Digital Forensic Analysis of Ubuntu File System
Dinesh N. Patil, Bandu B. Meshram
Veermata Jijabai Technological Institute
Matunga, Mumbai, India
dinesh9371@gmail.com, bbmeshram@vjti.org.in
ABSTRACT
The file system of the Ubuntu operating system stores a large amount of configuration information, as well as information of forensic importance. Mining and analyzing this data has become essential with the rise of attacks on computer systems, and investigating the file system can help the examiner collect information relevant to a case. After reviewing existing research and tools, this paper proposes a new evidence collection and analysis methodology, and the UbuntuForensic tool, to aid the digital forensic investigation of the Ubuntu file system.
KEYWORDS
File System, Digital Forensic, Integrated Analysis,
Timeline Analysis, Digital Evidence
1 INTRODUCTION
The Ubuntu operating system is one of the distributions of the Linux operating system, and most Ubuntu kernels are the default Linux kernel. Ubuntu uses the Linux file system, which is usually considered as a tree structure, with Ext4 as its default file system. Ext4 is an evolution of Ext3, which was the default file system earlier; the evolution of the Ext file system is summarized in Table 1. Linux computers are very much prone to attack from hackers. Linux boxes are often used as servers, essentially as a central control point. In fact, roughly 70% of the malware downloaded by hackers to the honeypots is infected with Linux/Rst-B [1]. Linux-based web servers are constantly under attack: at SophosLabs, an average of 16,000-24,000 websites were seen compromised per day in 2013 [2]. Linux systems are indeed attacked by malware.
Microsoft's operating system design includes features that allow documents to install executable payloads, and its database of software hooks and code stubs (the registry) further simplifies this [3]. Linux malware is quite distinct from Windows viruses in what it does and how it does it, but it exists. The crucial operating system directories might be used by malware to affect the computer system as a whole, and there is always the additional risk of the malicious insider. Attacks directed at Linux systems tend to aim at exploiting bugs in system services such as web browsers or Java containers. These do not frequently run with elevated privileges, so an exploit is typically contained to altering the behavior of the targeted service and, possibly, disabling it. Malware uses the various directories of the Linux file system to plant itself so that it runs as a service and harms the computer, and the activity of a malicious insider also leaves traces in the file system. This raises the need to forensically investigate the directories of the Linux file system to find traces of malicious activity on the system.
The paper is organized as follows: Section 2 discusses
the related work and the existing tools on the Linux
file system forensics. The potential locations of the
digital evidences in the directory structure of the
Ubuntu File System are discussed in section 3.
Section 4 covers the forensic investigation of the
various user activities on the Linux file system. The
proposed UbuntuForensic tool is discussed in section
5. A comparative study between the existing Linux tools and the proposed tool is performed in section 6. The findings are concluded in section 7.
International Journal of Cyber-Security and Digital Forensics (IJCSDF) 5(4): 175-186
175
The Society of Digital Information and Wireless Communications, 2016 (ISSN: 2305-0012)

Table 1. EXT family features and limitations

Linux File System | Year of Introduction | Features | Limitation
EXT  | 1992 | Virtual File System concept used | No support for a separate timestamp for file access
EXT2 | 1993 | File compression added | No journaling feature
EXT3 | 1999 | Journaling added, online file system growth | Lacks features such as extents, dynamic allocation of inodes and block suballocation
EXT4 | 2006 | Extent-based storage, backward compatibility with EXT2 and EXT3, online defragmentation | Does not overwrite the file after deletion, causing a security problem
2 RELATED RESEARCH
This section details out the existing research on
the Linux file system forensic and the tool
developed to carry out the forensic investigation
of it.
2.1 Existing Research
The logging system is the most important
mechanism for Computer forensics on an
Operating System. The various logging
mechanism in Linux system that can be of
forensic importance is discussed in [4]. A
comparative study of the various file systems in
Ubuntu Linux and Free BSD is performed in [5].
In order to meet the Linux file system analysis
applications demand for computer forensics, an
object-oriented method of analyzing Linux file
system is proposed in [6]. The paper also
analyzed different data sources deeply with the
inheritance relationship between classes and the
encapsulation of class and showed information of
Linux file to the users in a friendly interface. The
Linux operating system has been used as a server
system in plenty of business services worldwide.
Unauthorized intrusions on servers are increasing constantly, in geometric progression, whereas the protection and prevention techniques against intrusion incidents remain insufficient. A new framework to
deal with a compromised Linux system in a
digital forensic investigation is developed and
implemented in [7]. Issues pertaining to the
Linux Forensics and the various forensic tools for
the forensic investigation of the Linux system
have been discussed in [8].
2.2 Existing Tools
The Sleuth Kit (TSK). It is a collection of Unix-based command line analysis tools. TSK can
analyze FAT, NTFS, Ext2/3, and UFS file
systems and can list files and directories, recover
deleted files, make timelines of file activity,
perform keyword searches, and use hash
databases.
Autopsy. This tool is a graphical interface to the
TSK. It also analyzes FAT, NTFS, Ext2/3, and
UFS file systems and can list files and directories,
recover deleted files, make timelines of file
activity, perform keyword searches, and use hash
databases.
Scalpel. Scalpel is an open source file carver
which is also available for Linux. File carvers are
used to recover data from disks and to retrieve
files from raw disk images. In some cases, file carvers are even able to retrieve data when the metadata of the file system has been destroyed. Scalpel is designed to use minimal resources while performing file carving.
Digital Evidence and Forensic Toolkit (DEFT) Linux. DEFT is a free computer forensics Linux
distribution. DEFT is combined with the Digital
Advanced Response Toolkit (DART) which
contains a collection of forensics software for
Windows.
Computer Aided Investigative Environment (CAINE). CAINE is a Linux live distribution
which aims to provide a collection of forensics
tools with a GUI. It includes open source tools
that support the investigator in four phases of the
forensic process viz., Information gathering,
collection, examination, analysis. It also supports
the investigator by providing capabilities to
automate the creation of the final report and is
completely controlled by a GUI that is organized
according to the forensics phases.
i-Nex. It is an application that gathers information about the hardware components available on the system and displays it in a user interface [9].
History. The history command lists commands
that were recently executed. This can help to
track the activity of an intruder.
3 UBUNTU FILE SYSTEM ANALYSIS
In the Ubuntu operating system, information about the actions performed on the system is maintained in the file system, and careful analysis of the file system leads to helpful evidence of the user's activity on the system. The following are some of the files and directories in the file system that can help the forensic investigator find potential digital evidence of the various activities performed on the system. The evidence identified in each directory of the Ubuntu file system is discussed below:
/etc/rc.d. In the case of Ubuntu, information about the programs to be executed when the system boots is available in the files stored in the /etc/rc.d directory. A malicious user who gains access to the Ubuntu system can add files to the rc.d directory to execute a malicious script, so that whenever the Ubuntu system boots up the malicious script runs automatically. The forensic examiner will have to look into those files to identify whether any file contains malicious code that may be causing unauthorized activity on the system.
/etc/init.d. To remain running after reboots, malware is usually re-launched using a persistence mechanism available among the various startup methods on a Linux system, including services, drivers, scheduled tasks and other startup locations. There are several configuration files that Ubuntu uses to automatically launch an executable when a user logs into the system, and these may contain traces of malware programs. Malware often embeds itself as a new, unauthorized service. Ubuntu has a number of scripts that are used to start services as the computer boots; these startup scripts are stored in /etc/init.d. A malware program may embed itself in the /etc/init.d directory to run as a service. Therefore the forensic examiner will have to look into those files to check for a malware incident.
/etc/NetworkManager/system-connections. Ubuntu maintains the list of networks connected to the system in /etc/NetworkManager/system-connections. In addition to this, the active network connections being used on the system can be listed with the command "sudo netstat -tupn".
/etc/passwd. The passwd file maintains the details about the users accessing the system. The details include the user name, the path to the user's home directory and the programs that are generally started when the user logs on. From it the forensic investigator can learn each user's working directory and the program that is executed when the user performs a login.
/etc/shadow. The shadow file maintains the authentication details of the users. The details included in the shadow file are the user login name and the salted, hashed password.
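As an added example (not from the paper), the following Python script parses the /etc/passwd and /etc/shadow fields described above and flags the account anomalies an examiner would look for: a UID 0 account other than root, duplicate UIDs, an empty password field combined with an interactive shell, and a home directory under /tmp. The file contents are constructed samples embedded in the script; the `backup2` account and the particular checks are assumptions for illustration, not findings from the paper.

```python
# Added example (not from the paper): triage /etc/passwd and /etc/shadow for
# account anomalies. The sample contents below are constructed for illustration.
from dataclasses import dataclass

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp/.x:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Hash values are placeholders; a real shadow entry carries a salted hash here.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:16939:0:99999:7:::
daemon:*:16939:0:99999:7:::
alice:$6$constructedsalt$constructedhash:16939:0:99999:7:::
backup2::16939:0:99999:7:::
www-data:*:16939:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd lines (name:x:uid:gid:gecos:home:shell) into Account records."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7:
            continue  # blank, comment or malformed line; skip it
        accounts.append(Account(fields[0], int(fields[2]), int(fields[3]),
                                fields[5], fields[6]))
    return accounts


def parse_shadow(text):
    """Return {login name: password field} from shadow lines; '' means no password."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            entries[fields[0]] = fields[1]
    return entries


def find_anomalies(passwd_text, shadow_text):
    """Return (account name, reason) pairs for every check that fires."""
    findings = []
    seen_uids = {}
    shadow = parse_shadow(shadow_text)
    for acct in parse_passwd(passwd_text):
        if acct.uid == 0 and acct.name != "root":
            findings.append((acct.name, "uid 0 account other than root"))
        if acct.uid in seen_uids:
            findings.append((acct.name, f"duplicate uid {acct.uid} (also {seen_uids[acct.uid]})"))
        else:
            seen_uids[acct.uid] = acct.name
        if shadow.get(acct.name) == "" and acct.shell not in NOLOGIN_SHELLS:
            findings.append((acct.name, "empty password field with an interactive shell"))
        if acct.home.startswith("/tmp"):
            findings.append((acct.name, "home directory under /tmp"))
    return findings


if __name__ == "__main__":
    for name, reason in find_anomalies(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {reason}")
```

On a seized disk the two files are read from the mounted image rather than from the examiner's own system; reading /etc/shadow requires root either way, which is why the script takes the file contents as text rather than opening fixed paths.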
/etc/profile. Files and commands to be executed at login or startup time by the Bourne or C shells. These allow the system administrator to set global defaults for all users.
/etc/networks. The list of the networks that the system is currently located on is available in this file.
/etc/hosts. The IP address of the machine is available in the hosts file if the machine is connected to a network. From it the forensic investigator can conclude whether the system was connected to a network or not.
/etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly. These directories contain scripts to be executed on a regular basis by the cron daemon. The investigator has to look into those directories to search for the presence of any malicious code.
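As an added example (not from the paper), the following Python script walks the boot-time and cron locations named above and flags the file properties that warrant a closer look during this search: a world-writable script, a file modified after a reference time chosen by the examiner, and a hidden file name. It runs against a constructed directory tree so it can be tried offline; on a real case `root` would be the mount point of the seized disk. The directory list follows the paper (including /etc/rc.d); absent directories are skipped, so the list can be extended with /etc/rc0.d through /etc/rc6.d, where Ubuntu keeps its run-level symlinks.

```python
# Added example (not from the paper): triage the boot-time and cron locations
# named in this section, flagging files that warrant a closer look. It runs
# against a constructed directory tree so it can be tried offline.
import os
import stat
import tempfile
import time

# Locations from the paper, relative to the root of the examined file system
# (a mounted image, or "/" on a live system).
PERSISTENCE_DIRS = [
    "etc/rc.d", "etc/init.d", "etc/cron.d",
    "etc/cron.daily", "etc/cron.weekly", "etc/cron.monthly",
]


def triage_dir(root, rel_dir, newer_than):
    """Return (relative path, mtime, flags) for each regular file in root/rel_dir.

    flags is a list of reasons; an empty list means nothing stood out. Files
    modified after the Unix timestamp newer_than are flagged as recent.
    """
    results = []
    directory = os.path.join(root, rel_dir)
    if not os.path.isdir(directory):
        return results  # location absent on this system; not an error
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):
            continue  # symlinks (normal in rc directories) and subdirs are skipped here
        flags = []
        if st.st_mode & stat.S_IWOTH:
            flags.append("world-writable")
        if st.st_mtime > newer_than:
            flags.append("modified after reference time")
        if name.startswith("."):
            flags.append("hidden file name")
        results.append((os.path.join(rel_dir, name), st.st_mtime, flags))
    return results


def triage_persistence(root, newer_than):
    """Run triage_dir over every persistence location; return only flagged files."""
    flagged = []
    for rel_dir in PERSISTENCE_DIRS:
        for path, mtime, flags in triage_dir(root, rel_dir, newer_than):
            if flags:
                flagged.append((path, mtime, flags))
    return flagged


def build_sample_tree():
    """Construct a throwaway tree: one long-standing init script and one
    hidden, world-writable cron job written just now (both constructed)."""
    root = tempfile.mkdtemp(prefix="ubuntu_fs_")
    for rel_dir in PERSISTENCE_DIRS:
        os.makedirs(os.path.join(root, rel_dir))
    ninety_days_ago = time.time() - 90 * 86400
    benign = os.path.join(root, "etc/init.d/cron")
    with open(benign, "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in for a distribution init script\n")
    os.chmod(benign, 0o755)
    os.utime(benign, (ninety_days_ago, ninety_days_ago))
    odd = os.path.join(root, "etc/cron.daily/.update")
    with open(odd, "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in for an unexpected cron job\n")
    os.chmod(odd, 0o777)
    return root


def demo():
    """Build the sample tree and return the entries flagged against a 30-day window."""
    return triage_persistence(build_sample_tree(), time.time() - 30 * 86400)


if __name__ == "__main__":
    for path, mtime, flags in demo():
        print(f"{time.ctime(mtime)}  {path}: {', '.join(flags)}")
```

Modification times can be reset by whoever planted a file, so the "modified after reference time" flag narrows the search rather than clearing anything; the hash comparison of section 4.4 is the check that does not depend on timestamps.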
/usr/bin. In Ubuntu, the configuration information about applications is stored in the /usr/bin directory, and the libraries required by these applications are available in the /usr/lib directory. The list of the applications installed can be obtained with the command ls -l /usr/bin/. The directory /usr/share/applications also provides a graphical view of the applications installed. Using the information available in the bin directory, an analyst can provide a historic view of the application configuration that the user has installed onto the system, the date on which a particular application was modified, the permissions granted to the user and the size of the application.
/usr/lib. This directory contains program libraries. Libraries are collections of frequently used program routines. The investigator has to search the lib directory for any malicious file.
/usr/local/share/recently-used.xbel. In Ubuntu, the files which have been recently accessed are noted in the file 'recently-used.xbel'. This file is available in the local/share/ directory. The 'cat' command can be used to read the contents of recently-used.xbel. The recently-used.xbel file provides detailed information about the files which have been accessed by the user, the application used to access those documents, and the times at which these documents were accessed and modified.
/var/log/syslog. In Ubuntu, the login time and the logout time can be obtained by using the last command at the terminal. The syslog file in /var/log maintains the login and shutdown times. The analyst can identify the suspect if the crime happened during the period in which the system was used by that user. The syslog file in /var/log also provides the date and time at which a particular network connection was established. This network information enables the forensic examiner to know the type of network used to carry out the malicious activity.
/var/log/lastlog. The lastlog file contains the most recent login information for all users; the lastlog command prints the contents of this file. From it the forensic investigator can learn which user was logged in at the time of the crime.
/var/log/faillog. It contains the users' failed login attempts, from which the user account that was under attack can be identified.
/var/tmp. The tmp directory consists of temporary files. These files can provide details about the files that were accessed by the user.
/dev. Hardware devices attached to the system. The /dev directory in the file system provides information about the hardware attached to the system. The syslog also maintains the details of the devices which have been detected: the date and time at which a device was connected, along with the device details, are recorded in the syslog. The device information provides knowledge about the kind of devices and the time at which they were used in doing malicious activity.
/proc/net/netstat. The netstat file maintains network statistics about the network connections of the system. Suspicious connections, if there are any, can be identified by the investigator.
/proc/net/dev_mcast. Statistics about the network device used to access the network are available in the dev_mcast file.
/proc/cpuinfo. Information about the CPU of the system is available in the cpuinfo file.
/proc/PID/exe. The exe entry is a link to the executable of the process with process identifier PID. If any malicious code is running as this process, it can be detected.
4 EVIDENCE COLLECTION USING
PROPOSED TOOL
The forensic investigator should be able to analyze the activities of the user when performing the investigation, and in doing so the timing of the activities needs to be considered to establish the correlation between the time and the activity. The details of the user's activities are recorded in the various files managed by the file system of a Linux-based computer system, so the investigator should be able to investigate the files stored on the seized hard disk of the computer system which was used to commit the crime.
Figure 1. A snapshot of UbuntuForensic tool showing Integrated Analysis
However, the previous forensic tools provide limited facilities for performing forensic analysis of the Linux file system. For this reason, a new evidence collection and analysis methodology is required. This methodology performs integrated file system analysis and timeline analysis, and extracts the information that is useful for the digital forensic analysis of the file system.
4.1 Integrated Analysis
The cyber crime cell generally seizes the hard disk of the computer which was used for the crime. The forensic investigator has the responsibility to find the possible traces of evidence against the criminal. A Linux-based computer system maintains its files in a directory structure which begins with the root directory '/'.
The proposed UbuntuForensic tool provides the facility for extracting forensic evidence from the files stored on an external hard disk. This hard disk is connected to the computer system on which the UbuntuForensic tool runs, and the tool mounts the external directory structure under the media directory of the running system to extract the evidence. The proposed tool also performs local file system forensics, which involves extracting from the files the information about the various activities performed by the user on the system on which the tool is running.
4.2 Analysis of User Activity
The existing tools provide a limited functionality
in extracting the forensic information from the
file system. This has stimulated the need of
having a file system forensic tool which can
extract the forensic data from the directory
structure based on the various activities being
performed by the user and generate a report of
the evidence for further use.
The proposed UbuntuForensic tool covers the
various activities as discussed in [10], which are
performed on the Computer system. These
activities include:
• Autorun programs running on the system
• Recently accessed documents/programs,
• Applications installed on the system
• Network connected
• Devices connected to the system
• Last login activity of the user
• Malware activity
The detail of these activities is as follows:
The Autorun programs running on the system
Many programs are configured in such a way that when the computer boots and starts the operating system they automatically start running; such programs are called Auto Run programs. In the case of Ubuntu, information about the programs to be executed when the system boots is available in the files stored in the /etc/rc.d directory. A malicious user who gains access to the Ubuntu system can add files to rc.d, so that whenever the Ubuntu system boots up the malicious script runs automatically. The forensic examiner will have to look into those files to identify whether any file contains malicious code that may be causing unauthorized activity on the system.
Recently Accessed documents and programs
From the documents that the user has recently accessed, the forensic examiner can learn which documents the user is interested in. In Ubuntu, the files which have been recently accessed are noted in the file 'recently-used.xbel'. This file is available in the local/share/ directory. The 'cat' command can be used to read the contents of the recently-used.xbel file, which provides detailed information about the files accessed by the user, the application used to access those documents, and the times at which these documents were accessed and modified. The recently accessed document information helps in understanding which files may have been read or modified by the user.
Figure 2. A snapshot of UbuntuForensic tool showing category of User Activities
Applications installed on the system
In Ubuntu, the configuration information about applications is stored in the /usr/bin directory, and the libraries required by these applications are available in the /usr/lib directory. The list of the applications installed can be obtained with the command ls -l /usr/bin/. Using the information available in the bin directory, an analyst can provide a historic view of the application configuration that the user has installed onto the system, the date on which a particular application was modified, the permissions granted to the user, the size of the application, etc.
Network connected or accessed
Ubuntu maintains the list of networks connected to the system in /etc/NetworkManager/system-connections. In addition to this, the active network connections being used on the system can be listed with the command "sudo netstat -tupn". The syslog file in /var/log provides the date and time at which a particular network connection was established. This network information enables the forensic examiner to know the type of network used to carry out the malicious activity.
Devices connected to the System
In Ubuntu the "lshw" command provides the list of hardware devices attached to the system. The /dev directory in the file system also provides information about the hardware attached to the system, and the syslog file maintains the details of the devices which have been detected. The date and time at which a device was connected, along with the device details, are also recorded in the syslog.
Last Login Activity of the user
In Ubuntu, the login time and the logout time can be obtained by using the 'last' command at the terminal. The syslog file in /var/log maintains the login and shutdown times.
Malware Activity
To remain running after reboots, malware is usually re-launched using a persistence mechanism available among the various startup methods on an Ubuntu system, including services, drivers, scheduled tasks and other startup locations. There are several configuration files that Ubuntu uses to automatically launch an executable when a user logs into the system, and these may contain traces of malware programs. Malware often embeds itself as a new, unauthorized service; a certain amount of malware uses the /etc/init.d directory to hide and to start executing on startup of the system.
Figure 3. Forensic report using UbuntuForensic tool
4.3 Timeline Analysis
The digital forensic investigator should detect the activity performed by the suspect along with a timeline. By performing the timeline analysis, the investigator can trace the sequence of events that were performed by the suspect. For instance, if the suspect accessed a Word document after logging in with a login id, the date and time of these activities can be correlated to convict the suspect. The forensic report obtained as in Figure 3 shows that the root user logged in at 11:39 AM on 18/05/2016 and accessed the .doc file 'An Evidence Collection and Analysis of Ubuntu File System using UbForensicTool' at 11:49 AM using the document viewer application. This forensic information can be evidence against the root user for accessing the .doc file, as the .doc file was accessed after the login time of the root user and before the shutdown of the system. The forensic report thus obtained using the UbuntuForensic tool underlines the importance of performing the timeline analysis of the activities.
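The recently-used.xbel entries described in section 3, the recently accessed documents activity of section 4.2, and the login-to-access correlation described here can be demonstrated together in one added Python example (not the UbuntuForensic tool's own code). It parses the XBEL bookmark format that GTK applications write to recently-used.xbel (the `visited` timestamp and the name of the application that recorded the access), parses the sessions printed by `last -F` (the full-timestamp form of the `last` command), and attributes each document access to the login session it falls inside. The XBEL content and the `last -F` lines are constructed samples whose timestamps are all in UTC; on current Ubuntu desktops GTK writes this file under the user's ~/.local/share/ directory.

```python
# Added example (not the UbuntuForensic tool's code): parse recently-used.xbel
# and the sessions from `last -F`, then attribute each file access to the login
# session it falls inside. All sample data below is constructed, times in UTC.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS_BOOKMARK = "http://www.freedesktop.org/standards/desktop-bookmarks"
NS_MIME = "http://www.freedesktop.org/standards/shared-mime-info"

# Constructed recently-used.xbel content with two entries.
SAMPLE_XBEL = f"""<xbel version="1.0" xmlns:bookmark="{NS_BOOKMARK}" xmlns:mime="{NS_MIME}">
 <bookmark href="file:///root/Documents/report.doc" added="2016-05-18T06:19:02Z"
  modified="2016-05-18T06:19:02Z" visited="2016-05-18T06:19:02Z">
  <info><metadata owner="http://freedesktop.org"><mime:mime-type type="application/msword"/>
   <bookmark:applications><bookmark:application name="Document Viewer"
    exec="&apos;evince %u&apos;" modified="2016-05-18T06:19:02Z" count="1"/>
   </bookmark:applications></metadata></info>
 </bookmark>
 <bookmark href="file:///home/alice/notes.txt" added="2016-05-17T20:00:00Z"
  modified="2016-05-17T20:00:00Z" visited="2016-05-17T20:00:00Z">
  <info><metadata owner="http://freedesktop.org"><mime:mime-type type="text/plain"/>
   <bookmark:applications><bookmark:application name="gedit"
    exec="&apos;gedit %u&apos;" modified="2016-05-17T20:00:00Z" count="1"/>
   </bookmark:applications></metadata></info>
 </bookmark>
</xbel>
"""

# Constructed `last -F` output; the "reboot" and "wtmp begins" lines are ignored.
SAMPLE_LAST = """\
root     tty1                          Wed May 18 06:09:00 2016 - Wed May 18 06:42:00 2016  (00:33)
alice    pts/0        10.0.0.5         Tue May 17 19:30:00 2016 - Tue May 17 20:10:00 2016  (00:40)
reboot   system boot  4.4.0-21-generic Wed May 18 06:08:30 2016   still running

wtmp begins Sun May  1 00:00:01 2016
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<start>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\s+(?:-\s+)?"
    r"(?P<end>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}|still logged in|down|crash)"
)


def parse_recently_used(xml_text):
    """One dict per <bookmark>: the file, when it was last opened and modified,
    the application that recorded it and its MIME type."""
    entries = []
    for bm in ET.fromstring(xml_text).iter("bookmark"):
        app = bm.find(f".//{{{NS_BOOKMARK}}}application")
        mime = bm.find(f".//{{{NS_MIME}}}mime-type")
        entries.append({
            "href": bm.get("href"),
            "visited": datetime.fromisoformat(bm.get("visited").rstrip("Z")),
            "modified": datetime.fromisoformat(bm.get("modified").rstrip("Z")),
            "app": app.get("name") if app is not None else None,
            "mime": mime.get("type") if mime is not None else None,
        })
    return entries


def parse_last_output(text):
    """Login sessions from `last -F`; end is None when no logout time is recorded."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m or m.group("user") == "reboot":
            continue
        try:
            end = datetime.strptime(m.group("end"), TIME_FMT)
        except ValueError:
            end = None  # "still logged in", "down" or "crash"
        sessions.append({"user": m.group("user"), "tty": m.group("tty"),
                         "host": m.group("host"),
                         "start": datetime.strptime(m.group("start"), TIME_FMT),
                         "end": end})
    return sessions


def correlate(sessions, entries):
    """(user, file, application, visited) for each access inside a login session."""
    matches = []
    for e in entries:
        for s in sessions:
            if s["start"] <= e["visited"] and (s["end"] is None or e["visited"] <= s["end"]):
                matches.append((s["user"], e["href"], e["app"], e["visited"]))
    return matches


def demo():
    """Correlate the constructed samples; returns two attributed accesses."""
    return correlate(parse_last_output(SAMPLE_LAST), parse_recently_used(SAMPLE_XBEL))


if __name__ == "__main__":
    for user, href, app, when in demo():
        print(f"{when:%Y-%m-%d %H:%M:%S}  {user}  opened {href} with {app}")
```

The XBEL timestamps are UTC while `last` prints local time, so on a real case the `last` times must be converted to UTC (or the XBEL times to the system's zone) before comparison; the sample keeps both in UTC to make the arithmetic visible. Also note that a login session establishes who was logged in, not who sat at the keyboard, which is why the paper treats this correlation as evidence to be weighed with the other artifacts rather than as proof on its own.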
4.4 Data Security
The UbuntuForensic tool provides the facility for backing up the files from the hard disk of the running system. The backup of these files is maintained on external storage media. The content of each file is then hashed, and the resulting hashes are indexed and stored along with the file name and the path of the file in a table on the external storage. The MD5 algorithm is used to obtain the hashes of the backup data.
In order to detect whether any changes have been made to the data on the hard disk of the running system by a suspicious criminal, hashes are obtained from the individual files on the hard disk one by one and compared with the hashes stored on the external storage media. If two hashes being compared are found to differ, the criminal has modified the relevant file on the hard disk. A report is prepared about all the files whose hashes differ from those on the external storage. In such a situation, the affected file can be restored from the external hard disk. Figure 4 depicts the process for detecting the modification of the data on the hard disk by the criminal.
Figure 4. Flowchart depicting operation for identification of
modified files using UbuntuForensic tool
5 SOFTWARE ARCHITECTURE AND IMPLEMENTATION
The software architecture of the UbuntuForensic
tool is illustrated in Figure 5. The analysis of
local and the external hard disk directory
structure can be performed using the
UbuntuForensic tool. The evidence and time of
the activity are extracted and the report is
generated for correlating the sequence of events
and their timings.
The software architecture consists of following
modules: Local File System Forensic, External
File System Forensic, Timestamp Generation,
Backup File System, Hash Generation and
Comparison, and Report Generation. The Local
and External File System Forensic deals with
extracting forensic evidence for various user
activities from the directory structure of the
system on which the tool is running and the
directory structure available on the external hard
disk. The time stamp generation module
generates the last modified timestamp for the
directory and files associated with the user’s
activity concerned. The forensic Report based on
the forensic evidence obtained and the generated
timestamp is obtained using Timestamp
Generation module.
The algorithm for the proposed tool is as follows:
Requires:
Activity(i, D(DIR)) returns the extracted forensic information forensic_info for the ith activity from the DIR directory of the directory structure D.
Select(forensic_info(i)) selects the evidence from the forensic_info.
Timestamp(i, D(DIR)) returns the timestamp of the directory DIR for the ith activity.
Generate_Report generates the report from the selected evidence and the timestamp. MAX indicates the maximum number of user activities.
Input: The directory structure D
Output: Report in text format
1: For i ∈ (1, MAX) do
2:     forensic_info(i) ← Activity(i, D(DIR))
3:     forensic_evidence(i) ← Select(forensic_info(i))
4:     timestamp(i) ← Timestamp(i, D(DIR))
5: Report ← Generate_Report(forensic_evidence, timestamp)
The Activity(i, D(DIR)) function extracts the forensic information from the directory structure for the ith activity of the user. Once the forensic information is extracted, the forensic investigator can select the digital evidence from it. The Timestamp(i, D(DIR)) function generates the timestamp for the ith activity of the user based on the last access and modification timestamp of the directory. As the contents of the directory are accessed or changed, the timestamp of the directory also gets changed. This procedure is repeated for all the user activities in consideration. Once all the activities are finished, the forensic investigator generates the forensic report.
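The loop above can be written out in Python as an added example (not the UbuntuForensic tool's code). The mapping from each activity to the directory it examines, the decision to let Select keep only entries modified inside an investigation window, and the text layout of the report are assumptions: the paper specifies the function names and their roles, not these details. The example runs over a constructed directory tree.

```python
# Added example (not the UbuntuForensic tool's code): the Activity / Select /
# Timestamp / Generate_Report loop of the paper's algorithm, run over a
# constructed directory tree.
import os
import tempfile
import time
from datetime import datetime, timezone

# Assumed mapping from the i-th user activity to the directory DIR examined,
# taken from the locations sections 3 and 4.2 associate with each activity.
ACTIVITIES = {
    "Autorun programs": "etc/init.d",
    "Scheduled tasks": "etc/cron.d",
    "Installed applications": "usr/bin",
    "Network connections": "etc/NetworkManager/system-connections",
}


def fmt(ts):
    """Render a Unix timestamp as UTC, or 'n/a' when none is available."""
    if ts is None:
        return "n/a"
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def activity(name, root):
    """Activity(i, D(DIR)): collect forensic_info, here every entry of the
    directory with its permission bits and last-modified time."""
    directory = os.path.join(root, ACTIVITIES[name])
    if not os.path.isdir(directory):
        return []
    info = []
    for entry in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, entry))
        info.append({"name": entry, "mode": oct(st.st_mode & 0o777), "mtime": st.st_mtime})
    return info


def select_evidence(forensic_info, since):
    """Select(forensic_info(i)): keep entries modified at or after the Unix
    timestamp `since` (the investigation window), newest first."""
    kept = [e for e in forensic_info if e["mtime"] >= since]
    return sorted(kept, key=lambda e: e["mtime"], reverse=True)


def timestamp(name, root):
    """Timestamp(i, D(DIR)): last-modified time of the activity's directory,
    which changes whenever an entry is added, removed or renamed inside it."""
    directory = os.path.join(root, ACTIVITIES[name])
    return os.stat(directory).st_mtime if os.path.isdir(directory) else None


def generate_report(evidence, timestamps):
    """Generate_Report: plain-text report with one section per activity."""
    lines = ["Forensic report (added example)"]
    for name in ACTIVITIES:
        lines.append(f"\n[{name}] directory last modified: {fmt(timestamps[name])}")
        if not evidence[name]:
            lines.append("  no entries inside the investigation window")
        for e in evidence[name]:
            lines.append(f"  {fmt(e['mtime'])}  {e['mode']}  {e['name']}")
    return "\n".join(lines)


def run(root, since):
    """Lines 1-5 of the paper's algorithm; returns the report and its inputs."""
    evidence, timestamps = {}, {}
    for name in ACTIVITIES:                                # 1: for each activity i
        info = activity(name, root)                        # 2: forensic_info(i)
        evidence[name] = select_evidence(info, since)      # 3: forensic_evidence(i)
        timestamps[name] = timestamp(name, root)           # 4: timestamp(i)
    return generate_report(evidence, timestamps), evidence, timestamps  # 5: Report


def demo():
    """Constructed tree: an init script 90 days old and one written just now,
    examined with a 30-day investigation window."""
    root = tempfile.mkdtemp(prefix="ubuntu_report_")
    for rel in ACTIVITIES.values():
        os.makedirs(os.path.join(root, rel))
    old = time.time() - 90 * 86400
    for name, mtime in (("cron", old), ("newservice", None)):
        path = os.path.join(root, "etc/init.d", name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n# constructed init script\n")
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return run(root, time.time() - 30 * 86400)


if __name__ == "__main__":
    print(demo()[0])
```

The directory timestamp reported per activity is the one the paper's Timestamp function relies on: it moves when an entry is created, deleted or renamed in the directory, but not when an existing file's content is rewritten in place, which is why the per-file modification times are listed alongside it.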
Figure 5. Software Architecture of UbuntuForensic tool
The backup of the files managed by the file
system is performed using Backup File System
module. The data backed up is then hashed by
the hash generation module to generate the md5
hash. The hash so obtained is stored on the
external storage in a relational table. Whenever
the threat is detected, the hashes are obtained for
the hard disk data and these hashes are then
compared with the hashes in the external storage.
If the mismatch is found then the affected data
are restored back from the external storage. The
structure definition of the table storing the hashes
on the external storage is as follows:
    typedef struct {
        int Number;            /* index of the entry in the relation */
        char File_Name[20];    /* name of the backed-up file */
        char Path_Name[20];    /* path of the file concerned */
        long int Hash;         /* md5 hash of the file content (a full MD5 digest is 16 bytes) */
    } table;
The field description is as follows:
Number: This field is an index for the
entry in the relation.
File_Name: The name of the backed up
file from the hard disk.
Path_Name: The path of the file
concerned.
Hash: The md5 hashes obtained on the
content of the file.
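The backup, hash and compare procedure of section 4.4 and the table structure just described can be demonstrated with one added Python example (not the UbuntuForensic tool's code). It hashes every regular file under a directory tree into records carrying the table's four fields, stores them as JSON (an assumption; the paper keeps them in a relational table on external media), and later reports files whose hash differs, files that have disappeared and files that have appeared. The paper uses MD5; the example defaults to SHA-256 because MD5 collisions are practical, so an adversary who can plant a file before the baseline is taken could prepare a colliding pair and later swap in the second file without the stored hash changing. Passing `algorithm="md5"` reproduces the paper's choice. The directory contents and the simulated tampering are constructed.

```python
# Added example (not the UbuntuForensic tool's code): baseline hashing of a
# directory tree and later comparison against that baseline.
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Records with the paper's fields: Number, File_Name, Path_Name, Hash.
    Path_Name is relative to root; symlinks and special files are skipped."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic numbering across runs
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            records.append({
                "Number": len(records) + 1,
                "File_Name": name,
                "Path_Name": os.path.relpath(full, root),
                "Hash": hash_file(full, algorithm),
            })
    return records


def save_baseline(records, path):
    """Write the baseline to external storage (here a JSON file, an assumption)."""
    with open(path, "w") as fh:
        json.dump(records, fh, indent=1)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare_with_baseline(root, records, algorithm="sha256"):
    """Relative paths whose content changed, vanished, or is absent from the baseline."""
    expected = {r["Path_Name"]: r["Hash"] for r in records}
    current = {r["Path_Name"]: r["Hash"] for r in build_baseline(root, algorithm)}
    return {
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in current),
        "new": sorted(p for p in current if p not in expected),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, then compare."""
    root = tempfile.mkdtemp(prefix="baseline_")
    os.makedirs(os.path.join(root, "etc/init.d"))
    with open(os.path.join(root, "etc/passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(os.path.join(root, "etc/init.d/cron"), "w") as fh:
        fh.write("#!/bin/sh\n")
    store = os.path.join(tempfile.mkdtemp(prefix="external_"), "baseline.json")
    save_baseline(build_baseline(root), store)
    # Simulated changes after the baseline was taken (constructed):
    with open(os.path.join(root, "etc/passwd"), "a") as fh:
        fh.write("backup2:x:0:0::/tmp/.x:/bin/sh\n")
    os.remove(os.path.join(root, "etc/init.d/cron"))
    with open(os.path.join(root, "etc/init.d/.update"), "w") as fh:
        fh.write("#!/bin/sh\n")
    return compare_with_baseline(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the baseline store: it has to live on media the examined system cannot write to, as the paper's external storage does, since a baseline that the intruder can rewrite would simply be updated to match the tampered files.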
The UbuntuForensic tool is built using Qt 4, a cross-platform application framework that is widely used for developing application software that can run on various software and hardware platforms with little or no change in the underlying code base, while having the power and speed of native applications. Qt uses standard C++ with extensions, including signals and slots, that simplify the handling of events; this helps in the development of both GUI and server applications, which receive their own set of event information and must process it accordingly. The UbuntuForensic tool uses the QSettings class and its methods to extract information from the directory structure of the Ubuntu file system.
6 EVALUATION
The comparison between the existing widely used Linux forensic tools and the UbuntuForensic tool is given in Table 2. Tools such as TSK and Autopsy can list files and directories and perform timeline analysis of file activity. DEFT and CAINE provide GUI-based forensic tools. i-Nex and History provide, respectively, information about the hardware connected to the system and the commands recently executed on it. However, it has been observed that none of these Linux tools provides a facility for extracting the evidence of a specific activity of the user. By comparison, the UbuntuForensic tool extracts forensic-related information about the various user activities performed on the system. The UbuntuForensic tool also performs timeline analysis, on the basis of which the conviction of the criminal can be supported by the last access and modification dates of the directories and the login time of the suspicious user. The UbuntuForensic tool supports both local and external file system forensics. In external file system forensics, the external hard disk holding the Ubuntu operating system is mounted on the system running the UbuntuForensic tool in order to extract the forensic evidence. The proposed UbuntuForensic tool also performs the backup of files and directories, and an approach to checking the data integrity of all the files managed by the file system is proposed. Based on the advanced requirements mentioned in the paper, the UbuntuForensic tool improves on the shortcomings of the existing tools.
7 CONCLUSION
The file system maintains historical information about user activity in its directory structure. All of this information can be extremely valuable to a forensic analyst, particularly when attempting to establish the timeline of activity on a system. It is essential to analyse the file system and to use timeline analysis to detect the suspicious activities of the suspect. A wide range of cases would benefit greatly from the information derived or extracted from the file system.
A survey of the existing Linux forensic tools revealed that they extract very little forensic information from the file system. By comparison, the UbuntuForensic tool provides more evidence from the file system than the existing tools, saving time and effort in searching for evidence. The UbuntuForensic tool also covers forensic analysis of the file system on an external hard disk, enabling the forensic investigator to conduct the investigation without changing the setup. The files modified by the criminal can be identified by computing hashes over the files from the hard disk.
Table 2. Functional comparison with existing tools
Tool | Function (Integrated Analysis, Timeline Analysis, Activity Analysis, GUI support) | Any other feature
UbuntuForensicTool (Proposed) | | Running process, Hash Generation
The Sleuth Kit (TSK) | X X X | Recovers deleted files
Autopsy | X X | Recovers deleted files
Scalpel | X X X | Recover data from disks
DEFT | X | Data Recovery and hashing, Process information
CAINE | X | Data Recovery
i-Nex | X | Display device information, generate report
History | X X X | Lists only command history
8 REFERENCES
1. SophosLabs: Botnets, a free tool and 6 years of Linux/Rst-B, https://nakedsecurity.sophos.com/2008/02/13/botnets-a-free-tool-and-6-years-of-linuxrst-b (2008)
2. Sophos: Don't believe these four myths about Linux Security, http://blogs.sophos.com/2015/03/26/dont-believe-these-four-myths-about-linux-security (2015)
3. McInnes J.: Linux Operating System don't get attacked by viruses, why?, https://www.quora.com/Linux-Operating-System-dont-get-attacked-by-Viruses-why (2015)
4. Tang L.: The study of Computer forensics on Linux, International Conference on Computational and Information Sciences (2013)
5. Kuo-pao Y., Wallace K.: File Systems in Linux and FreeBSD: A Comparative study, Journal of Emerging Trends in Computing and Information Sciences, 2(9) (2011)
7. Wei C., Chun-mei L.: The Analysis and Design of Linux File System Based on Computer Forensic, International Conference on Computer Design and Applications (2010)
8. Joonah C., Antonio C., Paolo G., Seokhee L., Sangjin L.: Live Forensic Analysis of a Compromised Linux System using LECT (Linux Evidence Collection Tool), International Conference on Information Security and Assurance (2008)
9. Grundy B.: Advanced artifact analysis, European Union Agency for Network and Information Security (2014)
10. ArchLinux: https://wiki.archlinux.org/index.php/List_of_application/Utilities (2016)
11. Patil D., Meshram B.: Forensic investigation of user activities on Windows7 and Ubuntu12 operating system, IJIET, 5(3) (2015)