Linux Forensics -1-

Saniye Nur

6 min readDec 18, 2022

The following topics will be covered in this series of articles:

Live Response

Human interactions
Creating a live response kit
Transporting data across a network
Collecting volatile data Determining if dead analysis is justified
Dumping RAM

Acquiring filesystem images Using dd

Using dcfldd
Write blocking
Software blockers
Udev rules
Forensic Linux distros
Hardware blockers

Analyzing filesystems

Mounting image files
Finding the strange
Searching tools
Authentication related files
Recovering deleted files
Finding hidden information

Timeline Analysis

* When was system installed, upgraded, booted, etc.

Newly created files (malware)
Changed files (trojans)
Files in the wrong place (exfiltration)

Digging deeper into Linux filesystems

• Disk editors Active@ Disk Editor

Autopsy

ExtX

• Other Linux filesystems

Searching unallocated space

— Network forensics

Using snort on packet captures
Using tcpstat
Seperating conversations with tcpflow
Tracing backdoors with tcpflow

— File forensics

Using file signatures
Searching through swap space
• Web browsing reconstruction
Cookies
Search history
Browser caches

— Unknown files

Comparing hashes to know values
File and strings commands
Viewing symbols with nm
Reading ELF files
objdump
gdb.

Memory Forensics

Volatility Profiles
Retrieving process information
Recovering command line arguments
Rebuilding environment variables
Listing open files
Retrieving bash information
Reconstructing network artifacts
Kernel information
Volatile file system information
Detecting user mode rootkits
Detecting kernel rootkits

— Reversing Linux Malware

Digging deeper into ELF
Headers
Sections
Strings
Symbol tables
Program headers
Program loading
Dynamic linking

— Command line analysis tools

Strings
Strace
Itrace

Running malware (carefully)

Virtual machine setup
Capturing network traffic
Leveraging gdb

Be Prepared

Have a response kit with a complete set of system binaries and forensics tools

— Both 32-bit and 64-bit versions

— Ideally CDROM and USB

Hardware

— Write blockers

— Media

— Forensic laptop

Notebook, etc. for documentation

Data to Collect

Date and Time

Clock may be skewed

Might be in different timezone

Network interfaces

— Funny networks

— Promiscuous mode

Network connections

Open ports
Programs associated with ports
Running processes
Open files
Routing tables
Mounted filesystems
Loaded kernel modules

Use Lime(Linux Memory Extractor)

It is a module that allows volatile memory retrieval from Linux-based devices such as Linux and Android. LiME Linux allows it to produce more forensically robust memory captures than other tools designed for memory acquisition.

- Must be built for an exact kernel

- Should not be built on subject machine — For identical versions of Ubuntu can use sudo apt-get install lime-forensics-dkms

For every other situation must download from https://github.com/504ensics Labs/LIME and compile with correct kernel headers

Compile with “make” for current kernel or “make -C /lib/modules/<kemel version>/build M=$PWD” for other kernels

LIME supports 3 formats:

Raw (every segment concatenated together)
Padded (same as raw, but with zeroes in right bits)
Lime (recommended format with metadata)

Mounting Images: MBR Basics

Master Boot Record

Ancient standard (from the 80s)

Allows up to four partition

• At most one partition can be active (bootable) • Some partitions may be extended partitions

Can contain multiple partitions inside them

- Partitions are stored in a linked list Being replaced with GUID partition tables

Master Boot Record Format

Mountain an Image with a MBR

Boot start=63

Extended Partitions

Used with MBR-based drives with more than 4 partitions
A primary extended partition stores logical partitions inside of itself
Each logical partition is proceeded by an “MBR sector”

Offsets are relative to extended partition

Interpreted as a linked list

Normally only first two entries are used

Extended Partition MBR Format

Partition Record Format

GUID Partitions

Part of the UEFI system to replace BIOS boot Allows up to 128 partitions

Simple

The new standard

All current 64-bit systems ship with this

GUID Partition Tables

Partition Record Format

Partition Attribute

Mounting GUID Partition

fdisk /dev/sda

Filesystem Analysis

Compare files of different filesystem versions

Find added files :

git diff — no-index — diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/

Find Modified content :

git diff — no-index — diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E “^\+” | grep -v “Installed-Time”

Find Deleted File

git diff — no-index — diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/

Ext2 Basics

Extended Filesystem

Based on the Unix File System (UFS)
Simpler than UFS
Meant to be robust with good performance
Most common filesystem change
Ext2 is common for partitions that don’t much
Ext3/4 are journaling and used most often

Ext2 Structure

Ext2 Inodes

Inodes, which are the basic parts of file systems, are structures that carry out their own tasks, whose existence is not noticed unless a problem with usage limits is encountered.

Inode, short for index node, stands for index node. Inodes are small index files that run behind the scenes on the file system.