Forensic Analysis of a Linux System

Students will use the Autopsy forensic suite, a free and open-source tool, to load and then analyze a disk image of a compromised Linux system. Some people hold the misconception that malware does not work on or affect Linux systems, when in fact the use of malware against Linux systems is common. After completing this lab, you will be familiar with some of the common locations where forensic artifacts exist on a Linux system, which differ considerably from those examined in the analysis of Windows systems.

Overview

In this lab, you will learn how to search through a forensic disk image in dd format to find artifacts related to an intrusion on a Linux server. Some of the relevant forensic artifacts on a Linux system include the Apache log files, the shell history file, and the secure or auth.log file, which records valuable information such as SSH connections and user account activity. You will find that forensic analysis of a Linux system is very different from forensics on Windows.

OUTCOMES

In this lab, you will learn to: 

  1. Create an image of a compromised Linux machine using FTK Imager
  2. Examine a compromised Linux machine using Autopsy
  3. Analyze the common locations where artifacts of a compromise are found

Key terms and descriptions

FTK Imager
A free program that can be used to create forensic images.
auth.log
A file that tracks security-related events on the system.
/etc/shadow
A file that contains the password hashes for the users.
history file
This file contains commands that the user typed during a session.
/etc/passwd
This file contains the names of the users on the system as well as their user IDs (UID).
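As an added example that is not part of the lab material, the following Python script works through two of the artifacts described in the overview and key terms: it pulls SSH login results and new-user events out of auth.log lines and flags every /etc/passwd entry with UID 0 besides root. The log lines and passwd entries are constructed samples; on a real case you would feed it the files exported from the dd image in Autopsy.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from any real system).
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:02 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:14:05 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:14:09 web01 sshd[2110]: Accepted password for deploy from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:41 web01 useradd[2150]: new user: name=svc, UID=0, GID=1001, home=/home/svc, shell=/bin/bash
Mar  3 10:16:02 web01 sshd[2160]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Constructed sample /etc/passwd contents: "svc" has been given UID 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
svc:x:0:1001::/home/svc:/bin/bash
"""

# sshd reports "Accepted <method> for <user>" or "Failed <method> for [invalid user] <user>".
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port")
# useradd logs account creation with the UID it assigned.
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(\S+), UID=(\d+)")

def parse_auth_log(text):
    """Return (ssh_events, new_users) found in auth.log text."""
    ssh, new_users = [], []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            ssh.append({"result": m.group(1), "method": m.group(2), "user": m.group(3), "src": m.group(4)})
            continue
        m = USERADD_RE.search(line)
        if m:
            new_users.append({"user": m.group(1), "uid": int(m.group(2))})
    return ssh, new_users

def failed_logins_by_source(ssh_events):
    """Count failed SSH attempts per source address (brute-force indicator)."""
    return Counter(e["src"] for e in ssh_events if e["result"] == "Failed")

def uid0_accounts(passwd_text):
    """List every /etc/passwd account with UID 0; only root should appear."""
    return [f[0] for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) >= 3 and f[2] == "0"]

if __name__ == "__main__":
    ssh, new_users = parse_auth_log(SAMPLE_AUTH_LOG)
    print(failed_logins_by_source(ssh), new_users, uid0_accounts(SAMPLE_PASSWD))
```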