Linux Investigations

Linux Artefacts

• /etc/passwd and /etc/shadow

• Used to keep track of every user who has access to the system.

• /passwd contains information about accounts

• /shadow contains information about passwords

• John the ripper can be used to decrypt password hashed in the shadow file.

• John <file> --wordlist=rockyou.txt

/Var/Lib /Var/Log

• On debian, if you go to /var/lib/dpkg/status, it lists all software packaged which are installed on the system

User Files

Bash History

• The .bash_history file is located in a user's home directory

• Reading the bash history file and using the history command could have the same output. However the history command can be cleared but this does not clear the bash history file.

Hidden Files

Files starting with a . are hidden from viewing.

These can be viewer by using ls -la

Clear files

These are files which can be viewed normally.

Steganography

This is hiding text or data within other types of data

Hiding Zip files within images

• Using the command: cat <image> <Secret zip file> > <image2>

• This will hide the zip inside the first image and output a new image

• To get this secret file out, simply unzip the image, which the secret file is hidden in

Steghide

• Steghide can do the exact same thing as the thing above. However, its password protects the file we are hiding data inside of.

• Steghide embed -cf image.jpg -ef secretmessage

• To extract this sata you use: steghide extract -sf image.jpg

Hiding strings in metadata

• Exiftool can be used to hide information in metadata

• Exiftool -comment=image.jpg

• View This by using: exiftool <file>