Digital Forensics: please describe in detail in your own words.
Describe Linux, its artifacts and their functionalities.
How might they be used by forensic examiners?
Introduction
A computer’s Operating System (OS) is the collection of software that interfaces with computer hardware and controls the functioning of its pieces, such as the hard disk, processor, memory, and many other components.
Forensic investigation on an OS can be performed because it is responsible for file management, memory management, logging, user management, and many other relevant details.
The forensic examiner must understand OSs, file systems, and the numerous tools required to perform a thorough forensic examination of the suspected machine. Modern OSs track a good deal of information that can become artifacts of evidentiary value in the event of a forensic examination.
Describe Linux, its artifacts and their functionalities.
Linux is an open source, Unix-like, and elegantly designed operating system that runs on personal computers, supercomputers, servers, mobile devices, netbooks, and laptops. Unlike other OSs, Linux supports many file systems, most commonly the ext family: ext2, ext3, and ext4.
/etc (Windows equivalent: %SystemRoot%\System32\config)
The system configuration directory; it holds a separate configuration file (or subdirectory) for each application and service.
/var/log
This directory contains application logs and security logs. By default they are typically kept for 4-5 weeks before rotation removes them.
/home/$USER
This directory holds user data and configuration information.
/etc/passwd
This file lists the local user accounts, one per line: user name, UID, GID, home directory, and login shell.
Linux forensics is often IR driven, but sometimes a Linux system comes up in a File Use & Knowledge investigation. An examiner will more likely be dealing with a Windows PC or a Mac, but when a Linux box eventually rolls in it is good to know some basic triage artifacts so the investigation does not stall completely.
Artifacts:
Below are the Linux artifacts. Consider these entry-level artifacts that a "non-Linux" examiner can interpret with a little validation testing:
Computer system profile information
Identify suspicious accounts
Profile user account activity
Profile user login history
Web browsing evidence
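The two account artifacts above (/etc/passwd for suspicious accounts, the auth log under /var/log for login history) can be triaged with a few lines of code. The following is an added example, not part of the original answer: the /etc/passwd content and auth.log lines are constructed, the "suspicious" rules are the author's own assumptions (a second UID-0 account, a system account with an interactive shell, a regular user homed outside /home), and the log format assumed is the classic syslog-style sshd line.

```python
"""Triage of two Linux account artifacts: /etc/passwd (suspicious accounts) and
the SSH entries of the auth log (login history). Added example; the sample
data below is constructed and not taken from any real system."""
import re
from collections import defaultdict

# Constructed /etc/passwd content. The "svc" line is the kind of entry an
# examiner wants to spot: a second UID-0 account with a shell and a /tmp home.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/bash
svc:x:0:0::/tmp:/bin/sh
"""

# Constructed auth.log lines in the classic syslog sshd format.
SAMPLE_AUTH_LOG = """\
Mar  3 08:01:12 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 08:02:40 host sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  3 08:02:44 host sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar  3 08:02:49 host sshd[1214]: Failed password for root from 203.0.113.7 port 40007 ssh2
Mar  3 08:03:05 host sshd[1220]: Accepted publickey for svc from 203.0.113.7 port 40010 ssh2
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per well-formed passwd line (7 colon-separated fields)."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def flag_suspicious_accounts(users):
    """Map account name -> list of reasons it deserves a closer look (assumed rules)."""
    reasons = defaultdict(list)
    for u in users:
        interactive = u["shell"] not in NOLOGIN_SHELLS
        if u["uid"] == 0 and u["name"] != "root":
            reasons[u["name"]].append("uid 0 but not root")
        if u["uid"] < 1000 and u["name"] != "root" and interactive:
            reasons[u["name"]].append("system account with interactive shell")
        if u["uid"] >= 1000 and not u["home"].startswith("/home/"):
            reasons[u["name"]].append("regular user with home outside /home")
    return dict(reasons)


AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def login_history(text):
    """Extract sshd accepted/failed authentication events from auth log text."""
    return [m.groupdict() for m in map(AUTH_RE.match, text.splitlines()) if m]


def summarize_by_ip(events):
    """Per source IP: number of failures and the accounts that were accepted."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": []})
    for e in events:
        if e["result"] == "Failed":
            per_ip[e["ip"]]["failed"] += 1
        else:
            per_ip[e["ip"]]["accepted"].append(e["user"])
    return dict(per_ip)


def correlate(flagged, per_ip):
    """IPs that both failed logins and were accepted as a flagged account."""
    return sorted((ip, user) for ip, s in per_ip.items() if s["failed"]
                  for user in s["accepted"] if user in flagged)


if __name__ == "__main__":
    flagged = flag_suspicious_accounts(parse_passwd(SAMPLE_PASSWD))
    per_ip = summarize_by_ip(login_history(SAMPLE_AUTH_LOG))
    for name, why in flagged.items():
        print(f"account {name}: {'; '.join(why)}")
    for ip, s in per_ip.items():
        print(f"{ip}: {s['failed']} failed, accepted as {s['accepted']}")
    print("correlated:", correlate(flagged, per_ip))
```

On the constructed data the script flags `svc` (UID 0, not root) and `backup` (system account with a shell), and the correlation step ties the brute-force source 203.0.113.7 to its later successful login as `svc`. On a real image, point the parsers at the mounted copy (e.g. `/mnt/evidence/etc/passwd` and `/mnt/evidence/var/log/auth.log`) rather than the examiner's own host.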
What are the Examination Steps in Forensics?
There are five basic steps necessary for operating system forensics. These five steps are listed below:
Data Analysis for Forensics
Forensic examiners perform data analysis to examine artifacts left by perpetrators, hackers, viruses, and spyware. They scan deleted entries, swap or page files, spool files, and RAM during this process. These collected artifacts can provide a wealth of information with regard to how malicious actors tried to cover their tracks and what they were doing to a system.
What Tools Are Most Useful When Conducting Operating System Forensics?
Forensic Toolkit for Linux
Forensic specialists use a forensic toolkit to collect evidence from a Linux operating system. The toolkit comprises many tools, such as dmesg, insmod, netstat, arp, route, hunter.o, date, cat, pcat, and nc.
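The tools listed above are typically run in order of volatility on the live system and their output preserved with a hash. The script below is an added example, not the toolkit's own code: the command table is an assumption (the named tools may be absent on a given host, which the script records instead of aborting), and each output is written to a collection directory together with a manifest of SHA-256 digests.

```python
"""Ordered collection of volatile data from a live Linux host, using the kind
of commands the toolkit above lists (date, dmesg, netstat, arp, route, cat).
Added example, not the toolkit's own code: the command table is an assumption,
and every output is hashed so the collection can be verified later."""
import hashlib
import json
import os
import subprocess
from datetime import datetime, timezone

# Roughly in order of volatility: clock and uptime first, then process and
# kernel state, then network state, then the kernel ring buffer.
COMMANDS = [
    ("date", ["date", "-u"]),
    ("uptime", ["cat", "/proc/uptime"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,etime,cmd"]),
    ("sockets", ["netstat", "-tulpan"]),
    ("arp", ["arp", "-an"]),
    ("routes", ["route", "-n"]),
    ("modules", ["cat", "/proc/modules"]),
    ("dmesg", ["dmesg"]),
]


def run_one(argv, timeout=30):
    """Run one command; never raise, so a missing tool does not stop triage."""
    try:
        p = subprocess.run(argv, capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return {"status": "missing", "output": b""}
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "output": b""}
    return {"status": "ok", "rc": p.returncode, "output": p.stdout}


def collect(commands, outdir):
    """Run each command, save its stdout, and return a manifest with hashes."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"started_utc": datetime.now(timezone.utc).isoformat(), "items": {}}
    for name, argv in commands:
        r = run_one(argv)
        entry = {"argv": argv, "status": r["status"], "rc": r.get("rc"),
                 "size": len(r["output"]),
                 "sha256": hashlib.sha256(r["output"]).hexdigest()}
        path = os.path.join(outdir, name + ".txt")
        with open(path, "wb") as f:
            f.write(r["output"])
        entry["file"] = path
        manifest["items"][name] = entry
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


if __name__ == "__main__":
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    m = collect(COMMANDS, "triage_" + stamp)
    for name, e in m["items"].items():
        print(f"{name:10} {e['status']:8} {e['size']:8d} bytes  {e['sha256'][:16]}")
```

Write the collection directory to removable media or a network share rather than the suspect disk, and keep the manifest with the case notes: the digests are what let a reviewer confirm later that the saved outputs are the ones the examiner captured.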
X-Ways Forensics
X-Ways Forensics offers a forensics work environment with some remarkable features, such as:
Figure 3 shows the interface of X-Ways Forensics.