Unit 4 - Linux Forensics

Uploaded by tony.ehacker

LINUX FORENSICS - UNIT 4

Linux OS Architecture, File System Analysis: Understanding and Analyzing EXT
File System, Recreating EXT Partitions, Analyzing Unallocated Partitions. Log
Analysis: Understanding Various Logs, Analyzing Important Logs to Find
Important Artefacts Related to User Activities, User/Application Configurations
and Preferences; Attached Devices, Shared Locations, Recently Accessed
Documents, Programs and Locations; Installed Applications.

1. Linux OS Architecture

The Linux operating system is built on a modular architecture consisting of
several layers. Each layer plays a critical role in how the OS functions, from the
hardware level up to the user interaction level. Here’s a detailed breakdown of
the Linux architecture:

a. Hardware Layer:

 This is the physical layer consisting of CPU, memory, storage devices,
network interfaces, and other peripherals. Linux interacts with the
hardware through device drivers, which translate between the kernel's
generic requests and the command format each device understands.

b. Kernel Layer:

 The kernel is the core of the Linux OS and is responsible for managing
system resources, such as CPU scheduling, memory management, file
systems, and device control.
o Process Management: The kernel manages all running processes,
their scheduling, and allocation of CPU time.
o Memory Management: Handles allocation and deallocation of
memory, virtual memory management, and paging.
o File System Management: The kernel controls access to files,
manages file storage, retrieval, and modification, and handles file
system integrity.
o Device Management: Through device drivers, the kernel
communicates with the hardware, such as disk drives,
input/output devices, etc.
o Networking: The kernel manages network interfaces and the data
packets that flow through them.

c. System Call Interface (User Space):

 This provides a communication layer between the user-level applications
and the kernel. Applications make system calls to request services from
the kernel, such as creating processes, opening files, or allocating
memory.

d. User Applications:

 These are programs like text editors, web browsers, and user-specific
applications that run in user space. They interact with the kernel
through system calls.

e. Shell:

 The shell is the user interface that allows users to interact with the
system. It interprets commands typed by the user and translates them
into actions the system can perform. Common shells include bash, sh,
and zsh.

2. File System Analysis: Understanding and Analyzing EXT File System

The EXT (Extended File System) is a family of file systems widely used in Linux
distributions, including EXT2, EXT3, and EXT4. Here’s a detailed breakdown of
these file systems:

a. Structure of the EXT File System:

 Superblock: Contains important metadata about the file system, such as
the total size, block size, number of blocks, and other vital information.
The superblock is crucial in mounting and recovering a file system.
 Inodes: Each file and directory has an associated inode that stores
metadata such as file permissions, ownership, timestamps (created,
accessed, modified), file size, and pointers to data blocks on disk.
 Data Blocks: These are the blocks on disk where the actual file data is
stored.
 Directories: Directories in EXT file systems are special types of files that
map file names to their corresponding inode numbers.
 Journal (EXT3/EXT4): EXT3 and EXT4 support journaling, which helps
prevent data corruption by keeping a log (journal) of file changes before
they are written to disk. This ensures data integrity in case of crashes.

b. Analyzing EXT File System:

 Tools like debugfs, e2fsck, and tune2fs are used to analyze and
manipulate EXT file systems.
o debugfs: Provides direct access to the file system structure and
allows for inode inspection, recovery of deleted files, and more.
o e2fsck: Used to check and repair file system inconsistencies.
o tune2fs: Used to view and modify file system parameters (like the
journaling options).

c. Recreating EXT Partitions:

 Partitioning can be done using tools like fdisk, gdisk, or parted. After
creating a partition, the mkfs.ext4 command can format it to EXT4.
 Partition Recovery: Forensic tools like TestDisk can recover lost or
deleted EXT partitions. These tools read the superblock and other
metadata to reconstruct the file system.

d. Analyzing Unallocated Partitions:

 Unallocated Space: This refers to portions of a disk that are not
currently assigned to any partition. Even though unallocated, this space
may still contain remnants of old file systems or data.
 Tools like dd and photorec can be used on unallocated space: dd copies
the raw sectors into an image file, and photorec searches that data for
recoverable files or file system structures.
o photorec: Specifically useful for recovering files from unallocated
or damaged file systems by scanning the disk for file signatures.
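The following Python script is an added example; it is not part of these notes and is not code from debugfs, TestDisk or photorec. It decodes the superblock fields listed in section 2a (block size, block and inode counts, clean/dirty state, journal flag, UUID, volume name) from the ext2/3/4 on-disk layout, and then does in miniature what sections 2c and 2d describe partition-recovery tools doing: it sweeps an image of unallocated space for the 0xEF53 superblock magic and reports where a lost partition most likely begins (the superblock sits 1024 bytes into its partition). The disk image and every field value are constructed inside the script, so nothing here comes from a real system.

```python
import struct
import uuid

# The superblock starts 1024 bytes into its partition and is 1024 bytes long;
# offsets below are positions inside the superblock (ext2/3/4 on-disk layout).
SB_OFFSET_IN_PARTITION = 1024
SB_SIZE = 1024
EXT_MAGIC = 0xEF53                    # s_magic, at superblock offset 56
FEATURE_COMPAT_HAS_JOURNAL = 0x0004   # bit in s_feature_compat set by ext3/ext4


def parse_superblock(sb):
    """Decode the superblock fields an examiner looks at first."""
    if len(sb) < SB_SIZE:
        raise ValueError("need %d bytes of superblock" % SB_SIZE)
    magic = struct.unpack_from("<H", sb, 56)[0]
    if magic != EXT_MAGIC:
        raise ValueError("not an EXT superblock (magic 0x%04x)" % magic)
    # s_inodes_count .. s_log_block_size occupy offsets 0-27 as seven u32s
    (inodes_count, blocks_count, _reserved_blocks, free_blocks, free_inodes,
     _first_data_block, log_block_size) = struct.unpack_from("<7I", sb, 0)
    # s_blocks_per_group, s_clusters_per_group, s_inodes_per_group, s_mtime, s_wtime
    blocks_per_group, _clusters_per_group, inodes_per_group, mtime, wtime = \
        struct.unpack_from("<5I", sb, 32)
    # s_mnt_count, s_max_mnt_count, s_magic, s_state
    mnt_count, _max_mnt_count, _magic, state = struct.unpack_from("<4H", sb, 52)
    feature_compat = struct.unpack_from("<I", sb, 0x5C)[0]
    block_size = 1024 << log_block_size
    return {
        "block_size": block_size,
        "blocks_count": blocks_count,
        "size_bytes": blocks_count * block_size,
        "inodes_count": inodes_count,
        "free_blocks": free_blocks,
        "free_inodes": free_inodes,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "last_mount_time": mtime,          # Unix epoch seconds
        "last_write_time": wtime,
        "mount_count": mnt_count,
        "clean": bool(state & 1),          # EXT2_VALID_FS: unmounted cleanly
        "has_journal": bool(feature_compat & FEATURE_COMPAT_HAS_JOURNAL),
        "uuid": str(uuid.UUID(bytes=bytes(sb[0x68:0x78]))),
        "volume_name": bytes(sb[0x78:0x88]).split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def find_superblocks(image, step=512):
    """Carve an image (e.g. a dd copy of unallocated space) for EXT superblocks.
    Returns (likely_partition_start, parsed_fields) for each hit."""
    hits = []
    for off in range(0, len(image) - SB_SIZE + 1, step):
        if struct.unpack_from("<H", image, off + 56)[0] != EXT_MAGIC:
            continue
        try:
            fields = parse_superblock(image[off:off + SB_SIZE])
        except ValueError:
            continue
        hits.append((off - SB_OFFSET_IN_PARTITION, fields))
    return hits


def build_sample_superblock():
    """Constructed ext4-style superblock for demonstration; all values are made up."""
    sb = bytearray(SB_SIZE)
    # 65536 inodes, 262144 blocks, 4 KiB blocks (log_block_size=2), first data block 0
    struct.pack_into("<7I", sb, 0, 65536, 262144, 13107, 200000, 65000, 0, 2)
    struct.pack_into("<5I", sb, 32, 32768, 32768, 8192, 1700000000, 1700003600)
    struct.pack_into("<4H", sb, 52, 3, 0xFFFF, EXT_MAGIC, 1)
    struct.pack_into("<I", sb, 0x5C, FEATURE_COMPAT_HAS_JOURNAL | 0x0038)  # journal + other compat bits
    sb[0x68:0x78] = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes
    sb[0x78:0x88] = b"evidence".ljust(16, b"\0")
    return bytes(sb)


def build_sample_image():
    """1 MiB of zeroed 'unallocated' space with one lost partition starting at 64 KiB."""
    image = bytearray(1024 * 1024)
    start = 64 * 1024
    sb_at = start + SB_OFFSET_IN_PARTITION
    image[sb_at:sb_at + SB_SIZE] = build_sample_superblock()
    return bytes(image)


if __name__ == "__main__":
    for start, fields in find_superblocks(build_sample_image()):
        print("EXT superblock found; partition likely starts at byte %d" % start)
        for key, value in fields.items():
            print("  %-18s %s" % (key, value))
```

On a real image the scan would also surface the backup superblocks that ext places in later block groups, which is exactly why a damaged primary superblock is recoverable: a hit whose fields agree with a neighbour is far more trustworthy than a lone magic value.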

3. Log Analysis: Understanding and Analyzing Various Logs

Logs are crucial for monitoring system activity, security incidents, and forensic
investigations. Linux systems generate various logs that provide insights into
system behavior, user activities, and errors.

a. Types of Logs:

 System Logs: These capture general system messages, errors, and
system warnings. Found in /var/log/messages and /var/log/syslog.
 Authentication Logs: Logs related to login attempts, both successful and
failed. Found in /var/log/auth.log or /var/log/secure (on Red Hat-based
systems).
 Kernel Logs: Kernel-generated logs, typically found in /var/log/kern.log.
Useful for analyzing hardware-related issues.
 Application Logs: Logs generated by individual applications. These are
typically stored in /var/log or a subdirectory created by the application.

b. Analyzing Important Logs for User Activities:

 User Login/Logout Logs: Logs like /var/log/auth.log and
/var/log/lastlog help trace user login sessions and access times. Tools
like last and who can provide an overview of user activity.
 Bash History: Each user’s bash history can be found in ~/.bash_history,
showing a list of commands executed by the user.
 User Permissions: Analyze files like /etc/passwd and /etc/group to find
user roles, permissions, and group memberships.
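An added example (not from these notes) of how the auth.log entries described in section 3b can be summarised programmatically instead of read line by line: it counts failed and accepted SSH logins per source address, records PAM session open/close events and sudo commands, and flags any address that logged in successfully after a burst of failures, which is the pattern an investigator wants to see first. The log lines are constructed in sshd/sudo syntax; the hostname, user names and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in auth.log syntax (hostname, users and addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar  3 08:12:01 webhost sshd[2211]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: RSA SHA256:constructed
Mar  3 08:12:01 webhost sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 08:40:15 webhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 11:02:43 webhost sshd[2490]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 11:02:45 webhost sshd[2492]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 11:02:47 webhost sshd[2494]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 11:02:49 webhost sshd[2496]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 11:02:51 webhost sshd[2498]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 11:03:10 webhost sshd[2500]: Accepted password for root from 203.0.113.5 port 51244 ssh2
Mar  3 11:03:10 webhost sshd[2500]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 11:25:00 webhost sshd[2500]: pam_unix(sshd:session): session closed for user root
"""

# "Mon DD HH:MM:SS host program[pid]: message" (traditional syslog layout)
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[^:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
SSH_AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\w+) for "
                         r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
SESSION_RE = re.compile(r"^pam_unix\(sshd:session\): session (?P<action>opened|closed) for user (?P<user>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def analyze_auth_log(text, failure_threshold=3):
    """Summarise logins, failures, sessions and sudo use, and flag source addresses
    that logged in successfully after a burst of failures (worth a closer look)."""
    failures = Counter()                 # source ip -> failed attempts
    logins = defaultdict(list)           # source ip -> [(ts, user, method), ...]
    sessions = []                        # (ts, user, opened|closed)
    sudo_commands = []                   # (ts, user, target user, command)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, prog, msg = m.group("ts"), m.group("prog").strip(), m.group("msg")
        if prog == "sshd":
            a = SSH_AUTH_RE.match(msg)
            if a:
                if a.group("result") == "Failed":
                    failures[a.group("ip")] += 1
                else:
                    logins[a.group("ip")].append((ts, a.group("user"), a.group("method")))
                continue
            s = SESSION_RE.match(msg)
            if s:
                sessions.append((ts, s.group("user"), s.group("action")))
        elif prog == "sudo":
            u = SUDO_RE.match(msg)
            if u:
                sudo_commands.append((ts, u.group("user"), u.group("target"), u.group("cmd")))
    flagged = sorted(ip for ip, n in failures.items()
                     if n >= failure_threshold and ip in logins)
    return {
        "failures": dict(failures),
        "logins": dict(logins),
        "sessions": sessions,
        "sudo": sudo_commands,
        "login_after_failures": flagged,
    }


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip in report["login_after_failures"]:
        print("review: %s logged in after %d failures: %s"
              % (ip, report["failures"][ip], report["logins"][ip]))
    for ts, user, target, cmd in report["sudo"]:
        print("sudo %s -> %s at %s: %s" % (user, target, ts, cmd))
```

The same summary pairs naturally with the output of last and who from the notes: a login that auth.log flags here should also appear as a session in wtmp, and a missing wtmp entry for a logged login is itself an artefact worth recording.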

c. User/Application Configurations and Preferences:

 User-specific configuration files are often found in the user’s home
directory, typically in hidden files (starting with .). For example:
o .bashrc: Contains user-specific shell configurations.
o .profile: User-specific environmental settings.
o Application-specific files: Found in folders like ~/.config/ or
~/.local/. These files contain application settings and preferences.

d. Attached Devices:

 Logs related to connected USB or other external devices are stored in
/var/log/syslog, /var/log/messages, or can be monitored through
dmesg.
o lsusb: A command that lists currently connected USB devices.
o udevadm: Provides detailed information about devices managed
by udev, the Linux device manager.
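Added example, not from these notes: rebuilding a USB device timeline from the kernel messages that section 3d says land in syslog, messages or dmesg. It pairs each "New USB device found" event with the Product, Manufacturer and SerialNumber strings that follow it, uses the "scsi hostN: usb-storage" line to link the SCSI host to the resulting sdX block device, and records the disconnect time, so one record answers what was plugged in, when, and which device node it became. The log excerpt is constructed; the vendor/product ids, serial number and hostname are made up.

```python
import re

# Constructed kernel-log sample in syslog layout; ids, serial and hostname are made up.
SAMPLE_KERN_LOG = """\
Mar  3 09:15:02 labhost kernel: [ 1200.100001] usb 1-2: new high-speed USB device number 4 using xhci_hcd
Mar  3 09:15:02 labhost kernel: [ 1200.250113] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar  3 09:15:02 labhost kernel: [ 1200.250120] usb 1-2: Product: Ultra Fit
Mar  3 09:15:02 labhost kernel: [ 1200.250124] usb 1-2: Manufacturer: SanDisk
Mar  3 09:15:02 labhost kernel: [ 1200.250127] usb 1-2: SerialNumber: 4C530001230412345678
Mar  3 09:15:03 labhost kernel: [ 1201.300000] usb-storage 1-2:1.0: USB Mass Storage device detected
Mar  3 09:15:03 labhost kernel: [ 1201.300100] scsi host6: usb-storage 1-2:1.0
Mar  3 09:15:04 labhost kernel: [ 1202.400000] sd 6:0:0:0: [sdb] 60088320 512-byte logical blocks: (30.8 GB/28.7 GiB)
Mar  3 09:15:04 labhost kernel: [ 1202.450000] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar  3 09:42:30 labhost kernel: [ 2848.000000] usb 1-2: USB disconnect, device number 4
"""

TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
USB_NEW_RE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
USB_ATTR_RE = re.compile(r"usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
USB_DISC_RE = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect")
SCSI_HOST_RE = re.compile(r"scsi host(?P<host>\d+): usb-storage (?P<port>[\d.-]+):\d+\.\d+")
SD_ATTACH_RE = re.compile(r"sd (?P<host>\d+):\d+:\d+:\d+: \[(?P<dev>sd[a-z]+)\] Attached SCSI")


def usb_timeline(text):
    """One record per plug-in event: ids, strings, block device, connect/disconnect times."""
    devices = []
    open_by_port = {}       # usb port path -> record of the device currently plugged in there
    host_to_port = {}       # SCSI host number -> usb port path (links [sdX] back to the stick)
    for line in text.splitlines():
        t = TS_RE.match(line)
        ts = t.group("ts") if t else None
        m = USB_NEW_RE.search(line)
        if m:
            rec = {"port": m.group("port"), "vendor_id": m.group("vid"),
                   "product_id": m.group("pid"), "connected_at": ts,
                   "disconnected_at": None, "block_device": None}
            devices.append(rec)
            open_by_port[rec["port"]] = rec
            continue
        m = USB_ATTR_RE.search(line)
        if m and m.group("port") in open_by_port:
            # keys become "product", "manufacturer", "serialnumber"
            open_by_port[m.group("port")][m.group("key").lower()] = m.group("val").strip()
            continue
        m = SCSI_HOST_RE.search(line)
        if m:
            host_to_port[m.group("host")] = m.group("port")
            continue
        m = SD_ATTACH_RE.search(line)
        if m and m.group("host") in host_to_port:
            rec = open_by_port.get(host_to_port[m.group("host")])
            if rec:
                rec["block_device"] = m.group("dev")
            continue
        m = USB_DISC_RE.search(line)
        if m and m.group("port") in open_by_port:
            open_by_port.pop(m.group("port"))["disconnected_at"] = ts
    return devices


if __name__ == "__main__":
    for d in usb_timeline(SAMPLE_KERN_LOG):
        print("%s %s %s:%s serial=%s dev=%s %s -> %s" % (
            d.get("manufacturer"), d.get("product"), d["vendor_id"], d["product_id"],
            d.get("serialnumber"), d["block_device"], d["connected_at"], d["disconnected_at"]))
```

The serial number is the value to carry forward: it can be matched against the same device appearing on other hosts' logs and against mount points under /media that show up in the recently-used data described in section 3f.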

e. Shared Locations:

 Shared network locations and mounted drives can be found in logs
under /var/log/syslog. Additionally, the /etc/fstab file lists filesystems
that are mounted automatically.
 Samba/SMB logs (for Windows shares) can be found in
/var/log/samba/, and these logs provide information on shared file
access.

f. Recently Accessed Documents, Programs, and Locations:

 lsof (list open files): Lists the files currently open on a live system
and the processes that opened them, showing what is in use right now.
 GNOME/KDE Activity Logs: Many desktop environments maintain their
own logs of recently accessed files and documents. For example, in
GNOME, ~/.local/share/recently-used.xbel logs recently opened files.
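Added example (not from these notes) that parses the GNOME ~/.local/share/recently-used.xbel file mentioned above. The file is XBEL XML: each <bookmark> element carries the file URI and added/modified/visited timestamps, and the freedesktop metadata inside it names the MIME type and the application that opened the file together with an open count. The sample document is constructed; the paths, times and removable-media volume name are made up, and the /media, /mnt and /run/media prefixes used to flag files opened from removable media are an assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, unquote

BOOKMARK_NS = "http://www.freedesktop.org/standards/desktop-bookmarks"
MIME_NS = "http://www.freedesktop.org/standards/shared-mime-info"

# Constructed recently-used.xbel content; paths, times and volume name are made up.
SAMPLE_XBEL = """<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks"
      xmlns:mime="http://www.freedesktop.org/standards/shared-mime-info">
  <bookmark href="file:///home/alice/Documents/quarterly%20report.odt" added="2024-03-01T09:05:12Z" modified="2024-03-03T16:40:01Z" visited="2024-03-03T16:40:01Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/vnd.oasis.opendocument.text"/>
        <bookmark:applications>
          <bookmark:application name="libreoffice-writer" exec="&apos;libreoffice --writer %u&apos;" modified="2024-03-03T16:40:01Z" count="3"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
  <bookmark href="file:///media/alice/ULTRA_FIT/payroll.xlsx" added="2024-03-03T09:20:44Z" modified="2024-03-03T09:20:44Z" visited="2024-03-03T09:20:44Z">
    <info>
      <metadata owner="http://freedesktop.org">
        <mime:mime-type type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/>
        <bookmark:applications>
          <bookmark:application name="libreoffice-calc" exec="&apos;libreoffice --calc %u&apos;" modified="2024-03-03T09:20:44Z" count="1"/>
        </bookmark:applications>
      </metadata>
    </info>
  </bookmark>
</xbel>
"""

# Assumed mount-point prefixes for removable media (example's own convention).
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")


def parse_recently_used(xml_text):
    """Return one record per bookmark, most recently visited first."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    records = []
    for bm in root.iter("bookmark"):
        href = bm.get("href", "")
        # file:// URIs are percent-encoded; decode to the on-disk path
        path = unquote(urlparse(href).path) if href.startswith("file:") else href
        mime_el = bm.find(".//{%s}mime-type" % MIME_NS)
        apps = [(app.get("name"), int(app.get("count", "0")))
                for app in bm.iter("{%s}application" % BOOKMARK_NS)]
        records.append({
            "path": path,
            "mime_type": mime_el.get("type") if mime_el is not None else None,
            "added": bm.get("added"),
            "modified": bm.get("modified"),
            "visited": bm.get("visited"),
            "applications": apps,
            "on_removable_media": path.startswith(REMOVABLE_PREFIXES),
        })
    # ISO-8601 UTC timestamps sort correctly as strings
    records.sort(key=lambda r: r["visited"] or "", reverse=True)
    return records


if __name__ == "__main__":
    for r in parse_recently_used(SAMPLE_XBEL):
        flag = " [removable media]" if r["on_removable_media"] else ""
        print("%s  %s  %s%s" % (r["visited"], r["path"], r["applications"], flag))
```

Because the file records the URI and not the file itself, an entry survives after the document has been deleted or the USB stick removed, which is what makes it useful alongside the attached-device timeline from section 3d.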

g. Installed Applications:

 You can list all installed applications by querying package managers. For
example:
o APT: dpkg --list
o YUM/DNF: yum list installed
o Snap: snap list
 Application-specific logs may also reside in /var/log/, providing insights
into installation dates, updates, and potential configuration changes.
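Added example (not from these notes): turning /var/log/dpkg.log, the package-manager log on APT-based systems, into the installation timeline that section 3g refers to. The line layout assumed here is "date time action package old-version new-version" for install, upgrade, remove and purge lines, with the status and startup lines skipped; the excerpt, package versions and timestamps are constructed.

```python
import re

# Constructed /var/log/dpkg.log excerpt; package versions and timestamps are made up.
SAMPLE_DPKG_LOG = """\
2024-03-02 14:03:11 startup archives unpack
2024-03-02 14:03:11 install tmux:amd64 <none> 3.3a-3
2024-03-02 14:03:11 status half-installed tmux:amd64 3.3a-3
2024-03-02 14:03:12 status unpacked tmux:amd64 3.3a-3
2024-03-02 14:03:13 startup packages configure
2024-03-02 14:03:13 configure tmux:amd64 3.3a-3 <none>
2024-03-02 14:03:13 status installed tmux:amd64 3.3a-3
2024-03-02 14:10:40 upgrade openssh-server:amd64 1:9.2p1-2 1:9.2p1-2+deb12u2
2024-03-02 14:10:41 status installed openssh-server:amd64 1:9.2p1-2+deb12u2
2024-03-03 18:22:05 remove tmux:amd64 3.3a-3 <none>
2024-03-03 18:22:05 status config-files tmux:amd64 3.3a-3
"""

# Assumed layout of dpkg.log action lines: "date time action package old new".
# For install the old version is <none>; for remove/purge the new version is <none>.
ACTION_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
                       r"(?P<action>install|upgrade|remove|purge) "
                       r"(?P<pkg>\S+) (?P<old>\S+) (?P<new>\S+)$")


def package_timeline(text):
    """Return (events, state): chronological install/upgrade/remove/purge events
    and the last-known state of every package that appears in the log."""
    events = []
    state = {}
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if not m:
            continue
        action, pkg = m.group("action"), m.group("pkg")
        if action in ("install", "upgrade"):
            version = m.group("new")
            state[pkg] = ("installed", version)
        else:
            version = m.group("old")
            state[pkg] = ("removed" if action == "remove" else "purged", version)
        events.append((m.group("ts"), action, pkg, version))
    return events, state


def installed_between(text, start, end):
    """Packages installed or upgraded inside a window; the 'YYYY-MM-DD HH:MM:SS'
    timestamps compare correctly as strings."""
    events, _ = package_timeline(text)
    return [(ts, pkg, ver) for ts, action, pkg, ver in events
            if action in ("install", "upgrade") and start <= ts <= end]


if __name__ == "__main__":
    events, state = package_timeline(SAMPLE_DPKG_LOG)
    for ts, action, pkg, ver in events:
        print("%s %-8s %-24s %s" % (ts, action, pkg, ver))
    for pkg, (status, ver) in sorted(state.items()):
        print("%-24s %s (%s)" % (pkg, status, ver))
```

A package that is installed and then removed shortly afterwards, as tmux is in the constructed sample, leaves no trace in dpkg --list, so the log rather than the current package database is what reconstructs that activity; correlating the timestamps with the auth.log sessions from section 3b shows which login performed the change.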

Conclusion:

 Linux OS Architecture is built on modular layers, with the kernel at its
core.
 EXT File System analysis requires understanding key structures like
inodes and superblocks, along with tools for file recovery and partition
recreation.
 Log Analysis helps track user actions, system changes, and application
behaviors, providing crucial insights in forensic investigations. By
analyzing logs, unallocated space, and file system metadata,
investigators can recreate user behavior and determine the causes of
incidents.
