SANS Digital Forensics and Incident Response Blog: Category - Computer Forensics

Finding out about other users on a Linux system

These commands are used to find out about other users on a *NIX host. When testing the security of a system covertly (such as when engaged in a penetration test) it is best to stop running commands when the system administrator is watching. These commands may also be useful for digital forensics investigators and incident response personnel.


The 'w' command displays any user logged into the host and their activity. This is used to determine if a user is 'idle' or if they are actively monitoring the system.


The 'who' command is used to find which users are logged into the host, as well as to display their source address and how they are accessing the host. The command will display whether a user is logged into a local tty (more on this later) or is connecting over a remote network connection.


The 'finger' command is rarely used these days (but does come up from

... Continue reading Finding out about other users on a Linux system

The Chain of Custody for 2010-03-14 - Weekly Tweets

Unix Network and System profiling

It is essential to identify network services running on a UNIX host as a part of any review. To do this, the reviewer needs to understand the relationship between active network services and local services running on the host, and be able to identify network behavior that occurs as a result of this interaction. There are a number of tools available for any UNIX system that the reviewer needs to be familiar with.


Netstat lists all active connections as well as the ports where processes are listening for connections. The command "netstat -p -a --inet" (or the equivalent on other UNIX variants) will print a listing of this information. Not all UNIX versions support the "-p" option for netstat. In this case other tools may be used.


The command, "lsof" allows the reviewer to list all open files where "An open file may be a regular file, a directory, a block special file, a character

... Continue reading Unix Network and System profiling

Digital Forensics Case Leads: From Cellebrite to celebrities

This week we have news of threats posted on social networks that closed some schools in the US, the takedown of an ISP spreading malware and Mandiant's State of the Hack Webinar. For your reading pleasure there are the SANS Forensic Whitepapers along with posts by Joe Garcia and Lance Mueller. In the tools section some updated EnScripts, and one of our own posts on building an incident response disk, and more.


Good Reads:


Unix Logging

There is a wide variety of logging functions and services on UNIX. Some of these, such as the Solaris audit facility, are limited to a particular variety of UNIX. It is important that the digital forensics analyst become familiar with the logging deployed on the UNIX system that they are reviewing. In particular, have a look at the syslog configuration file and the "/var/log" and "/var/run" directories, and check if there are any remote log servers. Syslog is a network service that is most commonly run locally. Being a network service, it provides the capability of sending logs to a remote system.

Syslog and Other Standard Logs

There are five primary log files that will exist on nearly any UNIX system (the location may vary slightly). These have been listed in the table below.

The 5 primary Unix Log files

  • /var/log/btmp: btmp contains the failed login history
  • /var/log/messages

... Continue reading Unix Logging