Forensic Artifacts from a Linux Machine

According to Net Market Share’s October 2015 desktop statistics, Linux holds 1.57% of the desktop market, whereas Windows holds 90%. Linux’s share is small compared with Windows, but companies that do not want to invest heavily in their IT infrastructure prefer open source operating systems such as Linux, and most researchers prefer open source products for research and development work. A company with a strong information security policy will typically grant exceptions for these assets by isolating them from the standard operating environment. Such assets face additional threats, such as data leakage and malware infection, so forensic analysis of these devices and environments needs special attention, and the forensic examiner must develop a specialised skill set for analysing such operating systems.

This article presents a small case study on the “extraction of forensic evidence from a desktop running the Ubuntu Linux operating system”. We have also provided the locations of the corresponding artefacts in a Windows environment.


A corporate security group in an organization received an incident from a project manager stating that their client had reported that an offshore employee in India had accessed the client’s license repository webserver, located in the UK, on a specific date and time. During an access rights consolidation for critical business servers, the client’s team had identified access attempts and successful logon entries of an associate who had earlier been part of the project.

The client provided the IP address of the offshore machine and the employee ID identified in their webserver logs, and requested the corporate security group to investigate and provide the relevant evidence. The corporate security group classified it as an administrative investigation and asked the forensic investigation team to perform digital forensic analysis.

The corporate security group initiated digital forensic analysis with the information provided. The offshore machine was identified from DHCP server logs using the IP address. The machine was running the Ubuntu Linux edition; an exception had been granted because the client had a specific business requirement. Forensic imaging of the suspect’s machine was completed.

The investigation team defined its scope as follows:

  1. When was the operating system installed on the machine?
  2. Which operating system was installed on the machine?
  3. What was the time zone information identified?
  4. What were the identified user profiles?
  5. What was the IP address of the machine on the incident reported date?
  6. Who was logged on the machine at incident reported date and time?
  7. Were there any hits to client’s webserver identified specific to the reported date and time?
  8. Were there any files downloaded from client’s webserver?
  9. Were there any traces of data transfer identified?
  10. Were there any traces of uploading files downloaded to any email servers or cloud storage websites?

The forensic investigation team carried out its analysis according to the defined scope:

  1. The operating system was installed 21 days prior to the incident reported date. When checked with the system administration team, the suspect had business approval for the installation. The operating system installation date was identified from “/root/install.log”.
  2. The operating system version and release information was identified from “/etc/os-release”. The operating system identified was Ubuntu 14.04.3.
  3. Time zone information of the machine was identified from “/etc/timezone”; the time zone identified was “Asia/Kolkata”. The logs provided by the client were in the UK time zone, so the logs of the suspect’s machine were correlated to the UK time zone.
  4. User profiles on the suspect’s machine were identified under “/home/$USER”. Only the suspect’s user profile was identified.
  5. The IP address of the suspect machine was identified from “/var/log/syslog”. Syslog is a widely used standard for message logging: it separates the software that generates messages, the system that stores them, and the software that reports and analyses them. Multiple archives of syslog files can be found in the “/var/log” directory, as the log is rotated periodically (daily by default).
  6. The login activity details of users were identified from “/var/log/auth.log”. Traces of login sessions were identified in “auth.log”, and it was evidenced that the suspect was logged on to the machine at the time of the suspicious activity that the client had reported.
  7. Internet history was analysed. The browser identified on the suspect’s machine was Mozilla Firefox, the default browser on most open source operating systems. The user-specific internet activity was identified in the default directory “/home/username/.mozilla/firefox”. Forensic analysis of the internet history showed that the suspect accessed the client’s webserver on the incident reported date.
  8. It was evidenced from cached pages that the suspect accessed and downloaded license files. These files were identified in the default Downloads folder.
  9. A summary of the USB storage devices connected was analysed from “/var/log/syslog”. A flash drive with a unique serial number was identified as having been connected to the suspect’s machine. The file “Client name_ Serial Keys.txt” was identified from the recently accessed files entries in “/home/username/.local/share/recently-used.xbel” and was identified as having been copied on the suspect’s machine. With the consent of the suspect, the USB hard drive was acquired and searched for the suspected file by hash value; the hash query found the file “Client name_ Serial Keys.txt”.
  10. During the analysis of internet history, it was evidenced that the suspect accessed Google Drive, and the Google Drive URL had an entry for uploading the “Client name_ Serial Keys.txt” file. The hash values of the uploaded file and the file downloaded from the client’s webserver were compared and identified to be the same file.
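The following Python script is an added example, not code from the article or from any tool it names. It reads the artifact locations used in steps 2 to 10 above from a mounted image root (the mount point is passed as `root`), parses the systemd-logind session lines in auth.log and the kernel USB lines in syslog, queries the Firefox places.sqlite history, and converts a syslog timestamp from the machine’s Asia/Kolkata zone to the client’s UK zone for correlation, as step 3 requires. The user name jdoe, hostname ws-01, URLs, USB serial number, file contents and timestamps are all constructed inside `build_sample_image()`; on a real image, point the functions at the mount point instead of calling it. The install date (step 1) is not covered because installer log formats vary between releases.

```python
"""Added example, not code from the article: read the artifact locations the
case study uses from a mounted Ubuntu image root and express syslog times in
the client's zone. Everything build_sample_image() writes is constructed."""
import hashlib, re, sqlite3, tempfile, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from pathlib import Path
from zoneinfo import ZoneInfo

def tz(name, fallback_hours):
    """Named zone when tzdata is installed, else a fixed offset (no DST handling)."""
    try:
        return ZoneInfo(name)
    except Exception:
        return timezone(timedelta(hours=fallback_hours), name)

def os_release(root):                     # step 2: /etc/os-release
    kv = {}
    for line in (Path(root) / "etc/os-release").read_text().splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            kv[k] = v.strip().strip('"')
    return kv
def system_timezone(root):                # step 3: /etc/timezone
    return (Path(root) / "etc/timezone").read_text().strip()
def user_profiles(root):                  # step 4: /home/<user>
    return sorted(p.name for p in (Path(root) / "home").iterdir() if p.is_dir())

SESSION = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ systemd-logind\[\d+\]: "
                     r"New session (\d+) of user (\S+)\.")
def logon_sessions(root):                 # step 6: /var/log/auth.log
    out = []
    for line in (Path(root) / "var/log/auth.log").read_text().splitlines():
        m = SESSION.match(line)
        if m:
            out.append({"time": m[1], "session": m[2], "user": m[3]})
    return out
USB = re.compile(r"usb (\S+): (Product|Manufacturer|SerialNumber): (.+)$")
def usb_devices(root):                    # step 9: kernel USB lines in /var/log/syslog
    devs = {}
    for line in (Path(root) / "var/log/syslog").read_text().splitlines():
        m = USB.search(line)
        if m:
            devs.setdefault(m[1], {})[m[2]] = m[3].strip()
    return devs

def recently_used(root, user):            # step 9: recently-used.xbel bookmarks
    path = Path(root) / "home" / user / ".local/share/recently-used.xbel"
    return [(b.get("href"), b.get("visited")) for b in ET.parse(path).getroot().iter("bookmark")]

def firefox_history(root, user, host):    # step 7: places.sqlite in the Firefox profile
    db = next((Path(root) / "home" / user / ".mozilla/firefox").glob("*/places.sqlite"))
    con = sqlite3.connect(db)
    rows = con.execute("SELECT url, last_visit_date FROM moz_places WHERE url LIKE ?",
                       (f"%{host}%",)).fetchall()
    con.close()
    # last_visit_date is PRTime: microseconds since the Unix epoch, in UTC
    return [(u, datetime.fromtimestamp(t / 1e6, timezone.utc)) for u, t in rows]

def to_client_time(syslog_ts, year, local_tz, client_tz):   # step 3: zone correlation
    """syslog timestamps carry neither year nor zone, so both are supplied explicitly."""
    naive = datetime.strptime(f"{year} " + " ".join(syslog_ts.split()), "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=local_tz).astimezone(client_tz)

def sha256(path):                         # step 10: downloaded file vs. copied/uploaded file
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_sample_image():
    """Constructed mini image root; every name, line and value here is made up."""
    root = Path(tempfile.mkdtemp())
    files = {
        "etc/os-release": 'NAME="Ubuntu"\nVERSION="14.04.3 LTS, Trusty Tahr"\nID=ubuntu\n',
        "etc/timezone": "Asia/Kolkata\n",
        "var/log/auth.log":
            "Nov  4 09:12:31 ws-01 sshd[1203]: Accepted password for jdoe from 10.0.0.5 port 51122 ssh2\n"
            "Nov  4 09:12:31 ws-01 systemd-logind[812]: New session 4 of user jdoe.\n",
        "var/log/syslog":
            "Nov  4 09:20:10 ws-01 kernel: [ 1203.44] usb 1-1: new high-speed USB device number 4 using xhci_hcd\n"
            "Nov  4 09:20:10 ws-01 kernel: [ 1203.60] usb 1-1: Product: DataTraveler\n"
            "Nov  4 09:20:10 ws-01 kernel: [ 1203.60] usb 1-1: Manufacturer: Kingston\n"
            "Nov  4 09:20:10 ws-01 kernel: [ 1203.60] usb 1-1: SerialNumber: CONSTRUCTED-SN-0001\n",
        "home/jdoe/.local/share/recently-used.xbel":
            '<?xml version="1.0"?><xbel version="1.0"><bookmark '
            'href="file:///home/jdoe/Downloads/Client_Serial_Keys.txt" added="2015-11-04T03:42:31Z" '
            'modified="2015-11-04T03:42:31Z" visited="2015-11-04T03:42:31Z"/></xbel>',
        "home/jdoe/Downloads/Client_Serial_Keys.txt": "constructed-license-content\n",
        "media/usb/Client_Serial_Keys.txt": "constructed-license-content\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    prof = root / "home/jdoe/.mozilla/firefox/abcd1234.default"
    prof.mkdir(parents=True)
    con = sqlite3.connect(prof / "places.sqlite")
    con.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_date INTEGER)")
    con.execute("INSERT INTO moz_places(url, title, last_visit_date) VALUES (?, ?, ?)",
                ("https://licenses.client.example/keys/Client_Serial_Keys.txt", "keys", 1446608551000000))
    con.commit(); con.close()
    return root
```

To try it, call `root = build_sample_image()` and then, for instance, `to_client_time(logon_sessions(root)[0]["time"], 2015, tz("Asia/Kolkata", 5.5), tz("Europe/London", 0))`, which gives 03:42:31 UK time for the 09:12:31 IST logon; `sha256()` on the Downloads copy and the copy on the USB mount returns the same digest, which is the comparison steps 9 and 10 rely on. The year for syslog lines must come from elsewhere on the image (file modification times or the rotated log names), since the syslog timestamp format does not record it.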

Summary of Findings

Forensic examiners were able to correlate the facts and concluded that the suspect had been working as a support administrator. He was moved to another project, but his access to the previous project’s information resources, such as servers, was not revoked. He also violated corporate security policy through unauthorized access and data theft.

Approach for the Analysis

The forensic analysis of Linux and Windows is not the same, as the kernel types and the file systems differ. Linux uses a monolithic kernel: a single large process running entirely in a single address space, shipped as a single static binary. All kernel services exist and execute in kernel address space, and the kernel can invoke functions directly. Windows uses a hybrid kernel: programs and subsystems in user mode are limited in which system resources they can access, while kernel mode has unrestricted access to system memory and external devices. The Windows NT kernel is known as a hybrid kernel.

Following are some major differences between Windows and Linux.

The forensic artifacts that a forensic examiner can identify depend on the file system and the operating system. A brief introduction to Linux directories is provided below.

The locations of digital evidence in Windows and Linux operating systems are provided below.


Every organization has a standard information security policy and change management in place, but any relaxation of the corporate security policy for a business team should address the risk associated with that exception. Timely auditing, enforcing strict change management, and privileged access review are some of the critical factors that can address this risk. Forensic practitioners are also advised to keep their skill set current with the organization’s business requirements to avoid mishandling digital evidence.

Authored by Jayaprasad B
