SANS Digital Forensics and Incident Response Blog

Solaris Forensics: Part 1


Welcome to the first of a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say, I will not be going over Solaris administration, but rather how things work in Solaris. Our first few steps involve:

  • How the filesystem is laid out (i.e. what kinds of files are in the main directories),
  • A brief discussion on reading ls output as this sets up for:
    • How permissions work
    • What users and groups are
    • Soft and hard links
    • Link counts
    • Basic file types (regular files, directories, links, character devices, and block devices)
  • Breakdown on Solaris slices (partitions)
  • Imaging Solaris drives remotely
  • More stuff to follow :)

I think it is important to understand the basics of how Solaris functions, or any OS for that matter, in order to know where to start looking for the forensic evidence. This way you can quickly assess what needs to be captured during an incident and then move into your analysis for the post-mortem.

For the Windows folks, one of the things I would recommend is picking up one of the O'Reilly In A Nutshell books, either the Linux or the UNIX one. These books are great references on what the commands do, their arguments (and what they do), the syntax of the commands, and information on the shells. If you're really interested in Linux, then get that book, as the commands and syntax are pretty much the same for Solaris.


First, before we can even start talking about forensics on Solaris machines, we need to go over how the filesystem is laid out. The Solaris filesystem is like most Linux/Unix filesystems in that we have the traditional root directory and basic OS directories. It looks like this:

/ (Root) — For Linux/UNIX filesystems, this is the lowest level in the filesystem. For the Windows folks, think of this as the C:\ drive. Thinking of it as C:\ is not really the correct way to picture it, but it will help you to paint the picture in your mind as we go through the rest of the filesystem.

Everything in the filesystem starts off with the / (Root) directory. A couple of definitions are required for the Windows folks. An absolute path is one that starts with a / followed by the rest of the directory path. For example, /bin means that I am referencing the bin directory starting from the beginning of the filesystem (/ Root). A relative path is one that starts from the current working directory and references another file or directory relative to it. So if my current working directory was /home/user1 and I referenced a directory called Documents, it would look like ./Documents. There will be more examples of relative paths to come throughout the articles.

Below is a short list of some of the default directories that are found on a Solaris system. Notice that I am referencing everything with absolute paths.

Directory     Contents
/bin          System binaries
/dev          Device files
/dev/dsk      Block disk devices; not to be used for imaging
/dev/rdsk     Raw disk devices; used to image devices
/devices      Physical device files
/etc          Configuration files
/export       Filesystems shared out via NFS, or may contain mounts of drives (depends on the admin)
/home         Users' home directories
/kernel       Kernel loadable modules that are required during the boot process
/mnt          The default mount point for temporary mounts
/net          The default location for mounts made by the automounter
/opt          3rd-party software
/platform     Platform-specific modules that are required for boot
/proc         The root subtree for the processes
/sbin         System administration binaries
/system       Mount point for the CTFS and OBJFS file systems
/tmp          Temporary files created by the OS and users
/usr          Contains system binaries and administration binaries
/var          Contains the spooling files and, more importantly, the log files
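As an added example (not code from the original post), here is a small Python pre-flight check that enforces the /dev/dsk versus /dev/rdsk distinction from the list above: it parses the Solaris cXtYdZsN device name (the t component is absent on some IDE/ATA controllers), rewrites a block-device path to its raw counterpart, and, where the path actually exists on the host, confirms it is a character device before you point dd at it. The function names and the naming-convention regex are my own assumptions.

```python
import os
import re
import stat

# Solaris disk device names: c<controller>t<target>d<disk>s<slice>.
# The t<target> component is absent on some IDE/ATA controllers (e.g. c0d0s0).
_DEVNAME = re.compile(
    r"^c(?P<controller>\d+)(?:t(?P<target>\d+))?d(?P<disk>\d+)s(?P<slice>\d+)$"
)


def parse_device_name(name):
    """Split a cXtYdZsN device name into its components; None if not a disk name."""
    m = _DEVNAME.match(name)
    if not m:
        return None
    return {k: (int(v) if v is not None else None) for k, v in m.groupdict().items()}


def raw_device_for(path):
    """Map a /dev/dsk or /dev/rdsk path to the /dev/rdsk path to image from.

    Returns None when the path is not a Solaris disk device path at all.
    """
    directory, name = os.path.split(os.path.normpath(path))
    if directory not in ("/dev/dsk", "/dev/rdsk") or parse_device_name(name) is None:
        return None
    return os.path.join("/dev/rdsk", name)


def check_imaging_target(path):
    """Return (ok, message) for a proposed imaging source.

    The naming checks are pure string logic. The device-type check only runs when
    the path exists on this host (it will on a live Solaris box, not elsewhere);
    os.stat follows the /dev/rdsk symlink into /devices, which is what we want.
    """
    norm = os.path.normpath(path)
    raw = raw_device_for(norm)
    if raw is None:
        return False, "%s is not a /dev/dsk or /dev/rdsk disk device" % path
    if raw != norm:
        return False, "use the raw device %s instead of the block device %s" % (raw, norm)
    if os.path.exists(raw) and not stat.S_ISCHR(os.stat(raw).st_mode):
        return False, "%s exists but is not a character device" % raw
    return True, "%s is a raw disk device suitable for imaging" % raw
```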


Keven Murphy, GCFA Gold #24, is the Senior Forensics/Incident Handler for General Dynamics Land Systems.


Posted July 2, 2012 at 11:20 AM

taurean dennis

Hey everyone,
If you need to image a non-x86 Sun server, what is the best tool and approach? The server is RAIDed. Would imaging each disk in the RAID and then reconstructing with something like RAID Reconstructor be a good approach?