Saturday, July 31, 2021

Linux Forensics - Some Artifacts

 

Target: Red Hat Enterprise Linux Server release 7.6 (Maipo)

 

Tools:

1.     SANS SIFT Workstation: https://digital-forensics.sans.org/community/downloads

2.     Log2timeline

3.     Aureport

4.     Lnav: https://lnav.org/

5.     Stat

6.     Cat

7.     Grep

8.     Lastb

9.     Last

10.  Chkrootkit

11.  Rkhunter

12.  Clamav

13.  Lynis: https://cisofy.com/lynis/

 

Offline investigation

1.     Mount the victim DD image on SIFT Workstation.

2.     Antivirus scan with clamAV

1)    Update ClamAV:

a.     sudo systemctl stop clamav-freshclam.service

b.     sudo freshclam

2)    Scan the mounted image: clamscan -r -i DIRECTORY (recursive, print infected files only)

 

3.     Rootkit scan with Chkrootkit

1)    Install:

# apt-get update

# apt install chkrootkit

# chkrootkit -V

 

2)    Scan: # chkrootkit -r /mnt/ (use -r to point chkrootkit at the mounted image; it checks all files under the specified directory instead of the live SIFT root.)

 

4.     Build timeline

1)    sudo log2timeline.py victim.plaso /media/sansforensics/

2)    sudo log2timeline.py -z America/Toronto victim.plaso /media/sansforensics/

3)    Search the timeline for keywords such as:

a.     USER_PROCESS IP Address

b.     User:

c.     terminal=ssh res=success

5.     aureport offline check:

1)    Install: sudo apt install auditd

2)    Load the offline logs: aureport --input (mount drive)/var/log/audit/audit.log (--input takes the path of the audit log copied from the image instead of the local audit log.)

6.     Check suspicious file info: stat filename

7.     A few cat commands:

cat /var/log/secure-yyyymmdd | grep "authentication failure" | more

cat /var/log/secure-yyyymmdd | grep "user NOT in sudoers"

cat /var/log/secure-yyyymmdd | grep "failed - POSSIBLE BREAK-IN ATTEMPT" | more

cat /var/log/secure-yyyymmdd | grep "Accept" | more
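The four greps above each answer one question; during triage it helps to pull the same four patterns out in one pass and correlate them (a successful login from a host that had just failed repeatedly is the trace a brute-force success leaves). The script below is an added example, not part of the original post; the log lines are a constructed sample in the RHEL 7 /var/log/secure format, and the regexes assume the stock sshd and sudo message wording.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (RHEL 7 sshd/sudo wording); not from a real case.
SAMPLE_SECURE = """\
Oct 16 03:14:07 victim sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Oct 16 03:14:09 victim sshd[2210]: Failed password for root from 203.0.113.5 port 40122 ssh2
Oct 16 03:14:12 victim sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Oct 16 03:14:15 victim sshd[2213]: reverse mapping checking getaddrinfo for host.example [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 16 03:15:02 victim sshd[2220]: Accepted password for root from 203.0.113.5 port 40130 ssh2
Oct 16 03:16:40 victim sudo:   bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Oct 16 09:00:01 victim sshd[2500]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
"""

# One regex per grep pattern from the checklist, each capturing the fields worth pivoting on.
AUTH_FAIL = re.compile(r"authentication failure;.*rhost=(\S*).*user=(\S+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")
BREAK_IN = re.compile(r"\[(\S+)\] failed - POSSIBLE BREAK-IN ATTEMPT")
NOT_SUDOER = re.compile(r"(\S+) : user NOT in sudoers .*COMMAND=(.*)$")


def triage_secure(text):
    """Summarise the four patterns the cat | grep commands look for, then correlate them."""
    failures = Counter()   # (user, rhost) -> number of PAM authentication failures
    accepted = []          # successful logins in log order
    break_in = set()       # source hosts that triggered the reverse-mapping warning
    sudoers = []           # sudo attempts by users who are not in sudoers
    for line in text.splitlines():
        if m := AUTH_FAIL.search(line):
            failures[(m.group(2), m.group(1))] += 1
        elif m := ACCEPTED.search(line):
            accepted.append({"user": m.group(2), "method": m.group(1), "ip": m.group(3)})
        elif m := BREAK_IN.search(line):
            break_in.add(m.group(1))
        elif m := NOT_SUDOER.search(line):
            sudoers.append({"user": m.group(1), "command": m.group(2).strip()})
    # A success from a host that already failed (or tripped the break-in warning) is the
    # first thing to check against the timeline and the wtmp/btmp output.
    failed_hosts = {host for (_, host) in failures}
    suspicious = [a for a in accepted if a["ip"] in failed_hosts or a["ip"] in break_in]
    return {"failures": failures, "accepted": accepted, "break_in": break_in,
            "sudoers": sudoers, "suspicious_logins": suspicious}


if __name__ == "__main__":
    report = triage_secure(SAMPLE_SECURE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real image, read the rotated files from the mount point (for example (mount drive)/var/log/secure-yyyymmdd) and feed their contents to triage_secure instead of the sample.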

 

8.     Show root user login attempts recorded in btmp (lastb reads the failed-login file): lastb -f btmp-20201016 -Fadx root | more

9.     Show login history from wtmp (full timestamps, hostname last, with IP): last -aiF -f wtmp

10.  Check hosts file (if the attacker hijacks the DNS): sudo cat (mount drive)/etc/hosts

11.  Check autoruns script: sudo cat (mount drive)/etc/fstab

12.  Check cron job:

ls /etc/cron*

cat /etc/crontab

 

 

Online check

1.     Import/convert DD image to VMware and take a snapshot.

2.     Turn on the system.

3.     Check cron jobs of the current user and of root: crontab -l; sudo crontab -l

4.     Check hosts file (if the attacker hijacks the DNS): sudo cat /etc/hosts

5.     Check autoruns script: sudo cat /etc/fstab

6.     Aureport commands:

aureport -au -i | more

 

aureport -au -i --success | more (Authentication report for all successful attempts.)

aureport -au -i --failed | more (Authentication report for all failed attempts.)

aureport -l --success | more (Successful login information.)

aureport -l --failed | more (Failed login information.)

aureport -l --success --summary -i | more (Summary report of all successful logins.)

 

7.     Install and run chkrootkit.

8.     Install and run rkhunter.

9.     Install and run clamAV.

10.  Install and run lynis.

11.  Install and run lnav.

 

Reference:

1.     https://digital-forensics.sans.org/community/downloads

2.     https://lnav.org/

3.     https://cisofy.com/lynis/

4.     https://www.redhat.com/sysadmin/3-antimalware-solutions