Linux and Mac Forensics

Module Overview

  • Focus on Linux and Mac forensics.

  • Exploration of four major areas:

    • Volatile vs. non-volatile data analytics.

    • File system images using the Sleuth Kit.

    • Memory forensics using Volatility & PhotoRec.

    • Understanding Mac forensics.

Volatile and Non-Volatile Data

Linux Forensics

  • Linux: An open-source operating system that runs on a variety of devices (servers, desktops, Android devices).

  • Importance of knowledge about Linux in forensic investigations due to the rising number of cyber crimes needing incident investigation.

  • Cybercrime prevalence in business environments mandates artifact extraction from Linux systems.

Volatile Data Collection

  • Volatile Data: Data lost when a machine is turned off. Critical to collect this data before shutting down a system.

    • Important for creating a timeline analysis of incidents.

  • Types of volatile data to collect include:

    • Hostnames and timestamps (date, time, and timezone).

    • Network information (open ports, open files, mounted file system information).

    • Running processes and loaded kernel modules.

    • Service/driver information (information or logs of what devices were connected).

  • Commands to collect information:

    • hostname - retrieves the name of the host.

    • date - retrieves the current date and time.

    • cat /etc/timezone - to know the timezone.

    • Important Note: Unix Epoch time started on January 1, 1970, at 00:00 UTC.

  • Calculate uptime and identify if the system has been rebooted multiple times:

    • Use uptime command to get the system's current time and how long it has been running.

    • top command to view running processes and their details.
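The commands above are only useful as evidence if they are run in a known order and their output is preserved unchanged. The script below is an added example (not part of the course notes): it runs the volatile-data commands listed here, most volatile first, and writes a manifest with a UTC timestamp and SHA-256 of every command's output. Commands that are not installed are recorded as missing rather than aborting the collection. The command list and the manifest format are this example's own choices, not something the notes prescribe.

```python
"""Ordered volatile-data collection with a hashed manifest.

Added example, not from the course notes. Runs the commands the notes list
in order of volatility and records each output with a UTC timestamp and a
SHA-256 digest so the collection can later be shown to be unmodified.
"""
import hashlib
import shutil
import subprocess
from datetime import datetime, timezone

# Most volatile first: clock and uptime change every second, sockets and
# processes change constantly, loaded kernel modules rarely.
VOLATILE_COMMANDS = [
    ["hostname"],
    ["date", "-u"],
    ["cat", "/etc/timezone"],
    ["uptime"],
    ["ip", "addr", "show"],
    ["ip", "route"],
    ["ss", "-tunap"],
    ["ps", "-eo", "pid,ppid,user,lstart,cmd"],
    ["lsmod"],
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_and_record(cmd: list, timeout: int = 30) -> dict:
    """Run one command and return a manifest record describing its output."""
    record = {
        "command": " ".join(cmd),
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    if shutil.which(cmd[0]) is None:
        # Tool not present on this host: note it and keep going.
        record.update(status="missing", output=b"", sha256=sha256_hex(b""))
        return record
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        record.update(status="timeout", output=b"", sha256=sha256_hex(b""))
        return record
    out = proc.stdout + proc.stderr
    record.update(status=f"exit {proc.returncode}", output=out, sha256=sha256_hex(out))
    return record


def collect(commands=VOLATILE_COMMANDS) -> list:
    """Collect every command in sequence; the order is part of the method."""
    return [run_and_record(cmd) for cmd in commands]


def write_manifest(records: list, path: str) -> None:
    """One line per command: timestamp, digest, exit status, command."""
    with open(path, "w") as fh:
        for r in records:
            fh.write(f"{r['collected_at']}  {r['sha256']}  {r['status']:<10} {r['command']}\n")


if __name__ == "__main__":
    recs = collect()
    write_manifest(recs, "volatile_manifest.txt")
    for r in recs:
        print(f"{r['status']:<10} {r['command']}")
```

Run it as root from a trusted copy of the tools where possible; the manifest plus the raw outputs are what go into the case file, and the digests let anyone re-verify that the outputs were not edited afterwards.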

Network Information Collection

  • Network data is crucial in understanding the status of connections, especially in incidents.

  • Old command: ifconfig has been deprecated, replaced by ip addr show for network interfaces.

  • Promiscuous Mode: A network interface in this mode captures all packets on the network, not just those addressed to it.

    • Check for promiscuous mode: run ifconfig -a and look for the PROMISC flag in an interface's output.

  • Netstat Command: Used to extract external connection information, revealing routing tables, connected sockets, and protocol stats.

Routing Tables

  • Routing tables determine the path packets take on a network:

    • Default routes in these tables direct packets when no specific path is available.

    • route or ip route can be used to display routing tables.

  • Detecting anomalies in routing tables can hint at malicious activity (e.g., injected routes).
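Spotting an injected route by eye is unreliable; comparing the current table with a baseline taken from a known-good state is the practical check. The code below is an added example (not from the course notes): it reduces each line of ip route output to a (destination, gateway, device) triple, reports routes that appeared or disappeared, and flags a changed default route. The two route listings are constructed sample data; live_routes() reads the real table on a Linux host.

```python
"""Baseline comparison of a Linux routing table.

Added example, not from the course notes. Parses `ip route show` text
into (destination, gateway, device) triples and diffs it against a
known-good baseline. Both listings below are constructed samples.
"""
import subprocess

BASELINE = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.42 metric 100
"""

# Constructed "current" table: the default gateway has changed and a host
# route to a single internal address has been added.
CURRENT = """\
default via 10.0.0.254 dev eth0 proto static
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.42 metric 100
192.168.50.7 via 10.0.0.254 dev eth0
"""


def parse_routes(text: str) -> set:
    """Reduce each `ip route` line to (destination, gateway, device)."""
    routes = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst, gw, dev = fields[0], "-", "-"        # "-" = no gateway / no device
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "via":
                gw = fields[i + 1]
            elif tok == "dev":
                dev = fields[i + 1]
        routes.add((dst, gw, dev))
    return routes


def diff_routes(baseline: str, current: str) -> dict:
    """Routes added or removed since the baseline, plus a default-route check."""
    base, cur = parse_routes(baseline), parse_routes(current)
    base_default = {r for r in base if r[0] == "default"}
    cur_default = {r for r in cur if r[0] == "default"}
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "default_changed": base_default != cur_default,
    }


def live_routes() -> set:
    """Routing table of the machine this runs on (Linux, needs the ip tool)."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True, text=True)
    return parse_routes(out.stdout)


if __name__ == "__main__":
    for key, value in diff_routes(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

Metric and protocol fields are deliberately dropped from the comparison so that a DHCP renewal does not show up as a change; a new gateway or a new destination does.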

Open Ports Identification

  • Tools for identifying open ports include:

    • Nmap: A network scanning tool that identifies open ports and services in use.

    • netstat: Can provide a list of open ports and the connection status.

Process and File Analysis

  • lsof (List Open Files): Command that shows which files are opened by which processes on the system.

  • ps Command: Used to show active processes and their details like PID and user.
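ps and lsof both read /proc; reading it directly shows what those tools summarise and gives a record that can be re-parsed later. The script below is an added example (not from the course notes): it lists every process with name, PID, PPID, real UID and executable path, builds a pstree-style parent-to-children map, and flags two things an investigator looks for on Linux: a process whose binary has been deleted from disk (the /proc/<pid>/exe link ends in "(deleted)") and a process running from a world-writable temporary directory. The status text and process records used in the checks are constructed samples; the temp-directory list is this example's own choice.

```python
"""Process listing from /proc with two forensic checks.

Added example, not from the course notes. parse_status() also works on a
saved copy of /proc/<pid>/status, so the checks can be rerun offline.
"""
import os

# Constructed sample of a /proc/<pid>/status file.
SAMPLE_STATUS = """\
Name:\tsshd
Umask:\t0022
State:\tS (sleeping)
Pid:\t1234
PPid:\t1
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
"""

# Locations a legitimate daemon rarely executes from (example's own list).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_status(text: str) -> dict:
    """Pick Name, Pid, PPid and the real Uid out of a /proc/<pid>/status text."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Name":
            info["name"] = value
        elif key in ("Pid", "PPid"):
            info[key.lower()] = int(value)
        elif key == "Uid":
            info["uid"] = int(value.split()[0])   # real UID is the first column
    return info


def read_exe(pid: int) -> str:
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:          # kernel threads, or processes we may not inspect
        return ""


def list_processes(proc_root: str = "/proc") -> list:
    """Snapshot of all processes visible under proc_root."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/status") as fh:
                info = parse_status(fh.read())
        except OSError:      # process exited between listdir() and open()
            continue
        info["exe"] = read_exe(int(entry))
        procs.append(info)
    return procs


def children_of(procs: list) -> dict:
    """pstree-style map of parent PID -> sorted list of child PIDs."""
    tree = {}
    for p in sorted(procs, key=lambda p: p["pid"]):
        tree.setdefault(p["ppid"], []).append(p["pid"])
    return tree


def find_suspicious(procs: list) -> dict:
    """Processes whose binary was deleted, and processes running from temp dirs."""
    deleted = [p for p in procs if p["exe"].endswith("(deleted)")]
    tmp_exe = [p for p in procs if p["exe"].startswith(TEMP_DIRS)]
    return {"deleted_exe": deleted, "tmp_exe": tmp_exe}


if __name__ == "__main__":
    snapshot = list_processes()
    for kind, hits in find_suspicious(snapshot).items():
        for p in hits:
            print(f"{kind}: pid={p['pid']} ppid={p['ppid']} uid={p['uid']} {p['name']} {p['exe']}")
```

A deleted executable still has its contents reachable through /proc/<pid>/exe while the process lives, which is why this check belongs with volatile-data collection rather than disk analysis.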

Non-Volatile Data Collection

System Information

  • Non-volatile data remains when the system is powered down, including:

    • System information, user accounts, login histories, and file system structures.

  • Key files to check include:

    • /etc/passwd: for user account info.

    • /var/log/: for event logs and system logs.

User Account Activity

  • To analyze user activity and login history:

    • Use w command to show who is logged in and their activity.

    • Consult /var/log/wtmp and use last to view login history.

    • Investigate /var/log/auth.log (Debian-based systems) or /var/log/secure (Red Hat-based systems) for authentication events.
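The files above can be copied off an image and examined without the live system. The code below is an added example (not from the course notes) of two checks an investigator runs over them: check_passwd() scans /etc/passwd-format lines for accounts other than root that have UID 0 and for system accounts that have been given a login shell, and failed_logins() tallies sshd "Failed password" events from auth.log-format lines by source address, with successes_after_failures() pointing out sources that eventually logged in. The passwd and log lines are constructed samples; the UID 1000 boundary and the no-login shell list follow common Linux distribution conventions.

```python
"""Account and authentication checks over non-volatile files.

Added example, not from the course notes. Both functions take text so
they work on files copied from a disk image. Sample data is constructed.
"""
import re
from collections import Counter

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/sh
"""

SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 host sshd[2011]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  4 09:12:03 host sshd[2011]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar  4 09:12:05 host sshd[2013]: Failed password for alice from 198.51.100.23 port 40010 ssh2
Mar  4 09:13:40 host sshd[2020]: Accepted password for alice from 198.51.100.23 port 40012 ssh2
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SYSTEM_UID_MAX = 999   # Debian/RHEL convention: UIDs below 1000 are system accounts


def check_passwd(text: str) -> dict:
    """Extra UID-0 accounts and system accounts with an interactive shell."""
    extra_root, system_with_shell = [], []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        uid = int(uid)
        if uid == 0 and name != "root":
            extra_root.append(name)
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            system_with_shell.append(name)
    return {"extra_uid0": extra_root, "system_with_shell": system_with_shell}


FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def failed_logins(text: str) -> Counter:
    """Count failed SSH password attempts per source address."""
    return Counter(m.group(2) for m in map(FAILED.search, text.splitlines()) if m)


def successes_after_failures(text: str) -> list:
    """(user, source) pairs where a source that failed earlier was later accepted."""
    failed = failed_logins(text)
    hits = []
    for line in text.splitlines():
        m = ACCEPTED.search(line)
        if m and failed[m.group(2)]:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(check_passwd(SAMPLE_PASSWD))
    print(failed_logins(SAMPLE_AUTH_LOG).most_common())
    print(successes_after_failures(SAMPLE_AUTH_LOG))
```

On a real image, feed check_passwd() the mounted /etc/passwd and the log functions the rotated auth.log files as well as the current one, since the interesting events are often in auth.log.1 or the gzipped rotations.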

Analyzing File System Images

Sleuth Kit

  • Sleuth Kit: A collection of command-line tools for analyzing disk images and file systems.

  • Commands include:

    • mmls: Displays partition structure.

    • fls: Lists files in an image.

    • icat: Extracts files from images based on file identifiers.
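mmls reports partition bounds in sectors, and fls and icat then need that start sector passed with -o; getting the offset wrong is the most common reason these tools report no file system. The code below is an added example (not from the course notes or the Sleuth Kit): parse_mmls() reads an mmls table, computes the byte offset of each partition from the sector size line, and commands_for() builds the fls and icat command lines for every partition that carries a file system. The mmls text is a constructed sample in the tool's usual DOS-table layout; the "<inode>" placeholder stands for an inode number found with fls.

```python
"""Turning mmls output into the offsets the other Sleuth Kit tools need.

Added example, not from the course notes. The mmls output is a
constructed sample in the usual layout for a DOS partition table.
"""
import re

SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0020971519   0020764672   Linux (0x83)
"""

ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
UNITS = re.compile(r"Units are in (\d+)-byte sectors")


def parse_mmls(text: str) -> list:
    """One record per table row; byte_offset uses the sector size mmls reports."""
    sector = 512
    parts = []
    for line in text.splitlines():
        u = UNITS.search(line)
        if u:
            sector = int(u.group(1))
            continue
        m = ROW.match(line)
        if not m:
            continue
        idx, slot, start, end, length, desc = m.groups()
        parts.append({
            "index": int(idx), "slot": slot,
            "start": int(start), "end": int(end), "length": int(length),
            "desc": desc.strip(),
            "byte_offset": int(start) * sector,
            # Meta rows describe the table itself; "-------" rows are unallocated.
            "is_fs": slot not in ("Meta", "-------"),
        })
    return parts


def commands_for(image: str, parts: list) -> list:
    """fls and icat command lines for each partition that can hold a file system."""
    cmds = []
    for p in parts:
        if p["is_fs"]:
            cmds.append(f"fls -r -o {p['start']} {image}")
            cmds.append(f"icat -o {p['start']} {image} <inode>")
    return cmds


if __name__ == "__main__":
    for p in parse_mmls(SAMPLE_MMLS):
        print(f"{p['index']:03d} start={p['start']:>10} bytes={p['byte_offset']:>12} {p['desc']}")
    for c in commands_for("disk.dd", parse_mmls(SAMPLE_MMLS)):
        print(c)
```

The byte offset is what a loop mount or a carver wants (mount -o ro,loop,offset=<bytes>), while fls and icat take the sector count directly; keeping both in the record avoids mixing them up.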

Memory Forensics

Volatility Framework

  • Volatility: A powerful tool for memory analysis that can extract useful information from RAM dumps.

  • Can identify:

    • Active network connections,

    • Running processes,

    • Modules loaded in memory (malicious code, malware injections).

  • Common commands:

    • volatility -f <dumpfile> --profile=Linux for general analysis.

    • Plugins like pslist and pstree can show running processes.

Mac Forensics Overview

Investigative Steps

  • Familiarity with MacOS filesystem is critical for effective investigation.

  • Analyze logs and configuration files, including:

    • system_version.plist for system version information.

    • Application bundles for custom data storage.

  • Key artifacts:

    • User directories like Library, Applications, etc.

    • System logs located in /var/log/.

Essential Tools

  • Mac Forensics Tools: e.g., OS X Auditor, Recon Imager, and data recovery tools specific to Mac.

  • Use Spotlight for indexing and metadata analysis of files and directories.

Windows

Logs

  • PsLoggedOn: a command-line utility from the Sysinternals suite that displays information about users logged on to a Windows computer, both locally and remotely. It combines data from the Registry (HKEY_USERS) and the NetSessionEnum API to show local and resource-based sessions.

    • To use PsLoggedOn, you can run the command psloggedon in the command prompt. It can display local logons, resource connections, and even search for users logged on to specific computers on the network. The tool is useful for administrators to ensure that a user is not logged on when making changes to their profile or policies.

Files & File Systems

NetworkOpenedFiles: A Windows utility that lists all the files currently opened on the host.

Network Information

Intruders after gaining access to a remote system, try to discover other systems that are available on the network.

  • The NetBIOS name table cache maintains a list of connections made to other systems using NetBIOS.

  • The Windows built-in command-line utility nbtstat can be used to view the NetBIOS name table cache.

  • The nbtstat -c option shows the contents of the NetBIOS name cache, which holds NetBIOS name-to-IP address mappings. netstat, by contrast, shows the host's own ports and connections.

    • Syntax: nbtstat [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-RR] [-s] [-S] [interval]

Process Information

  • Investigate the processes running on a potentially compromised system and collect their details.

  • Task Manager displays the programs, processes, and services currently running on the computer.

  • tasklist: displays a list of applications and services with their Process ID (PID) for all tasks running on a local or remote computer.

  • PsList: a Sysinternals command-line tool that gives a moderate level of detail about running processes.

Process-to-Port Mapping

  • Process-to-port mapping traces the port used by a process, together with the protocol and the IP address it is connected to.

  • Tool and command syntax:

    • netstat -a -n -o
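The -o column is what ties a socket to a process, and the usual first question on a suspect host is which PIDs are listening on ports that should not be open. The code below is an added example (not from the course notes): parse_netstat() turns netstat -a -n -o output into records, by_pid() groups them per process, and listeners_outside_baseline() lists listening TCP ports that are not in an expected set. The netstat text is a constructed sample in the Windows output layout, and the expected-ports set is this example's own; process names are not in netstat output and would come from tasklist.

```python
"""Process-to-port mapping from `netstat -a -n -o` output.

Added example, not from the course notes. The sample output below is
constructed in the Windows layout; UDP rows have no State column.
"""
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.10:49712     203.0.113.50:443       ESTABLISHED     4312
  TCP    192.168.1.10:49720     203.0.113.50:8080      ESTABLISHED     5120
  UDP    0.0.0.0:5353           *:*                                    1504
"""

# Ports this example treats as expected listeners on a Windows workstation.
EXPECTED_LISTENERS = {135, 139, 445, 3389}


def split_endpoint(ep: str):
    """'192.168.1.10:49712' -> ('192.168.1.10', 49712); handles '*:*' and '[::]:135'."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> list:
    """One record per socket line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:                       # UDP rows have no State column
            state, pid = "", int(fields[3])
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        records.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state, "pid": pid})
    return records


def by_pid(records: list) -> dict:
    """Group socket records by owning process."""
    groups = {}
    for r in records:
        groups.setdefault(r["pid"], []).append(r)
    return groups


def listeners_outside_baseline(records: list, expected=EXPECTED_LISTENERS) -> list:
    """(port, pid) for listening TCP sockets not in the expected set."""
    return sorted((r["local_port"], r["pid"]) for r in records
                  if r["proto"] == "TCP" and r["state"] == "LISTENING"
                  and r["local_port"] not in expected)


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for pid, socks in sorted(by_pid(recs).items()):
        print(pid, [(s["proto"], s["local_port"], s["state"]) for s in socks])
    print("unexpected listeners:", listeners_outside_baseline(recs))
```

A PID that both listens on an unexpected port and holds an outbound connection, as PID 5120 does in the sample, is the kind of pairing to take to Process Explorer or a memory dump next.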

Process Memory

Running processes may be suspicious or malicious.

  • Process Explorer can be used to check these processes.

  • If a process is suspicious, gather more information by dumping the memory used by the process with tools such as ProcDump and Process Dumper.

  • The tool comes with built-in VirusTotal support, a web service that checks a hash or file against a database of known viruses.

Network Status

  • Collect information on the network interface cards (NICs) of a system to know whether the system is connected to a wireless access point and what IP address is being used.

  • Tools:

    • ipconfig command

    • PromiscDetect tool

    • Promqry tool

  • ipconfig.exe is a utility native to Windows systems that displays information about NICs and their status.

  • The ipconfig /all command displays the full network configuration of the NICs on the system.

Search Index Analysis

  • Windows Search Index uses ESE (Extensible Storage Engine) data storage technology to store its data.

  • It is stored in Windows.edb.

  • Forensic investigators parse this file to search for communication identifiers such as email addresses, account names and messages, and even internet history.

Analysis

Malware Analysis using Redline

Redline is a security tool to identify malware that may be in memory or sum

  • Click on Ports under the Processes tab, where you can find all the connections that existed when the RAM dump was acquired.

  • Metasploit scans a device for any known exploits and lets the user know.

Cache, cookie, History analysis

  • MZCacheView

  • MZCookiesView

  • MZHistoryView

Image Files

  • Exiv2, IrfanView, and Image::MetaData::JPEG

  • ExifReader, Exif Library, and ExifTool display the EXIF data found in JPEG files.

Metadata

  • The investigator can use tools such as Metadata Assistant, Paraben P2 Commander, and Metashield Analyzer to analyze metadata.

Conclusion

  • Recap of key areas covered in digital forensics concerning Linux and MacOS, emphasizing the importance of learning and using various tools effectively during forensic investigations.

  • Encourage students to seek hands-on experience to solidify understanding and skills in forensic data extraction and analysis.