Fundamentals of Digital Forensics
5. Identification and analysis of information in Operating Systems
5.3. Analysis of Linux Based systems
Digital forensics of MS Windows operating systems is widely covered, through courses, scientific articles and newer media such as videos. Digital forensics of Linux operating systems is far less widespread, mainly because far fewer Linux systems are submitted for analysis.
File Systems
The standard filesystem on Linux is currently Ext4, although Linux supports many other filesystem types.
Linux file system | Date | Description
Ext | 1992 | Meaning "Extended file system", it was the first file system created for Linux, in 1992.
Ext2 | 1993 | Supported disks up to 2 TB and did not support journaling. Because it does not use journaling it can be used on USB sticks.
Ext3 | 1999 | Same as Ext2, but with the advantage of journaling.
Ext4 | 2006 | The current version of the Ext family. It has several advantages over its predecessors, such as reduced fragmentation and support for large files. Ext4 supports a maximum filesystem size of 1 EB (1 exabyte) and a maximum file size of 16 TB, and allows an unlimited number of subdirectories.
General considerations
- There is no central event log comparable to the one in Windows OS
- Information is scattered across many locations and must be collected from each of them
- The system file structure differs between distributions
The file and folder structure of the Linux system can be summarised as shown in Figure 67.
Figure 67 - Linux System File Structure
Source: The Linux Foundation – https://linuxfoundation.org/blog/classic-sysadmin-the-linux-filesystem-explained/
5.3.1. Points of Interest in Linux Systems
The analysis of user activity on Ubuntu Linux systems should follow a sequence of validations and information gathering, such as the one presented in Figure 68.
Figure 68 - Proposal for the collection of information on Linux
Autorun of programs running on the system:
Bear in mind that many programs are configured to start automatically at system startup. The information about the programs that should be run at startup is in the "/etc/rc.local" script.
Documents accessed:
The examiner can find out which documents have been accessed recently. The file containing this information is /home/user/.local/share/recently-used.xbel. The cat command can be used to view its contents. The .xbel file provides detailed information about the files accessed by the user, such as access and modification time.
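Reading the .xbel file with cat works, but the format is XML and is easier to review once parsed. The following Python example, added here and not part of the original text, parses a recently-used.xbel file and lists each document with its added, modified and visited timestamps, MIME type and the applications that opened it. The XML below is a constructed sample, not data from a real system; the real file lives at /home/<user>/.local/share/recently-used.xbel.

```python
"""Parse a recently-used.xbel file to list the documents a user opened.

Added example; the sample XML below is constructed, not taken from a real
system. Real files live at /home/<user>/.local/share/recently-used.xbel.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# Namespaces defined by the freedesktop.org desktop bookmark specification.
NS = {
    "bookmark": "http://www.freedesktop.org/standards/desktop-bookmarks",
    "mime": "http://www.freedesktop.org/standards/shared-mime-info",
}

# Constructed sample with two entries (one local document, one on removable media).
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/alice/Documents/Q1%20report.odt"
            added="2023-03-01T09:15:00.412330Z"
            modified="2023-03-02T17:40:12.009871Z"
            visited="2023-03-02T17:40:12.009871Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/vnd.oasis.opendocument.text"/>
        <bookmark:applications>
          <bookmark:application name="LibreOffice" exec="&apos;libreoffice %u&apos;"
                                modified="2023-03-02T17:40:12Z" count="3"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///media/alice/USBKEY/payroll.xlsx"
            added="2023-03-03T08:02:10Z"
            modified="2023-03-03T08:02:10Z"
            visited="2023-03-03T08:02:10Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/>
        <bookmark:applications>
          <bookmark:application name="gnumeric" exec="&apos;gnumeric %u&apos;"
                                modified="2023-03-03T08:02:10Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
</xbel>
"""


def _parse_ts(value):
    """Convert an XBEL timestamp (ISO 8601 with trailing Z) to an aware UTC datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_recently_used(xml_text):
    """Return one dict per <bookmark> element, most recently visited first."""
    root = ET.fromstring(xml_text)
    entries = []
    for bm in root.findall("bookmark"):
        href = bm.get("href", "")
        # Decode file:// URIs (percent-encoded) into plain filesystem paths.
        path = unquote(urlparse(href).path) if href.startswith("file://") else href
        mime = bm.find(".//mime:mime-type", NS)
        apps = [
            (app.get("name"), int(app.get("count", "0")))
            for app in bm.findall(".//bookmark:application", NS)
        ]
        entries.append({
            "path": path,
            "added": _parse_ts(bm.get("added")),
            "modified": _parse_ts(bm.get("modified")),
            "visited": _parse_ts(bm.get("visited")),
            "mime": mime.get("type") if mime is not None else None,
            "apps": apps,
        })
    # Newest visit first; entries without a visited attribute sort last.
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    entries.sort(key=lambda e: e["visited"] or epoch, reverse=True)
    return entries


if __name__ == "__main__":
    for e in parse_recently_used(SAMPLE_XBEL):
        print(e["visited"], e["path"], e["mime"], e["apps"])
```

Note that the file records paths on removable media (here the constructed /media/alice/USBKEY entry) even after the device is gone, which makes it a useful cross-reference against the device information in /var/log/syslog.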
Installed Applications:
Application binaries are in the folder /usr/bin and the libraries needed by the applications are in the folder /usr/lib. The list of applications can be obtained with the command ls -l /usr/bin/, whose output shows permissions, size and file timestamps, from which the installation date can be inferred.
Network information:
Ubuntu keeps a list of the networks connected to the system in: /etc/NetworkManager/system-connections
The file /var/log/syslog provides the date and time when a network connection was established.
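The profiles in /etc/NetworkManager/system-connections are INI-style keyfiles, one per network, readable only by root. The Python example below, added here and not part of the original text, parses such keyfiles and reports each network's name, type, SSID and the timestamp of its last successful connection, so the examiner can build a timeline without opening each file by hand. The two keyfiles are constructed samples; the file names, UUIDs and timestamps are invented, and the pre-shared key is a placeholder, which the parser deliberately does not output.

```python
"""List the networks a host has joined from NetworkManager keyfiles.

Added example, not from the original text; the keyfile contents below are
constructed. Real profiles live in /etc/NetworkManager/system-connections/.
The [connection] timestamp key holds the epoch time of the last successful
activation of that profile.
"""
import configparser
from datetime import datetime, timezone

# Constructed keyfiles, keyed by file name as they would appear in the directory.
SAMPLE_CONNECTIONS = {
    "Office-WiFi.nmconnection": """[connection]
id=Office-WiFi
uuid=1f7c3a9e-2b4d-4c5e-8a6f-0123456789ab
type=wifi
timestamp=1677754812
permissions=

[wifi]
mode=infrastructure
ssid=Office-WiFi

[wifi-security]
key-mgmt=wpa-psk
psk=PLACEHOLDER-NOT-A-REAL-KEY

[ipv4]
method=auto
""",
    "Wired connection 1.nmconnection": """[connection]
id=Wired connection 1
uuid=9e0b5d2c-7a1f-4f3e-b2c4-fedcba987654
type=ethernet
autoconnect-priority=-999
timestamp=1677829200

[ethernet]

[ipv4]
method=auto
""",
}


def parse_keyfile(text):
    """Extract the forensically relevant fields from one keyfile.

    Secrets such as [wifi-security] psk are intentionally not returned.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keyfile keys are case-sensitive
    cp.read_string(text)
    conn = cp["connection"] if cp.has_section("connection") else {}
    ts = conn.get("timestamp")
    last = datetime.fromtimestamp(int(ts), tz=timezone.utc) if ts else None
    ssid = cp["wifi"].get("ssid") if cp.has_section("wifi") else None
    return {
        "id": conn.get("id"),
        "uuid": conn.get("uuid"),
        "type": conn.get("type"),
        "ssid": ssid,
        "last_connected": last,
    }


def list_connections(files):
    """Parse a {filename: text} mapping and order profiles by last connection."""
    rows = []
    for name, text in files.items():
        row = parse_keyfile(text)
        row["file"] = name
        rows.append(row)
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    rows.sort(key=lambda r: r["last_connected"] or epoch, reverse=True)
    return rows


if __name__ == "__main__":
    for r in list_connections(SAMPLE_CONNECTIONS):
        print(r["last_connected"], r["type"], r["id"], r["ssid"], r["file"])
```

The last-connected timestamps recovered here can be checked against the connection events the page locates in /var/log/syslog; a profile whose timestamp has no matching syslog entry is worth a closer look.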
Connected equipment:
The /dev directory provides information about the hardware connected to the system.
The file /var/log/syslog also has information about the devices that have been connected to the system.
Last login and activity of the user:
The information about the last login can be obtained from /var/log/lastlog.
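/var/log/lastlog is a binary file, so cat is of little use; it holds one fixed-size record per UID, located at offset UID times the record size, and only the most recent login of each user. The Python example below, added here and not part of the original text, decodes the file and maps UIDs back to user names via /etc/passwd. It assumes the glibc record layout on x86_64 (a 32-bit login time, a 32-byte terminal name and a 256-byte host name, 292 bytes in total); images from other architectures may need a different struct format. The lastlog bytes and passwd lines are constructed samples.

```python
"""Decode /var/log/lastlog records (constructed sample bytes below).

Added example, not from the original text. Assumes the glibc x86_64 layout:
    int32 ll_time; char ll_line[32]; char ll_host[256]   -> 292 bytes/record
The record at offset uid * 292 belongs to that UID; all-zero records mean the
user has never logged in. Other architectures may use a different layout.
"""
import struct
from datetime import datetime, timezone

LASTLOG_FMT = "<i32s256s"                   # little-endian, x86_64 layout
RECORD_SIZE = struct.calcsize(LASTLOG_FMT)  # 292


def _pack(ts, line, host):
    """Build one lastlog record (struct.pack null-pads the fixed-size strings)."""
    return struct.pack(LASTLOG_FMT, ts, line.encode(), host.encode())


# Constructed sample: UIDs 0..999 never logged in, UID 1000 logged in remotely
# on pts/0, UID 1001 logged in locally on tty1.
SAMPLE_LASTLOG = (
    _pack(0, "", "") * 1000
    + _pack(1677754812, "pts/0", "10.0.0.23")
    + _pack(1677829200, "tty1", "")
)

# Constructed /etc/passwd content used to resolve UIDs to names.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""


def uid_names(passwd_text):
    """Return a {uid: username} mapping from /etc/passwd text."""
    names = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            names[int(fields[2])] = fields[0]
    return names


def _cstr(raw):
    """Decode a null-padded C string field."""
    return raw.split(b"\0", 1)[0].decode(errors="replace")


def parse_lastlog(data, names=None):
    """Return (uid, user, login_time, line, host) for every non-empty record."""
    names = names or {}
    if len(data) % RECORD_SIZE:
        raise ValueError("lastlog length is not a multiple of the record size")
    rows = []
    for uid in range(len(data) // RECORD_SIZE):
        ts, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * RECORD_SIZE)
        if ts == 0:
            continue  # never written: this UID has no recorded login
        rows.append((
            uid,
            names.get(uid, f"uid={uid}"),
            datetime.fromtimestamp(ts, tz=timezone.utc),
            _cstr(line),
            _cstr(host),
        ))
    return rows


if __name__ == "__main__":
    for row in parse_lastlog(SAMPLE_LASTLOG, uid_names(SAMPLE_PASSWD)):
        print(*row)
```

Because each UID has exactly one slot, lastlog answers "when did this user last log in and from where" but not "how often"; an empty host field, as for the constructed tty1 record, indicates a local console login.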
Internet browsing activity:
We present the location of the folders holding browsing history for two of the main browsers used on Linux (Figure 69 and Figure 70). Once these contents have been extracted, they can be analysed in the same way as on Windows.
Firefox Browser
Figure 69 - Firefox Browser Information Location
Google Chrome
Figure 70 - Google Chrome browser information location