www.tvtc.gov.sa
Digital Forensics
Lab2: Linux Forensics
Prepared by: Fatimah Albrahimi
Outline
• Work on the Kali Linux operating system
• Use various shell commands
• Examine Linux log files
• Collect volatile and non-volatile information
Use various shell commands
Command                          Description
sudo dmesg                       Print the kernel ring buffer: boot messages and device-driver
                                 output (disks detected, USB devices inserted, interfaces brought up).
sudo dmesg | grep -i eth0        Filter the kernel messages for the eth0 interface; -i makes the
                                 match case-insensitive.
sudo fsck -n /dev/sda1           Check the file system on /dev/sda1 for consistency. -n answers
                                 "no" to every repair prompt, so nothing is written; run it only on
                                 an unmounted device or a working copy, never on original evidence.
sudo stat /dev/sda1              Show the inode metadata of a file or device node: size, owner,
                                 permissions and the access, modify and change timestamps.
                                 stat -f reports the status of the file system instead.
ps -ef                           List every running process in full format (UID, PID, PPID, start
                                 time, command line).
ps aux                           List every process in BSD format, adding CPU and memory use, TTY,
                                 state and start time for each process.
mount                            List the mounted file systems with device, mount point, type and
                                 options (mount -h only prints the help text).
history 10                       Show the last 10 commands of the current shell session. The
                                 on-disk ~/.bash_history is written when the shell exits and can be
                                 edited or cleared by the user, so treat it as easily tampered with.
pstree -h                        Show all processes as a tree; -h highlights the current process and
                                 its ancestors.
Log Files
Log files: Linux log files are stored as plain text in the /var/log directory and its subdirectories.
There are logs for everything: the system, the kernel, package managers, services such as Apache, etc.
On systemd-based distributions (Kali included) the journal is the other main source: journalctl reads
it, and the classic files under /var/log exist only when a syslog daemon such as rsyslog is installed.
Command                          Description
ls -l /var/log                   List the log files with their sizes, owners and modification times.
sudo ls -l /var/log/apache2/     List the Apache web server logs (access.log, error.log).
sudo more /var/log/auth.log      Page through the authentication and authorization events: logins,
                                 failed passwords, sudo use, PAM session open/close, each with a
                                 timestamp.
cat /var/log/dpkg.log            Show the package history: every install, upgrade and remove done
or                               through dpkg/apt. dpkg.log.1 is the previous rotated copy; older
cat /var/log/dpkg.log.1          rotations are compressed (dpkg.log.2.gz) and are read with zcat.
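Reading auth.log with more is fine for a small file, but the questions an examiner actually asks (who failed to log in, from where, who got in, what was run with sudo) are answered faster with grep, awk and sed. The script below is an added example, not part of the original slides; it builds a constructed auth.log sample (host name, user names and addresses are made up) and shows the triage queries, including the one that also serves the later auth.log entry in the non-volatile table: successful logins from an address that was guessing passwords moments before.

```shell
#!/bin/sh
# Added example (not from the slides): triage an auth.log-style file with the
# text tools already on a Kali box. The log lines below are constructed for the
# demo; the host name "kali", the user names and the addresses are made up.

# Write a constructed auth.log sample to the path given as $1.
make_sample_auth_log() {
  cat > "$1" <<'EOF'
Mar  3 09:12:01 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:04 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:09 kali sshd[1205]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:13:40 kali sshd[1220]: Accepted password for analyst from 192.0.2.10 port 40212 ssh2
Mar  3 09:13:40 kali sshd[1220]: pam_unix(sshd:session): session opened for user analyst by (uid=0)
Mar  3 09:15:02 kali sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 09:16:11 kali sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/chkrootkit
Mar  3 09:20:33 kali sshd[1301]: Accepted publickey for root from 203.0.113.7 port 51100 ssh2
EOF
}

# Failed SSH password attempts per source address, most frequent first.
# Output lines look like "      3 203.0.113.7".
failed_logins_by_ip() {
  grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn
}

# Successful logins: month day time user source-address.
accepted_logins() {
  awk '/Accepted (password|publickey) for/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "for")  user = $(i + 1)
           if ($i == "from") ip   = $(i + 1)
         }
         print $1, $2, $3, user, ip
       }' "$1"
}

# Commands run through sudo, as "user command".
sudo_commands() {
  grep ' sudo: ' "$1" \
    | sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

# Successful logins from an address that also produced failures: the trace a
# password-guessing attack leaves behind once it succeeds.
accepted_after_failures() {
  bad=$(mktemp)
  failed_logins_by_ip "$1" | awk '{ print $2 }' > "$bad"
  accepted_logins "$1" | awk -v bad="$bad" '
    BEGIN { while ((getline ip < bad) > 0) seen[ip] = 1 }
    $5 in seen'
  rm -f "$bad"
}

# Demo run against the constructed sample.
LOG=$(mktemp)
make_sample_auth_log "$LOG"
echo "== failed password attempts per source =="; failed_logins_by_ip "$LOG"
echo "== successful logins ==";                   accepted_logins "$LOG"
echo "== sudo commands ==";                       sudo_commands "$LOG"
echo "== logins from addresses that failed first =="; accepted_after_failures "$LOG"
rm -f "$LOG"
```

Run the same functions against a real /var/log/auth.log (and its rotated copies) on the evidence system; the sed and awk patterns follow the message formats sshd and sudo write on Debian-based systems, so a host with a different syslog layout may need the field positions adjusted.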
Volatile and Non-Volatile Information
• Volatile information
• Volatile information is easily modified and is lost when the system is shut down or rebooted.
• Collecting it first helps to build a logical timeline of the security incident: running processes,
  open network connections and logged-in users show what was happening at the moment of acquisition.
• Volatile data resides in CPU registers, cache and RAM; collect it in that order of volatility, the
  most short-lived data first.
• Non-Volatile information
• Non-volatile data remains unchanged when the system is shut down or loses power.
• Examples: emails, word documents, log files, and deleted files whose disk blocks have not yet been
  reused.
• Such data usually resides on the HDD or SSD (file system, swap files, slack space, unallocated
  drive space, etc.).
Volatile Information
Command                          Description
netstat                          Show network information: netstat -tunap lists TCP/UDP connections
                                 and listening sockets with the owning process, netstat -r the
                                 routing table, for all interfaces. netstat is deprecated; ss -tunap
                                 and ip route give the same information on current systems.
last -F                          Show every login and logout recorded in /var/log/wtmp with full date
                                 and time, including reboots and users still logged in.
hostname                         The name of the computer you are examining.
ifconfig                         Show the active network interfaces: MAC address, IP address,
                                 netmask, broadcast address, etc.
ifconfig -a                      Also include interfaces that are down. The modern equivalent is
                                 ip addr show.
sudo lsof                        List every file currently open, with the process and user holding
                                 it; this includes network sockets and files deleted while still open.
sudo readelf --file-header /bin/ls  Read the ELF header of an executable: class (32/64-bit),
                                 endianness, type, target machine and entry point. Comparing it with
                                 a known-good copy is a first check when a system binary is
                                 suspected of having been replaced.
arp -a                           Show the ARP cache: the IP-to-MAC mappings of devices this host has
                                 talked to on the same subnet (ip neigh on current systems).
ls -l /proc                      List the process directories (one per PID) and the kernel
                                 information files. /proc is a live view of the running kernel, so
                                 everything in it is volatile.
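Typing these commands one at a time changes the system while you look at it and leaves no record of what was captured when. The script below is an added example, not part of the original slides: it runs the volatile-data commands from the table in order of volatility into a case directory, substitutes ss, ip addr and ip neigh when netstat, ifconfig or arp are absent, notes tools that are not installed instead of aborting, and finishes with a SHA-256 manifest so the artefacts can be verified later. Directory and file names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the slides): collect the volatile data listed in the
# table above, most volatile first, into a case directory, and hash every
# artefact so the collection can be verified later. Run as root on the live
# host. Missing tools are recorded rather than aborting the collection.

# run_tool NAME CMD [ARGS...]: save CMD's output as NAME.txt in $OUT, or note
# that the tool is absent. Command errors are captured in the file, not fatal.
run_tool() {
  name=$1; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$@" > "$OUT/$name.txt" 2>&1 || echo "exit status $? from: $*" >> "$OUT/$name.txt"
  else
    echo "tool not installed: $1" > "$OUT/$name.txt"
  fi
}

# first_of CMD...: print the first of the given commands present on this host
# (falls back to the first name, which run_tool then records as missing).
first_of() {
  for c in "$@"; do
    if command -v "$c" >/dev/null 2>&1; then echo "$c"; return 0; fi
  done
  echo "$1"
}

# collect_volatile DIR: acquire into DIR in order of volatility, then write
# the manifest. The numeric prefixes preserve the acquisition order.
collect_volatile() {
  OUT=$1
  mkdir -p "$OUT"
  date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUT/00_collection_start_utc.txt"
  run_tool 01_hostname   hostname
  run_tool 02_processes  ps -ef
  run_tool 03_ps_aux     ps aux
  case "$(first_of netstat ss)" in
    netstat) run_tool 04_connections netstat -tunap ;;
    *)       run_tool 04_connections ss -tunap ;;
  esac
  case "$(first_of arp ip)" in
    arp) run_tool 05_arp_cache arp -a ;;
    *)   run_tool 05_arp_cache ip neigh ;;
  esac
  case "$(first_of ifconfig ip)" in
    ifconfig) run_tool 06_interfaces ifconfig -a ;;
    *)        run_tool 06_interfaces ip addr show ;;
  esac
  run_tool 07_logged_in  who
  run_tool 08_logins     last -F
  run_tool 09_open_files lsof -n
  run_tool 10_mounts     mount
  run_tool 11_dmesg      dmesg
  date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUT/99_collection_end_utc.txt"
  # Manifest written last so it covers every artefact above.
  (cd "$OUT" && sha256sum *.txt > MANIFEST.sha256)
}

# verify_collection DIR: succeed only if every artefact still matches the manifest.
verify_collection() {
  (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1)
}

# Demo: collect into a temporary case directory and verify it.
CASE=$(mktemp -d)
collect_volatile "$CASE"
verify_collection "$CASE" && echo "collection verified: $CASE"
```

Copy the case directory and its manifest to external media, record its hash in your notes, and re-run the verification when the evidence is examined; any edited artefact makes sha256sum -c return non-zero.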
Non-Volatile information
Command                                                   Description
sudo find /etc -type f -printf '%TY-%Tm-%Td-%TT %p\n'     List every regular file under /etc with its
                                                          last-modification date and time followed by
                                                          its path.
sudo find /etc -type f -printf '%TY-%Tm-%Td-%TT %p\n' | sort -r
                                                          The same list sorted newest first: a quick
                                                          timeline of recent configuration changes.
sudo cat /var/log/auth.log                                Show which users logged in, from where, and
                                                          the commands they ran through sudo.
sudo chkrootkit                                           Check the system binaries, the process list
                                                          and the log files for known rootkit
                                                          signatures and report anything that looks
                                                          infected.
ls -al /tmp                                               List the temporary files, including hidden
                                                          (dot) files, with owner and permissions.
ls -lh /tmp                                               The same list with human-readable file sizes.
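The find timeline relies on modification times, and a modification time is exactly what an intruder can reset with touch. The script below is an added example, not part of the original slides: it wraps the find/sort pipeline from the table as functions that work on any directory, and adds a check the slide does not show, comparing each file's modification time (mtime) with its inode change time (ctime), which touch and utimes() cannot set. It builds a constructed stand-in for /etc (the file names and contents are made up) so it runs offline; it needs GNU find for -printf, as the slide's own command does.

```shell
#!/bin/sh
# Added example (not from the slides): the find/sort timeline from the table
# above as reusable functions, plus a check for files whose modification time
# was set back. The sample directory is constructed for the demo.

# mtime_timeline DIR: every regular file with its modification time, newest first.
mtime_timeline() {
  find "$1" -type f -printf '%TY-%Tm-%Td-%TT %p\n' | sort -r
}

# recent_changes DIR N: only the N most recently modified files.
recent_changes() {
  mtime_timeline "$1" | head -n "$2"
}

# backdated_files DIR: files whose inode change time (ctime, %C@) is more than a
# day later than their modification time (mtime, %T@). touch -t, utimes() and
# the usual timestomping tools rewrite mtime but cannot set ctime, so a large
# ctime > mtime gap on a configuration file deserves a closer look.
backdated_files() {
  find "$1" -type f -printf '%T@ %C@ %p\n' \
    | awk '($2 - $1) > 86400 { print $3 }' | sort
}

# make_sample_dir DIR: a constructed stand-in for /etc with two back-dated files.
make_sample_dir() {
  mkdir -p "$1"
  echo "PermitRootLogin no" > "$1/sshd_config"           # written now: mtime equals ctime
  echo "root:x:0:0:root:/root:/bin/bash" > "$1/passwd"
  echo "nameserver 192.0.2.53" > "$1/resolv.conf"
  touch -t 202101150830 "$1/passwd"                      # mtime pushed back to 2021
  touch -t 202306011200 "$1/resolv.conf"                 # mtime pushed back to 2023
}

# Demo run against the constructed directory.
SAMPLE=$(mktemp -d)
make_sample_dir "$SAMPLE"
echo "== timeline, newest first ==";            mtime_timeline "$SAMPLE"
echo "== most recent change ==";                recent_changes "$SAMPLE" 1
echo "== mtime older than ctime by > 1 day =="; backdated_files "$SAMPLE"
rm -rf "$SAMPLE"
```

On a real system run the functions against /etc (or any directory of interest) as root; a file that appears in the back-dated list but not near the top of the timeline is one whose displayed age should not be trusted.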