Summary
This module covers manual techniques for investigating system activity and events on Linux operating systems, using the wide variety of logs and other artifacts the system leaves behind.
In this module, we will cover:
- Linux Persistence
- Linux Logging
- Systemd Journal
- Auditd
- Linux Memory Images
- Volatility 3 with Plugins
- Network & Process Forensics
- History & File Modifications
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the target host provided in the interactive sections or your virtual machine.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Medium" but assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Linux Fundamentals
- Introduction to Digital Forensics
- Introduction to Networking
Introduction to Linux Forensics
Digital forensics is the process of collecting, preserving, and analyzing digital evidence to reconstruct events related to security incidents, crimes, or anomalies. It involves examining components of the operating system such as files, logs, memory, and network activity to identify signs of unauthorized access, malware, data exfiltration, or other malicious behavior. In this module, we focus explicitly on the Linux operating system.
Unlike general system administration, forensics emphasizes chain of custody, ensuring evidence is handled in a way that's admissible in legal contexts if needed. In essence, it's like performing an autopsy on a computer. You methodically dissect the system to find traces of what went wrong, without altering the evidence in the process.
The forensics process consists of several phases:
| Phase | Description |
|---|---|
| Preparation | In this phase, we plan everything necessary for the investigation, including tools, procedures, and documentation to ensure evidence handling meets standards. |
| Identification | At this point, potential sources of evidence, such as system logs or storage devices, are located to understand the scope of the incident. |
| Collection | Then, we start collecting all the necessary information. This involves gathering data in a way that maintains its original state, avoiding any alterations that could compromise reliability. |
| Preservation | Once collected, the data is secured to prevent tampering, often through methods that create verifiable copies. |
| Examination | In this stage, the data is carefully reviewed to extract relevant details about the incident. |
| Analysis | The extracted information is interpreted to reconstruct timelines and determine causes. |
| Reporting | Findings are documented clearly, with explanations of methods and conclusions. |
| Presentation | The final phase is used to share the results with involved parties, address questions, and recommend improvements. |
Digital forensics is applied in many different scenarios. Most commonly it is used to investigate and respond to security incidents, typically after an alert from monitoring tools, a reported breach, or a routine security check. Common triggers include anomalous log entries, unexpected system crashes, or intrusion detection system (IDS) alerts.
This includes detecting intrusions, analyzing malware infections, tracing insider threats, and auditing compliance violations. For example, if a server shows unusual outbound traffic, forensics can help determine whether it is a data breach or just a misconfiguration. It is also employed in post-incident recovery to understand attack vectors and prevent future occurrences.
Beyond security, it supports legal investigations, such as gathering evidence for court cases involving cybercrime, and internal audits that verify employee activity. In penetration testing contexts, forensic techniques can be applied post-exploitation to analyze how far an attacker could get, or to clean up after a simulated attack.
Forensic Arsenal
For Linux operating systems, many specialized digital forensics tools are available, most of them open-source and command-line based. These include, but are not limited to:
- Sleuth Kit and Autopsy: For file system analysis. Autopsy provides a GUI for timeline views and artifact extraction.
- Auditd: Built-in Linux auditing tool for tracking system calls and file changes in real time.
- Sysdig or Falco: For capturing system activity, including processes and network traffic.
- Wireshark or tcpdump: For network forensics to inspect packet captures.
- dd or dc3dd: For creating forensic images of disks; dc3dd hashes the data in the same pass it copies it. Note that dd against /dev/mem no longer works for memory acquisition on most modern kernels (CONFIG_STRICT_DEVMEM restricts it); memory is captured with a dedicated tool such as AVML, covered later in this module.
- strings, grep, and timeline tools like log2timeline: For parsing logs and creating event timelines.
The tools that we will work with in this module are:
| Tool |
|---|
| Systemd Journal |
| Auditd |
| SysmonForLinux |
| AVML |
| Volatility 3 |
These tools can be run on a live system or against forensic images; working from a verified image avoids altering the original evidence. In Linux forensics, we investigate a wide range of artifacts that could indicate compromise or unusual activity. Essentially, anything that leaves a digital footprint, from a modified configuration file to a persistent backdoor, is fair game. This can include:
- Logs: System logs (/var/log/), authentication attempts, and kernel messages to spot failed logins or privilege escalations.
- Memory: Running processes, open files, and network sockets for signs of malware or hidden connections.
- File System: Timestamps (MACB times: modified, accessed, changed, birth), deleted files, and hidden directories for evidence of tampering.
- Processes and Users: Active sessions, cron jobs, and bash history to trace user actions.
- Network Activity: Open ports, connections, and packet data to detect exfiltration or command-and-control traffic.
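The Logs item above, worked through as an added example that is not part of the module: triage sshd authentication lines for password brute-forcing, counting failed attempts per source address and then flagging any source that failed repeatedly and afterwards got an Accepted login. The log lines are constructed for the example in the syslog format sshd writes to /var/log/auth.log (Debian) or /var/log/secure (RHEL); the function names and the threshold argument are this example's own.

```shell
#!/bin/sh
# Added example: failed-login triage over auth.log-style sshd lines with awk.
# The sample is constructed; on a real host feed in /var/log/auth.log,
# /var/log/secure, or: journalctl -u ssh -o short-iso --no-pager

SAMPLE_AUTH_LOG='Mar  3 10:01:12 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:14 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Mar  3 10:01:15 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar  3 10:01:17 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51028 ssh2
Mar  3 10:01:20 web01 sshd[2209]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Mar  3 10:02:01 web01 sshd[2211]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Mar  3 10:02:30 web01 sshd[2213]: Accepted publickey for alice from 198.51.100.7 port 40124 ssh2
Mar  3 10:05:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash'

# failed_by_source THRESHOLD
#   Read log lines on stdin; print "count ip" for every source with at least
#   THRESHOLD failed password attempts, most active source first.
#   The IP is taken as the field after "from", so "invalid user" lines
#   (where the user name shifts the fields) are counted correctly.
failed_by_source() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# successes_after_failures THRESHOLD
#   Read log lines on stdin; print "ip user" for each Accepted login from a
#   source that had already failed at least THRESHOLD times. This is the
#   footprint a successful brute force leaves and the first thing to pivot
#   on (that user, that time window, that source) in the rest of the logs.
successes_after_failures() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if ((ip in failed) && failed[ip] >= t) print ip, user
        }
    '
}

# Usage:
#   printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source 3
#   printf '%s\n' "$SAMPLE_AUTH_LOG" | successes_after_failures 3
#   journalctl -u ssh --no-pager | successes_after_failures 10
```

Keep the threshold low when triaging a single host and raise it when sweeping a fleet; alice's one typo followed by a key login is normal, while four failures and then an accepted password for root from the same address within eight seconds is not.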
Ultimately, digital forensics tries to reconstruct incidents to inform response, recovery, and prevention. It turns raw data into actionable insights, such as identifying the root cause of a breach or attributing actions to a specific actor. This supports everything from patching vulnerabilities to legal proceedings, making it a cornerstone of cybersecurity incident management.
Working with Timelines
Creating timelines can become difficult, especially when the time window spans weeks or months. Several resources and tools can help with this, including but not limited to: