CDS 341 SURVEY OF DIGITAL FORENSICS
LINUX SYSTEM COMMANDS AND FORENSICS ASSIGNMENT
Define the following terms:
Bootstrap Environment
Grand Unified Bootloader (GRUB)
Graphical User Interface (GUI)
Intrusion Detection System (IDS)
Journaling
Linux Directories
Linux Filesystems
Linux Loader (LILO)
Linux Shell
Identify each log and whether it is important to forensic investigations; if so, how:
/var/log/faillog
/var/log/kern.log
/var/log/lpr.log
/var/log/mail
/var/log/mysql.*
/var/log/apache2/*
/var/log/lighttpd/*
/var/log/apport.log
Intrusion detection system logs
Linux Shell Command Identification: What is the purpose of the following key Linux directories and the types of files they contain?
/dmesg
/pstree
/file
/root
/bin
/sbin
/etc
/etc/inittab
/dev
/mnt
/boot
/usr
/var
/var/spool
/proc
Of the above directories, answer the following:
Which directories are most likely to contain malware?
Which directories hold files that an attacker could modify to change application behavior?
Which directories hold files that an attacker could modify to change system behavior?
Which directories are most important to check when performing live analysis and before shutting down the system?
Solution
Definitions of the following terms:
Bootstrap Environment:
A bootstrap is the process of starting up a computer; the term also refers to the program that initializes the operating system (OS) during start-up. Bootstrapping means loading a set of instructions when a computer is first turned on or booted. During start-up, diagnostic tests such as the power-on self-test (POST) set or check device configurations and run routine tests of the connected peripherals, hardware and external memory devices. The bootloader (bootstrap program) is then loaded to initialize the OS.
Grand Unified Bootloader (GRUB)
GNU GRUB (GRand Unified Bootloader) is a boot loader package from the GNU Project, the free-software mass-collaboration project started in September 1983 by Richard Stallman at MIT. GNU GRUB lets the user choose to boot any one of multiple OSs installed on a computer system, and to write new boot sequences.
Graphical User Interface (GUI)
A graphical user interface (GUI) is an interface through which a user interacts with electronic devices such as computers, hand-held devices and other appliances. It uses icons, menus and other visual indicators (graphics) to display information and the related user controls, unlike text-based interfaces, where data and commands are presented as text. GUI elements are manipulated with a pointing device such as a mouse, trackball, stylus, or a finger on a touch screen.
The need for a GUI became apparent because the first human/computer interface was text-based: the user typed at a prompt (the DOS prompt, for example). Commands were typed on a keyboard at the DOS prompt to get a response from the computer. The use of these commands, and the need for exact spelling, made for a cumbersome and inefficient interface.
Intrusion Detection System (IDS)
An intrusion detection system (IDS) is a type of security software designed to automatically alert administrators when someone or something is trying to compromise an information system through malicious activity or security policy violations.
An IDS works by monitoring system activity: examining vulnerabilities in the system, checking the integrity of files, and analysing patterns based on already known attacks. It also automatically monitors the Internet for the latest threats that could result in a future attack.
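The file-integrity part of the definition above is the easiest to show concretely. The following is an added, constructed example (not material from the assignment and not any real IDS): it records a baseline of content hashes and permission bits for a directory tree, takes a second snapshot after some simulated tampering, and reports what was added, removed or modified. The sample tree and its contents are constructed inside the script.

```python
"""Minimal host-based file-integrity check of the kind an IDS performs:
record a baseline of content hashes and permission bits, take a later
snapshot, and report files that were added, removed or modified.
Added, constructed example; not the assignment's material or any real IDS."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (sha256 hex digest, permission bits) for every
    regular file under root. Symlinks and device nodes are skipped."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[os.path.relpath(full, root)] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Classify differences between two snapshots. A permission change alone
    counts as 'modified': a newly executable or setuid file matters as much
    as changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, content, mode=0o644):
    """Create or overwrite a file in the constructed tree with an explicit mode."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)
    os.chmod(full, mode)  # set explicitly so the result does not depend on umask
    return full


def demo():
    """Build a tiny constructed tree, baseline it, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated changes between the two snapshots (all constructed).
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/bash\nnewuser:x:0:0::/:/bin/sh\n")  # extra uid-0 entry
        os.chmod(os.path.join(root, "bin/ls"), 0o755)   # content intact, mode changed
        _write(root, "tmp/.hidden", b"dropped file")
        os.remove(os.path.join(root, "etc/hosts"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Real tools such as AIDE or Tripwire store the baseline off-host and also record owner, inode and timestamps; the principle is the same, and the baseline must be taken from a known-good state or it only certifies the compromise.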
Journaling
A journaling filesystem is a filesystem that maintains a special file called a journal, which is used to repair any inconsistencies that occur as the result of an improper shutdown of a computer. Such shutdowns are usually due to an interruption of the power supply or to a software problem that cannot be resolved without rebooting. A filesystem is a way of storing information on a computer that usually consists of a hierarchy of directories (also referred to as the directory tree) used to organize files. Each hard disk drive (HDD) or other storage device, as well as each partition (i.e., logically independent section of an HDD), can have a different type of filesystem if desired.
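To make the recovery mechanism concrete, here is an added, constructed toy (not part of the assignment and not a real filesystem): a key-value store that writes a "begin" record to a journal before touching its data file and a "commit" record afterwards. On the next start the journal is replayed: entries with a commit are applied, entries without one are discarded. The three crash points are simulated in code. For an investigator the same mechanism means a journal can hold records of writes that the main data area no longer shows.

```python
"""Toy journaled store showing how a journaling filesystem recovers from an
interrupted write. Every update is recorded in a journal before the main
data file is changed, so after a crash the journal is replayed: entries
with a commit record are applied, entries without one are discarded.
Added, constructed illustration; not a real filesystem."""
import json
import os
import tempfile


class JournaledStore:
    def __init__(self, directory):
        self.data_path = os.path.join(directory, "data.json")
        self.journal_path = os.path.join(directory, "journal.log")
        self.next_txid = 1
        self.data = {}
        if os.path.exists(self.data_path):
            with open(self.data_path) as f:
                self.data = json.load(f)
        # Recovery runs on every start, the way a journaling filesystem replays on mount.
        self.recovered = self._replay_journal()

    def _append_journal(self, record):
        with open(self.journal_path, "a") as f:
            f.write(json.dumps(record) + "\n")
            f.flush()
            os.fsync(f.fileno())  # the journal must be durable before the data changes

    def _checkpoint(self):
        """Write the data file atomically, then empty the journal."""
        tmp = self.data_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.data, f)
        os.replace(tmp, self.data_path)
        open(self.journal_path, "w").close()

    def _replay_journal(self):
        """Apply committed journal entries; return the txids that were recovered."""
        if not os.path.exists(self.journal_path):
            return []
        applied, pending = [], None
        with open(self.journal_path) as f:
            for line in f:
                rec = json.loads(line)
                if rec["type"] == "begin":
                    pending = rec  # any earlier uncommitted 'begin' is dropped here
                elif rec["type"] == "commit" and pending and rec["txid"] == pending["txid"]:
                    self.data[pending["key"]] = pending["value"]
                    applied.append(pending["txid"])
                    pending = None
        if applied:
            self._checkpoint()
        return applied

    def put(self, key, value, crash_at=None):
        """Store key=value. crash_at simulates power loss at a given point:
        'before_commit' (only the begin record reached the journal) or
        'after_commit' (journal complete, data file not yet updated)."""
        txid = self.next_txid
        self.next_txid += 1
        self._append_journal({"type": "begin", "txid": txid, "key": key, "value": value})
        if crash_at == "before_commit":
            return txid
        self._append_journal({"type": "commit", "txid": txid})
        if crash_at == "after_commit":
            return txid
        self.data[key] = value
        self._checkpoint()
        return txid


def crash_and_recover():
    """One clean write, one interrupted before commit, one interrupted after
    commit; then 'remount' the same directory and see what survives."""
    with tempfile.TemporaryDirectory() as d:
        store = JournaledStore(d)
        store.put("alpha", 1)
        store.put("beta", 2, crash_at="before_commit")
        store.put("gamma", 3, crash_at="after_commit")
        reopened = JournaledStore(d)  # simulates the reboot
        return reopened.data, reopened.recovered


if __name__ == "__main__":
    data, recovered = crash_and_recover()
    print("data after recovery:", data)
    print("transactions replayed from journal:", recovered)
```

After the simulated reboot, "alpha" is present because it was fully written, "gamma" is present only because its commit record let the replay finish the update, and "beta" is gone because its write never reached commit; the data file is never left half-written.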
Linux Directories
The term directory is used in a computer software context to refer to what appears to the user to be a container or folder that can hold files and other directories. Directories play a key role in hierarchical filesystems, which are fundamental to modern computer operating systems, by allowing directories and files to be grouped so that the filesystem is organized into a modular hierarchy. This gives the filesystem structure flexibility and depth; it also facilitates searching for data and adds to the robustness of data storage.
Linux Filesystems
The term filesystem has two somewhat different meanings, both of which are commonly used. This can be confusing to novices, but after a while the meaning is usually clear from the context. One meaning is the entire hierarchy of directories (also referred to as the directory tree) that is used to organize files on a computer system. On Linux and Unix, the directories start with the root directory (designated by a forward slash), which contains a series of subdirectories, each of which in turn contains further subdirectories, and so on.
A variant of this definition is the part of the entire hierarchy of directories, or of the directory tree, that is located on a single partition or disk. (A partition is a section of a hard disk that contains a single type of filesystem.)
The second meaning is the type of filesystem, that is, how the storage of data (files, folders, etc.) is organized on a computer disk (hard disk, floppy disk, CD-ROM, etc.) or on a partition of a hard disk. Each type of filesystem has its own rules for allocating disk space to files and for associating data about each file (its metadata) with that file, such as its filename, the directory in which it is located, its permissions and its creation date.
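The "one partition, one filesystem type" relationship is exactly what the kernel's mount table records. As an added, constructed example (not from the assignment; the mount table below is made up for the script and is not from any real host), the following parses lines in the /proc/mounts format (device, mount point, filesystem type, options, dump, pass), maps each partition to its filesystem type, and checks the mount options a forensic examiner cares about: whether an evidence volume is mounted read-only, and whether writable areas carry nodev/nosuid/noexec.

```python
"""Parse mount-table lines in the /proc/mounts format and report which
filesystem type each partition carries plus the security-relevant mount
options. SAMPLE_MOUNTS is constructed for this example."""
import re

# Constructed sample in /proc/mounts format (six whitespace-separated fields).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /boot ext2 rw,relatime 0 0
/dev/sdb1 /var ext4 rw,relatime 0 0
/dev/sdc1 /mnt/evidence ntfs ro,nosuid,nodev,noexec 0 0
/dev/sdd1 /mnt/usb\\040stick vfat rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

HARDENING_OPTIONS = ("nodev", "nosuid", "noexec")


def _unescape(field):
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return a list of dicts, one per mount, ignoring blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        entries.append({
            "device": _unescape(device),
            "mountpoint": _unescape(mountpoint),
            "fstype": fstype,
            "options": options.split(","),
        })
    return entries


def partition_filesystems(entries):
    """Map each block-device partition to the filesystem type it carries;
    pseudo-filesystems such as proc and tmpfs have no backing partition."""
    return {e["device"]: e["fstype"] for e in entries if e["device"].startswith("/dev/")}


def missing_hardening(entries, mountpoint):
    """Which of nodev/nosuid/noexec a mount point lacks (None if not mounted)."""
    for e in entries:
        if e["mountpoint"] == mountpoint:
            return [opt for opt in HARDENING_OPTIONS if opt not in e["options"]]
    return None


def is_read_only(entries, mountpoint):
    """True when the mount carries 'ro', the state an evidence volume should be in."""
    return any(e["mountpoint"] == mountpoint and "ro" in e["options"] for e in entries)


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for dev, fstype in partition_filesystems(mounts).items():
        print(f"{dev}: {fstype}")
    print("/tmp lacks:", missing_hardening(mounts, "/tmp"))
    print("/var lacks:", missing_hardening(mounts, "/var"))
    print("/mnt/evidence read-only:", is_read_only(mounts, "/mnt/evidence"))
```

On a live system the same parser can be pointed at the real /proc/mounts; the octal escaping matters there because a mount point containing a space would otherwise split into extra fields.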
LILO (LInux LOader)
LILO (LInux LOader) is a boot loader (a small program that manages a dual boot) for use with the Linux operating system. Most new computers ship with boot loaders for some version of Microsoft Windows or Mac OS. If a computer is to be used with Linux, a special boot loader must be installed. LILO is the most popular boot loader among users who employ Linux as their main, or only, operating system.
Linux Shell
Shell is the UNIX term for the interactive user interface to an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems the shell is called a command interpreter. A shell usually implies an interface with a command syntax (think of the DOS operating system, its "C:>" prompt and user commands such as "dir" and "edit").
As the outer layer of an operating system, the shell can be contrasted with the kernel, the operating system's innermost layer and core of services.
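The shell/kernel split described above can be shown in a few dozen lines. The following is an added, constructed example (not part of the assignment and not a real shell): it reads a command line, splits it into words under POSIX quoting rules, runs the two built-ins that must live inside the shell, and hands every other command to the kernel as an argv array with no second round of parsing. It does no variable, wildcard or pipeline expansion, which real shells perform before the exec.

```python
"""A minimal command interpreter showing what a shell does between the
user and the kernel: read a line, split it into words the way a POSIX shell
would, handle built-ins itself, and pass everything else to the kernel as
an argv array. Added, constructed example; not a real shell."""
import os
import shlex
import subprocess


def builtin_cd(args):
    """cd must be a built-in: a child process cannot change the parent's directory."""
    target = args[0] if args else os.path.expanduser("~")
    try:
        os.chdir(target)
    except OSError as exc:
        return 1, f"cd: {target}: {exc.strerror}\n"
    return 0, ""


def builtin_pwd(_args):
    return 0, os.getcwd() + "\n"


BUILTINS = {"cd": builtin_cd, "pwd": builtin_pwd}


def run_line(line):
    """Interpret one command line; return (exit status, captured output)."""
    try:
        words = shlex.split(line, comments=True)  # POSIX quoting rules, '#' comments
    except ValueError as exc:                      # e.g. an unterminated quote
        return 2, f"syntax error: {exc}\n"
    if not words:
        return 0, ""
    cmd, args = words[0], words[1:]
    if cmd in BUILTINS:
        return BUILTINS[cmd](args)
    try:
        # The word list goes to execve as-is. Because nothing re-parses it,
        # quotes inside an argument stay data; building a single command
        # string for a system shell to re-interpret is what makes that unsafe.
        proc = subprocess.run(words, capture_output=True, text=True)
    except FileNotFoundError:
        return 127, f"{cmd}: command not found\n"
    return proc.returncode, proc.stdout + proc.stderr


def repl():
    """Interactive loop: prompt, read, interpret, repeat; Ctrl-D exits."""
    while True:
        try:
            line = input(f"{os.getcwd()}$ ")
        except EOFError:
            print()
            return
        status, output = run_line(line)
        print(output, end="")
        if status:
            print(f"[exit {status}]")


if __name__ == "__main__":
    repl()
```

Run it and type `echo 'two  spaces'`: the quoted argument reaches echo intact, while `echo 'oops` is rejected by the interpreter before any process is created, and an unknown command returns 127 exactly as a real shell does.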