Operating System Forensics Flashcards
Windows O/S Forensics Methodology
- Collecting Volatile Information
- Collecting Non-Volatile Information
- Windows Memory Analysis
- Windows Registry Analysis
- Cache, Cookie & History Analysis
- Windows File Analysis
- Metadata Investigation
- Event Logs Analysis
What is the first volatile information you need to collect?
System time/date
The second piece of volatile information you collect is logged on users. What are the three tools you can use for this?
- PSloggedon
- LogonSessions -p
- net session
What are the three ways you can check for open files?
- net file
- psfile
- openfiles
What two commands can show you network information?
- nbtstat -c
- netstat -a | -r
What can show you the memory contents of processes?
a. tasklist /v
b. pslist -x
c. listdlls
d. handle
Process to port mapping
- netstat -o
- netstat -fport
Process Memory Tools
- process explorer
- pmdump
- userdump
Network Status Tools
- ipconfig
- promqry
- promisdetect
Print Spool Files
The temporary files can store print details such as owner, document, printer, print processor, format, number of copies printed, and the print method.
Print Spool Files Support what two data types?
RAW - .SPL file consists of the data to be printed
EMF - .SPL file consists of the metadata and can be printed on any printer
FSUTIL Object ID
Manages object identifiers, which are used by the Windows operating system to track objects such as files and directories.
FSUTIL Quota
Manages disk quotas on NTFS volumes to provide more precise control of network-based storage.
FSUTIL Disable LAST ACCESS UPDATE on files:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
Autoruns
a great tool for checking areas within the file system, such as scheduled tasks.
Microsoft Security IDs for users
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Event Logs-PSLogList
PsLogList allows logging in to remote systems in situations where the current set of security credentials would not permit access to the Event Log.
ESE Database
Windows 10 comes with Microsoft Edge as the default web browser. It uses the Extensible Storage Engine (ESE) database format to store browsing records, including history, cache, and cookies.
ESE Database Tables
Categorized as FileCleanup, Folder, ReadingList, RowId, MSysObjids, MSysObjects, FolderStash, MSysLocales, and MSysObjectsShadow. These tables contain information about all the applications stored on and accessed from the system. This information can act as evidence in case of criminal incidents.
ESE Database Path
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\xxxxx\DBStore\spartan.edb
Microsoft Edge cached Files
Edge cached files location:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC#!001\MicrosoftEdge\Cache\
Edge last active browsing session data location:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\
Edge stores history records, Cookies, HTTP POST request header packets and downloads in:
\Users\user_name\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
If the last browsing session was opened in InPrivate mode then the browser stores these records in:
\Users\user_name\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\{browsing-session-ID}.dat
DevCon Tool
Device Console (DevCon) is a command-line tool that displays detailed information about devices on computers running the Windows operating system. DevCon can be used to enable, disable, install, configure, and remove devices. It also performs device management functions on local and remote computers.
What can you do with Slack Space?
Hide Data
Virtual Memory
Virtual (or logical) memory is a concept that, when implemented by a computer and its OS, allows programmers to use a large range of memory addresses for stored data.
Virtual memory can be scanned to find out the hidden running processes.
Use X-Ways Forensics tool to scan virtual memory.
What is X-Ways Forensic Tool Used for?
Use X-Ways Forensics tool to scan virtual memory.
What is the DRIVESPY Tool used for?
Finding Drive Slack Space
Swap Space
The Linux operating system allocates a certain amount of storage space on a hard disk called swap space, which the OS uses as a virtual memory extension of the computer's real memory (RAM).
Hibernate Files / aka sleep modes. What are the two types of sleep modes?
Sleep Mode
Hibernate mode
Hibernate Mode
Completely writes the memory to a hiberfil.sys file on the HDD. The hiberfil.sys file is a crucial source of evidence, as it contains the information of all programs, applications, files, and processes that were in RAM at a given time.
Where can you see if hibernate mode was enabled?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power
Sleep Mode
keeps the system running in a low power state so that the user can quickly resume where he/she has paused working.
Where is the pagefile.sys file?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
What is the pagefile.sys?
A hidden file on the Windows operating system, which is used as virtual memory to expand the physical memory of a system. To increase RAM performance, the system moves the least used "pages" of memory into the pagefile.sys file, freeing RAM for the running applications.
Windows Search Index
supports indexing for over 200 common file types by maintaining a record of all the documents. It also allows the users to quickly access any document such as messages, calendar events, contacts, and media files.
Partition Logic
Partition Logic is a hard disk partitioning and data management tool. It can create, delete, erase, format, defragment, resize, copy, and move partitions and modify their attributes. It can copy entire hard disks from one to another.
Partition Find & Mount
Partition Find & Mount implements a new concept of deleted or lost partition recovery. It locates and mounts partitions into the system, thus making those lost partitions available. It will also work in case any Boot Record (including the Master Boot Record) is missing, damaged or overwritten.
Web Browser Cache
The web browser cache allows users to cache the contents of web pages locally, in order to speed future access to regularly visited sites. This is possible because the downloaded content remains on the hard drive until deleted. However, the data remains in the unallocated space of the hard drive even after deleting the cache.
ChromeCacheView
ChromeCacheView is a small utility that reads the cache folder of Google Chrome Web browser, and displays the list of all the files that are currently stored in the cache. For each cache file, the following information is displayed: URL, Content type, File size, Last accessed time, Expiration time, Server name, Server response, etc.
Cookies
Cookies are small packages of data made to track, validate, and maintain specific user information. Cookies may have an expiration date, after which the browser deletes them. The system can also delete cookies without an expiration date at the end of a user session. Users may also delete cookie data directly from the browser.
Temp Files
Programs and processes create temporary files when they cannot allocate enough memory for their tasks or when the program is working on a large set of data. In general, when a program terminates, the system deletes these temp files. However, some programs create temp files and leave them behind. These files contain information about system processes, which can be useful for gathering evidence in a forensic investigation.
Windows Thumbnail caches
Thumbcache Viewer
Thumbcache Viewer allows you to extract thumbnail images from the thumbcache_.db and iconcache_.db database files found on Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10. The program comes with both graphic user interface and command-line interface.
Windows Memory Analysis
Memory of a system refers to the storage space, where the system saves important data required for processing, such as application files, virtual memory, etc. This space contains files and metadata required for functioning of the in-built and external applications. Investigators can analyze this space to find the installed application, recent events, and other related data.
Memory Dump Files
Memory dump or crash dump is a storage space where the system stores a memory backup in case of a system failure (aka BSOD).
Dumpchk is a tool that can be used
Types of Memory dumps
Automatic
Complete
Kernel - created by default in the %systemroot% folder as a memory dump file whenever a machine has kernel faults.
Small- a 64 KB dump containing the stop code and a list of all the loaded drivers and parameters.
What is important about the EProcess Block Structure?
- PPEB_LDR_DATA (pointer to the loader data) structure that includes pointers or references to DLLs used by the process
- A pointer to the image base address, where the beginning of the executable image file can be found
- A pointer to the process parameters structure, which maintains the DLL path, the path to the executable image, and the command line used to launch the process
What tools can be used to view EProcess info?
Microsoft debug toolset or LiveKD
How do you parse memory?
Lsproc.pl
Lsproc (short for list processes) locates processes but not threads. It takes a single argument: the path and name of a RAM dump file.
Lspd.pl
Parsing Memory Contents
Lspd.pl is a Perl script that will allow the user to list the details of the process. Like the other tools, lspd.pl is a command-line Perl script that relies on the output of lsproc.pl to obtain its information. Specifically, lspd.pl takes two arguments: the path and name of the dump file and the offset from the lsproc.pl output of the process that the investigators are interested in.
Lspi.pl
Extracting the Process Image
Takes the same arguments as lspd.pl and lspm.pl. It locates the beginning of the executable image for the process. If the Image Base Address Offset leads to an executable image file, lspi.pl parses the values contained in the PE header to locate the pages that make up the rest of the executable image file.
Lspm.pl
Parsing Process Memory
Takes the same arguments as lspd.pl (the name and path of the dump file, and the physical offset within the file of the process structure), extracts the available pages from the dump file, and writes them to a file within the current working directory. To run lspm.pl against the ITPROtv.exe process, use the following command line:
Collecting/Dumping Process Memory
pmdump.exe - allows dumping the contents of process memory without stopping the process.
Process Dumper - It dumps the entire process space along with additional metadata and the process environment to the console (STDOUT), so that the output can be redirected to a file or a socket.
Userdump.exe - allows dumping of any process, without attaching a debugger and without terminating the process once the dump has been completed.
Powershell script to get basic details on memory for a process:
Get-Process | Sort-Object WorkingSet64 | Select-Object Name,@{Name='WorkingSet';Expression={$_.WorkingSet64}}  # Expression body assumed; the card is cut off after 'WorkingSet'
The Volatility Framework
A completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this area of research.
Five Windows Registry Root Folders
HKEY_CLASSES_ROOT - Config info for which application is used to open which file type
HKEY_CURRENT_USER - Current logged on user
HKEY_LOCAL_MACHINE - System Config Info
HKEY_USERS - All active loaded user profiles
HKEY_CURRENT_CONFIG - Hardware profile used during startup
HKEY_USERS
HKU
Each registry key under the HKU hive relates to a user on the computer and is named after the user's security identifier (SID). The registry keys and values under each SID control the user-specific mapped drives, installed printers, environment variables, and so on.
HKEY_CLASSES_ROOT
HKCR
A subkey of HKEY_LOCAL_MACHINE\Software.
It contains file extension association information as well as programmatic identifier (ProgID), Class ID (CLSID), and Interface ID (IID) data. This hive stores the information that ensures the correct program opens when the user opens a file through Windows Explorer.
HKEY_CURRENT_USER
HKCU
Contains the configuration information related to the currently logged-on user. This hive controls the user-level settings associated with the user profile, such as desktop wallpaper, screen colors, display settings, etc.
HKEY_CURRENT_CONFIG
HKCC
Stores information about the current hardware profile of the system.
The information stored under this hive explains the differences between the current hardware configuration and the standard configuration. HKEY_CURRENT_CONFIG is simply a pointer to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current registry key, which contains the information about the standard hardware configuration that is stored under the Software and System keys.
HKEY_LOCAL_MACHINE
HKLM
Contains most of the configuration information for installed software, including the Windows OS itself, and information about the physical state of the computer, including bus type, installed cards, memory type, startup control parameters, and device drivers.
Find the time when the system was last shut down in the following key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Windows\ShutdownTime
Registry Analysis
ProDiscover - a self-managed tool for the examination of the user’s hard disk security.
RegRipper - a flexible open source tool that facilitates registry analysis with ease. It contains pre-written Perl scripts for the purpose of fetching frequently needed information during an investigation involving a Windows box.
System Information
Basically, the system information is stored in the System and Software database files, and partially in the Security hive file. Information about the system users is stored in the Security Account Manager (SAM) database file. Each user's registry settings for their specific account are stored in the NTUSER.DAT registry file.
USB Devices in the Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
All Mounted devices in the Registry
HKEY_LOCAL_MACHINE\System\MountedDevices
When a user logs in to a system, certain registry keys are accessed and parsed so that listed applications can be run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Look for malware in registry locations
HKLM\SOFTWARE\Classes\exefile\shell\open\command
HKCR\exefile\shell\open\command
Screensaver registry key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Enumerating Auto-start Registry Locations w/ Process Monitor
Process Monitor - an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity. It monitors and records all activities performed against the Microsoft Windows Registry. It is compatible with Windows Vista and higher.
USB Removable Storage Devices
Plug and Play (PnP) Manager
USBDeview
What tool can you use to decrypt userassist key value names?
ROT-13 Encryptor & Decryptor. ROT-13 is basically a Caesar cipher.
MRU Lists are
Most Recently Used lists are lists of recently visited web pages, opened documents, etc., maintained by the Windows operating system in the Windows Registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Registry Restore Points
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
Startup Services and their Registry codes
2 = automatic
3 = manual (starts on demand for the service)
4 = disabled
User Startup Registry Folder Settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Firefox Cache Location
C:\Users\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\cache2
Firefox Cookies Location
C:\Users\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\cookies.sqlite
Firefox History Location
C:\Users\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\places.sqlite
Chrome History/Cookie Location
C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default
Chrome Cache Location
C:\Users\{user}\AppData\Local\Google\Chrome\User Data\Default\Cache
IE Cache, Cookie, and History Location
C:\Users\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
Edge Cache Location
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache
Edge Cookie Location
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies
Edge History Location
C:\Users\Admin\AppData\Local\Microsoft\Windows\History
Firefox Analysis Tools
MZCacheView
MZCookiesView
MZHistoryView
Google Chrome Analysis Tools
ChromeCacheView
ChromeCookiesView
ChromeHistoryView
IE Analysis Tools
IECacheView
IECookiesView
BrowsingHistoryView
System Restore Points are
Rp.log Files
- Includes value indicating the type of the restore point; a descriptive name for the restore point creation event, and the 64-bit FILETIME object indicating when the restore point was created
- Description of the restore point can be useful for information regarding the installation or removal of an application
Prefetch Files
- Once the data is processed, it is written to a .pf file in the Windows\Prefetch directory
- DWORD value at the offset 144 within the file corresponds to the number of times the application is launched
- DWORD value at the offset 120 within the file corresponds to the last time of the application run, this value is stored in UTC format
- Information from .pf file can be correlated with Registry or Event Log information to determine who was logged on to the system, who was running which applications, etc.
Prefetching Registry Key is?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Control\Session Manager\Memory Management\PrefetchParameters
Prefetching Number codes
0: Prefetching is disabled
1: Application prefetching is enabled
2: Boot prefetching is enabled
3: Both application and boot prefetching are enabled
What can metadata tell us?
It is important to collect the data, as it provides information about:
Hidden data about the document
Who tried to hide, delete, or obscure the data
Correlated documents from different sources
What are the three types of metadata?
Descriptive
Structural
Administrative
What are MAC Times?
MAC = modified, accessed, and created
The MAC times are timestamps that refer to the time at which the file was last modified in some way (data was either added to the file or removed from it), the time when it was last accessed (when the file was last opened), and when the file was originally created.
What is UTC?
Coordinated Universal Time
MAC Times within a FAT16 File System
Copy myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.
Move myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification and creation dates.
Copy myfile.txt from a FAT16 partition to an NTFS partition – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.
Move myfile.txt from a FAT16 partition to an NTFS partition – Myfile.txt keeps the same modification and creation dates
MAC Times within a NTFS File System
Copy myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification date, but the creation date is updated to the current date and time.
Move myfile.txt from C:\ to C:\subdir – Myfile.txt keeps the same modification and creation dates.
PDF Metadata
Portable Document Format (PDF) files can contain metadata such as the name of the author, the date the file was created, and the application used to create it. The metadata can show, for example, that the PDF file was created on a Mac or by converting a Word document to PDF format. The pdfmeta.pl and pdfdmp.pl scripts can be used to extract metadata from PDF files. Another way to retrieve metadata is to open the file in Adobe Reader and click File > Properties. The Description tab of the Properties dialog box contains all the available metadata.
Metadata Analysis Tool
Metashield Analyzer
Event Log File Format
Fixed Size Header (ELF_LOGFILE_HEADER)
Variable number of event records
End of file record (ELF_EOF_RECORD)
How are Event Records Organized?
Non-Wrapping
Wrapping
Non-Wrapping
In non-wrapping event record organization, the oldest record exists after event log header and the new record is placed last. This method is implemented for maximum log sizes. This size depends on the configured size value or number of system resources. Wrapping method is applied when the log size limit is crossed.
Wrapping
In wrapping event record organization, the oldest record is 102 instead of 1. The oldest record and ELF_EOF_RECORD have some empty space between them, in order to make room for new records. The event log file size has a limit, and when the file exceeds this size the records are wrapped. When wrapping begins, the last record of the file will be divided into two
Five types of events
Error: It denotes an issue or problem like data loss
Warning: It is an indication of a future occurrence of an error
Information: This event gives details of the occurrence of a successful operation
Success Audit: This event records a successful audited security access attempt
Failure Audit: This event records a failed audited security access attempt
Wevtutil Command
The wevtutil command can be used to retrieve information about event logs and publishers that is not readily apparent via the Event Viewer user interface.
How are Win 10 logs saved?
.xml format
System Logs contain
Changes to the OS
Changes to hardware configuration
Device Driver installation
Starting and Stopping of services
EnCase
Can be used to parse windows event logs by means of an EnScript. Investigators often opt to use EnCase for examining log traffic.
Windows Forensic Tools
OS Forensics - information gathering software, which extracts forensic data from computers and uncovers everything hidden inside a PC
Belkasoft Evidence Center - search, analyze, and store digital evidence found in Instant Messenger histories, Internet browser histories, and Outlook mailboxes.
RegScanner - scans the registry
MultiMon - displays highly detailed output of a very wide range of system activities in real time.
Process Explorer - shows the information about which handles and DLLs processes have been opened or loaded.
Security Task Manager - detects unknown malware and rootkits hidden from anti-virus software.
Proc Heap Viewer - enumerates process heaps on Windows
Memory Viewer - View your system memory configuration
Word Extractor - converts binary files to text files
Belkasoft Browser Analyzer - Allows you to search and analyze various internet browser histories
Metadata Assistant - analyzes Word/Excel/PowerPoint (2000 and higher) files to determine the type and amount of metadata (hidden information) that exists within
HstEx - Windows-based, advanced professional forensic data recovery solution designed to recover browser artifacts and Internet history from a number of different source evidence types.
XpoLog Log Management - turns your Data into actionable insights, with in-depth analytics.
Event Log Explorer - a software solution for viewing, monitoring, and analyzing events recorded in security, system, application, and other logs of Microsoft Windows operating systems.
LogMeister - monitors virtually any log your systems and applications can generate, including event logs, text logs and RSS.
System Explorer - is free software for exploration and management of system internals.
Helix3 Pro - is the cyber security solution providing incident response, computer forensics and e-discovery
ThumbsDisplay - is a tool for examining and reporting on the contents of Thumbs.db files used by Windows.
Registry Viewer - allows you to view the contents of Windows operating system registries. Unlike the Windows Registry Editor, which displays only the current system’s registry, Registry Viewer lets you view registry files from any Windows system.
Windows Forensic Toolchest (WFT) - is designed to provide a structured and repeatable automated live forensic response, incident response, or audit on a Windows system while collecting security-relevant information from the system. WFT is essentially a forensically enhanced batch processing shell, capable of running other security tools and producing HTML-based reports in a forensically sound manner.
IIS Logs
Managed through the IIS Console
DHCP Server Logs
%WinDir%\System32\LogFiles\MSFTPSVC1\exyymmdd.log
Windows Firewall Logs
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
dmesg
Display Message or Driver Message
The command displays the kernel ring buffer, which contains information about the drivers loaded into the kernel during the boot process and the error messages produced while loading them. These messages are helpful in resolving device driver issues.
fsck
File System Consistency Check
stat
displays file or file system status
history
Lists the bash shell commands used; helps the user with auditing.
mount
mounts a file system or device to the directory structure.
grep
Searches for presence of text or an expression or pattern in files
Linux Log Locations
/var/log/auth.log - System authorization information, including user logins and authentication mechanism
/var/log/kern.log - Initialization of kernels, kernel errors or informational messages sent from kernel
/var/log/faillog - Failed user login attempts
/var/log/lpr.log - Stores printer logs
/var/log/mail.* - All mail server message logs
/var/log/mysql.* - MySQL server logs
/var/log/apache2/* - Apache web server logs
/var/log/apport.log - Application crash report / log
/var/log/lighttpd/* - Lighttpd web server log files directory
/var/log/daemon.log - Running services such as squid, ntpd, etc.
/var/log/debug - Debugging log messages
/var/log/dpkg.log - Package installation or removal logs
netstat for collecting volatile data
In a web based attack the investigator primarily focuses on network related logs. Investigators use the command netstat to view the network logs. The command collects and displays the information about the network connections, routing tables, network interfaces and network protocol stats.
last -F for collecting volatile data
The command last -F displays the activities of each user in detail, such as the number of login and logout attempts along with dates of the system.
hostname command
displays the hostname of the system
ifconfig -a
Used to view the configuration of all network interfaces on the system, both up and down.
lsof
Short for list open files. The command is used to list all open files and the active processes that opened them.
lsmod
displays information about the loaded modules
xclip
Command-line interface enabling users to interact directly with the X clipboard instead of using a mouse to copy and paste. To print the contents of the clipboard, use xclip -o.
aureport
Used to produce summary reports of the audit system logs.
id
determines the specified user ID and the group information for a specified user.
readelf
Short for "Read Executable and Linking Format". The command is used to analyze the file headers and sections of ELF files.
cron process
Often used for scheduling tasks (backdoors) to run at specific points of time.
Investigators collect the contents of /var/spool/cron/ and /etc/cron.daily to identify the presence of scheduled tasks on a compromised system.
.bash_history
The .bash_history file stores the command history. This file helps the investigator analyze the commands used in the terminal by the malicious user.
/proc
The /proc/ directory is also known as the proc file system. The directory consists of a hierarchy of special files that represent the current state of the kernel. Investigators can find information about the system's hardware and the processes running on it. The proc file system acts as an interface to the internal data structures within the kernel.
ps
Short for “process status” and used to view the list of processes running in the system.
arp
Short for Address Resolution Protocol. Used to clear, add to, or extract the kernel's ARP cache.
ss -l -p -n | grep
Used to check if a particular process running on the system is suspicious.
cat /proc/sys/kernel/domainname command
Run cat /proc/sys/kernel/domainname command to know the domain name
cat /proc/swaps command
Run cat /proc/swaps command to see total and used swap size
cat /proc/partitions command
Run cat /proc/partitions command to see the list of disk partitions
cat /proc/cpuinfo command
Run cat /proc/cpuinfo command to see details about the CPU on a machine
cat /proc/self/mounts Command
Run cat /proc/self/mounts to view the mount points and mounted external devices
cat /proc/uptime command
Run cat /proc/uptime to measure the computer's uptime
swapon -s
View the swap space
Find the Linux system version
Identify the system version by viewing the SystemVersion.plist file located at
/System/Library/CoreServices/SystemVersion.plist
Find the Linux Timestamp
Provides important info such as the creation, access, and modification times of any file. Use the stat command to see the timestamps of any file.
Usage: stat [-FlLnqrsx] [-f format] [-t timefmt] [file …]
MAC Forensic Tools
OS X Auditor - Mac Forensics Tool
MacForensicLab
Macintosh Forensic Software
Memoryze for the Mac
Mac Marshal
F-Response
Mac OS X Memory Analysis Toolkit
Volatility 2.5
Avast Free Mac Security
OS X Rootkit Hunter for Mac