Linux Forensics -1-

Saniye Nur
6 min read · Dec 18, 2022


The following topics will be covered in this series of articles:

Live Response

  • Human interactions
  • Creating a live response kit
  • Transporting data across a network
  • Collecting volatile data
  • Determining if dead analysis is justified
  • Dumping RAM

Acquiring filesystem images

  • Using dd
  • Using dcfldd
  • Write blocking
  • Software blockers
  • Udev rules
  • Forensic Linux distros
  • Hardware blockers

Analyzing filesystems

  • Mounting image files
  • Finding the strange
  • Searching tools
  • Authentication related files
  • Recovering deleted files
  • Finding hidden information

Timeline Analysis

  • When the system was installed, upgraded, booted, etc.

  • Newly created files (malware)
  • Changed files (trojans)
  • Files in the wrong place (exfiltration)

Digging deeper into Linux filesystems

  • Disk editors (Active@ Disk Editor)
  • Other Linux filesystems

Searching unallocated space

— Network forensics

  • Using snort on packet captures
  • Using tcpstat
  • Separating conversations with tcpflow
  • Tracing backdoors with tcpflow

— File forensics

  • Using file signatures
  • Searching through swap space
  • Web browsing reconstruction
  • Cookies
  • Search history
  • Browser caches

— Unknown files

  • Comparing hashes to known values
  • File and strings commands
  • Viewing symbols with nm
  • Reading ELF files
  • objdump
  • gdb.

Memory Forensics

  • Volatility Profiles
  • Retrieving process information
  • Recovering command line arguments
  • Rebuilding environment variables
  • Listing open files
  • Retrieving bash information
  • Reconstructing network artifacts
  • Kernel information
  • Volatile file system information
  • Detecting user mode rootkits
  • Detecting kernel rootkits

— Reversing Linux Malware

  • Digging deeper into ELF
  • Headers
  • Sections
  • Strings
  • Symbol tables
  • Program headers
  • Program loading
  • Dynamic linking

— Command line analysis tools

  • Strings
  • Strace
  • ltrace

Running malware (carefully)

  • Virtual machine setup
  • Capturing network traffic
  • Leveraging gdb

Be Prepared

  • Have a response kit with a complete set of system binaries and forensics tools

— Both 32-bit and 64-bit versions

— Ideally CDROM and USB

  • Hardware

— Write blockers

— Media

— Forensic laptop

  • Notebook, etc. for documentation

Data to Collect

Date and Time

  • The clock may be skewed; record the offset against a trusted time source
  • The system may be set to a different timezone than the analyst's

Network interfaces

  • Unexpected interfaces or addresses (tunnels, aliases, extra routes)
  • Interfaces in promiscuous mode (a sign of a sniffer)

Network connections

  • Open ports
  • Programs associated with ports
  • Running processes
  • Open files
  • Routing tables
  • Mounted filesystems
  • Loaded kernel modules
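The open ports and the program-to-port mapping in the list above can be collected without trusting netstat or ss on the subject machine, by reading /proc directly with your own interpreter from the response kit. The following Python is an added example, not code from the original article: it parses the /proc/net/tcp format (the sample text below is constructed but follows the real kernel layout, including the little-endian hex addresses), maps socket inodes to processes through /proc/<pid>/fd, and lists the listeners. The owner map and process names in the sample are constructed for illustration.

```python
import ipaddress
import os

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def decode_addr(field):
    """'0F02000A:0016' -> ('10.0.2.15', 22). The kernel prints every 32-bit word little-endian,
    so each 8-hex-digit word is byte-reversed; IPv6 entries are four such words."""
    host, port = field.split(":")
    raw = b"".join(bytes.fromhex(host[i:i + 8])[::-1] for i in range(0, len(host), 8))
    return str(ipaddress.ip_address(raw)), int(port, 16)


def parse_proc_net_tcp(text):
    """Parse the contents of /proc/net/tcp or /proc/net/tcp6 into dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append(dict(local=decode_addr(f[1]), remote=decode_addr(f[2]),
                         state=TCP_STATES.get(f[3], f[3]), uid=int(f[7]), inode=int(f[9])))
    return rows


def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd links. Live systems only."""
    owners = {}
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            with open(os.path.join(proc, pid, "comm")) as fh:
                comm = fh.read().strip()
            for fd in os.listdir(os.path.join(proc, pid, "fd")):
                target = os.readlink(os.path.join(proc, pid, "fd", fd))
                if target.startswith("socket:["):
                    owners[int(target[8:-1])] = (int(pid), comm)
        except OSError:
            continue                            # process exited, or no permission
    return owners


def listeners(rows, owners):
    """LISTEN sockets with their owning process (None if no process holds the inode)."""
    return [dict(r, owner=owners.get(r["inode"])) for r in rows if r["state"] == "LISTEN"]


def live_listeners(proc="/proc"):
    """On a live system: read tcp and tcp6 directly instead of trusting a possibly trojaned netstat."""
    rows = []
    for name in ("tcp", "tcp6"):
        with open(os.path.join(proc, "net", name)) as fh:
            rows += parse_proc_net_tcp(fh.read())
    return listeners(rows, socket_owners(proc))


# Constructed sample in the real /proc/net/tcp layout: sshd on :22, a local web app on
# 127.0.0.1:8080, an unexplained root listener on :4444 and one established ssh session.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 00000000:115C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:0016 0202000A:D431 01 00000000:00000000 02:000A3B4C 00000000     0        0 45678 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> (pid, comm) map standing in for socket_owners() output.
SAMPLE_OWNERS = {12345: (812, "sshd"), 23456: (1640, "python3"), 34567: (2201, "nc")}

if __name__ == "__main__":
    for entry in listeners(parse_proc_net_tcp(SAMPLE_TCP), SAMPLE_OWNERS):
        print("%s:%d uid=%d owner=%s" % (entry["local"][0], entry["local"][1], entry["uid"], entry["owner"]))
```

Run live_listeners() from a static Python binary on the kit and compare its output with what the system's own netstat shows; a listener that appears here but not there is the classic sign of a user-mode rootkit hooking the socket listing.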

Using LiME (Linux Memory Extractor)

LiME is a loadable kernel module that acquires volatile memory from Linux-based devices, including Android. Because it runs inside the kernel and writes straight to a file or a TCP socket, it leaves a smaller footprint in the captured memory than user-space acquisition tools.

- It must be built for the exact kernel version running on the subject machine.

- It should not be built on the subject machine. For an identical version of Ubuntu you can install the packaged module on your own system with sudo apt-get install lime-forensics-dkms.

- In every other case, download the source from the LiME repository on GitHub (504ensicsLabs/LiME) and compile it against the correct kernel headers: "make" for the currently running kernel, or "make -C /lib/modules/<kernel version>/build M=$PWD" for another installed kernel.

LiME supports three output formats:

  • raw: every physical memory range concatenated, so the physical addresses are lost
  • padded: like raw, but the gaps between ranges are filled with zeros so that the file offset equals the physical address
  • lime: each range is prefixed with a header carrying its physical start and end address (the recommended format; it keeps the metadata analysis tools such as Volatility rely on)
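What the three formats mean on disk, as an added example that is not part of the original post: the Python below parses a lime-format dump using the 32-byte range header defined in the LiME source (magic 0x4C694D45, version 1, start and end physical address, 8 reserved bytes, all little-endian) and converts the ranges into the raw and padded layouts. The sample dump is constructed inline; a real one is produced by loading the module with its path= and format= parameters. The validate() helper is the check to run on a dump before spending analysis time on it, since a capture interrupted part way through is truncated rather than flagged.

```python
import struct

# Per-range header from the LiME source: u32 magic, u32 version, u64 s_addr, u64 e_addr, u8 reserved[8].
LIME_MAGIC = 0x4C694D45          # appears as the bytes "EMiL" at the start of the file
LIME_HDR = struct.Struct("<IIQQ8s")


def parse_lime(data: bytes):
    """Return [(start, end, payload), ...] for every range in a lime-format dump."""
    ranges, off = [], 0
    while off < len(data):
        if off + LIME_HDR.size > len(data):
            raise ValueError("truncated header at offset %d" % off)
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, off))
        if version != 1:
            raise ValueError("unsupported version %d" % version)
        length = e_addr - s_addr + 1             # e_addr is inclusive
        off += LIME_HDR.size
        payload = data[off:off + length]
        if len(payload) != length:
            raise ValueError("truncated range 0x%x-0x%x" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, payload))
        off += length
    return ranges


def to_raw(ranges):
    """raw format: ranges concatenated; physical addresses are no longer recoverable."""
    return b"".join(p for _, _, p in ranges)


def to_padded(ranges):
    """padded format: zero-fill from address 0 and between ranges so file offset == physical address."""
    out = bytearray()
    for s, e, p in ranges:
        if s < len(out):
            raise ValueError("overlapping or unsorted range at 0x%x" % s)
        out.extend(b"\x00" * (s - len(out)))
        out.extend(p)
    return bytes(out)


def make_lime(ranges):
    """Build a lime-format dump from (start, payload) pairs; used here only to construct a sample."""
    out = bytearray()
    for s, p in ranges:
        out += LIME_HDR.pack(LIME_MAGIC, 1, s, s + len(p) - 1, b"\x00" * 8)
        out += p
    return bytes(out)


def validate(data: bytes) -> str:
    """'ok', or the first structural problem found; run this before handing a dump to an analysis tool."""
    try:
        parse_lime(data)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample: two System RAM ranges with a hole between them, like a reserved region in the e820 map.
SAMPLE = make_lime([(0x1000, b"A" * 16), (0x3000, b"B" * 8)])

if __name__ == "__main__":
    for s, e, p in parse_lime(SAMPLE):
        print("range 0x%x-0x%x (%d bytes)" % (s, e, len(p)))
    print("raw size %d, padded size %d" % (len(to_raw(parse_lime(SAMPLE))), len(to_padded(parse_lime(SAMPLE)))))
```

The padded output is what you want if a tool expects a flat physical image, but note the size: it is as large as the highest physical address, not as large as installed RAM, which is why the lime format is the default.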

Mounting Images: MBR Basics

Master Boot Record

  • An old standard (from the 1980s)
  • Allows up to four primary partitions
  • At most one partition can be marked active (bootable)
  • Some partitions may be extended partitions, which can contain multiple logical partitions inside them
  • Logical partitions are stored as a linked list
  • Being replaced by GUID partition tables (GPT)

Master Boot Record Format

Mounting an Image with an MBR

On older disks the first partition starts at sector 63, so the byte offset to pass to the mount command's offset= option is 63 * 512 = 32256. Tools from the last decade align the first partition at sector 2048 instead (offset 1048576). Read the start sector from the partition table rather than assuming it, and always mount evidence read-only.

Extended Partitions

  • Used on MBR disks that need more than four partitions
  • One primary partition of type extended stores the logical partitions inside itself
  • Each logical partition is preceded by an "MBR sector" (an extended boot record, EBR)
  • In an EBR the first entry's start is relative to that EBR's own sector, while the second entry, the link to the next EBR, is relative to the start of the extended partition
  • The EBRs are interpreted as a linked list
  • Normally only the first two entries of an EBR are used
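An added example, not from the original article, that parses an MBR partition table and walks the EBR chain of an extended partition, numbering partitions the way the Linux kernel does (logical partitions start at 5) and computing the offset= value for a read-only loop mount. The 64-sector disk image is constructed inline. The loop and bounds checks matter on evidence you did not create: an EBR chain that points back at itself hangs a naive parser, and one that points outside the extended partition makes it read whatever sector it is told to.

```python
import struct

SECTOR = 512
ENTRY = struct.Struct("<B3sB3sII")      # status, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F, 0x85}     # DOS extended, Win95 LBA extended, Linux extended


def entries(sector):
    """The four 16-byte partition records of an MBR or EBR sector."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    return [ENTRY.unpack_from(sector, 446 + 16 * i) for i in range(4)]


def parse_mbr(disk):
    """Primary partitions from sector 0, plus logical partitions found by walking extended partitions."""
    read = lambda lba: disk[lba * SECTOR:(lba + 1) * SECTOR]
    parts = []
    for i, (status, _, ptype, _, start, count) in enumerate(entries(read(0))):
        if ptype == 0:
            continue
        parts.append(dict(num=i + 1, type=ptype, start=start, sectors=count, bootable=status == 0x80))
        if ptype in EXTENDED_TYPES:
            parts.extend(walk_extended(read, start, count))
    return parts


def walk_extended(read, ext_start, ext_sectors):
    """Follow the EBR linked list. Entry 0 is relative to the EBR's own sector;
    entry 1 (the next EBR) is relative to the start of the extended partition."""
    logical, num, ebr, seen = [], 5, ext_start, set()
    while True:
        if ebr in seen or not (ext_start <= ebr < ext_start + ext_sectors):
            raise ValueError("EBR chain loops or leaves the extended partition at LBA %d" % ebr)
        seen.add(ebr)
        first, second = entries(read(ebr))[:2]
        status, _, ptype, _, rel, count = first
        if ptype != 0:
            logical.append(dict(num=num, type=ptype, start=ebr + rel, sectors=count, bootable=status == 0x80))
            num += 1
        _, _, ntype, _, nrel, _ = second
        if ntype == 0:
            return logical
        ebr = ext_start + nrel


def mount_command(part, image="disk.img", mountpoint="/mnt/evidence"):
    """Read-only loop mount of one partition; offset is the byte offset of its first sector."""
    return "mount -o ro,loop,noexec,offset=%d %s %s" % (part["start"] * SECTOR, image, mountpoint)


def check(disk):
    """'ok' or the parser's complaint, for triaging an image before mounting anything."""
    try:
        parse_mbr(disk)
        return "ok"
    except ValueError as exc:
        return str(exc)


# --- constructed sample disk (64 sectors): one bootable primary, then an extended partition with two logicals ---
def make_entry(status, ptype, start, count):
    return ENTRY.pack(status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)


def make_table(records):
    sec = bytearray(SECTOR)
    for i, rec in enumerate(records):
        sec[446 + 16 * i:446 + 16 * (i + 1)] = rec
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


DISK = bytearray(SECTOR * 64)
DISK[0:SECTOR] = make_table([make_entry(0x80, 0x83, 1, 9), make_entry(0x00, 0x05, 10, 50)])
DISK[10 * SECTOR:11 * SECTOR] = make_table([make_entry(0, 0x83, 1, 9), make_entry(0, 0x05, 10, 20)])  # EBR 1 at LBA 10
DISK[20 * SECTOR:21 * SECTOR] = make_table([make_entry(0, 0x82, 1, 9)])                               # EBR 2 at LBA 20, end of chain
DISK = bytes(DISK)

# Same disk, but the second EBR links back to the first: a malformed (or malicious) chain.
LOOP_DISK = bytearray(DISK)
LOOP_DISK[20 * SECTOR:21 * SECTOR] = make_table([make_entry(0, 0x82, 1, 9), make_entry(0, 0x05, 0, 20)])
LOOP_DISK = bytes(LOOP_DISK)

if __name__ == "__main__":
    for p in parse_mbr(DISK):
        print("p%d type=0x%02x start=%d sectors=%d  %s" % (p["num"], p["type"], p["start"], p["sectors"], mount_command(p)))
```

The classic sector-63 layout from the text is just the case where parse_mbr() returns start=63 for the first entry, giving offset=32256.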

Extended Partition MBR Format

Partition Record Format

GUID Partitions

Part of the UEFI system to replace BIOS boot Allows up to 128 partitions


The new standard

All current 64-bit systems ship with this

GUID Partition Tables

Partition Record Format

Partition Attribute

Mounting GUID Partitions

Use fdisk in listing mode so that it never writes to the evidence device (it also accepts an image file instead of a device). It reports the partition table type and each partition's start sector; multiply the start sector by the sector size to get the mount offset.

fdisk -l /dev/sda
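An added example (not from the original article) that does what fdisk -l does for a GPT disk, and a little more that a forensic examiner wants: it checks the protective MBR, verifies the CRC32 of the header and of the entry array, decodes the attribute bits, computes each partition's byte offset, and can read the backup table at the end of the disk when the primary one is corrupt. The disk image, GUIDs and partition names are constructed inline; the two type GUIDs in KNOWN_TYPES are the standard EFI System and Linux filesystem identifiers.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_HDR = struct.Struct("<8sIIIIQQQQ16sQIII")   # 92-byte header at LBA 1 (and at the last LBA)
GPT_ENTRY = struct.Struct("<16s16sQQQ72s")       # 128-byte entry: type GUID, unique GUID, first, last, attrs, UTF-16LE name
KNOWN_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem",
    "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f": "Linux swap",
}
ATTR_BITS = {0: "platform-required", 1: "efi-ignore", 2: "legacy-bios-bootable"}   # bits 48-63 are type-specific


def parse_gpt(disk, which="primary"):
    """Parse the primary GPT at LBA 1 or the backup at the last LBA, verifying both CRCs."""
    read = lambda lba: disk[lba * SECTOR:(lba + 1) * SECTOR]
    mbr = read(0)
    if mbr[510:512] != b"\x55\xaa" or mbr[446 + 4] != 0xEE:
        raise ValueError("no protective MBR (type 0xEE) at LBA 0")
    hdr_lba = 1 if which == "primary" else len(disk) // SECTOR - 1
    raw = read(hdr_lba)
    (sig, _rev, hsize, hcrc, _, cur, backup, first_usable, last_usable,
     disk_guid, ent_lba, n_ent, ent_size, ecrc) = GPT_HDR.unpack_from(raw)
    if sig != b"EFI PART":
        raise ValueError("bad GPT signature at LBA %d" % hdr_lba)
    if zlib.crc32(raw[:16] + b"\0\0\0\0" + raw[20:hsize]) != hcrc:   # CRC is over the header with its CRC field zeroed
        raise ValueError("GPT header CRC mismatch at LBA %d" % hdr_lba)
    if cur != hdr_lba:
        raise ValueError("header claims LBA %d but was read from LBA %d" % (cur, hdr_lba))
    table = disk[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(table) != ecrc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        t, u, first, last, attrs, name = GPT_ENTRY.unpack_from(table, i * ent_size)
        tguid = str(uuid.UUID(bytes_le=t))           # GUIDs are stored in mixed-endian order
        if tguid == "00000000-0000-0000-0000-000000000000":
            continue                                 # unused entry
        parts.append(dict(num=i + 1, type=KNOWN_TYPES.get(tguid, tguid), guid=str(uuid.UUID(bytes_le=u)),
                          first=first, last=last, name=name.decode("utf-16-le").rstrip("\0"),
                          attrs=[ATTR_BITS.get(b, "bit%d" % b) for b in range(64) if attrs >> b & 1],
                          offset=first * SECTOR, size=(last - first + 1) * SECTOR))
    return dict(disk_guid=str(uuid.UUID(bytes_le=disk_guid)), backup_lba=backup,
                usable=(first_usable, last_usable), parts=parts)


def check_gpt(disk, which="primary"):
    """'ok' or the first problem found."""
    try:
        parse_gpt(disk, which)
        return "ok"
    except ValueError as exc:
        return str(exc)


# --- constructed sample disk: protective MBR, header at LBA 1, 128 entries at LBA 2-33, backup copies at the end ---
def make_entry(type_guid, name, first, last, attrs=0):
    return GPT_ENTRY.pack(uuid.UUID(type_guid).bytes_le, uuid.uuid4().bytes_le, first, last, attrs,
                          name.encode("utf-16-le").ljust(72, b"\0"))


def make_gpt_disk(entry_list, total_sectors=128):
    disk = bytearray(SECTOR * total_sectors)
    disk[446:462] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff", 1, total_sectors - 1)
    disk[510:512] = b"\x55\xaa"
    table = b"".join(entry_list).ljust(128 * 128, b"\0")
    disk_guid = uuid.uuid4().bytes_le

    def header(cur, other, ent_lba):
        fields = [b"EFI PART", 0x00010000, 92, 0, 0, cur, other, 34, total_sectors - 34,
                  disk_guid, ent_lba, 128, 128, zlib.crc32(table)]
        fields[3] = zlib.crc32(GPT_HDR.pack(*fields))
        return GPT_HDR.pack(*fields).ljust(SECTOR, b"\0")

    disk[SECTOR:2 * SECTOR] = header(1, total_sectors - 1, 2)
    disk[2 * SECTOR:2 * SECTOR + len(table)] = table
    disk[(total_sectors - 33) * SECTOR:(total_sectors - 1) * SECTOR] = table
    disk[(total_sectors - 1) * SECTOR:] = header(total_sectors - 1, 1, total_sectors - 33)
    return bytes(disk)


SAMPLE_GPT = make_gpt_disk([
    make_entry("C12A7328-F81F-11D2-BA4B-00A0C93EC93B", "EFI system partition", 34, 40, attrs=1),
    make_entry("0FC63DAF-8483-4772-8E79-3D69D8477DE4", "root", 41, 94),
])
TAMPERED = bytearray(SAMPLE_GPT)
TAMPERED[SECTOR + 40] ^= 1        # flip a bit in first_usable_lba of the primary header
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    for p in parse_gpt(SAMPLE_GPT)["parts"]:
        print("%d %-18s %-22s LBA %d-%d offset=%d attrs=%s" % (p["num"], p["type"], p["name"], p["first"], p["last"], p["offset"], p["attrs"]))
```

A primary header that fails its CRC is not the end of the road: parse_gpt(disk, "backup") reads the copy at the last sector, which is exactly what the backup exists for.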

Filesystem Analysis

Compare files of different filesystem versions (here two extracted OpenWrt squashfs roots). git diff --no-index works on plain directories outside any repository; --diff-filter selects added (A), modified (M) or deleted (D) entries.

Find added files:

git diff --no-index --diff-filter=A _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/

Find modified content (only the new lines, dropping the opkg Installed-Time stamps that change on every install):

git diff --no-index --diff-filter=M _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/ | grep -E "^\+" | grep -v "Installed-Time"

Find deleted files:

git diff --no-index --diff-filter=D _openwrt1.extracted/squashfs-root/ _openwrt2.extracted/squashfs-root/
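The git diff approach is quick, but git only tracks the executable bit of a file's mode, so a binary that gained the setuid bit between two firmware versions shows up as unchanged. The following Python is an added example, not from the original article: it compares two extracted roots by SHA-256 of their contents (never following symlinks, which an untrusted root may point anywhere), reports added, deleted and modified paths, and reports permission changes separately. The two firmware trees it compares are constructed in a temporary directory for illustration.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (kind, sha256-or-link-target, permission bits) for everything under root."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):   # followlinks=False: symlinked dirs are not descended
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)                           # lstat: look at the link itself, not its target
            mode = stat.S_IMODE(st.st_mode)               # includes setuid/setgid/sticky, unlike git
            if stat.S_ISLNK(st.st_mode):
                snap[rel] = ("symlink", os.readlink(full), mode)
            elif stat.S_ISDIR(st.st_mode):
                snap[rel] = ("dir", "", mode)
            elif stat.S_ISREG(st.st_mode):
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        h.update(chunk)
                snap[rel] = ("file", h.hexdigest(), mode)
            else:
                snap[rel] = ("special", "", mode)         # device nodes, fifos, sockets
    return snap


def diff_trees(old_root, new_root):
    """Added/deleted/modified paths plus (path, old_mode, new_mode) for entries whose bits changed."""
    old, new = snapshot(old_root), snapshot(new_root)
    result = dict(added=sorted(set(new) - set(old)), deleted=sorted(set(old) - set(new)),
                  modified=[], mode_changed=[])
    for p in sorted(set(old) & set(new)):
        if old[p][:2] != new[p][:2]:
            result["modified"].append(p)
        elif old[p][2] != new[p][2]:
            result["mode_changed"].append((p, "%04o" % old[p][2], "%04o" % new[p][2]))
    return result


def build_sample():
    """Constructed sample: two extracted firmware roots; the second has an extra uid-0 account,
    an added binary, a removed motd, and busybox made setuid."""
    base = tempfile.mkdtemp()
    old, new = os.path.join(base, "fw1"), os.path.join(base, "fw2")
    for root in (old, new):
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "busybox"), "wb") as fh:
            fh.write(b"\x7fELF busybox")
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(old, "etc", "motd"), "w") as fh:
        fh.write("welcome\n")
    with open(os.path.join(new, "etc", "passwd"), "a") as fh:
        fh.write("svc:x:0:0::/:/bin/sh\n")                # second uid-0 account
    with open(os.path.join(new, "bin", "sshd"), "wb") as fh:
        fh.write(b"\x7fELF not really sshd")
    os.chmod(os.path.join(old, "bin", "busybox"), 0o755)
    os.chmod(os.path.join(new, "bin", "busybox"), 0o4755)  # same bytes, now setuid root
    return old, new


if __name__ == "__main__":
    for key, value in diff_trees(*build_sample()).items():
        print(key, value)
```

Hashing the whole content rather than diffing it is deliberate: on firmware the interesting changes are usually in binaries, where a line-oriented diff is noise, and the hashes can be compared against a vendor image or a known-bad list afterwards.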

Ext2 Basics

Extended Filesystem

  • Based on the Unix File System (UFS)
  • Simpler than UFS
  • Designed to be robust with good performance
  • The ext family is the most common Linux filesystem
  • Ext2 is still used for partitions that don't change much (for example /boot)
  • Ext3 and ext4 add journaling and are used most often

Ext2 Structure

Ext2 Inodes

An inode (index node) is the on-disk structure that holds a file's metadata: owner, group, permissions, size, timestamps (atime, mtime, ctime) and the pointers to its data blocks. The file name is not stored in the inode; directory entries map names to inode numbers, which is why one inode can have several hard links and why a deleted file's inode and blocks can sometimes be recovered after the name is gone. Users normally never notice inodes until the filesystem runs out of them, which produces "no space left on device" on a disk that still has free blocks.

Getting basic Ext2 Information

fsstat (from The Sleuth Kit) prints the superblock and block-group layout of a filesystem without mounting it. The -o option gives the partition's start sector inside the image so the tool reads from the right offset:

fsstat -o 2048 "/media/phil/TOSHIBA EXT/disk-images/2015-3-9.img" | more


Finding things that are out of place

Inode numbers are handed out roughly in order, so in a directory that was populated at install time a file whose inode number is far from its neighbours was often added later. Sorting by size and by time shows binaries that are unusually large (packed or trojaned) or newer than the rest of the system. Remember that ls shows mtime by default, which an intruder can back-date with touch; adding -c shows ctime, which cannot be set from user space.

ls -ali bin | sort -n

ls -ali sbin | sort -n

ls -aliR --sort=size bin | more

ls -aliR --sort=size sbin | more

ls -aliR --sort=time bin | more

ls -aliR --sort=time sbin | more
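The same listing done from Python with ctime next to mtime, as an added example that is not part of the original article. touch -t or touch -r back-dates mtime and atime, which is what a careful intruder does to an implant dropped into /bin; ctime is set by the kernel on every metadata change and cannot be set directly from user space. On a packaged system every installed file has an mtime (build time) older than its ctime (install time), so the useful questions are "which inodes are out of sequence?" and "what changed its ctime inside the suspected compromise window?", which inode_listing() and recent_changes() answer. The directory and the back-dated file are constructed in a temporary location.

```python
import os
import stat
import tempfile
import time


def inode_listing(directory):
    """Like `ls -ali | sort -n`, plus ctime: rows of (inode, mtime, ctime, mode string, name)."""
    rows = []
    for name in os.listdir(directory):
        st = os.lstat(os.path.join(directory, name))
        rows.append((st.st_ino, int(st.st_mtime), int(st.st_ctime), stat.filemode(st.st_mode), name))
    return sorted(rows)                    # sorted by inode number first


def recent_changes(directory, since_epoch):
    """Names whose ctime is at or after since_epoch, regardless of what mtime claims."""
    return [r[4] for r in inode_listing(directory) if r[2] >= since_epoch]


def inode_gaps(directory, factor=10):
    """Names whose inode number jumps by more than `factor` times the median gap from the previous entry;
    a heuristic for files added long after the directory was populated."""
    rows = inode_listing(directory)
    gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
    if len(gaps) < 2:
        return []
    median = sorted(gaps)[len(gaps) // 2] or 1
    return [b[4] for a, b in zip(rows, rows[1:]) if b[0] - a[0] > factor * median]


def build_sample():
    """Constructed sample: three 'binaries' created now; 'ps' then has its mtime back-dated to 2000-01-01
    the way `touch -t 200001010000 ps` would."""
    d = tempfile.mkdtemp()
    for name in ("ls", "cat", "ps"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"\x7fELF" + name.encode())
    os.utime(os.path.join(d, "ps"), (946684800, 946684800))   # atime, mtime; ctime moves to now
    return d


if __name__ == "__main__":
    sample = build_sample()
    for ino, mtime, ctime, mode, name in inode_listing(sample):
        flag = "  <-- mtime far older than ctime" if ctime - mtime > 86400 else ""
        print("%8d %s %s %s %s%s" % (ino, mode, time.strftime("%F %T", time.localtime(mtime)),
                                     time.strftime("%F %T", time.localtime(ctime)), name, flag))
    print("changed in the last minute:", recent_changes(sample, time.time() - 60))
```

On a real /bin, run recent_changes() with the start of the suspected compromise window and compare the result against the package manager's file lists (dpkg -S or rpm -qf) before calling anything an implant.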