DF Lab 09


DEPARTMENT OF TELECOMMUNICATION ENGINEERING

BACHELOR OF SCIENCE IN CYBER SECURITY


MEHRAN UNIVERSITY OF ENGINEERING & TECHNOLOGY, JAMSHORO
DIGITAL FORENSICS (CYS350)
(6TH SEMESTER, 3RD Year) LAB EXPERIMENT # 09
Name: ________________________________ Roll number: ______________
Score: __________ Date: ____________ Instructor’s Signature: ______________
Lab # 09: To Investigate the Linux Filesystem Analysis
Lab Objective
Learn to perform live Linux filesystem forensic analysis to identify attack artifacts, reconstruct
event timelines, and investigate security breaches on Unix-based systems during incident
response scenarios.
Lab URL: https://tryhackme.com/room/linuxfilesystemanalysis

Rubrics
Lab performance indicator | Subject knowledge | Data analysis and interpretation | Ability to conduct experiment
Score                     |                   |                                  |

Note: Student performance will be assessed based on this rubric during lab sessions.

Learning Objectives
• Perform live file system analysis on a Linux system
• Understand common artifacts, log mechanisms, and file system activities in Linux forensics
• Reconstruct an event timeline in a hands-on incident response scenario
• Identify persistence mechanisms and privilege escalation techniques

Prerequisites
• Linux Fundamentals Parts 1, 2, and 3
• Linux System Hardening concepts
• Basic command line proficiency

Scenario
Penguin Corp has tasked you to perform file system and OS analysis on a Linux-based web
server during a suspected breach. A potential file upload vulnerability has been identified that
allows remote attackers to execute arbitrary commands and gain unauthorized access.

Lab Environment Setup
Connection Details:
• Username: investigator
• Password: TryHackMe123!
• Access Method: Split view or SSH via AttackBox/VPN
• Trusted Binaries Location: /mnt/usb/

Prepared By: Engr. Saqib Hussain


Security Setup Commands:
export PATH=/mnt/usb/bin:/mnt/usb/sbin
export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64

Task 1: Environment Setup and Initial Investigation

Background
When investigating a potentially compromised system, it’s crucial to use trusted binaries to avoid
executing malicious code. The system has trusted binaries mounted at /mnt/usb/ from a clean
installation.
Lab Instructions
1. Set up trusted environment:
export PATH=/mnt/usb/bin:/mnt/usb/sbin
export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64

2. Verify environment setup:
check-env
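Before typing the first forensic command, a practitioner wants proof that the trusted PATH is really in effect. The POSIX shell helpers below are an added example (not part of the lab or the TryHackMe room): they take the trusted root and the PATH/LD_LIBRARY_PATH values as parameters and fail if any listed command or library directory resolves outside that root; check-env is the room's own verifier and appears only in the usage comment.

```shell
#!/bin/sh
# Added example (not part of the lab): confirm that forensic commands resolve to
# the trusted copies under the investigator's USB tree, not to binaries on the
# suspect host. ROOT and the search path are parameters so the check can be run
# against a test directory as well as against /mnt/usb.

# check_trusted_commands ROOT SEARCHPATH CMD...
# Succeeds only if every CMD resolves to a file below ROOT when looked up with
# SEARCHPATH; offending commands are reported on stderr.
check_trusted_commands() {
    root=$1; searchpath=$2; shift 2
    rc=0
    for cmd in "$@"; do
        # Resolve inside a subshell so the caller's PATH is left untouched.
        resolved=$(PATH=$searchpath; export PATH; command -v "$cmd" 2>/dev/null) || resolved=""
        case $resolved in
            "$root"/*) ;;   # resolved inside the trusted tree
            *) printf 'untrusted or missing: %s -> %s\n' "$cmd" "${resolved:-not found}" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# check_trusted_libpath ROOT LIBPATH
# Succeeds only if every directory in LIBPATH (an LD_LIBRARY_PATH value) lies
# below ROOT, so dynamically linked trusted tools also load trusted libraries.
check_trusted_libpath() {
    root=$1; libpath=$2
    [ -n "$libpath" ] || return 1
    old_ifs=$IFS; IFS=:
    for dir in $libpath; do
        case $dir in
            "$root"/*) ;;
            *) IFS=$old_ifs; printf 'untrusted library dir: %s\n' "$dir" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Usage on the lab host, after the two exports from Task 1:
#   check_trusted_commands /mnt/usb "$PATH" ls find stat md5sum sha256sum \
#     && check_trusted_libpath /mnt/usb "$LD_LIBRARY_PATH" && check-env
```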

Questions
Q1.1: After setting up the PATH and LD_LIBRARY_PATH environment variables, run the
command check-env. What is the flag that is returned in the output?
Answer:

Task 2: Identifying the Initial Foothold

Background
Based on intelligence from Penguin Corp, the web server has a file upload vulnerability. We
need to examine the web directories to identify evidence of exploitation.
Lab Instructions
1. Navigate to web directory:
ls -al /var/www/html/

2. Examine uploads directory:
ls -al /var/www/html/uploads

3. Filter out JPEG files to find suspicious uploads:
ls -al /var/www/html/uploads | grep -v ".jpeg"

4. Examine the suspicious file:

cat /var/www/html/uploads/b2c8e1f5.phtml

Questions
Q2.1: Using the find command, locate all the files that the user bob created in the past 1 minute.
Once found, review their contents. What is the flag you receive?
Answer:

Task 3: File Analysis and Metadata Extraction

Background
Understanding file metadata, checksums, and timestamps is crucial for forensic analysis. These
provide insights into file origins, modification times, and potential malicious activities.
Lab Instructions
1. Find files owned by www-data:
find / -user www-data -type f 2>/dev/null | less

2. Examine the reverse.elf file:
ls -l /var/www/html/assets/reverse.elf

3. Extract metadata using ExifTool:
exiftool /var/www/html/assets/reverse.elf

4. Generate checksums:
md5sum /var/www/html/assets/reverse.elf
sha256sum /var/www/html/assets/reverse.elf

5. Check timestamps:
stat /var/www/html/assets/reverse.elf

6. Check /etc/hosts timestamps:
stat /etc/hosts
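The checksum and stat steps above can be turned into a reusable triage record. The following is an added example (not the lab's own code) that assumes GNU coreutils (stat -c, sha256sum) as on the lab host; it also measures the gap between a file's mtime and ctime, which is how a backdated modification time shows up, since touch can rewrite mtime but the kernel updates ctime whenever the inode changes.

```shell
#!/bin/sh
# Added example (not part of the lab): one-line triage record per file plus a
# timestomping lead based on the mtime/ctime gap. Assumes GNU coreutils.
# A large gap is a lead, not proof: cp -p and package extraction also preserve
# mtime while ctime reflects the time the file landed on this host.

# triage_record FILE -> "sha256 md5 size atime mtime ctime path" (epoch seconds)
triage_record() {
    f=$1
    sha=$(sha256sum "$f" | cut -d' ' -f1)
    md5=$(md5sum "$f" | cut -d' ' -f1)
    printf '%s %s %s %s\n' "$sha" "$md5" "$(stat -c '%s %X %Y %Z' "$f")" "$f"
}

# mtime_ctime_gap FILE -> absolute difference in seconds between mtime and ctime
mtime_ctime_gap() {
    set -- $(stat -c '%Y %Z' "$1")   # $1 = mtime, $2 = ctime from here on
    gap=$(($1 - $2))
    [ "$gap" -lt 0 ] && gap=$((-gap))
    echo "$gap"
}

# flag_timestomp FILE THRESHOLD -> succeeds (exit 0) when the gap exceeds
# THRESHOLD seconds, so it can drive an "inspect this file" decision
flag_timestomp() {
    gap=$(mtime_ctime_gap "$1")
    if [ "$gap" -gt "$2" ]; then
        printf 'mtime/ctime gap of %s s on %s\n' "$gap" "$1" >&2
        return 0
    fi
    return 1
}

# Usage on the lab host:
#   triage_record /var/www/html/assets/reverse.elf
#   flag_timestomp /etc/hosts 3600 && echo 'review /etc/hosts timestamps'
```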

Questions
Q3.1: Extract the metadata from the reverse.elf file. What is the file’s MIME type?

Answer:
Q3.2: Use the stat command against the /etc/hosts file on the compromised web server. What is
the full Modify Timestamp (mtime) value?
Answer:

Task 4: User and Group Analysis

Background
Examining user accounts and group memberships helps identify potential backdoor accounts,
privilege escalations, and unauthorized access methods.
Lab Instructions
1. Examine user accounts:
cat /etc/passwd

2. Find users with UID 0 (root privileges):
cat /etc/passwd | cut -d: -f1,3 | grep ':0$'

3. Examine groups:
cat /etc/group

4. Find group with specific ID:
getent group 46

5. Check sudo privileges:
sudo cat /etc/sudoers
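The UID 0 and sudoers checks above, as an added example (not from the lab) written to run against copies of /etc/passwd and /etc/sudoers so the same helpers can be exercised on a constructed sample; the UID 0 count is also what the rkhunter duplicate UID 0 check in Task 8 reports. Group (%name) and alias rules are matched literally, not expanded.

```shell
#!/bin/sh
# Added example (not part of the lab): account review on copies of the host's
# passwd and sudoers files. Every helper takes the file path as a parameter.

# uid0_accounts PASSWD -> every account whose UID field is 0, one per line
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# uid0_count PASSWD -> number of UID 0 accounts; anything above 1 means a
# root-equivalent account exists (rkhunter's duplicate UID 0 check)
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# sudo_rules_for USER SUDOERS -> sudoers lines whose first field is USER
# (comment and blank lines skipped; %group and alias rules are not expanded)
sudo_rules_for() {
    awk -v u="$1" '/^[[:space:]]*(#|$)/ { next } $1 == u { print }' "$2"
}

# sudo_binaries_for USER SUDOERS -> the command part of each matching rule:
# strips "user HOST=", an optional "(runas)" and tags such as NOPASSWD:
sudo_binaries_for() {
    sudo_rules_for "$1" "$2" |
        sed -E 's/^[^=]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?//; s/^([A-Z]+:[[:space:]]*)+//'
}

# Usage on the lab host (after copying the files with trusted binaries):
#   uid0_accounts /etc/passwd; sudo_binaries_for jane /etc/sudoers
```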

Questions
Q4.1: What is the name of the group with the group ID of 46?
Answer:
Q4.2: Examine the /etc/sudoers file on the compromised system. What is the full path of the
binary that Jane can run as sudo?
Answer:

Task 5: User Login Analysis and Session Tracking
Background
Analyzing user login patterns, session data, and authentication logs helps identify unauthorized
access and attacker activity.
Lab Instructions
1. Check recent logins:
last
2. Check last login per user:
lastlog
3. Check failed login attempts:
lastb
4. Check currently logged-in users:
who

Questions
Q5.1: [No specific question for this task - observation and analysis focus]

Task 6: Home Directory Investigation

Background
User home directories contain personal configurations, command history, and SSH
configurations that can reveal evidence of compromise or unauthorized access.
Lab Instructions
1. List home directories:
ls -l /home

2. Examine hidden files in Jane’s directory:
ls -a /home/jane

3. Investigate SSH configuration:
ls -al /home/jane/.ssh
cat /home/jane/.ssh/authorized_keys

4. Check authorized_keys timestamps:
stat /home/jane/.ssh/authorized_keys

5. Examine command history:

cat /home/jane/.bash_history

6. Check Bob’s home directory for hidden files:

find /home/bob -name ".*" -type f 2>/dev/null

Questions
Q6.1: View Jane’s .bash_history file. What flag do you see in the output?
Answer:
Q6.2: What is the hidden flag in Bob’s home directory?
Answer:
Q6.3: Run the stat command on Jane’s authorized_keys file. What is the full timestamp of the
most recent modification?
Answer:

Task 7: Binary Analysis and SUID Investigation

Background
Analyzing system binaries, checking for SUID permissions, and verifying package integrity
helps identify privilege escalation techniques and system modifications.
Lab Instructions
1. Find all executable files:
find / -type f -executable 2> /dev/null

2. Check package integrity:
sudo debsums -e -s

3. Find SUID binaries:
find / -perm -u=s -type f 2>/dev/null

4. Search Jane’s history for Python usage:
sudo cat /home/jane/.bash_history | grep -B 2 -A 2 "python"

5. Compare binary checksums:
md5sum /var/tmp/bash
md5sum /bin/bash
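The checksum comparison in step 5 generalises to every SUID file on the host. This added example (not part of the lab) checks each SUID file below a root against an md5 manifest in the "hash  relative/path" format that dpkg keeps in /var/lib/dpkg/info/*.md5sums, the same data debsums verifies; a SUID file that is unlisted or whose hash differs is the kind of root-escalation binary the lab compares by hand. It assumes GNU find/md5sum and paths without whitespace.

```shell
#!/bin/sh
# Added example (not part of the lab): inventory SUID files and verify them
# against a package manifest of "md5  relative/path" lines. Assumes GNU tools.

# list_suid ROOT -> SUID regular files below ROOT, one per line
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# manifest_hash MANIFEST RELPATH -> recorded md5 for RELPATH, empty if unlisted
manifest_hash() {
    awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# audit_suid ROOT MANIFEST -> one "STATUS path" line per SUID file, STATUS being
# ok, MODIFIED (hash differs from the manifest) or UNLISTED (not in the manifest)
audit_suid() {
    root=$1; manifest=$2
    list_suid "$root" | while IFS= read -r f; do
        rel=${f#"$root"}; rel=${rel#/}          # manifest paths have no leading slash
        expected=$(manifest_hash "$manifest" "$rel")
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ -z "$expected" ]; then status=UNLISTED
        elif [ "$expected" != "$actual" ]; then status=MODIFIED
        else status=ok
        fi
        printf '%s %s\n' "$status" "$f"
    done
}

# suid_clean ROOT MANIFEST -> succeeds only if audit_suid reports nothing but ok
suid_clean() {
    ! audit_suid "$1" "$2" | grep -qv '^ok '
}

# Usage on the lab host, with the manifests of every installed package:
#   cat /var/lib/dpkg/info/*.md5sums > /tmp/all.md5sums && audit_suid / /tmp/all.md5sums
```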

Questions
Q7.1: Run the debsums utility on the compromised host to check only configuration files. Which
file came back as altered?
Answer:
Q7.2: What is the md5sum of the binary that the attacker created to escalate privileges to root?
Answer:

Task 8: Rootkit Detection

Background
Rootkits are malicious tools designed to maintain administrator-level access while remaining
hidden. Detection tools like chkrootkit and rkhunter can help identify these threats.
Lab Instructions
1. Run chkrootkit scan:
sudo chkrootkit

2. Run rkhunter scan:
sudo rkhunter -c -sk

3. Review scan results for anomalies

Questions
Q8.1: What .sh file was detected?
Answer:
Q8.2: How many duplicate (UID 0) accounts did the check find?
Answer:

Note: Attach the screenshot of the TryHackMe room after 100% completion from your own account.
