Linux Forensics Part 1

Linux is an open source operating system created by Linus Torvalds in 1991. It exists in numerous distributions like Ubuntu, Debian, and Kali Linux. The Linux kernel powers many servers, supercomputers, and embedded systems. Forensically analyzing a Linux system involves examining artifacts found in directories like /home, /etc, and /var/log for evidence like user profiles, system logs, installed applications, and login histories. The default Linux file system is EXT4, which stores file metadata in inodes to track file data locations.


CHAPTER 3

Linux Forensics
Linux is a UNIX-like open source operating system gifted to the world by Linus Torvalds.
Here the word open source sticks out as it refers to the licensing nature of Linux. Being
open source means that Linux is free and not owned by anyone. The source code is
available to download and use for the public. Linux stays free as it is distributed under
a GNU General Public License (GPL). This makes Linux a popular choice for computer
enthusiasts and developers. Linux is a fast and secure alternative to other operating
systems.
In 1991, Torvalds was a college student in Helsinki, Finland where he was working
on creating his own operating system. What he developed was the Linux kernel, which
is the core of Linux. He uploaded his work on to the internet, and coding enthusiasts all
over the world kept adding their inputs to it; this sparked the community-driven Linux
operating system.
Linux is a crucial part of the IT industry; it powers most of the supercomputers
around the world, which are used in meteorology, statistics, and advanced computing.
Linux comes in numerous different versions called distributions: for example,
Ubuntu, Debian, Fedora, SUSE, etc. Developers use the Linux kernel to create purpose-
specific distributions, which are configured to carry out particular tasks. For example,
Debian is ideal for servers; Santoku is ideal for mobile forensics; Ubuntu, which is a
derivative of Debian, is also a popular choice for servers, cloud computing, and mobile
devices running Ubuntu Linux; and Kali Linux, DEFT, Parrot, etc., are ideal choices for
penetration testing and digital forensic analysis.
Linux systems were earlier associated with black screens, command-line working,
and dull desktops. This is a big misconception; Linux systems are modern with state-of-
the-art GUI and customizable desktops. Linux still has the Terminal at its core, which
most users use to input and execute commands, but modern systems have an equally
capable GUI and other tools, which allow users to operate a Linux system with total ease.

© Niranjan Reddy 2019
N. Reddy, Practical Cyber Forensics, https://doi.org/10.1007/978-1-4842-4460-9_3

Popular Linux Distributions
Linux has come a long way from being a command-line interface to having a Graphical
user interface and a user-friendly desktop environment. Linux systems come with lots of
open source and free tools to enhance the user experience. Here is a list of a few popular
Linux Distributions that are commonly used.

Red Hat Linux
Red Hat Linux is the commercial version of the Linux distribution used extensively by
large corporations, banks, and offices. Red Hat is associated with powering most of the
Fortune 500 companies in their daily operations.

Ubuntu
Developed and maintained by Canonical, Ubuntu is one of the most popular Linux
distributions among home users and professionals. Ubuntu has been revolutionary
in promoting Linux among non-Linux users with its attractive features and strong
performance. Many other Linux distributions are based on Ubuntu.

Fedora
Fedora is a Linux distribution sponsored by Red Hat and developed by the community-
supported Fedora Project. It contains various free and open source software and aims to
be on the leading edge of such technologies.

Debian
Debian is a Unix-like operating system, started by Ian Murdock on August 16, 1993. It is
one of the earliest operating systems based on Linux Kernel and officially contains only
free software. Any non-free software can be downloaded and installed from the Debian
repositories. Debian has the largest collection of software in the world, with online
repositories that contain over 51,000 packages.


SUSE
SUSE is a Unix-based operating system built on top of the free and open source Linux
kernel. SUSE Linux is an acronym of “Software and System-Entwicklung” (software and
systems development). It is of German origin, and it was mainly developed in Europe.
The first version appeared in early 1994, making it one of the oldest Linux distributions.

Mint
Mint is a Debian- and Ubuntu-based Linux distribution, which aims to provide its users
with a modern, elegant, and comfortable operating system.

Arch Linux
Arch is an independently developed Linux distribution, which is aimed at providing
users a simple and minimalist environment for computing.

Linux Lite
Linux Lite is a free operating system based on Debian and Ubuntu, and it uses Xfce,
which is a lightweight desktop environment. Xfce is similar to the Windows interface, and
therefore Linux Lite is a preferred choice for users who want to switch from Windows to
Linux. It comes with lots of preinstalled applications like Dropbox, VLC, LibreOffice, etc.

File System
Linux supports many file system formats, but the default file system for modern Linux
systems is EXT4. EXT4 is the successor of the EXT2 and EXT3 file systems, and it
offers improved performance, reliability, and capacity. Improvements include metadata
and journal checksums, which improve reliability.
Another upgrade in EXT4 is the introduction of extents. Extents allow a more
efficient way to map blocks of data together. It groups contiguous blocks together by
performing multiblock allocation at the time of file creation. This reserves a group of
inodes together. Whenever a file is created or saved, it gets indexed by a number, or
inode. Each inode carries multiple attributes, which form the file's metadata. The EXT4
file system and inode structure are shown in Figures 3-1 and 3-2.
When a file is deleted in EXT4, the inode is unlinked from the file name. However,
the metadata stays in the system as long as the inode is still linked to other file names;
once all the links are removed, the metadata is lost.
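To make the inode and link behaviour described above concrete, here is an added Python example (not code from the book) that creates a file with two names (hard links) in a temporary directory, reads the inode attributes with stat, and records what happens when each name is unlinked. The file names and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile


def inode_metadata(path):
    """Return the inode attributes an examiner reads with stat(2)."""
    st = os.stat(path)
    return {
        "inode": st.st_ino,
        "links": st.st_nlink,            # directory entries pointing at this inode
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "atime": st.st_atime,            # last access
        "mtime": st.st_mtime,            # last content modification
        "ctime": st.st_ctime,            # last inode change (not creation time)
    }


def unlink_demo(directory):
    """Create a file with two names in `directory` and record what stat
    reports at each step of deletion."""
    original = os.path.join(directory, "evidence.txt")     # constructed name
    alias = os.path.join(directory, "evidence-link.txt")   # constructed name
    with open(original, "w") as fh:
        fh.write("constructed sample content\n")
    os.link(original, alias)                  # second directory entry, same inode

    before = inode_metadata(original)
    os.unlink(original)                       # remove the first name only
    after_first = inode_metadata(alias)       # inode is still reachable via the alias
    os.unlink(alias)                          # remove the last name
    return {
        "same_inode": before["inode"] == after_first["inode"],
        "links_before": before["links"],
        "links_after_first_unlink": after_first["links"],
        "size_preserved": before["size"] == after_first["size"],
        "exists_after_last_unlink": os.path.exists(alias),
    }


def run_demo():
    """Run the demonstration in a throwaway directory and return the findings."""
    with tempfile.TemporaryDirectory() as workdir:
        return unlink_demo(workdir)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The link count reported by stat is the number of names that still point at the inode; while it is above zero the size, owner and timestamps remain readable through any surviving name. Capturing stat output during live triage therefore preserves metadata that name-based tools can no longer reach once the last link is gone.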

Figure 3-1. Inode structure in EXT4 file system

Figure 3-2. The inode stores information about each file and enables the EXT file
system to locate all of the data belonging to it


Forensic Process for Linux Systems

A forensic investigator will follow the same protocol for the forensic examination of a
Linux system as for Windows. Linux and Windows both have volatile and nonvolatile
evidence, and when it comes to open source tools, most of them are multiplatform. The
approach differs slightly because the artifacts are located in different places, and
different tools will be required to obtain them.

Forensic Artifacts
Just like Windows, Linux systems contain important artifacts that have high forensic
significance. There are similar artifacts such as user files, timestamps, log files,
network logs, information files, system configuration files, etc. Following is a list of
important directories in Linux.

Directory   Description
/bin        The essential command binaries
/boot       Files required for the system bootloader
/dev        Device files
/etc        System configuration files
/home       Home directories
/lib        Shared libraries and kernel modules
/media      Mount points for removable media
/opt        Add-on application packages
/root       Root user home directory
/sbin       System binaries
/tmp        Temporary files
/var/log    Centralized repository of log files

These locations hold important files related to the system and its users. Cyber forensics
experts need to examine these locations and the data they house.


Special Artifacts
Having covered the important directories, we now look at the artifacts within them that
serve as key evidence in any audit or cyber forensics investigation.

Artifact                        Location
User profile                    /home/$USER
System and application logs     /etc
Operating system information    /etc/os-release
Operating system install        /root/install.log
Host/computer name              /etc/hostname
IP address, DNS                 /var/log
Time zone information           /etc/timezone
User login history              /var/log/auth.log
Recently accessed files         /home/username/.local/share/recently-used.xbel
Command history                 $HOME/.bash_history
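As an added example (not code from the book), the following Python script parses the on-disk formats of three of the artifacts listed above: the KEY=VALUE layout of /etc/os-release, SSH login attempts and sudo commands in /var/log/auth.log, and the XBEL bookmarks in recently-used.xbel. All sample inputs are constructed inline so the script runs offline; on a live system the same functions would be fed the contents of the real files at the paths in the table.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# --- constructed sample artifacts (not taken from any real system) ---
SAMPLE_OS_RELEASE = '''NAME="Ubuntu"
VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
'''

SAMPLE_AUTH_LOG = '''Mar  4 09:12:01 host1 sshd[1201]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Mar  4 09:15:33 host1 sshd[1220]: Failed password for invalid user admin from 198.51.100.7 port 41004 ssh2
Mar  4 09:15:35 host1 sshd[1220]: Failed password for invalid user admin from 198.51.100.7 port 41004 ssh2
Mar  4 09:20:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  4 09:21:00 host1 sshd[1235]: Accepted publickey for bob from 192.0.2.11 port 50200 ssh2: RSA SHA256:abc
'''

SAMPLE_XBEL = '''<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0" xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks">
  <bookmark href="file:///home/alice/Documents/plan.odt" added="2019-03-04T08:55:12Z" modified="2019-03-04T09:02:40Z" visited="2019-03-04T09:02:40Z"/>
  <bookmark href="file:///home/alice/Downloads/tool.tar.gz" added="2019-03-04T09:18:02Z" modified="2019-03-04T09:18:02Z" visited="2019-03-04T09:18:02Z"/>
</xbel>
'''


def parse_os_release(text):
    """/etc/os-release uses shell-style KEY=VALUE lines; shlex strips the quoting."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key] = "".join(shlex.split(value)) if value else ""
    return info


# syslog timestamp, host, then the sshd / sudo message bodies
SSH_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
SUDO_CMD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$"
)


def parse_auth_log(text):
    """Extract SSH login attempts and sudo commands from auth.log lines."""
    logins, sudo = [], []
    for line in text.splitlines():
        m = SSH_LOGIN.match(line)
        if m:
            logins.append(m.groupdict())
            continue
        m = SUDO_CMD.match(line)
        if m:
            sudo.append(m.groupdict())
    return logins, sudo


def failed_logins_by_ip(logins):
    """Count failed attempts per source address, a quick brute-force indicator."""
    counts = {}
    for entry in logins:
        if entry["result"] == "Failed":
            counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return counts


def parse_recently_used(xml_text):
    """recently-used.xbel is XBEL XML; each <bookmark> carries href and timestamps."""
    root = ET.fromstring(xml_text)
    return [
        {"href": b.get("href"), "modified": b.get("modified"), "visited": b.get("visited")}
        for b in root.iter("bookmark")
    ]


if __name__ == "__main__":
    print(parse_os_release(SAMPLE_OS_RELEASE)["PRETTY_NAME"])
    logins, sudo = parse_auth_log(SAMPLE_AUTH_LOG)
    print(failed_logins_by_ip(logins), [s["cmd"] for s in sudo])
    print([r["href"] for r in parse_recently_used(SAMPLE_XBEL)])
```

The regular expressions cover the classic syslog-style lines written by OpenSSH and sudo; distributions that log through journald only, or that use a different date format, would need the timestamp pattern adjusted. The XBEL timestamps are UTC, so they should be compared against /etc/timezone before being placed on a local timeline.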

An important thing to address is the fact that, as most Linux systems are used for a
special purpose such as a server, back-end support, or cloud server, they are vulnerable to
malware attacks due to the following reasons:
1. Flaws in protocol designs or lacking security checks within the
source code.
2. Programming defects and misconfigurations resulting in security
vulnerability.
3. Lack of patch management.
4. Outdated third-party applications such as Apache, MySQL,
OpenSSL, etc.
5. Most of the software packages come with default configurations;
and while most of the settings are functional, some of them might
negatively impact security measures.