Linux Forensics

By Hal Pomeranz

Linux is everywhere– running in the cloud, on cell phones, and in embedded devices that make up the “Internet of Things”. Often neglected by their owners, vulnerable Linux systems are low-hanging fruit for attackers wishing to create powerful botnets or mine cryptocurrencies. Ransomware type attacks may target Linux-based database systems and other important infrastructure.

As attacks against Linux become more and more common, there is an increasing demand for skilled Linux investigators. But even experienced forensics professionals may lack sufficient background to properly conduct Linux investigations. Linux is its own particular religion and requires dedicated study and practice to become comfortable.

This four-day, hands-on course is a quick start into the world of Linux forensics. Learn how to use memory forensics to rapidly triage systems and spot attacker malware and rootkits. Learn where the most critical on-disk artifacts live and how they can help further an investigation. Rapidly process Linux logs and build a clearer picture of what happened on the system.

KEY TAKEAWAYS:

STUDENT REQUIREMENTS:

• High speed Internet access
• A BitTorrent client for downloading course materials (e.g., Transmission https://transmissionbt.com/download/)
• A computer with at least 150GB of free space and capable of running a 64-bit VMware virtual machine using 4GB of RAM

Day One – Memory Forensics

• Why memory forensics?
• Acquisition tools and scenarios
• Building memory analysis profiles
• Automation

LAB: Memory Capture and Volatility Profile Creation

Day Two – Linux Live Capture

MOD 1: Live Capture with UAC

• Memory forensics is great but…
• Configuring and running UAC
• Deployment options

LAB: Collecting data with UAC

MOD 2: Live Analysis and Triage – File System

• Standard directory layout, ownerships, and permissions
• Spotting malicious executables
• Deeper dives with /proc

LAB: Too much evil!

MOD 3:Live Analysis and Triage – Processes

• The process hierarchy
• Typical process ownership
• Suspicious process anti-patterns

LAB: Even more evil!

MOD 4: Live Analysis and Triage – Users and Groups

• Superuser, application users, and regular users
• Processes and users anti-patterns
• User back doors

LAB: Find the back door(s)

Day Three – Linux Disk Analysis

MOD 1 :Disk Acquisition and Access

• Acquisition scenarios and tools
• Complex disk geometries
• Setup and teardown walk-throughs

LAB: Disk Image Mounting Challenge

MOD 2 : Rapid Disk Triage

• Critical system directories
• System profiling
• Common back doors
• Persistent malware
• Finding recently modified files

LAB: Disk Triage

MOD 3: Timeline Analysis

• Why timeline analysis?
• Unix timestamps
• Generating timeline

LAB: Timeline Analysis

MOD 4 : Linux Log Basics

• User access (wtmp, btmp, lastlog)
• Understanding where logs live via syslog.conf
• Linux Syslog log format
• Which logs are most useful?

LAB: Using Logs to Enhance Timeline Analysis

MOD 5: Digging Deeper Into Logs

• Web server logs
• Kernel logging with auditd
• Searching kernel audit logs
• Keystroke logging

LAB: Web Server Compromise Logs

Day Four – Digging Deeper

MOD 1: User Artifacts:

• bash_history
• SSH artifacts, inbound and outbound
• Editing history
• Recently opened file history
• Web history

LAB: Post-Exploitation Activity

MOD 2 :EXT File System Analysis:

• Key data structures and layout
• Tools for examining EXT
• Reverse-engineering EXT case study

LAB: Recover Deleted Exploit

MOD 3 : XFS File System Analysis:

• Key data structures and layout
• Tools for examining XFS
• Data recovery methods

LAB: XFS file system walkthrough

MOD 4: Web Compromise – Case Study

• Spotting patterns of activity
• Separating multiple actors
• Matching logs to system activity
• Pivoting to find further information

LAB: Choose your own adventure(s)