden files that are not shown by the plain ls command by using the ls -a command. The hidden files can be identified by their names starting with '.' (dot).
This can be a powerful approach if the attackers were not careful enough to hide the files and remove their traces.
Lastly, to see a long listing showing the type of each file or directory, its size, modification date and time, name, owner, and permissions, we can use the ls -l command.
Using this command, we can identify the permissions or access rights by looking at the first column. For example, on the first row, for Desktop, the first column is the string drwxr-xr-x.
The first character identifies whether the entry is a symbolic link (l), a directory (d), or a regular file (-). The next nine characters, in three groups of three, show the permissions of the owner, the group, and all other users. The r symbol indicates read, w indicates write, and x indicates execute permission.
Using the brief explanation above, the drwxr-xr-x string means that "Desktop" is a directory, the owner has full permission to read, write, and execute, while both the group and all other users only have access to read and execute.
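To make the permission-string reading above mechanical, here is an added example (not from the original post) that decodes a mode string the way the paragraph does and then scans ls -l output for entries that anyone on the system may write to, which is the permission an examiner usually wants to spot first. The ls -l listing is constructed; the names and dates are made up.

```shell
#!/bin/sh
# decode_mode MODE -> "<kind> owner=rwx group=r-x other=r-x"
# Only the three basic bits per group are decoded; setuid/setgid/sticky
# markers (s, S, t, T) are printed as they appear in the string.
decode_mode() {
    mode="$1"
    case "$(printf '%s\n' "$mode" | cut -c1)" in
        d) kind=directory ;;
        l) kind=symlink ;;
        -) kind=file ;;
        *) kind=other ;;
    esac
    printf '%s owner=%s group=%s other=%s\n' "$kind" \
        "$(printf '%s\n' "$mode" | cut -c2-4)" \
        "$(printf '%s\n' "$mode" | cut -c5-7)" \
        "$(printf '%s\n' "$mode" | cut -c8-10)"
}

# world_writable (reads `ls -l` output on stdin): print the name of every
# entry whose "other" write bit (9th character of the mode) is set.
# Symbolic links are skipped because their own mode bits are not enforced.
# Assumes the default 9-column ls -l layout, so the name is field 9.
world_writable() {
    awk 'NR > 1 && substr($1, 1, 1) != "l" && substr($1, 9, 1) == "w" { print $9 }'
}

# Constructed `ls -l` listing used for the offline run.
SAMPLE_LS='total 24
drwxr-xr-x 2 christovito christovito 4096 Oct 28 10:00 Desktop
drwxrwxrwx 2 christovito christovito 4096 Oct 28 10:05 Documents
-rw-rw-rw- 1 root        root          42 Oct 28 10:10 notes.txt
-rwxr-x--- 1 christovito christovito 8192 Oct 28 10:12 cekcatur
lrwxrwxrwx 1 christovito christovito    9 Oct 28 10:13 link -> notes.txt'

decode_mode drwxr-xr-x
printf '%s\n' "$SAMPLE_LS" | world_writable
```

On a live system, `ls -l /some/dir | world_writable` applies the same check to a real directory.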
Log and Journalctl
Logs provide detailed information about events in our OS, applications, and the whole system, which can be used for troubleshooting and also for forensic approaches. They are stored in the /var/log directory, so we need to move to that directory and then use the ls command to list the logs stored there.
You can also check the syslog to see every event related to auth-messages. Since syslog is a file rather than a directory, simply type the command cat /var/log/syslog.
Moving further, we can display a list of all the users logged in and out since /var/log/wtmp was created by using the last command. Looking at the image below, there are two entries: christovito (who has not logged out) and reboot (which is still running).
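The last output above is short enough to read directly; on a busy host an examiner wants the open sessions and per-user login time pulled out automatically. The following added example (not code from the original post) does that over a constructed last listing; the user, address (from the 192.0.2.0/24 documentation range), kernel string and times are all made up.

```shell
#!/bin/sh
# Constructed `last` (wtmp) output, not captured from a real system.
SAMPLE_LAST='christovito pts/0        192.0.2.10       Thu Oct 28 09:12   still logged in
christovito tty2         :0               Thu Oct 28 09:10 - 11:30  (02:20)
reboot      system boot  5.11.0-38-generic Thu Oct 28 09:09   still running
christovito tty2         :0               Wed Oct 27 20:01 - 22:15  (02:14)

wtmp begins Mon Oct 28 08:00:00 2019'

# open_sessions (reads `last` output on stdin): "user tty origin" for every
# session that has not been closed yet. The "reboot" pseudo-user shows
# "still running" rather than "still logged in", so it is not listed.
open_sessions() {
    grep 'still logged in' | awk '{ print $1, $2, $3 }'
}

# login_minutes USER (reads `last` output on stdin): total minutes of
# USER's closed sessions. Durations are "(HH:MM)" or "(D+HH:MM)" for
# sessions longer than a day; still-open sessions carry no duration.
login_minutes() {
    awk -v u="$1" '
        $1 == u && match($0, /\(([0-9]+\+)?[0-9]+:[0-9]+\)$/) {
            t = substr($0, RSTART + 1, RLENGTH - 2)   # strip the parentheses
            days = 0
            if (index(t, "+")) { split(t, dp, "+"); days = dp[1]; t = dp[2] }
            split(t, hm, ":")
            total += days * 1440 + hm[1] * 60 + hm[2]
        }
        END { print total + 0 }'
}

# Offline run over the constructed sample. Live use: last | open_sessions
printf '%s\n' "$SAMPLE_LAST" | open_sessions
printf '%s\n' "$SAMPLE_LAST" | login_minutes christovito
```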
To see the system booting logs, we can access boot.log by using the sudo cat boot.log command.
Furthermore, we can also access the debug log, the daemon log (for Linux programs that run in the background), and the history log.
Besides reading the log files directly, we can use the journalctl command to view the logs collected by systemd, which gathers messages from the kernel, systemd services, and other services in one central location.
Similar to accessing boot.log earlier, we can also view the list of system boot activities by using the journalctl --list-boots command.
It will list down ascendingly all the booting activity by its timestamp. Apparently, the first booting of my system was way back in October 28th 2019, almost exactly two years ago.
And lastly, we can narrow down the journalctl output by filtering it to a time range, by adding the --since option.
As the logs might be very long, I managed to view only the logs occurring in the last hour.
As one of the most widely used operating systems in the world, Linux is also sometimes the subject of malicious attacks. To deal with this, there are tools for Linux forensics and monitoring that help detect and halt some types of these attacks. Some of them are simple Terminal commands such as who, timedatectl, top, ps, and locate, reading the log files, and lastly journalctl. Not only are these tools quite powerful for troubleshooting issues on the system, they also give examiners several approaches to finding evidence of an attack on Linux more easily.
II4033 Digital Forensics
References
Linux - Wikipedia
ps aux command and ps command explained
15 Basic 'ls' Command Examples for Linux Beginners
What are Linux Logs? How to View Them, Most Important Directories, and More