Operating Systems come in a few competing choices, of which the major players are Apple’s MacOS, Microsoft’s Windows and then the various flavours of Linux, of which most are open sourced while the remainder are proprietary to their vendors.
Of the three, Windows is the most dissimilar, with MacOS and Linux sharing a similar BSD/Unix platform running behind the scenes. This gives MacOS and Linux similar traits when it comes to logging, analysing and tracing system event-logs.
Windows is very widely spread, particularly on the client side (personal home and office machines), however, Linux is more heavily used on servers, web servers, proxies and network exchanges.
Learning how to uncover vital information from these sources can lead to invaluable evidence in the rounding of a digital investigation.
The primary role of a digital forensic investigator is to sift through all the evidence such as drives, logs, mounted media, etc and focus on three main objectives (Dittrich, n.d.):
- Make sure to preserve as much of the data in its original form
- Reconstruct the events that occurred during the criminal act
- Produce a meaningful starting point for law officials and prosecutors to do their jobs
Windows uses a centralised registry as well as event management application view, this means that all system generated logs are sent through to the same location which makes for easier analysis.
Linux on the other hand, pipes most application/system logs to the /var/log/* hierarchy, usually corresponding to the standard application home found at /etc/*.
This can be accessed in plain text format which makes for simple extraction without contamination.
Using last, w or who can show a listing of current and even past logins, ps shows all running processes, lsof shows all open file handles and ports and ltrace, strace, and truss allows one to debug everyday commands and command-line applications.
- /etc/hosts holds information about the system network addressing
- /etc/fstab is the OSs file system table (Trivedi, 2016)
- /var/log/messages aims at storing valuable, non-debug and non-critical messages. (general system activity)
- /var/log/syslog logs everything, except auth related messages (Sinha, 2011)
There are a wide variety of built in commands to retrieve all sorts of system information such as:
- df -h to get the drives and space allocation
- top or htop to show running processes, that update at a specified interval
- cat /etc/*release to show the Linux version and flavour
- cat /etc/hostname to show the machine’s given name
- export to view all environment variables
- cat /users/$USER/.bash_profile to view bash startup information
- ls -lash /users/$USER/.ssh/* to view any SSH configs, keys, authorised hosts
- history shows a list of all commands typed in per user session
- netstat shows active internet connections
The Linux OS is very easy to extract information from, as each application runs in its own user-space, separate from the kernel, yet logs to the equal class path.
As long as a forensic investigator is versed in how the file-system and process architecture operates, it makes for a simplistic extraction process without changing the original source data or mounts.
Dittrich, D. (n.d.) Basic Steps in Forensic Analysis of Unix Systems [Online] Washington.edu, Available from: https://staff.washington.edu/dittrich/misc/forensics/ (Accessed on 9th September 2018)
Trivedi, Y. (2016) What Is the Linux fstab File, and How Does It Work? [Online] HowToGeek.com, Available from: https://www.howtogeek.com/howto/38125/htg-explains-what-is-the-linux-fstab-and-how-does-it-work/ (Accessed on 9th September 2018)
Sinha, M. (2011) Difference between /var/log/messages, /var/log/syslog, and /var/log/kern.log? [Online] AskUbuntu.com, Available from: https://askubuntu.com/questions/26237/difference-between-var-log-messages-var-log-syslog-and-var-log-kern-log (Accessed on 9th September 2018)