Linux Forensics 101 | Infosec

Madhavan M
3 min read · Dec 17, 2019

Not all people are good-hearted or moral; some commit crimes against other people or against society. When that happens, it falls to the rest of us to see that the offender is held to account, both so that they understand their mistake and so that similar acts are deterred in future. In some circumstances the judicial system needs help from science to do this. That is where forensics comes into the picture.

In the digital era, crimes often take place inside digital boundaries, and in those situations we need digital forensics.

Digital forensics is the process of uncovering and interpreting electronic data. The goal is to preserve any evidence in its most original form while performing a structured investigation: collecting, identifying and validating the digital information in order to reconstruct past events.

Definition of digital forensics

Digital forensics itself has several branches: Windows forensics for investigating Windows-based systems, network forensics for investigating network traffic and devices, and so on. In this post I am going to briefly explain Linux forensics.

This is not an outright tutorial for Linux forensics.

Let’s get started!

Before moving to the actual analysis, we need to understand the acquisition steps that have to happen first. The basics I am going to describe here are listed below:

  • Disk Imaging
  • Memory Acquisition

Disk Imaging

Disk imaging refers to cloning or copying the contents of a storage device or medium onto another medium or device, so that the forensic work can be done on the copy without affecting the actual evidence.

There are plenty of both software and hardware tools available on the market for imaging.

But in Linux forensics the OS comes with a built-in program for disk imaging (Linux is awesome).

And that program is dd:

dd if=/dev/sda of=file.img        # low-level bit-by-bit copy

Here dd is the program, if= is the input file (the device to image) and of= is the output file (the image). Because dd reads the block device itself rather than the files on it, the result is a low-level bit-by-bit copy of everything on the device, including deleted files, slack space and unallocated areas that a normal file copy would miss. Two practical rules: never write the image onto the disk you are imaging, and hash both the device and the image (for example with sha256sum) so you can prove later that the copy matches the original.

Other tools for the job include Clonezilla, FOG and GParted.
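As an added example (not part of the original post), here is how I would wrap the dd command above in a small script that does the two things an examiner is later asked to prove: that the image was not written onto the evidence device, and that the image is bit-for-bit identical to the source. The tools are standard coreutils plus blockdev from util-linux; the function names and the pad-then-truncate step are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): forensic disk imaging with dd,
# with the two checks an examiner needs: the image is not written onto the
# evidence device, and the image hashes identically to the source.
# Assumes GNU/busybox coreutils (dd, sha256sum, stat, truncate, df, awk) and
# util-linux blockdev. Function names are this example's own.

# source_size PATH -> prints the size in bytes of a block device or a regular file.
source_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# image_disk SRC OUT
# Bit-for-bit copy of SRC (e.g. /dev/sda) to the image file OUT, then hash both.
# Writes OUT.sha256 (hash of the source, for later verification) and OUT.dd.log
# (dd's own report, including any read errors). Returns non-zero if the image
# would land on the evidence device, dd fails, or the hashes differ.
image_disk() {
    local src=$1 out=$2 size src_hash img_hash out_dev

    # Never image a disk onto itself. df reports the partition backing the output
    # directory (e.g. /dev/sda1); a prefix match catches every partition of SRC.
    out_dev=$(df -P "$(dirname "$out")" | awk 'NR==2{print $1}')
    if [ -b "$src" ]; then
        case $out_dev in
            "$src"*) echo "refusing: $out would be written onto $src" >&2; return 2 ;;
        esac
    fi

    size=$(source_size "$src")
    # Hash the evidence first so the copy can be proven against it.
    src_hash=$(sha256sum "$src" | awk '{print $1}')

    # conv=noerror,sync keeps going past unreadable sectors and zero-fills them so
    # every later byte stays at its true offset. The price is that the final
    # partial block is zero-padded to bs; truncating back to the source size
    # removes that padding so the image hashes identically to the source.
    # (With bs=4M one read error blanks 4 MiB; use a smaller bs or ddrescue on a failing disk.)
    dd if="$src" of="$out" bs=4M conv=noerror,sync 2>"$out.dd.log" || return 1
    truncate -s "$size" "$out"

    img_hash=$(sha256sum "$out" | awk '{print $1}')
    printf '%s  %s\n' "$src_hash" "$(basename "$out")" > "$out.sha256"
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash, image $img_hash" >&2
        return 1
    fi
    echo "imaged $src -> $out ($size bytes) sha256 $img_hash"
}

# verify_image OUT -> 0 if OUT still hashes to the value recorded at acquisition.
verify_image() {
    local recorded
    recorded=$(awk '{print $1; exit}' "$1.sha256")
    [ "$(sha256sum "$1" | awk '{print $1}')" = "$recorded" ]
}

# Usage: ./image.sh /dev/sdX /mnt/evidence/sdX.dd
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
fi
```

Run verify_image against the image before every analysis session; a changed hash means the copy is no longer the evidence you acquired.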

Memory Acquisition

Memory acquisition is the process of dumping (copying) the contents of volatile memory, i.e. RAM. Only RAM holds the state of the programs that were running while the system was in use, and it is lost at power-off, so when it comes to forensics it is crucial to capture memory before the machine is shut down.

A great deal of evidence sits in volatile memory: running processes, open network connections, loaded kernel modules and data that never touched the disk.

So, to acquire the data from RAM, we need special tools. The most famous tool for Linux memory acquisition is LiME (Linux Memory Extractor), a loadable kernel module.

Please follow the steps.

1. First, get LiME onto the suspect machine. Better still, build it on a clean system running the same kernel version and copy only the compiled module across, so that you change as little as possible on the evidence machine.

2. Compile LiME. Once it has been compiled, you will see the LiME loadable kernel object (a .ko file named after the kernel version it was built for):

make

3. Load the kernel object into the running kernel with insmod, passing the location where the memory image should be saved and the output format. The module will only load into the exact kernel it was built for. In practice, point path= at external storage rather than the suspect's own disk:

insmod lime-2.6.32-696.23.1.el6.x86_64.ko "path=/Linux64.mem format=lime"

4. Check that the module loaded successfully:

lsmod | grep -i lime

The second command that appeared here belongs to the analysis side: python vol.py --info | grep -i linux_ lists the Linux-specific plugins (linux_psscan and friends) that Volatility 2 offers, which is how you find the plugin name used in the next step.

5. Now imagine that you want to see the processes that were running at the time of the memory dump. Run the vol.py script, point it at the memory dump, give it the profile you created for this kernel (Volatility 2 needs a Linux profile built from the target kernel's System.map and debug symbols) and call the plugin you want:

python vol.py --file=/Linux64.mem --profile=LinuxCentos6-2632x64 linux_psscan
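The acquisition steps 1 to 4 above, as an added example that is not part of the original post or of the LiME project: a script that wraps insmod in the checks an examiner wants before loading anything into a suspect's kernel and after the dump lands. It assumes kmod (insmod, rmmod, lsmod, modinfo) and coreutils; the output path and all function names are this example's own. The header check relies on the LIME_MAGIC value 0x4C694D45 from LiME's lime.h, which appears on disk as the bytes "EMiL".

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the LiME project): the LiME steps
# wrapped in the pre-flight and post-acquisition checks an examiner wants.
# Assumes kmod (insmod, rmmod, lsmod, modinfo) and coreutils; the output path and
# all function names are this example's own.

# kernel_matches VERMAGIC UNAME_R
# A kernel module only loads into the exact kernel it was compiled for.
# `modinfo -F vermagic lime.ko` prints e.g. "5.15.0-91-generic SMP mod_unload modversions";
# its first word must equal `uname -r` on the target, otherwise insmod fails with
# "Invalid module format" and nothing is acquired.
kernel_matches() {
    local vermagic=$1 running=$2
    [ "${vermagic%% *}" = "$running" ]
}

# lime_header_ok FILE
# With format=lime every physical-memory range is preceded by a 32-byte header that
# starts with LIME_MAGIC 0x4C694D45 (little-endian bytes 45 4d 69 4c, i.e. "EMiL").
# A file that does not start with it is not a LiME image and Volatility will not parse it.
lime_header_ok() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "454d694c" ]
}

# same_filesystem A B -> true if both paths sit on the same mounted filesystem.
same_filesystem() {
    [ "$(df -P "$1" | awk 'NR==2{print $1}')" = "$(df -P "$2" | awk 'NR==2{print $1}')" ]
}

# acquire_memory LIME_KO OUT_FILE
# Loads LiME so that it writes all of RAM to OUT_FILE in lime format, verifies the
# result, hashes it and unloads the module. Needs root on the target machine.
acquire_memory() {
    local ko=$1 out=$2 running
    running=$(uname -r)

    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 2; }
    kernel_matches "$(modinfo -F vermagic "$ko")" "$running" \
        || { echo "$ko was not built for the running kernel $running" >&2; return 2; }
    # The dump is the size of RAM; writing it onto the suspect's own disk overwrites
    # unallocated space that is itself evidence. At minimum, refuse the root filesystem.
    if same_filesystem "$(dirname "$out")" /; then
        echo "$out is on the suspect's root filesystem; use external media" >&2
        return 2
    fi

    # Record the context of the acquisition next to the dump.
    { date -u +%Y-%m-%dT%H:%M:%SZ; uname -a; grep MemTotal /proc/meminfo; } > "$out.info"

    # LiME dumps memory inside its init routine, so insmod returns when the dump is complete.
    insmod "$ko" "path=$out format=lime" || return 1
    lsmod | grep -q '^lime ' || { echo "lime is not listed by lsmod" >&2; return 1; }

    lime_header_ok "$out" || { echo "$out does not start with a LiME header" >&2; return 1; }
    sha256sum "$out" > "$out.sha256"
    # Unload so the module is not left behind in the evidence machine's kernel.
    rmmod lime
    echo "acquired $out; $(cat "$out.sha256")"
}

# Usage: ./acquire.sh ./lime-$(uname -r).ko /mnt/usb/$(hostname).lime
if [ "$#" -eq 2 ]; then
    acquire_memory "$1" "$2"
fi
```

The kernel-version check is the one that saves the most time in practice: the vermagic string is read from the module itself, so a module built on the wrong machine is caught before it ever touches the target kernel.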

After dumping the memory we use tools like Volatility to analyse the dump; that will be covered in a separate blog post, so that's it for now.

Thank you

Leave your comments below
