Day 1 Flashcards
How big is the Linux kernel?
The compressed kernel image (vmlinuz) is typically around 10 MB; the source tree it is built from is far larger.
What is the purpose of the Linux Kernel
It acts as the interface/bridge between the hardware (e.g. device drivers and device memory) and software (e.g. user-space applications, the OS API and services).
What does the Linux kernel manage?
System resources: CPU time, memory, devices and I/O.
Identify the main components of a Linux distribution (6 to define)
- Bootloader.
- Kernel.
- Init System.
- Daemons.
- Desktop Environment.
- Applications.
What does the Bootloader do?
Responsible for managing the initial boot process and loading the Operating System into memory.
Name the four main responsibilities of the Linux Kernel
- Memory management.
- Process management.
- Device drivers.
- System calls and security management (privilege/protection rings, user vs. kernel mode).
What is the “Init System”?
It is the first user-space process started by the kernel at boot (PID 1, e.g. systemd or SysV init); every other process descends from it.
What are the three main responsibilities of the “Init System”?
- System management (handling logins, running scripts at boot).
- Adopts (re-parents) all orphaned processes until shutdown is complete.
- Manages daemon processes (headless/GUI-less processes that run in the background).
Define a Linux Daemon
A background (non-interactive) program that provides a service or monitors an OS subsystem; by convention its name ends in "d".
What does the xinetd daemon do?
Acts as a super-server: it listens for incoming connections and starts the matching network service daemon on demand (the extended replacement for inetd).
What does the cron daemon do?
Schedules commands.
What does the inetd daemon do?
The classic internet super-server: listens on configured ports and launches network services when a connection arrives.
What does the cups daemon do?
Handles printing.
What does the rpc.nfsd daemon do?
Manages file server operations.
What does the sshd daemon do?
Manages secure remote logins (SSH)
What does the dhcpd daemon do?
Hands out IP addresses and network configuration to clients (the DHCP server).
What does the httpd daemon do?
Serves web (HTTP) requests; the Apache HTTP Server process.
What does the named daemon do?
Serves DNS queries (the BIND name server).
Identify ACPO principle 1
No action taken should change data that may subsequently be relied upon in court.
Identify ACPO principle 2
Where a person finds it necessary to access original data, that person must be competent to do so and able to give evidence explaining the relevance and implications of their actions.
Identify ACPO principle 3
An audit trail or other record of all processes applied to the evidence must be created and preserved, contemporaneously: what you did, when and where. It must be detailed enough that an independent third party could repeat the process and achieve the same result.
Identify ACPO principle 4
The officer in charge (OIC) of the investigation has overall responsibility for ensuring the law and these principles are adhered to.
What does ISO 17025 define?
The general requirements for the competence of testing and calibration laboratories (the standard forensic labs are accredited against).
Define the 5 stages of an investigation.
- Event/Allegation.
- Identification, search and seizure and preservation of data.
- Examination and interpretation of data.
- Production of any findings.
- Subsequent action/s.
In Linux, everything is considered to be a…
File.
What are the 7 types of object that Linux treats as files?
- Regular files
- Directories
- Character device files (e.g. keyboard, mouse, terminal, sound card, /dev/mem)
- Block device files (e.g. disks and partitions)
- Named pipes / FIFOs (the same mechanism that connects one command's stdout to the next command's stdin)
- Symbolic links
- Sockets
How does Linux enumerate individual drives?
Using a driver prefix plus a letter assigned in detection order.
E.g.
sda = 1st SCSI-class drive (SATA, SAS, SCSI, USB and FireWire storage all use the sd driver).
sdb = 2nd SCSI-class drive.
sdc = 3rd SCSI-class drive.
hda = 1st IDE/EIDE (PATA) drive on the legacy IDE driver.
hdb = 2nd IDE/EIDE drive.
hdc = 3rd IDE/EIDE drive.
Modern kernels expose IDE drives through libata as sdX too, so hdX names are rarely seen now. Letters are not stable across boots or hot-plug events, so identify evidence drives by serial number (/dev/disk/by-id) rather than by letter.
How does Linux enumerate partitions?
Numerically.
I.e.
sda1 = 1st SATA/SCSI/USB/Firewire drive, 1st partition.
sda2 = 1st SATA/SCSI/USB/Firewire drive, 2nd partition.
sda3 = 1st SATA/SCSI/USB/Firewire drive, 3rd partition.
hda1 = 1st IDE/EIDE drive, 1st partition.
hda2 = 1st IDE/EIDE drive, 2nd partition.
hda3 = 1st IDE/EIDE drive, 3rd partition.
What does NVMe stand for?
Non-Volatile Memory Express.
What does the device name nvme0n1p2 represent?
The second partition of the first NVMe controller's first namespace (nvme0 = controller, n1 = namespace, p2 = partition).
What does the device name nvme2n1p1 represent?
The first partition of the third NVMe controller's first namespace.
Why do file systems need to be mounted in Linux?
So the kernel can interpret the file system on a partition/volume and expose it at a path. The mount point is the directory that acts as the "doorway" into that file system; until mounted, the volume is just a block device.
Most modern Linux Distributions auto-mount? True or False?
True.
Forensic Linux Distros disable auto-mounting of volumes? True or False?
True, so that evidence media are never written to without the examiner's control (and when they are mounted, it is read-only).
What type of drive is typically mounted to the “/media” directory?
Removable drives (e.g. USB sticks, SD cards), usually auto-mounted.
What type of drive is typically mounted in the “/mnt” directory?
Physical drive volumes (e.g. SSD/HDD partitions) manually mounted by the user or administrator.
The scope of elevated privileges in Linux can be described as what?
Transient: privileges gained through sudo or su last only for the single command or the session in which they were obtained, after which the user is back to their own account's rights.
System changes can only be performed by what user?
The root (super) user, or a user who has been granted root rights for that action via sudo.
Root/Superuser permissions are typically required to perform what four type of action in Linux?
- Partitioning drives.
- Mounting and imaging disks.
- Managing users.
- Installing some software packages.
Sudo stands for what?
Substitute user do (originally "superuser do").
GRUB stands for what?
Grand Unified Bootloader
What does the Sudo command do?
Allows a permitted user to run a single command as root (or as another user) after authenticating with their own password; each use is logged.
What can the sudo command allow the user to do?
To gain access to specific permissions and restricted commands.
How can a user gain permission to use the sudo command?
The user (or a group they belong to, such as sudo or wheel) must be granted rights in /etc/sudoers or a file in /etc/sudoers.d/, edited with visudo so a syntax error cannot lock everyone out.
What does the su command stand for?
Substitute User
Switch User.
Set User.
What does the su command do?
Provided you can supply the target account's password, su switches you to another user account.
If no username is given as an argument, su switches to root (and asks for root's password).
The su command switches you to the new user's environment? True or false?
False for a plain "su": it keeps the environment you were in before, including your original home directory and environment variables. "su -" (a login shell) gives you the target user's environment instead.
su and sudo can be used to elevate a users permissions/privileges. True or false?
True
Which command is the preferred means of escalating a user’s privileges? Su or sudo?
sudo. It grants per-command rights defined in the sudoers file, logs every invocation and never requires sharing the root password; su hands out a full root shell and leaves less of an audit trail.
How do you know if you are running a command as root?
By convention the prompt ends in "#" for root and "$" for everyone else, but the prompt is only a configurable string. Confirm with the id or whoami command (a UID of 0 is root).
All files and folders have which three permission types?
Read
Write
Execute
A file/directory associates its permissions with which three classes?
- User (owner)
- Group (Users in the same group as the user)
- Other.
In a permission entry, what does a ‘d’ prefix represent?
The file system entry is a directory.
In a permission entry, what does a ‘-‘ prefix represent?
The file system entry is a file.
What will happen to a directory with read permission assigned?
A user with read permission can list the directory's contents (it shows in ls or a file manager); execute is also needed to read the entries' metadata.
What will happen to a directory with write permission assigned?
The user can create, rename and delete entries in the directory (together with execute). This includes deleting files they do not own, unless the sticky bit is set.
What will happen to a directory with execute permission assigned?
A user with execute permission can traverse the directory: cd into it and open files inside it by name.
List the permission flag structure and their corresponding bit values.
Structure (as shown by ls -l):
[type] [owner: r w x] [group: r w x] [others: r w x]
e.g. -rwxr-x-w- or drwxr-xr-x
Bit values within each triplet:
r = 4, w = 2, x = 1 (sum the set bits to get the digit for that class)
Describe the numeric permission value 777
r w x
7 = 1 1 1 (4 + 2 + 1)
Owner: rwx
Group (users in the owner's group): rwx
Others: rwx
Describe the numeric permission value 752
r w x = 4 2 1
7 = 1 1 1 -> rwx
5 = 1 0 1 -> r-x
2 = 0 1 0 -> -w-
Owner: rwx
Group (users in the owner's group): r-x
Others: -w- (write only: they can modify the file but not read it)
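As an added example (not part of the original flashcards), the two conversions above written as POSIX shell functions, plus a check for the "others can write" case. The demo at the end assumes GNU stat (Linux) and a writable temporary directory; the function names are my own.

```sh
#!/bin/sh
# Added example: convert between numeric and symbolic permission forms and verify
# the result against a real file with chmod/stat. Only the rwx bits are handled;
# setuid/setgid/sticky (the optional leading digit) are ignored.

# octal_to_symbolic 752 -> rwxr-x-w-   (accepts 3 or 4 digits, uses the last 3)
octal_to_symbolic() {
    mode=$(printf '%s' "$1" | tail -c 3)
    out=""
    for d in $(printf '%s' "$mode" | sed 's/./& /g'); do
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# symbolic_to_octal rwxr-x-w- -> 752   (also accepts the 10-char ls -l form)
symbolic_to_octal() {
    s=$1
    [ ${#s} -eq 10 ] && s=$(printf '%s' "$s" | cut -c2-)   # drop the type char (-, d, l ...)
    out=""
    i=1
    while [ $i -le 7 ]; do
        trip=$(printf '%s' "$s" | cut -c"$i"-"$((i+2))")
        v=0
        case $trip in r??) v=$((v+4));; esac
        case $trip in ?w?) v=$((v+2));; esac
        case $trip in ??[xst]) v=$((v+1));; esac   # lowercase s/t = special bit AND execute
        out="${out}${v}"
        i=$((i+3))
    done
    printf '%s\n' "$out"
}

# is_world_writable 752 -> true (exit 0): the "others" digit has the write bit set.
# A classic audit check: anyone on the system can modify such a file.
is_world_writable() {
    o=$(printf '%s' "$1" | tail -c 1)
    [ $((o & 2)) -ne 0 ]
}

# Ask the kernel rather than trusting the arithmetic: apply 752 to a temp file and
# read back both forms (GNU stat; prints "752 -rwxr-x-w-").
demo() {
    f=$(mktemp)
    chmod 752 "$f"
    stat -c '%a %A' "$f"
    is_world_writable 752 && echo "752: others can write (read-only for them: no)"
    rm -f "$f"
}
demo
```

The trailing "S" or "T" (special bit set but execute clear) is deliberately left out: it does not contribute an execute bit, and handling the full four-digit form is beyond what the card covers.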
What type of file might be found in the “/boot” directory?
Bootloader files.
What type of file might be found in the “/etc” directory?
Configuration files.
What type of file might be found in the “/home” directory?
Regular users' home directories and their personal files.
What type of file might be found in the “/root” directory?
The root user’s home directory and its associated files.
What type of file might be found in the “/opt” directory?
Third party apps.
What type of file might be found in the “/dev” directory?
Device files.
What type of file might be found in the “/var” directory?
Variable data that changes while the system runs: logs (/var/log), spools, caches and mail.
What type of file might be found in the “/bin” directory?
User binaries.
What type of file might be found in the “/sbin” directory?
System binaries.
What type of file might be found in the “/usr” directory?
User-land programs, libraries and read-only data (a secondary hierarchy: /usr/bin, /usr/lib, /usr/share); despite the name, not users' own files.
What type of file might be found in the “/proc” directory?
Per-process and kernel information exposed as virtual files (procfs); nothing here is stored on disk.
What type of file might be found in the “/mnt” directory?
User mounted volumes (I.e. HDDs/SSDs)
What type of file might be found in the “/sys” directory?
Kernel, device and driver attributes exposed as a virtual file system (sysfs).
What type of file might be found in the “/media” directory?
Mounted removable drives (I.e USB’s/SDCards).
What type of file might be found in the “/run” directory?
Run-time data for the current boot (PID files, lock files, sockets) on a tmpfs that is emptied at each boot.
What type of file might be found in the “/tmp” directory?
Temporary files.
What type of file might be found in the “/lost+found” directory?
Orphaned inodes recovered by fsck after file-system corruption (one lost+found per file system).
What type of file might be found in the “/lib” directory?
Essential shared libraries and kernel modules needed by the binaries in /bin and /sbin.
What type of file might be found in the “/srv” directory?
Data served by the system's services (e.g. web or FTP content), not recovery files.
What command can be used to briefly look inside a files contents from the shell/command line?
cat
Which command doesn’t modify a file’s metadata when called?
ls: it reads directory entries and inode metadata without opening the file. cat opens and reads the file, which can update its access time (subject to the mount's atime options).
What command can be used to query Linux’s internal database to search files?
locate (queries the database built by updatedb, so it is fast but can be stale and will not show recent changes).
Which Linux command searches for files in the “live” environment?
find
Which command line operator can be used to direct output to a new file?
> (redirects stdout to a file, creating or truncating it)
Which operator appends a command's output to an existing file?
>> (appends stdout instead of truncating)
Which operator sends the stdout of one process to the stdin of another process?
| (the pipe)
What is a static data acquisition?
The device is powered down, the storage media is removed and imaged on a separate workstation through a hardware write blocker, so the source cannot be altered.
How would a data acquisition be performed using a bootable OS?
Power on the device, change the boot order (BIOS/UEFI) to boot from a USB stick or CD containing a forensic OS (typically a Linux distro that does not auto-mount), then image the internal storage from that environment.
When is a booted OS useful for imaging a device? (2 answers)
- When the device is switched off and its installed OS must not be started (booting a forensic OS instead avoids the installed OS modifying its own data).
- When the storage media cannot be removed and imaged externally (e.g. a Mac or a device with soldered storage).
In order to comply with ACPO principle 1 when imaging using a bootable OS, what step should be taken during the imaging process and why?
Attach a separate evidence (harvest) drive, mount it as the destination and write the image there. Never write to the source: leave it unmounted or mount it read-only, and hash the image afterwards to show nothing changed.
Explain the following command and it’s arguments:
mount -t ntfs-3g /dev/sda2 /mnt/my-disk
- mount: the mount command; attaches a volume/file system to a target directory.
- -t ntfs-3g: the file system type of the volume (here NTFS, via the ntfs-3g driver).
- /dev/sda2: the device to mount, in this case the second partition of the first drive.
- /mnt/my-disk: the directory (mount point) to attach it to. It must exist before the command is run.
Caveat: as written this mounts read-write. For evidence add "-o ro,noexec,noatime" so the file system is mounted read-only and access times are not updated.
You have an encrypted drive to image and have secured the password. Should you perform a physical or logical image?
A physical (sector-level) image of the raw device captures the ciphertext, which is useless without the key. With the credentials, unlock the volume and acquire the decrypted contents: the kernel decrypts each sector as it is read, so a logical image of the unlocked volume (or an image of the unlocked mapped device) contains plaintext. Many examiners take the raw physical image as well and record the credential used.
Does Linux natively support the ability to image a drive?
Yes- the ‘dd’ command!
Does Linux’s ‘dd’ command natively verify the images it creates?
No. Hash the source and the finished image (e.g. SHA-256) and compare them, recording both. Forks such as dc3dd and dcfldd can hash on the fly.
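The imaging and verification steps from the last few cards (harvest drive as destination, source left untouched, dd with a manual hash check) as one added POSIX shell example. This is not from the flashcards; the function names are mine, the 1 MiB "device" is a constructed file standing in for a real /dev/sdX, and the destination paths are hypothetical. It assumes coreutils dd and sha256sum (or shasum).

```sh
#!/bin/sh
# Added example: image a source with dd, then prove the copy is bit-for-bit
# identical by hashing source and image, because dd itself never verifies.
# In a real case SRC is the evidence device (e.g. /dev/sda) and DEST lives on the
# separately mounted harvest drive (e.g. /mnt/evidence/sda.dd).
#
# To look inside a copy afterwards without writing to it (needs root, not run here):
#   mount -t ntfs-3g -o ro,noexec,noatime /dev/loop0p2 /mnt/my-disk

# hash_of FILE : SHA-256 hex digest of a file or block device
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC DEST [BS] : exit 0 only if the image hashes the same as the source.
# conv=noerror,sync keeps going past unreadable sectors and pads them with zeros so
# offsets in the image stay aligned with the source. Gotcha: sync also pads the final
# block up to BS, so BS must equal the sector size (512, or 4096 for 4Kn drives) or
# the image grows and the hashes will never match.
image_and_verify() {
    src=$1; dest=$2; bs=${3:-512}
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$dest")
    # Contemporaneous record (ACPO principle 3): an independent examiner can re-run this.
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed sample "device": 1 MiB of random bytes (a sector multiple, like a real disk).
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    make_sample_source "$tmp/sdX"
    if image_and_verify "$tmp/sdX" "$tmp/sdX.dd"; then
        echo "verified:"; cat "$tmp/sdX.dd.sha256"
    else
        echo "HASH MISMATCH: do not rely on this image" >&2
    fi
    rm -rf "$tmp"
}
demo
```

For throughput on real media a large block size is tempting; if you use one, drop conv=sync (and accept that a read error then aborts) or re-image the tail at sector size, otherwise the padded image will fail verification every time.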
What must a device be to secure a RAM dump.
Powered on: RAM is volatile and is lost at shutdown. You also need a way to run or load your acquisition tool on the live system while disturbing as little memory as possible.
Which device file provides access to physical main memory?
/dev/mem (on modern kernels CONFIG_STRICT_DEVMEM limits it to device memory ranges, not RAM).
Which device file provides access to kernel virtual memory?
/dev/kmem (removed from the kernel in 5.13; absent on current systems).
Which directory provides access to shared memory?
/dev/shm (POSIX shared memory, a tmpfs).
Which file holds the kernel symbol map?
/boot/System.map-<kernel version>
Do modern versions of Linux provide easy access to memory through the /dev/ directories?
No. CONFIG_STRICT_DEVMEM blocks reading RAM through /dev/mem, /dev/kmem no longer exists, and kernel lockdown (enforced under Secure Boot) can forbid reading kernel memory altogether. Acquisition normally needs a kernel module or /proc/kcore.
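An added triage script (not from the flashcards) for the point above: before attempting a RAM dump, find out which memory interfaces this kernel exposes and which protections will get in the way. It reads only the standard, world-readable kernel files (/sys/kernel/security/lockdown, the kernel config under /boot or /proc/config.gz); the function names are my own and the report format is arbitrary.

```sh
#!/bin/sh
# Added example: pre-flight check for live memory acquisition on Linux.

# kernel_lockdown_mode : prints none|integrity|confidentiality|unknown.
# The file reads like "none [integrity] confidentiality"; the bracketed word is active.
kernel_lockdown_mode() {
    f=/sys/kernel/security/lockdown
    m=""
    [ -r "$f" ] && m=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f")
    [ -n "$m" ] && echo "$m" || echo unknown
}

# strict_devmem : prints y, n or unknown from the running kernel's build config.
strict_devmem() {
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_STRICT_DEVMEM=y' "$cfg" && echo y || echo n
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_STRICT_DEVMEM=y' && echo y || echo n
    else
        echo unknown
    fi
}

# version_ge UNAME_R MAJOR MINOR : exit 0 if the kernel version is >= MAJOR.MINOR.
# "6.1.0-13-amd64" -> major 6, minor 1.
version_ge() {
    v=$(printf '%s' "$1" | cut -d- -f1)
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -d. -f2)
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# mem_interface_report : one line per known memory interface, present or absent.
# /dev/crash is the RHEL-family crash driver; /proc/kcore is what AVML reads.
mem_interface_report() {
    for p in /dev/mem /dev/kmem /proc/kcore /dev/crash /dev/shm "/boot/System.map-$(uname -r)"; do
        if [ -e "$p" ]; then echo "present $p"; else echo "absent  $p"; fi
    done
}

summary() {
    echo "kernel:               $(uname -r)"
    echo "lockdown:             $(kernel_lockdown_mode)"
    echo "CONFIG_STRICT_DEVMEM: $(strict_devmem)"
    mem_interface_report
    if version_ge "$(uname -r)" 5 13; then
        echo "note: /dev/kmem was removed in 5.13; plan on a kernel module (LiME) or /proc/kcore (AVML)"
    fi
    [ "$(kernel_lockdown_mode)" = "confidentiality" ] &&
        echo "note: lockdown=confidentiality forbids reading kernel memory; a module will not load unsigned"
    return 0
}
summary
```

Run it as the user who will perform the dump: a "present" entry only means the node exists, not that it is readable, and lockdown in confidentiality mode blocks even root.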
What Linux tool can be used to perform a memory dump?
LiME (Linux Memory Extractor), a loadable kernel module that dumps physical memory to a file or over TCP. It must be built against the target's exact kernel version.
What Microsoft tool can be used to perform a memory extraction on Linux?
AVML (Acquire Volatile Memory for Linux): a statically linked user-space tool that reads memory via /proc/kcore, /dev/crash or /dev/mem, so it needs no kernel module.