Forensics Hints
Last updated
Incident Response Collector on GitHub
Locally, these places can contain interesting material:
- `/var/spool/cron` for user-specified cron jobs. This could be useful, as there is a lot scheduled there; sometimes these hide real gems.
- `/etc/cron.*`, of course, too.
- `/etc/hosts`, just in case of any unexpected modifications to DNS resolution.
- `/etc/passwd` and `/etc/group`, in case we suspect unexpected users or groups present on the system. These are good to acquire anyway, for possible further correlation.
- The `/var/log` folder and the data there, of course.
- `last` and `last -f /var/log/btmp` information. These contain data about interactive logons and failed (interactive) logons.
- A `ps -aux` report, or something similar.
- `netstat -lntp` or some other form which will list established and listening sockets.
- `modprobe` and all the loaded modules (`lsmod`).
/etc/shadow example
- Username: your login name.
- Password: your encrypted (hashed) password. The password should be a minimum of 8-12 characters, including special characters, digits, lower-case letters and more. Usually the password field has the format $id$salt$hashed, where $id identifies the algorithm used on GNU/Linux as follows:
  - $1$ is MD5
  - $2a$ is Blowfish
  - $2y$ is Blowfish
  - $5$ is SHA-256
  - $6$ is SHA-512
- Last password change (lastchanged): days since Jan 1, 1970 on which the password was last changed.
- Minimum: the minimum number of days required between password changes, i.e. the number of days left before the user is allowed to change his/her password.
- Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password).
- Warn: the number of days before the password is to expire on which the user is warned that his/her password must be changed.
- Inactive: the number of days after the password expires on which the account is disabled.
- Expire: days since Jan 1, 1970 on which the account is disabled, i.e. an absolute date specifying when the login may no longer be used.
- ! or * in the password field indicates that the user will not be able to use a Unix/Linux password to log in. In other words, user login will be disabled.
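To make the field layout above concrete, here is an added example (not from the original page) that parses /etc/shadow records into the fields described, decodes the $id$ into the algorithm name, flags locked accounts and converts the day counters into calendar dates. The sample records are constructed and the hashes are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)
# $id$ values named on this page; anything else is reported as unknown
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

@dataclass
class ShadowEntry:
    username: str
    algorithm: Optional[str]  # None unless the field has the $id$salt$hashed form
    locked: bool              # "!" or "*" prefix: no Unix password login possible
    last_changed: Optional[date]
    minimum: Optional[int]
    maximum: Optional[int]
    warn: Optional[int]
    inactive: Optional[int]
    expire: Optional[date]

def _days(field: str) -> Optional[int]:
    return int(field) if field.strip() else None

def _to_date(field: str) -> Optional[date]:
    d = _days(field)
    return EPOCH + timedelta(days=d) if d is not None else None

def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError(f"{f[0]!r}: expected at least 8 ':'-separated fields, got {len(f)}")
    pw = f[1]
    locked = pw.startswith(("!", "*"))
    parts = pw.lstrip("!").split("$")  # "!$6$..." is a locked account that still keeps its hash
    algorithm = None
    if len(parts) >= 4 and parts[0] == "":
        algorithm = HASH_IDS.get(parts[1], f"unknown ${parts[1]}$")
    return ShadowEntry(f[0], algorithm, locked, _to_date(f[2]), _days(f[3]),
                       _days(f[4]), _days(f[5]), _days(f[6]), _to_date(f[7]))

def parse_shadow(text: str) -> List[ShadowEntry]:
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]

# Constructed sample records (not from a real system); hash values are placeholders
SAMPLE = """root:$6$salt$hashvalue:19000:0:99999:7:::
sync:*:18000:0:99999:7:::
bob:!$1$xx$yy:19000:0:99999:7:30:19500:
"""
```

Running `parse_shadow(SAMPLE)` yields one entry per record; during triage, an unexpected algorithm id, a recently changed root password or an account that should be locked but is not are the things worth correlating with the other artefacts listed above.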
There are some artefacts in Event Logs (Windows 2003)
Sometimes it can occur in the logs.
It is caused by the SSH configuration.
When GSSAPIAuthentication is set to no, publickey will not be postponed.
List of services with wordlists