hacktricks/forensics/basic-forensic-methodology/linux-forensics.md

466 lines
23 KiB
Markdown
Raw Normal View History

2022-05-08 23:13:03 +00:00
# Linux Forensics
2022-04-28 16:01:33 +00:00
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
2022-08-31 22:35:39 +00:00
\
2022-09-01 23:40:55 +00:00
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-08-31 22:35:39 +00:00
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
2022-04-28 16:01:33 +00:00
<details>
2023-12-30 10:12:47 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2023-12-30 10:12:47 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-30 10:43:59 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2023-12-30 10:12:47 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
2023-12-30 10:12:47 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2022-05-08 23:13:03 +00:00
## Initial Information Gathering
2022-05-01 16:32:23 +00:00
2022-05-08 23:13:03 +00:00
### Basic Information
2020-12-25 10:22:35 +00:00
2022-09-07 15:35:57 +00:00
First of all, it's recommended to have some **USB** with **good known binaries and libraries on it** (you can just get ubuntu and copy the folders _/bin_, _/sbin_, _/lib,_ and _/lib64_), then mount the USB, and modify the env variables to use those binaries:
2020-12-25 10:22:35 +00:00
```bash
export PATH=/mnt/usb/bin:/mnt/usb/sbin
export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64
```
Once you have configured the system to use good and known binaries you can start **extracting some basic information**:
```bash
2022-09-07 15:35:57 +00:00
date #Date and time (Clock may be skewed, Might be at a different timezone)
2020-12-25 10:22:35 +00:00
uname -a #OS info
2022-09-07 15:35:57 +00:00
ifconfig -a || ip a #Network interfaces (promiscuous mode?)
2020-12-25 10:22:35 +00:00
ps -ef #Running processes
netstat -anp #Proccess and ports
lsof -V #Open files
netstat -rn; route #Routing table
df; mount #Free space and mounted devices
2020-12-25 22:35:08 +00:00
free #Meam and swap space
2020-12-25 10:22:35 +00:00
w #Who is connected
2020-12-26 23:48:55 +00:00
last -Faiwx #Logins
2020-12-25 10:22:35 +00:00
lsmod #What is loaded
cat /etc/passwd #Unexpected data?
cat /etc/shadow #Unexpected data?
2020-12-25 22:35:08 +00:00
find /directory -type f -mtime -1 -print #Find modified files during the last minute in the directory
2020-12-25 10:22:35 +00:00
```
2022-05-08 23:13:03 +00:00
#### Suspicious information
2020-12-25 22:25:37 +00:00
While obtaining the basic information you should check for weird things like:
2022-09-07 15:35:57 +00:00
* **Root processes** usually run with low PIDS, so if you find a root process with a big PID you may suspect
2021-11-30 16:46:07 +00:00
* Check **registered logins** of users without a shell inside `/etc/passwd`
* Check for **password hashes** inside `/etc/shadow` for users without a shell
2020-12-25 22:25:37 +00:00
2022-05-08 23:13:03 +00:00
### Memory Dump
2020-12-25 20:14:31 +00:00
2022-09-07 15:35:57 +00:00
To obtain the memory of the running system, it's recommended to use [**LiME**](https://github.com/504ensicsLabs/LiME).\
To **compile** it, you need to use the **same kernel** that the victim machine is using.
2020-12-25 20:14:31 +00:00
{% hint style="info" %}
2022-09-07 15:35:57 +00:00
Remember that you **cannot install LiME or any other thing** in the victim machine as it will make several changes to it
2020-12-25 20:14:31 +00:00
{% endhint %}
So, if you have an identical version of Ubuntu you can use `apt-get install lime-forensics-dkms`\
2022-09-07 15:35:57 +00:00
In other cases, you need to download [**LiME**](https://github.com/504ensicsLabs/LiME) from github and compile it with correct kernel headers. To **obtain the exact kernel headers** of the victim machine, you can just **copy the directory** `/lib/modules/<kernel version>` to your machine, and then **compile** LiME using them:
2020-12-25 20:14:31 +00:00
```bash
make -C /lib/modules/<kernel version>/build M=$PWD
sudo insmod lime.ko "path=/home/sansforensics/Desktop/mem_dump.bin format=lime"
```
2020-12-25 21:41:10 +00:00
LiME supports 3 **formats**:
2020-12-25 20:14:31 +00:00
* Raw (every segment concatenated together)
* Padded (same as raw, but with zeroes in right bits)
* Lime (recommended format with metadata
2020-12-25 20:14:31 +00:00
2022-09-07 15:35:57 +00:00
LiME can also be used to **send the dump via network** instead of storing it on the system using something like: `path=tcp:4444`
2020-12-25 21:41:10 +00:00
2022-05-08 23:13:03 +00:00
### Disk Imaging
2020-12-25 22:03:49 +00:00
2022-05-08 23:13:03 +00:00
#### Shutting down
2020-12-25 22:03:49 +00:00
2022-09-07 15:35:57 +00:00
First of all, you will need to **shut down the system**. This isn't always an option as some times system will be a production server that the company cannot afford to shut down.\
There are **2 ways** of shutting down the system, a **normal shutdown** and a **"plug the plug" shutdown**. The first one will allow the **processes to terminate as usual** and the **filesystem** to be **synchronized**, but it will also allow the possible **malware** to **destroy evidence**. The "pull the plug" approach may carry **some information loss** (not much of the info is going to be lost as we already took an image of the memory ) and the **malware won't have any opportunity** to do anything about it. Therefore, if you **suspect** that there may be a **malware**, just execute the **`sync`** **command** on the system and pull the plug.
2020-12-25 22:03:49 +00:00
2022-05-08 23:13:03 +00:00
#### Taking an image of the disk
2020-12-25 22:03:49 +00:00
2022-09-07 15:35:57 +00:00
It's important to note that **before connecting your computer to anything related to the case**, you need to be sure that it's going to be **mounted as read only** to avoid modifying any information.
2020-12-25 22:20:35 +00:00
2020-12-25 22:03:49 +00:00
```bash
#Create a raw copy of the disk
dd if=<subject device> of=<image file> bs=512
2022-09-07 15:35:57 +00:00
#Raw copy with hashes along the way (more secure as it checks hashes while it's copying the data)
2020-12-25 22:08:05 +00:00
dcfldd if=<subject device> of=<image file> bs=512 hash=<algorithm> hashwindow=<chunk size> hashlog=<hash file>
2020-12-25 22:21:23 +00:00
dcfldd if=/dev/sdc of=/media/usb/pc.image hash=sha256 hashwindow=1M hashlog=/media/usb/pc.hashes
2020-12-25 22:03:49 +00:00
```
2022-05-08 23:13:03 +00:00
### Disk Image pre-analysis
2021-01-05 13:06:39 +00:00
2022-09-07 15:35:57 +00:00
Imaging a disk image with no more data.
2021-01-05 13:06:39 +00:00
```bash
2022-09-07 15:35:57 +00:00
#Find out if it's a disk image using "file" command
2021-01-05 13:06:39 +00:00
file disk.img
disk.img: Linux rev 1.0 ext4 filesystem data, UUID=59e7a736-9c90-4fab-ae35-1d6a28e5de27 (extents) (64bit) (large files) (huge files)
#Check which type of disk image it's
img_stat -t evidence.img
raw
#You can list supported types with
img_stat -i list
Supported image format types:
raw (Single or split raw file (dd))
aff (Advanced Forensic Format)
afd (AFF Multiple File)
afm (AFF with external metadata)
afflib (All AFFLIB image formats (including beta ones))
ewf (Expert Witness Format (EnCase))
#Data of the image
fsstat -i raw -f ext4 disk.img
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name:
Volume ID: 162850f203fd75afab4f1e4736a7e776
Last Written at: 2020-02-06 06:22:48 (UTC)
Last Checked at: 2020-02-06 06:15:09 (UTC)
Last Mounted at: 2020-02-06 06:15:18 (UTC)
Unmounted properly
Last mounted on: /mnt/disk0
Source OS: Linux
[...]
#ls inside the image
fls -i raw -f ext4 disk.img
d/d 11: lost+found
d/d 12: Documents
d/d 8193: folder1
d/d 8194: folder2
V/V 65537: $OrphanFiles
#ls inside folder
fls -i raw -f ext4 disk.img 12
r/r 16: secret.txt
#cat file inside image
icat -i raw -f ext4 disk.img 16
ThisisTheMasterSecret
```
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
2022-08-31 22:35:39 +00:00
\
2022-09-01 23:40:55 +00:00
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-08-31 22:35:39 +00:00
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
2022-05-08 23:13:03 +00:00
## Search for known Malware
2020-12-23 19:52:25 +00:00
2022-05-08 23:13:03 +00:00
### Modified System Files
2020-12-23 19:52:25 +00:00
Linux offers tools for ensuring the integrity of system components, crucial for spotting potentially problematic files.
2020-12-23 19:52:25 +00:00
* **RedHat-based systems**: Use `rpm -Va` for a comprehensive check.
* **Debian-based systems**: `dpkg --verify` for initial verification, followed by `debsums | grep -v "OK$"` (after installing `debsums` with `apt-get install debsums`) to identify any issues.
2020-12-23 19:52:25 +00:00
2022-05-08 23:13:03 +00:00
### Malware/Rootkit Detectors
2020-12-23 19:52:25 +00:00
Read the following page to learn about tools that can be useful to find malware:
{% content-ref url="malware-analysis.md" %}
[malware-analysis.md](malware-analysis.md)
{% endcontent-ref %}
2020-12-23 19:52:25 +00:00
2022-05-08 23:13:03 +00:00
## Search installed programs
2020-12-23 19:52:25 +00:00
To effectively search for installed programs on both Debian and RedHat systems, consider leveraging system logs and databases alongside manual checks in common directories.
2020-12-23 19:52:25 +00:00
* For Debian, inspect _**`/var/lib/dpkg/status`**_ and _**`/var/log/dpkg.log`**_ to fetch details about package installations, using `grep` to filter for specific information.
* RedHat users can query the RPM database with `rpm -qa --root=/mntpath/var/lib/rpm` to list installed packages.
2020-12-23 19:52:25 +00:00
To uncover software installed manually or outside of these package managers, explore directories like _**`/usr/local`**_, _**`/opt`**_, _**`/usr/sbin`**_, _**`/usr/bin`**_, _**`/bin`**_, and _**`/sbin`**_. Combine directory listings with system-specific commands to identify executables not associated with known packages, enhancing your search for all installed programs.
2020-12-23 19:52:25 +00:00
```bash
2024-02-07 04:05:50 +00:00
# Debian package and log details
cat /var/lib/dpkg/status | grep -E "Package:|Status:"
cat /var/log/dpkg.log | grep installed
# RedHat RPM database query
rpm -qa --root=/mntpath/var/lib/rpm
# Listing directories for manual installations
ls /usr/sbin /usr/bin /bin /sbin
# Identifying non-package executables (Debian)
2020-12-23 19:52:25 +00:00
find /sbin/ -exec dpkg -S {} \; | grep "no path found"
2024-02-07 04:05:50 +00:00
# Identifying non-package executables (RedHat)
2020-12-23 19:52:25 +00:00
find /sbin/ exec rpm -qf {} \; | grep "is not"
2024-02-07 04:05:50 +00:00
# Find exacuable files
find / -type f -executable | grep <something>
2020-12-23 19:52:25 +00:00
```
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
2022-08-31 22:35:39 +00:00
\
2022-09-01 23:40:55 +00:00
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-08-31 22:35:39 +00:00
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
2022-05-08 23:13:03 +00:00
## Recover Deleted Running Binaries
2022-03-13 16:39:41 +00:00
2024-02-07 04:05:50 +00:00
Imagina a process taht was executed from /tmp/exec and deleted. It's possible to extract it
```bash
cd /proc/3746/ #PID with the exec file deleted
head -1 maps #Get address of the file. It was 08048000-08049000
dd if=mem bs=1 skip=08048000 count=1000 of=/tmp/exec2 #Recorver it
```
2022-03-13 16:39:41 +00:00
2022-09-07 15:35:57 +00:00
## Inspect Autostart locations
2020-12-23 20:08:45 +00:00
2022-05-08 23:13:03 +00:00
### Scheduled Tasks
2020-12-23 20:08:45 +00:00
```bash
cat /var/spool/cron/crontabs/* \
/var/spool/cron/atjobs \
/var/spool/anacron \
/etc/cron* \
/etc/at* \
/etc/anacrontab \
/etc/incron.d/* \
/var/spool/incron/* \
#MacOS
ls -l /usr/lib/cron/tabs/ /Library/LaunchAgents/ /Library/LaunchDaemons/ ~/Library/LaunchAgents/
```
2022-05-08 23:13:03 +00:00
### Services
2020-12-23 20:08:45 +00:00
2024-02-07 04:05:50 +00:00
Paths where a malware could be isntalled as a service:
* **/etc/inittab**: Calls initialization scripts like rc.sysinit, directing further to startup scripts.
* **/etc/rc.d/** and **/etc/rc.boot/**: Contain scripts for service startup, the latter being found in older Linux versions.
* **/etc/init.d/**: Used in certain Linux versions like Debian for storing startup scripts.
* Services may also be activated via **/etc/inetd.conf** or **/etc/xinetd/**, depending on the Linux variant.
* **/etc/systemd/system**: A directory for system and service manager scripts.
* **/etc/systemd/system/multi-user.target.wants/**: Contains links to services that should be started in a multi-user runlevel.
* **/usr/local/etc/rc.d/**: For custom or third-party services.
* **\~/.config/autostart/**: For user-specific automatic startup applications, which can be a hiding spot for user-targeted malware.
* **/lib/systemd/system/**: System-wide default unit files provided by installed packages.
2020-12-23 22:44:17 +00:00
2022-05-08 23:13:03 +00:00
### Kernel Modules
2020-12-23 22:44:17 +00:00
2024-02-07 04:05:50 +00:00
Linux kernel modules, often utilized by malware as rootkit components, are loaded at system boot. The directories and files critical for these modules include:
* **/lib/modules/$(uname -r)**: Holds modules for the running kernel version.
* **/etc/modprobe.d**: Contains configuration files to control module loading.
* **/etc/modprobe** and **/etc/modprobe.conf**: Files for global module settings.
2020-12-23 22:44:17 +00:00
2022-09-07 15:35:57 +00:00
### Other Autostart Locations
2020-12-23 22:44:17 +00:00
2024-02-07 04:05:50 +00:00
Linux employs various files for automatically executing programs upon user login, potentially harboring malware:
2020-12-23 22:44:17 +00:00
* **/etc/profile.d/**\*, **/etc/profile**, and **/etc/bash.bashrc**: Executed for any user login.
* **\~/.bashrc**, **\~/.bash\_profile**, **\~/.profile**, and **\~/.config/autostart**: User-specific files that run upon their login.
* **/etc/rc.local**: Runs after all system services have started, marking the end of the transition to a multiuser environment.
2020-12-23 22:44:17 +00:00
2022-05-08 23:13:03 +00:00
## Examine Logs
2020-12-23 22:44:17 +00:00
2024-02-07 04:05:50 +00:00
Linux systems track user activities and system events through various log files. These logs are pivotal for identifying unauthorized access, malware infections, and other security incidents. Key log files include:
* **/var/log/syslog** (Debian) or **/var/log/messages** (RedHat): Capture system-wide messages and activities.
* **/var/log/auth.log** (Debian) or **/var/log/secure** (RedHat): Record authentication attempts, successful and failed logins.
* Use `grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log` to filter relevant authentication events.
* **/var/log/boot.log**: Contains system startup messages.
* **/var/log/maillog** or **/var/log/mail.log**: Logs email server activities, useful for tracking email-related services.
* **/var/log/kern.log**: Stores kernel messages, including errors and warnings.
* **/var/log/dmesg**: Holds device driver messages.
* **/var/log/faillog**: Records failed login attempts, aiding in security breach investigations.
* **/var/log/cron**: Logs cron job executions.
* **/var/log/daemon.log**: Tracks background service activities.
* **/var/log/btmp**: Documents failed login attempts.
* **/var/log/httpd/**: Contains Apache HTTPD error and access logs.
* **/var/log/mysqld.log** or **/var/log/mysql.log**: Logs MySQL database activities.
* **/var/log/xferlog**: Records FTP file transfers.
* **/var/log/**: Always check for unexpected logs here.
2020-12-23 22:44:17 +00:00
{% hint style="info" %}
2022-09-07 15:35:57 +00:00
Linux system logs and audit subsystems may be disabled or deleted in an intrusion or malware incident. Because logs on Linux systems generally contain some of the most useful information about malicious activities, intruders routinely delete them. Therefore, when examining available log files, it is important to look for gaps or out of order entries that might be an indication of deletion or tampering.
2020-12-23 22:44:17 +00:00
{% endhint %}
2024-02-07 04:05:50 +00:00
**Linux maintains a command history for each user**, stored in:
2020-12-23 22:44:17 +00:00
* \~/.bash\_history
* \~/.zsh\_history
* \~/.zsh\_sessions/\*
* \~/.python\_history
* \~/.\*\_history
2020-12-27 00:27:13 +00:00
2024-02-07 04:05:50 +00:00
Moreover, the `last -Faiwx` command provides a list of user logins. Check it for unknown or unexpected logins.
2020-12-27 00:27:13 +00:00
2024-02-07 04:05:50 +00:00
Check files that can grant extra rprivileges:
2020-12-27 00:27:13 +00:00
* Review `/etc/sudoers` for unanticipated user privileges that may have been granted.
* Review `/etc/sudoers.d/` for unanticipated user privileges that may have been granted.
* Examine `/etc/groups` to identify any unusual group memberships or permissions.
* Examine `/etc/passwd` to identify any unusual group memberships or permissions.
2020-12-27 00:27:13 +00:00
2024-02-07 04:05:50 +00:00
Some apps alse generates its own logs:
2020-12-27 00:28:02 +00:00
* **SSH**: Examine _\~/.ssh/authorized\_keys_ and _\~/.ssh/known\_hosts_ for unauthorized remote connections.
* **Gnome Desktop**: Look into _\~/.recently-used.xbel_ for recently accessed files via Gnome applications.
* **Firefox/Chrome**: Check browser history and downloads in _\~/.mozilla/firefox_ or _\~/.config/google-chrome_ for suspicious activities.
* **VIM**: Review _\~/.viminfo_ for usage details, such as accessed file paths and search history.
* **Open Office**: Check for recent document access that may indicate compromised files.
* **FTP/SFTP**: Review logs in _\~/.ftp\_history_ or _\~/.sftp\_history_ for file transfers that might be unauthorized.
* **MySQL**: Investigate _\~/.mysql\_history_ for executed MySQL queries, potentially revealing unauthorized database activities.
* **Less**: Analyze _\~/.lesshst_ for usage history, including viewed files and commands executed.
* **Git**: Examine _\~/.gitconfig_ and project _.git/logs_ for changes to repositories.
2020-12-23 23:14:22 +00:00
2022-05-08 23:13:03 +00:00
### USB Logs
2021-05-28 17:27:17 +00:00
2022-03-13 16:39:41 +00:00
[**usbrip**](https://github.com/snovvcrash/usbrip) is a small piece of software written in pure Python 3 which parses Linux log files (`/var/log/syslog*` or `/var/log/messages*` depending on the distro) for constructing USB event history tables.
2021-05-28 17:27:17 +00:00
2022-09-07 15:35:57 +00:00
It is interesting to **know all the USBs that have been used** and it will be more useful if you have an authorized list of USBs to find "violation events" (the use of USBs that aren't inside that list).
2021-05-28 17:27:17 +00:00
2022-05-08 23:13:03 +00:00
### Installation
2021-05-28 17:27:17 +00:00
2024-02-07 04:05:50 +00:00
```bash
2021-05-28 17:27:17 +00:00
pip3 install usbrip
2022-09-07 15:35:57 +00:00
usbrip ids download #Download USB ID database
2021-05-28 17:27:17 +00:00
```
2022-05-08 23:13:03 +00:00
### Examples
2021-05-28 17:27:17 +00:00
2024-02-07 04:05:50 +00:00
```bash
2021-05-28 17:27:17 +00:00
usbrip events history #Get USB history of your curent linux machine
usbrip events history --pid 0002 --vid 0e0f --user kali #Search by pid OR vid OR user
#Search for vid and/or pid
usbrip ids download #Downlaod database
usbrip ids search --pid 0002 --vid 0e0f #Search for pid AND vid
```
More examples and info inside the github: [https://github.com/snovvcrash/usbrip](https://github.com/snovvcrash/usbrip)
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
2022-08-31 22:35:39 +00:00
\
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-08-31 22:35:39 +00:00
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
2022-05-08 23:13:03 +00:00
## Review User Accounts and Logon Activities
2020-12-23 22:44:17 +00:00
2022-09-07 15:35:57 +00:00
Examine the _**/etc/passwd**_, _**/etc/shadow**_ and **security logs** for unusual names or accounts created and or used in close proximity to known unauthorized events. Also, check possible sudo brute-force attacks.\
Moreover, check files like _**/etc/sudoers**_ and _**/etc/groups**_ for unexpected privileges given to users.\
2022-09-07 15:35:57 +00:00
Finally, look for accounts with **no passwords** or **easily guessed** passwords.
2020-12-23 22:44:17 +00:00
2022-05-08 23:13:03 +00:00
## Examine File System
2020-12-23 23:14:22 +00:00
2024-02-07 04:05:50 +00:00
### Analyzing File System Structures in Malware Investigation
2020-12-23 23:14:22 +00:00
2024-02-07 04:05:50 +00:00
When investigating malware incidents, the structure of the file system is a crucial source of information, revealing both the sequence of events and the malware's content. However, malware authors are developing techniques to hinder this analysis, such as modifying file timestamps or avoiding the file system for data storage.
2020-12-23 23:14:22 +00:00
2024-02-07 04:05:50 +00:00
To counter these anti-forensic methods, it's essential to:
* **Conduct a thorough timeline analysis** using tools like **Autopsy** for visualizing event timelines or **Sleuth Kit's** `mactime` for detailed timeline data.
* **Investigate unexpected scripts** in the system's $PATH, which might include shell or PHP scripts used by attackers.
* **Examine `/dev` for atypical files**, as it traditionally contains special files, but may house malware-related files.
* **Search for hidden files or directories** with names like ".. " (dot dot space) or "..^G" (dot dot control-G), which could conceal malicious content.
* **Identify setuid root files** using the command: `find / -user root -perm -04000 -print` This finds files with elevated permissions, which could be abused by attackers.
* **Review deletion timestamps** in inode tables to spot mass file deletions, possibly indicating the presence of rootkits or trojans.
* **Inspect consecutive inodes** for nearby malicious files after identifying one, as they may have been placed together.
* **Check common binary directories** (_/bin_, _/sbin_) for recently modified files, as these could be altered by malware.
2024-02-07 04:05:50 +00:00
````bash
2024-02-07 04:05:50 +00:00
# List recent files in a directory:
ls -laR --sort=time /bin```
# Sort files in a directory by inode:
ls -lai /bin | sort -n```
````
2020-12-28 22:28:30 +00:00
{% hint style="info" %}
2022-09-07 15:35:57 +00:00
Note that an **attacker** can **modify** the **time** to make **files appear** **legitimate**, but he **cannot** modify the **inode**. If you find that a **file** indicates that it was created and modified at the **same time** as the rest of the files in the same folder, but the **inode** is **unexpectedly bigger**, then the **timestamps of that file were modified**.
2020-12-28 22:28:30 +00:00
{% endhint %}
2022-05-08 23:13:03 +00:00
## Compare files of different filesystem versions
2020-12-28 22:28:30 +00:00
2024-02-07 04:05:50 +00:00
### Filesystem Version Comparison Summary
2021-01-06 15:28:14 +00:00
2024-02-07 04:05:50 +00:00
To compare filesystem versions and pinpoint changes, we use simplified `git diff` commands:
* **To find new files**, compare two directories:
2021-01-06 15:28:14 +00:00
```bash
2024-02-07 04:05:50 +00:00
git diff --no-index --diff-filter=A path/to/old_version/ path/to/new_version/
2021-01-06 15:28:14 +00:00
```
* **For modified content**, list changes while ignoring specific lines:
2021-01-06 15:28:14 +00:00
```bash
2024-02-07 04:05:50 +00:00
git diff --no-index --diff-filter=M path/to/old_version/ path/to/new_version/ | grep -E "^\+" | grep -v "Installed-Time"
2021-01-06 15:28:14 +00:00
```
* **To detect deleted files**:
2021-01-06 15:28:14 +00:00
```bash
2024-02-07 04:05:50 +00:00
git diff --no-index --diff-filter=D path/to/old_version/ path/to/new_version/
2021-01-06 15:28:14 +00:00
```
* **Filter options** (`--diff-filter`) help narrow down to specific changes like added (`A`), deleted (`D`), or modified (`M`) files.
* `A`: Added files
* `C`: Copied files
* `D`: Deleted files
* `M`: Modified files
* `R`: Renamed files
* `T`: Type changes (e.g., file to symlink)
* `U`: Unmerged files
* `X`: Unknown files
* `B`: Broken files
2020-12-28 21:51:56 +00:00
2022-05-08 23:13:03 +00:00
## References
2020-12-23 22:44:17 +00:00
2021-10-19 00:01:07 +00:00
* [https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf](https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems\_Ch3.pdf)
2020-12-23 22:44:17 +00:00
* [https://www.plesk.com/blog/featured/linux-logs-explained/](https://www.plesk.com/blog/featured/linux-logs-explained/)
2024-02-07 04:05:50 +00:00
* [https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203](https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---diff-filterACDMRTUXB82308203)
* **Book: Malware Forensics Field Guide for Linux Systems: Digital Forensics Field Guides**
2022-04-28 16:01:33 +00:00
<details>
2024-02-09 00:36:13 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2022-09-07 15:35:57 +00:00
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-30 10:43:59 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2024-02-08 21:36:35 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
2022-04-28 16:01:33 +00:00
**Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
2022-08-31 22:35:39 +00:00
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
2022-08-31 22:35:39 +00:00
\
2022-09-01 23:40:55 +00:00
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
2022-08-31 22:35:39 +00:00
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}