Back to Subject
Practice MCQ

Unit 4 - Notes

INT250

Unit 4: Linux and Network Forensics

1. Understand Volatile and Non-volatile Data in Linux

In Linux forensics, data is categorized based on its persistence. Understanding the Order of Volatility (OOV) is crucial for the "Live Response" phase to ensure ephemeral evidence is captured before the system is powered down.

Volatile Data (Live System)

Volatile data resides in the RAM (Random Access Memory) and cache. It vanishes immediately upon system shutdown or reboot.

  • Characteristics:
    • Contains the current state of the system.
    • Highly fragile; changing the system state (even by running forensic commands) alters memory.
  • Key Artifacts & Acquisition Commands:
    • System Time/Date: Critical for timeline correlation.
      • Command: date, uptime
    • Network Connections: Open ports, established connections, and listening services.
      • Command: netstat -anp, ss -tulpn, arp -a
    • Running Processes: Malware running in memory, process hierarchy.
      • Command: ps -aux, lsof (List Open Files)
    • Logged in Users: Who is currently active.
      • Command: w, who, last
    • Mounted Filesystems:
      • Command: mount, df -h
  • Acquisition Methodology:
    • Use statically linked binaries (tools on a USB drive that do not rely on system libraries) to minimize footprint.
    • Use netcat to pipe output to a forensic workstation rather than writing to the victim's disk.

Non-volatile Data (Dead System/Disk Image)

Non-volatile data resides on the Hard Disk Drive (HDD) or Solid State Drive (SSD). It persists after power loss.

  • Characteristics:
    • Static data.
    • Can be analyzed post-mortem using write-blocking hardware.
  • Key Locations:
    • Configuration Files: /etc/
    • Logs: /var/log/
    • User Data: /home/username/
    • Root Data: /root/

2. Analyze File System Image

Linux file systems (commonly Ext4, XFS, or Btrfs) follow a hierarchical directory structure. Analyzing a disk image involves mounting the image read-only or using forensic tools like Autopsy or The Sleuth Kit.

Key Linux Directory Artifacts for Forensics

1. User Activity and History

  • Bash History: Stores commands typed by users.
    • Path: ~/.bash_history (or /home/<user>/.bash_history)
    • Analysis: Look for rm commands, wget/curl (downloading malware), compilation of tools, or ssh connections to other servers.
  • Vim Info: History of files edited with Vim.
    • Path: ~/.viminfo
  • SSH Artifacts:
    • ~/.ssh/authorized_keys: Who can log in (persistence mechanism).
    • ~/.ssh/known_hosts: Servers the user has connected to.

2. System Logs (The /var/log Directory)

  • Authentication Logs: Successful and failed login attempts.
    • Debian/Ubuntu: /var/log/auth.log
    • RHEL/CentOS: /var/log/secure
    • Look for: Brute force attempts, unauthorized sudo usage.
  • System Messages: General system activity.
    • Path: /var/log/syslog or /var/log/messages
  • Web Server Logs: Apache/Nginx access and error logs.
    • Path: /var/log/apache2/ or /var/log/nginx/
  • Audit Logs: Detailed kernel-level auditing (if auditd is active).
    • Path: /var/log/audit/audit.log

3. Persistence Mechanisms (Auto-start)

Malware often modifies these locations to survive reboots.

  • Cron Jobs: Scheduled tasks.
    • Paths: /var/spool/cron/crontabs/, /etc/crontab, /etc/cron.d/, /etc/cron.daily/
  • Systemd Services: Services launched at boot.
    • Paths: /etc/systemd/system/, /usr/lib/systemd/system/
  • RC Scripts: Legacy boot scripts.
    • Path: /etc/init.d/, /etc/rc.local

4. The /etc Directory

  • /etc/passwd: List of user accounts (Check for UID 0 accounts other than root).
  • /etc/shadow: Password hashes (Check for accounts with set passwords that shouldn't have them).
  • /etc/sudoers: Users with administrative privileges.

Deleted File Recovery (Ext4)

  • Inodes: In Linux, file metadata is stored in inodes. When a file is deleted, the inode is marked as free, but data blocks may remain.
  • Journaling: Ext4 uses a journal to record changes. Forensic analysts can use the journal (.journal file) to recover recently deleted data even if the metadata in the main table is wiped.

3. Demonstrate Memory Forensics

Memory forensics involves analyzing a RAM dump to identify artifacts that never touch the hard disk or are encrypted on the disk.

Acquisition (Dumping RAM)

Unlike Windows, Linux does not have a native hibernation file that represents full RAM.

  1. LiME (Linux Memory Extractor): The standard kernel module for acquiring Linux memory. It creates a complete copy of RAM.
    • Usage: Load the kernel module (insmod lime.ko) specifying the output path and format (usually raw).
  2. /dev/mem: Legacy method (often restricted in modern kernels due to security).

Analysis with Volatility Framework

The Volatility Framework is the industry standard for memory analysis.

  1. Profile Generation:
    • Linux memory structures vary by kernel version. You must create a "profile" (using the module.dwarf file and System.map from the victim machine) so Volatility understands the memory layout.
  2. Key Linux Plugins:
    • linux_pslist / linux_pstree: Lists running processes. Look for hidden processes not visible in standard commands.
    • linux_bash: Recovers bash history command lines still resident in memory.
    • linux_netstat: Shows active network connections at the time of capture.
    • linux_lsof: Lists files opened by processes.
    • linux_mount: Shows mounted filesystems.
    • linux_malfind: Scans for code injection and suspicious memory segments (often used to find rootkits).
    • linux_check_fop: Checks file operation structures to detect rootkits hiding files.

4. Understand Network Forensics

Network forensics relates to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.

Layers of Network Forensics

  1. Packet Level (PCAP):
    • "Full Take" capture.
    • Stores the complete payload of every packet (headers + data).
    • Pros: Absolute truth, allows file reconstruction.
    • Cons: Requires massive storage, potential privacy issues (encryption).
  2. Flow Level (NetFlow/IPFIX):
    • Metadata about traffic (Who, What, Where, When, How much).
    • Does not contain payload content.
    • Analogy: Phone bill (records call duration and numbers) vs. recording the actual conversation.

Data Sources

  • Firewalls: Logs allowed/denied traffic.
  • IDS/IPS (Intrusion Detection/Prevention Systems): Logs alerts based on signatures.
  • Proxy Servers: Logs web requests (URLs, User Agents).
  • Packet Captures (Sniffers): Raw data from tools like Wireshark or tcpdump.

5. Explain Logging Fundamentals and Network Forensic Readiness

Logging Fundamentals

  • Syslog Protocol: The standard for message logging.
    • Facilities: The source of the log (e.g., auth, kern, mail).
    • Priorities (Severity): Levels range from debug (7) to emerg (0).
  • Centralized Logging:
    • Critical for Forensics: Logs on a compromised local machine can be wiped by the attacker (rm -rf /var/log).
    • Solution: Forward logs immediately to a remote Log Server or SIEM (Security Information and Event Management) system.

Network Forensic Readiness

Forensic readiness is the capability of an organization to collect, preserve, protect, and analyze digital evidence effectively before an incident occurs.

Key Readiness Steps:

  1. Time Synchronization (NTP): All devices (routers, servers, firewalls) must be synced to a single time source. Without this, correlating events across the network is impossible.
  2. Retention Policy: Define how long logs/PCAPs are kept (e.g., 90 days hot storage, 1 year cold storage).
  3. Baseline Knowledge: Knowing what "normal" traffic looks like to identify "abnormal."
  4. Asset Management: Knowing IP address allocation (DHCP logs) to map an IP to a specific user/device at a specific time.

6. Summarize Event Correlation Concepts

Event correlation involves relating distinct events from multiple sources to identify a larger pattern or security incident.

The Correlation Process

  1. Aggregation: Collecting logs from Firewalls, Linux Servers, Routers, and IDSs into one place (SIEM).
  2. Normalization: Converting different log formats (e.g., JSON, Syslog, XML) into a standard format with consistent fields (Timestamp, Source IP, Dest IP).
  3. Correlation: Applying logic to connect the normalized events.

Correlation Approaches

  • Rule-Based Correlation: Matching events against predefined logic.
    • Example: IF (5 failed logins within 1 minute) AND (1 successful login) THEN Alert "Brute Force Success".
  • Time-Based Correlation: Linking events that happen in chronological sequence.
    • Example: Firewall permit -> Web Server 404 error -> Database SQL Syntax error (indicates SQL Injection probing).
  • Statistical/Anomaly Correlation: Alerting when traffic deviates from the baseline.
    • Example: A user who normally uploads 10MB/day suddenly uploads 5GB (Data Exfiltration).

7. Identify Indicators of Compromise (IoCs) from Network Logs

IoCs are pieces of forensic data that identify potentially malicious activity on a system or network.

Common Network IoCs

  1. IP Addresses:
    • Connections to known Command & Control (C2) servers.
    • Connections to TOR exit nodes (if against policy).
    • Inbound connections from geo-locations where the organization has no business presence.
  2. Domain Names (DNS):
    • DGA (Domain Generation Algorithms): Random-looking domains (e.g., xy7z123qq.com) used by botnets.
    • Typosquatting: Domains mimicking legitimate sites (e.g., goggle.com).
  3. Traffic Artifacts:
    • Beaconing: Regular, periodic connections (heartbeats) sent from an infected host to a C2 server (e.g., every 5 minutes exactly).
    • User-Agent Strings: Unusual agents in HTTP headers.
      • Normal: Mozilla/5.0...
      • Suspicious: Python-urllib/2.7, sqlmap, or empty strings.
  4. File Hashes: MD5/SHA256 hashes of files downloaded over the network matching known malware.
  5. Volume Anomalies: Large outbound transfers over port 53 (DNS Tunneling) or port 443 (HTTPS) at unusual hours.

8. Investigate Network Traffic

This involves the hands-on analysis of Packet Captures (PCAPs) to reconstruct an attack.

Tools

  • Wireshark: GUI-based packet analyzer.
  • Tcpdump: Command-line packet analyzer.
  • TShark: Command-line version of Wireshark.
  • NetworkMiner: Passive network sniffer that automatically extracts files and credentials.

Investigation Techniques

1. Filtering and Stream Reconstruction

Using Wireshark filters to isolate traffic:

  • ip.addr == 192.168.1.5 (Focus on victim IP)
  • http.request.method == "POST" (Look for data being sent out/login attempts)
  • Follow TCP Stream: Right-click a packet -> Follow -> TCP Stream. This reassembles the packets to show the human-readable conversation (e.g., the HTML code of a webpage or the text of an email).

2. Analyzing Specific Protocols

  • HTTP:
    • Check the URI for SQL injection patterns (e.g., UNION SELECT).
    • Check Referer headers to see where the user came from.
  • DNS:
    • Look for distinct high-volume queries for different subdomains of a single domain (Sign of DNS Tunneling/Exfiltration).
  • SMTP/FTP:
    • These are often clear-text. You can read email content or see transferred file names and credentials.

3. File Extraction (Carving)

  • Extracting binaries downloaded by the victim to reverse engineer them.
  • Wireshark: File -> Export Objects -> HTTP/SMB.

4. Encrypted Traffic (HTTPS/TLS)

  • Without the private key, payload analysis is impossible.
  • Analysis strategy: Focus on the "handshake" (JA3 fingerprinting), certificate validity, and traffic volume/timing rather than content.