Unit 8 Assignment
IT411 Digital Forensics
Eric Clarkson
Purdue Global University
Professor Louay Karadsheh
October 17, 2023
What are some of the things that you can learn from the forensic artifacts from a Linux system? How can they be used to help piece together the puzzle after a breach has occurred?
To investigate security incidents and uncover system weaknesses, digital forensic investigators employ several methodologies and tools. Forensic artifacts left behind by Linux systems are one of the most potent sources of information. After a breach, these artifacts help investigators piece together the puzzle by providing significant information about system activity, user behavior, and potential security risks.
Such artifacts can be used to investigate security incidents, discover system flaws, and track user behavior. This paper looks at some of the most important forensic artifacts that can be obtained from a Linux system, as well as how they can be used to investigate security issues.
When investigating a Linux system, system logs are among the most important artifacts to collect. They record system events such as user logins, kernel and service messages, and application activity. Plain-text logs usually reside in the /var/log/ directory, while the kernel ring buffer and the systemd journal can be examined with the 'dmesg' and 'journalctl' commands. System log analysis can help identify potential security events such as failed login attempts or unauthorized access to critical information.
By reviewing system logs, digital forensic investigators can uncover unusual actions that may have led to the security incident. They can, for example, look for indications of brute-force attacks, unauthorized access attempts, or changes to system settings that may have exposed vulnerabilities.
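To show what the log review described above looks like in practice, here is an added example (not part of the original paper) that scans constructed sshd entries in the traditional /var/log/auth.log layout for a brute-force run and for a login that was accepted from a source which had already failed repeatedly. The sample lines, host names, addresses and the failure threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from a real host), in the traditional
# /var/log/auth.log layout that Debian-style systems write.
SAMPLE_AUTH_LOG = """\
Oct 17 02:11:03 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 17 02:11:05 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 17 02:11:08 web01 sshd[4123]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 17 02:11:11 web01 sshd[4125]: Failed password for root from 203.0.113.5 port 51242 ssh2
Oct 17 02:11:14 web01 sshd[4127]: Failed password for root from 203.0.113.5 port 51244 ssh2
Oct 17 02:11:20 web01 sshd[4129]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Oct 17 09:30:41 web01 sshd[5210]: Failed password for eric from 198.51.100.7 port 40022 ssh2
Oct 17 09:30:49 web01 sshd[5210]: Accepted publickey for eric from 198.51.100.7 port 40022 ssh2
"""

# Timestamp, outcome, user and source address of each sshd authentication event.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_sshd_events(text):
    """Yield (timestamp, result, user, source_ip) for every matching line."""
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")

def brute_force_sources(text, threshold=5):
    """Return {source_ip: failures} for sources at or above the threshold."""
    failures = defaultdict(int)
    for _, result, _, src in parse_sshd_events(text):
        if result == "Failed":
            failures[src] += 1
    return {src: n for src, n in failures.items() if n >= threshold}

def successes_after_failures(text, threshold=5):
    """Flag logins accepted from a source that had already failed `threshold`
    or more times: the signature of a password-guessing run that finally worked."""
    failures = defaultdict(int)
    flagged = []
    for ts, result, user, src in parse_sshd_events(text):
        if result == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            flagged.append((ts, user, src, failures[src]))
    return flagged
```

On a live system the same functions can be fed the contents of /var/log/auth.log or the output of `journalctl -u ssh`, as long as the lines follow the classic syslog layout shown in the sample.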
Another essential artifact to gather is Bash history, which shows what commands were run on the system and by whom. Bash history is saved in the .bash_history file in each user's home directory. It can be used to follow a user's activities and discover any suspicious or malicious commands that were run. This data can be used to identify insider risks as well as externally perpetrated attacks.
By examining Bash history, digital forensic investigators can uncover any unusual or malicious behavior that may have contributed to the security incident. They can also detect attempts to conceal illicit activity, such as deleting Bash history files or running commands to wipe logs.
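As an added example (not from the original paper), the following parser walks a constructed .bash_history file and flags the concealment attempts the paragraph above mentions: disabling history and truncating or deleting log files. It also handles a detail worth knowing in an investigation: Bash only writes the `#<epoch>` timestamp lines when HISTTIMEFORMAT is set, so commands may or may not carry a time. The sample history and the pattern list are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample. The '#<epoch>' lines are what bash writes before each
# command when HISTTIMEFORMAT is set; without it the file has no timestamps.
SAMPLE_HISTORY = """\
#1697501400
ls -la /var/www
#1697501463
systemctl status nginx
#1697501520
unset HISTFILE
#1697501530
echo > /var/log/auth.log
#1697501540
rm -f ~/.bash_history
"""

# Commands that disable history or truncate/delete logs: evidence of concealment.
ANTI_FORENSIC_PATTERNS = [
    (re.compile(r"\bunset\s+HISTFILE\b"), "history disabled"),
    (re.compile(r"\bHISTSIZE=0\b"), "history disabled"),
    (re.compile(r"\bhistory\s+-c\b"), "history cleared"),
    (re.compile(r"\brm\b.*\.bash_history"), "history file deleted"),
    (re.compile(r"(?:^|\s)>\s*/var/log/"), "log file truncated"),
]

def parse_history(text):
    """Return [(datetime or None, command)], pairing each command with the
    '#<epoch>' line just before it when one exists."""
    entries, pending_ts = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"#(\d{9,10})", line)
        if m:
            pending_ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        if line.strip():
            entries.append((pending_ts, line))
            pending_ts = None
    return entries

def find_anti_forensic_commands(text):
    """Return [(iso_timestamp or None, command, reason)] for flagged commands."""
    hits = []
    for ts, cmd in parse_history(text):
        for pattern, reason in ANTI_FORENSIC_PATTERNS:
            if pattern.search(cmd):
                hits.append((ts.isoformat() if ts else None, cmd, reason))
                break
    return hits
```

Because Bash writes the file only when a shell exits cleanly, an empty or truncated history is itself worth noting alongside any flagged commands.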
Network activity can also be used to detect unusual behavior such as network scans and other potential security concerns. Netstat, tcpdump, and Wireshark are among the tools available on Linux for monitoring network activity. Analyzing network activity can help identify potential risks, such as malware infections or data exfiltration attempts. Network activity may also disclose the presence of unauthorized network devices or attempts to exploit system vulnerabilities.
Forensic investigators can analyze network activity data to pinpoint the source of a security event as well as any other devices or systems that may have been affected. They can also utilize this information to detect any attempts to exfiltrate data or conceal illegal activity.
Metadata in the filesystem can give essential information about file creation, modification, and access times. This information can be used to determine when and where a file was created or updated. Filesystem metadata is stored in the inode table, which holds information about every file and directory on the system. Filesystem metadata analysis can help detect unauthorized changes to vital system files or the presence of malicious software.
By studying filesystem metadata, digital forensic investigators can detect any unauthorized changes to system files or other crucial files that may have led to the security incident. They can also detect attempts to conceal illegal conduct, such as altering file timestamps or deleting files.
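To make the timestamp check above concrete, here is an added example (not part of the original paper) built on the inode fields the paragraph describes. A normal write updates mtime and ctime together, but a tool that resets mtime cannot set ctime, which the kernel always stamps with the current clock, so a file whose mtime is far older than its ctime has had its timestamp altered. The demo builds its own scratch directory, backdates one file the way `touch -d` would, and reports it; the file names and the one-hour skew are assumptions.

```python
import os
import tempfile
import time
from datetime import datetime, timezone

# A normal write updates mtime and ctime together. utime()/'touch' can set
# mtime to any value, but the kernel always stamps ctime with the current
# clock, so an mtime far older than ctime means the timestamp was altered
# after the content was written.

def _iso(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(timespec="seconds")

def suspicious_timestamps(root, skew=3600):
    """Walk `root` and return [(path, mtime_iso, ctime_iso)] for files whose
    mtime precedes ctime by more than `skew` seconds."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_ctime - st.st_mtime > skew:
                findings.append((path, _iso(st.st_mtime), _iso(st.st_ctime)))
    return findings

def build_demo_tree():
    """Construct a scratch directory holding one untouched file and one whose
    mtime was pushed back a year, as 'touch -d' would do. Returns its path."""
    root = tempfile.mkdtemp(prefix="fs-meta-demo-")
    normal = os.path.join(root, "motd")
    backdated = os.path.join(root, "sshd_config")
    for p in (normal, backdated):
        with open(p, "w") as fh:
            fh.write("constructed content\n")
    year_ago = time.time() - 365 * 86400
    os.utime(backdated, (year_ago, year_ago))  # resets atime/mtime, not ctime
    return root

def demo():
    """Names of the files in a fresh demo tree that fail the mtime/ctime check."""
    return [os.path.basename(p) for p, _, _ in suspicious_timestamps(build_demo_tree())]

if __name__ == "__main__":
    for path, mtime, ctime in suspicious_timestamps(build_demo_tree()):
        print(f"{path}: mtime {mtime} is older than ctime {ctime}")
```

Pointing `suspicious_timestamps` at a mounted forensic image (rather than the live root) keeps the examination from updating atime on the evidence itself.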
Memory analysis can reveal a lot about the present state of the system, such as running processes, network connections, and open files. It can be performed with tools such as Volatility or Rekall. By studying memory, investigators can uncover malware, rootkits, and other harmful software that may be running on the system. Memory analysis can also aid in the detection of unauthorized user activity or the presence of persistent threats.
Digital forensic investigators can use memory analysis to detect any malicious software that may have contributed to the security incident. They can also use this information to detect attempts to conceal illegal activity or the presence of malware.
It is also crucial to examine user activity. Investigators can obtain a record of all user logins and logouts with the 'last' command. Analyzing user activity can aid in the detection of suspicious conduct, such as users logging in at odd hours or from unfamiliar locations. User activity can also reveal potential insider risks, such as attempts to exfiltrate data or engage in other hostile behavior. By monitoring user activity, investigators can spot possible security incidents and take appropriate steps to limit their impact.
Finally, the 'sysctl' and 'lsmod' commands can be used to examine system configuration. Analyzing system configuration can help identify potential vulnerabilities or misconfigurations that attackers may exploit. System configuration can also be used to detect rootkits or other malicious software attempting to hide its presence on the system. By reviewing system configuration, investigators can identify potential attack vectors and take action to prevent future security incidents.
In conclusion, forensic artifacts generated by Linux systems can provide investigators with a wealth of information about user behavior, system events, and potential security vulnerabilities. Analyzing system logs, Bash history, network activity, filesystem metadata, memory, user activity, and system configuration helps investigators build a comprehensive picture of what happened on the system and identify potential threats. It is critical to underline that collecting and examining these artifacts requires specialized knowledge and skills and should be conducted only by trained investigators. Using forensic artifacts, investigators can identify potential security incidents, mitigate their impact, and prevent future intrusions.