SANS Digital Forensics and Incident Response Blog: Category - Linux IR

Digital Forensics Case Leads: Spies, Social Networking Experiments, Live CDs & More

This "007" edition of Case Leads (20100708) features Russian spies, a mini-write blocker that would make Q proud, an experiment in social networking, Live CDs for Windows and Linux and an online journal on small digital device forensics.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to


Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

Logicube releases new forensics gear, Didier Stevens discovers a new way to do interesting things with a PDF and a cooperative user, and Passware provides a means to defeat TrueCrypt.

Logicube has released two devices which look interesting. The MPFS (Massive Portable Forensic Storage) provides up to 8TB of storage capacity for acquiring multiple images. The device may be attached to a forensic analyst's workstation via FireWire, USB, or eSATA. The unit is compatible with Logicube's Dossier imager and with Logicube's second new device, the NETConnect, which, as the name suggests, allows network access to forensic images. Based on the description, NETConnect is essentially a file server which enables multiple investigators to access forensic images as soon as they are acquired. The device supports Windows, Mac, and Linux and includes support for CIFS and NFS. (I've not had the opportunity to test either device but if Logicube or anyone else wants to send me a set, I will be

... Continue reading Digital Forensics Case Leads: New Gear, New PDFs Abuse, and Defeating TrueCrypt

Finding out about other users on a Linux system

These commands are used to find out about other users on a *NIX host. When testing the security of a system covertly (such as during a penetration test) it is best to stop running commands while a system administrator is logged in and active, since anything you run may show up in their process listing or shell history. The same commands are useful to digital forensics investigators and incident response personnel who need to know who was on a host and where they came from.


The 'w' command displays every user logged into the host together with the command each one is currently running. It is used to determine whether a user is idle (the IDLE column shows how long since their terminal last saw input) or is actively working on, and possibly monitoring, the system.


The 'who' command is used to find which users are logged into the host, the source address each one connected from, and how they are accessing the host. The command will show whether a user is on a local tty (more on this later) or is connecting over a remote network connection, which appears as a pts line with the originating host in parentheses. Both 'w' and 'who' read the utmp login database rather than inspecting processes, so on a compromised host their output can be edited by an intruder; corroborate it with 'ps' and with the current network connections.


The 'finger' command is rarely used these days (but does come up from

... Continue reading Finding out about other users on a Linux system
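The two questions the commands above answer (who is on the box from the network, and who is active right now) can be scripted so that they are asked consistently before each step. The following is an added example, not code from the SANS post; it parses `who -u` style output, which adds an idle column to the plain `who` listing. The session lines embedded below are constructed sample data chosen to exercise the local, remote, idle and active cases; on a real host feed the functions with `who -u` itself.

```sh
#!/bin/sh
# Added example (not from the original post). Parses `who -u` output to find
# remote sessions and users who are active right now. The sample is CONSTRUCTED
# to look like `who -u`; replace it with the live command in practice, e.g.
#   who -u | remote_sessions
#   who -u | active_users
# `who -u` columns: user, line, date, time, idle, pid, and an optional (host).
# The idle column is "." when the terminal saw input within the last minute,
# "old" when it has been idle more than a day, and HH:MM otherwise.
SAMPLE_WHO_U='root     tty1         2010-07-08 09:12 00:32       1001
alice    pts/0        2010-07-08 09:15   .          1234 (10.0.0.5)
bob      pts/1        2010-07-08 10:02 old         1300 (:0.0)
carol    pts/2        2010-07-08 10:40   .          1422 (192.168.1.9)'

# remote_sessions: print "user host" for every session whose last field is a
# parenthesised origin. Local X displays such as (:0.0) are not network
# logins and are skipped.
remote_sessions() {
    awk '$NF ~ /^\(.*\)$/ {
            host = substr($NF, 2, length($NF) - 2)
            if (host !~ /^:/) print $1, host
         }'
}

# active_users: print users whose idle column is ".", i.e. they typed something
# within the last minute. These are the people who may be watching the host.
active_users() {
    awk '$5 == "." { print $1 }'
}

# user_active USER: read `who -u` output on stdin; succeed (exit 0) if USER is
# among the active users. Use it as a guard before running anything noisy.
user_active() {
    active_users | grep -qx "$1"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_WHO_U" | remote_sessions
if printf '%s\n' "$SAMPLE_WHO_U" | user_active root; then
    echo "root is active: hold off"
else
    echo "root is not active"
fi
```

Note that `who -u` reports idle time for the terminal, not for the user: an administrator running `tail -f` on a log in one window shows as idle there while watching the system closely, so treat a "." as a reason to stop and its absence only as a weak signal.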

Unix Network and System profiling

It is essential to identify the network services running on a UNIX host as part of any review. To do this, the reviewer needs to understand the relationship between active network services and the local processes that own them, and to be able to recognise the network behaviour that results from this interaction. There are a number of tools available on any UNIX system with which the reviewer needs to be familiar.


Netstat lists all active connections as well as the ports on which processes are listening for connections. On Linux the command "netstat -p -a --inet" (or the equivalent on other UNIX variants) prints this listing together with the PID and program name owning each socket; note that the double dash in "--inet" matters, since "-inet" with a single dash is parsed as the separate short options -i, -n, -e and -t. The "-p" option must be run as root to see the owner of every socket; otherwise the PID/Program column shows "-" for sockets belonging to other users. Not all UNIX versions support "-p" with this meaning: on the BSDs "-p" selects a protocol instead, and "sockstat" (FreeBSD) or "lsof -i" are used to map sockets to processes. On current Linux systems "ss -tulpn" gives the same information as netstat.


The command "lsof" allows the reviewer to list all open files, where "An open file may be a regular file, a directory, a block special file, a character

... Continue reading Unix Network and System profiling
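The netstat paragraph above is really about tying each listening socket back to a local process. The following added example (not code from the SANS post) does that over `netstat -p -a --inet` style output: it extracts the listeners, singles out those bound to every interface and therefore reachable from the network, flags listeners whose owner netstat could not resolve, and produces the PID list to cross-check against `ps` and `/proc`. The netstat lines embedded below are constructed sample data; on a real host pipe the live command into the functions instead.

```sh
#!/bin/sh
# Added example (not from the original post). The sample below is CONSTRUCTED
# to look like Linux `netstat -p -a --inet` output run as root. Replace it with
# the live command in practice, e.g.
#   netstat -p -a --inet | exposed_listeners
# Columns: proto, recv-q, send-q, local addr, foreign addr, state, pid/program.
# UDP lines carry no state column, so pid/program is field 6 rather than 7.
# A lone "-" in the pid/program column means netstat could not read the owner.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1104/master
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      1200/apache2
tcp        0      0 10.0.0.7:22             10.0.0.5:51234          ESTABLISHED 1410/sshd: alice
udp        0      0 0.0.0.0:68              0.0.0.0:*                           887/dhclient'

# listeners: print "proto local_address pid/program" for every listening
# socket. TCP sockets must be in LISTEN state; every UDP socket is a listener.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $7 }
         $1 ~ /^udp/ && NF >= 6        { print $1, $4, $6 }'
}

# exposed_listeners: listeners bound to all interfaces (0.0.0.0, :: or *),
# i.e. the services a remote host can actually reach. Loopback-only services
# such as 127.0.0.1:25 are dropped.
exposed_listeners() {
    listeners | awk '$2 ~ /^(0\.0\.0\.0|::|\*):/'
}

# unowned_listeners: listeners whose owning process netstat could not resolve.
# Either rerun as root, or the socket is held by something worth a closer look.
unowned_listeners() {
    listeners | awk '$3 == "-"'
}

# listener_pids: sorted unique PIDs owning listening sockets, ready for
#   for p in $(netstat -p -a --inet | listener_pids); do ls -l /proc/$p/exe; done
# which ties each network service to the binary actually running it.
listener_pids() {
    listeners | awk '{ split($3, a, "/"); if (a[1] ~ /^[0-9]+$/) print a[1] }' | sort -u -n
}

# Stand-alone demonstration on the constructed sample.
echo "== reachable from the network =="
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "== owner unknown =="
printf '%s\n' "$SAMPLE_NETSTAT" | unowned_listeners
echo "== PIDs to cross-check with ps and /proc =="
printf '%s\n' "$SAMPLE_NETSTAT" | listener_pids | tr '\n' ' '; echo
```

The PID list is the hand-off between network and process profiling: a listener whose PID maps to a binary in an unexpected location, or whose name in `ps` does not match the program name netstat printed, is exactly the kind of mismatch the review is looking for.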

Learn To Investigate Data Breach Incidents

Computer forensic training is becoming more critical to your organization's incident response plan because of the threats now being discovered. Organizations will increasingly find that they need a team of trained incident responders and computer forensic analysts. Your organization needs to be prepared to handle sophisticated incidents and organized groups that can easily walk around your perimeter defenses.

Here are just a few headlines from the last year that illustrate the current threat to many networks.

MSNBC: "Report: Obama helicopter security breached. Pa company says blueprints for Marine One found at Iran IP address"

Wall Street Journal: "Computer Spies Breach Fighter-Jet Project"