SANS Digital Forensics and Incident Response Blog: Author - craigswright

Understanding *NIX File Linking (ln)

The "ln" command is an important tool in any Unix admin's arsenal and attackers use it too, so it is essential that forensics analysts understand it. It is used to do one of the following:

  1. Create a link to a target file with a selected name.
  2. Create a link to a target file in the current directory.
  3. Create links to each target in a directory.

The "ln" command produces hard links by default. Symbolic links are created with the "--symbolic" option set (or "-s"). In order to create a hard link, the target file has to exist. The primary formats of the commands are:

  • ln [OPTION]... [-T]
  • ln [OPTION]...
  • ln [OPTION]... -t

Some malicious uses of ln are in hiding files, though perhaps not very well, and creating subterfuge by wrapping legitimate programs. The "ln" command need not

... Continue reading Understanding *NIX File Linking (ln)

Unix System Accounting and Process Accounting

Accounting reports created by the system accounting service present the *NIX administrator with the information to assess current resource assignments, set resource limits and quotas, and predict future resource requirements. This information is also valuable to the forensic analyst and allows for the monitoring of system resourcing. This data can be a means of finding what processes and resources have been used and by which user.

When system accounting has been enabled on a *NIX system, the collection of statistical data will begin when the system starts, or at least from the moment that the accounting service is initiated. The standard data collected by system accounting will include the following categories:

  • Connect session statistics
  • Disk space utilization
  • Printer use
  • Process use

The accounting system process starts with the collection of statistical data from which summary reports

... Continue reading Unix System Accounting and Process Accounting

Finer Points of Find

The *NIX "find" command is probably one of the system security tester's best friends on any *NIX system. This command allows the system security tester or digital forensic analyst to process a set of files and/or directories in a file subtree. In particular, the command has the capability to search based on the following parameters:

  • where to search (which pathname and the subtree)
  • what category of file to search for (use "-type" to select directories, data files, links)
  • how to process the files (use "-exec" to run a process against a selected file)
  • the name of the file(s) (the "-name" parameter)
  • perform logical operations on selections (the "-o" and "-a" parameters)

One of the key problems associated with the "find" command is that it can be difficult to use. Many experienced professionals with years of hands-on experience on *NIX systems still find this command to be tricky. Adding

... Continue reading Finer Points of Find

Finding out about other users on a Linux system

These commands are used to find out about other users on a *NIX host. When testing the security of a system covertly (such as when engaged in a penetration test) it is best to stop running commands when the system administrator is watching. These commands may also be useful for digital forensics investigators and incident response personnel.


The "w" command displays any user logged into the host and their activity. This is used to determine if a user is "idle" or if they are actively monitoring the system.


The "who" command is used to find both which users are logged into the host as well as to display their source address and how they are accessing the host. The command will display if a user is logged into a local tty (more on this later) or is connecting over a remote network connection.


The "finger" command is rarely used these days (but does come up from

... Continue reading Finding out about other users on a Linux system

Unix Network and System profiling

It is essential to identify network services running on a UNIX host as a part of any review. To do this, the reviewer needs to understand the relationship between active network services and local services running on the host, and be able to identify network behavior that occurs as a result of this interaction. There are a number of tools available for any UNIX system that the reviewer needs to be familiar with.


Netstat lists all active connections as well as the ports where processes are listening for connections. The command "netstat -p -a --inet" (or the equivalent on other UNIXes) will print a listing of this information. Not all UNIX versions support the "-p" option for netstat. In this case other tools may be used.


The "lsof" command allows the reviewer to list all open files where "An open file may be a regular file, a directory, a block special file, a character

... Continue reading Unix Network and System profiling