Week 4 Lab Exercises B Linux File Systems

This lab focuses on understanding Linux file systems and recovering data from memory dumps. Participants will learn to interpret mounted file systems, recover specific files, and identify users within the operating system using various tools and commands. The exercises include listing mounted file systems, recovering files, and analyzing user data, with a summary of skills necessary for an upcoming assessment.
Week 4 Lab Exercises B

Linux File Systems

Introduction
In this Lab you will perform some exercises which will allow you to understand how data is
stored by Linux and how to recover its contents. As the learning slides point out (LS10), we
cannot expect to recover every file that was stored on the file system, but those that were
recently used or of importance to the OS will often be available. Even fragments of files may
contain forensically useful information.

Lab Goals
During this Lab you will learn a number of skills that will be vital for your first assessment
which takes place in the lab during week 6.

1. Learn how to interpret file systems which were mounted at the time of capture.
2. Recover specific files and directories that are of interest including the entire file
system.
3. Understand how to identify users of the operating system.

Tools and Resources

For today’s Lab you will require the following tools and software:

• Learning slides for reference – LS10
• debian.dump
  o Used for Exercises
• linux-sample-3.bin
  o Used for Analysis
• MemoryAnalysis.ova
  o Can be found on the Lab machine at C:\CST3510\VM
• VirtualBox Application

Virtual Machine    Username    Password
Kali-Linux         kali        MDXK4l1

CST3510 Week 2 Lab Exercises A 1 ©2024 [email protected]


Exercises
Mounted File Systems

The first and most simple step is to list the mounted file systems identified in the memory
dump. For that we can use the command

$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_mount

This command shows the devices that are mounted in the system, the file system type of each
device, their mount options and their mount point. The handout's screenshot shows the output
of this command. For instance, we can see that the root file system is on /dev/sda1 and that
there are two temporary (tmpfs) file systems, one at /run/lock and another at /sys/fs/cgroup.
Refer to LS10 for more information on the mount options.
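The following is an added example, not part of the lab handout: a small parser for the text that linux_mount prints (device, mount point, file system type, options), which answers the same questions the paragraph above answers by eye. The sample output is constructed here and is not taken from debian.dump.

```python
from dataclasses import dataclass

# Constructed sample of what linux_mount prints (device, mount point,
# file system type, options); it is not output taken from debian.dump.
SAMPLE_MOUNTS = """\
/dev/sda1                 /                          ext4     rw,relatime,errors=remount-ro
tmpfs                     /run/lock                  tmpfs    rw,nosuid,nodev,noexec,relatime
tmpfs                     /sys/fs/cgroup             tmpfs    ro,nosuid,nodev,noexec
cgroup                    /sys/fs/cgroup/memory      cgroup   rw,nosuid,nodev,noexec,relatime
proc                      /proc                      proc     rw,nosuid,nodev,noexec,relatime
"""

@dataclass(frozen=True)
class Mount:
    device: str
    path: str
    fstype: str
    options: frozenset

def parse_mounts(text):
    """Split each line into its four columns; the options become a set."""
    mounts = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # blank or truncated line
        opts = frozenset(parts[3].split(",")) if len(parts) == 4 else frozenset()
        mounts.append(Mount(parts[0], parts[1], parts[2], opts))
    return mounts

def root_device(mounts):
    """Block device backing '/', i.e. where the on-disk root file system lives."""
    return next((m.device for m in mounts if m.path == "/"), None)

# Pseudo and RAM-backed file systems: their contents never reach disk, so the
# memory image is the only place their files can be recovered from.
MEMORY_BACKED = {"tmpfs", "ramfs", "devtmpfs", "proc", "sysfs", "cgroup"}

def memory_backed_mounts(mounts):
    return [m.path for m in mounts if m.fstype in MEMORY_BACKED]

def tmpfs_mounts(mounts):
    """The temporary file systems the handout refers to."""
    return [m.path for m in mounts if m.fstype == "tmpfs"]

def read_only_mounts(mounts):
    return [m.path for m in mounts if "ro" in m.options]
```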

To list all of the files found in the system's memory, we can use the linux_enumerate_files
plugin. As the output is likely to be long, you should use grep if you are searching for one
specific file, or write the output to a text file with the > redirection operator if you require
more information.

$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_enumerate_files

Exercise 1: Which files belong to the vagrant user?



Recovering files

In order to provide a richer analysis, we are also interested in recovering the file system. For
this, we can simply use the linux_recover_filesystem plugin; remember to make an output
directory called “fsout” before running the plugin. Notice that for this plugin we need to use
sudo to get the results.

$> sudo volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_recover_filesystem -D /media/testShare/fsout

The directory "/media/testShare/fsout" given with -D specifies where the file system will be
dumped, and the name of the output directory becomes the root of the recovered tree. However,
because this plugin takes almost an hour to complete, it is wasteful of time to run it now, and
there is another, more targeted method. To exit, press Ctrl-Z to end the execution (note that
Ctrl-Z only suspends the job; Ctrl-C terminates it outright).

Instead we will make use of the plugin which allows searching for individual files,
linux_find_file. In the example below we search for the bash history.

$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_find_file -F /home/vagrant/.bash_history

This produces the inode number, the inode offset (its address in memory, 0xffff97fa5c9f6b88
here) and the path to the file. We need to take the offset value (circled in red in the
handout's screenshot) and run the command again, this time with the -i option. The -O switch
gives the output filename.

$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_find_file -i 0xffff97fa5c9f6b88 -O bash.txt

To view the file contents you can use cat. If you have been practicing hard for your lab test in
week 6 then you will recognize the commands. If you don’t then you should be doing a little
more outside of the lab to prepare!

$> cat bash.txt



It is often helpful to identify the users and groups on the system by analyzing the /etc/passwd
and /etc/group files.

$> volatility -f debian.dump --profile=LinuxDebian_4_9_0-12-amd64_profilex64 linux_find_file -F /etc/passwd

Now you need to extract this file as you did for the bash_history above. You can then use
the contents to do Exercise 2 below.

Exercise 2: Enumerate the users and groups of the operating system and
explain what each of the fields in them represent.

Exercise Solutions can be found on following page. Once you have checked these move
onto the Analysis questions.



Exercise Solutions

Exercise 1:

Filter the enumeration with /home/vagrant

Exercise 2:

Check the files /etc/passwd and /etc/group

There are 27 users and 52 groups.

User fields = username, password, User ID, Group ID, GECOS (User Info), home directory,
shell

Group fields = group name, password, Group ID, User list
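As an added example for Exercise 2 and its solution (not part of the handout), the parser below reads /etc/passwd and /etc/group as they come out of linux_find_file -O, splits them into the fields listed above, and pulls out what an examiner checks first: which accounts can log in, whether any account other than root has UID 0, and which groups a given user belongs to. The file contents are constructed samples, not the real files from debian.dump.

```python
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name password gid members")
# Constructed sample files (not the real contents recovered from debian.dump).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
vagrant:x:1000:1000:vagrant,,,:/home/vagrant:/bin/bash
support:x:0:0::/tmp:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:vagrant
vagrant:x:1000:
"""

def parse_passwd(text):
    """name:password:UID:GID:GECOS:home:shell, one user per line."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue  # comment, blank, or a line cut short by partial recovery
        users.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return users

def parse_group(text):
    """name:password:GID:comma-separated member list, one group per line."""
    groups = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 4:
            continue
        groups.append(GroupEntry(f[0], f[1], int(f[2]), [m for m in f[3].split(",") if m]))
    return groups

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
def interactive_users(users):
    # accounts that can actually get a shell, as opposed to service accounts
    return [u.name for u in users if u.shell not in NOLOGIN_SHELLS]

def extra_uid0(users):
    """Any account other than root with UID 0 has full root rights."""
    return [u.name for u in users if u.uid == 0 and u.name != "root"]

def groups_of(name, users, groups):
    """Primary group (via the passwd GID) plus supplementary memberships."""
    gid = {u.name: u.gid for u in users}.get(name)
    return sorted(g.name for g in groups if g.gid == gid or name in g.members)
```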

File System Analysis Questions

Below is an exercise which combines some of the skills you have learnt in the above Lab
exercises. You will need to download and import the memory dump named below. Use the profile
name which is also given below; there is no need to import it, as it is already in the Kali
Analysis VM.

Memory Sample: linux-sample-3.bin

Profile name to use: --profile=Linuxbookx64

Questions

1. Recover the cookies.sqlite file of the vol user. Which websites stored cookies on this
user's system?
2. How many entries are in /etc/hosts?

Lab Summary
As you have seen today, acquisition from Linux systems is a fairly complicated process and can
take a considerable amount of time. Remember while waiting that unless Volatility reports
an error or the shell returns to your prompt, it is still working on producing the plugin's
output.
