Linux Artifacts: /var/lib and /var/log Flashcards

1
Q

/var/lib and /var/log

A

In this lesson we’re going to cover two locations that may be of interest to forensic investigators: /var/lib and /var/log.

2
Q

Installed Software and Packaging

A

On Debian-based systems, we can find a very useful file at the following location: /var/lib/dpkg/status. This file holds an entry for every package dpkg knows about, including each package’s name, version and current state (the ‘Status’ line tells you whether a package is actually installed or has been removed with only its configuration files left behind), and it can be a gold mine if you’re looking to see what programs the user has installed on the system. Let’s take a copy of this file, move it to our desktop, open it in a text editor, and see what installed applications we can find!

3
Q

Installed Software and Packaging 2

A

In the GIF below you can see that we’ve opened the ‘status’ file and searched for a few different programs. We can see that this system has the following installed:

steghide
exiftool
nikto

If forensic investigators or incident responders are looking for specific packages, they can use the editor’s search function (CTRL + F) to find what they need.

Alternatively, we could process the file in a terminal: take every line that contains ‘Package’ (as we know these lines hold the package names) and save them to a text file, so we can review the list without the noise of all the other package details. The command for this would be:

cat status | grep Package > packages.txt

cat status reads the file and passes its contents to the next command.
grep Package keeps only the lines containing ‘Package’ (the match is case-sensitive).
> packages.txt writes the results to a text file called packages.txt instead of the screen.
