TryHackMe Linux Forensics Write-Up

Toumo
4 min read · Aug 7, 2023


Image from tryhackme.com

We just finished Windows Forensics part 1 and 2, now we are moving on to Linux. Unlike Windows, I have no experience in finding artifacts in Linux, so I may struggle here. That being said, I also had no experience using some tools in the entire training module and I seem to be doing well. Let’s hope this one won’t give me too hard of a time.

Task 3 OS and account information

1: Which two users are the members of the group audio?

I modified the example code given in the reading to help format it nicely for us: cat /etc/group | column -t -s :

Answer: ubuntu, pulse

2: In the attached VM, there is a user account named tryhackme. What is the uid of this account?

I used the following command that was found in the reading: cat /etc/passwd | column -t -s : . This gave me a list of users on the machine. Now we just need to look for the account and the corresponding UID.

Answer: 1001

3: A session was started on this machine on Sat Apr 16 20:10. How long did this session last?

For this one, I used the last command to help display login information: last -f /var/log/wtmp

Answer: 01:32

Task 4 System Configuration

1: What is the hostname of the attached VM?

I typed cat /etc/hostname as per the reading and the terminal outputs the hostname.

Answer: Linux4n6

2: What is the timezone of the attached VM?

The readings will provide the command.

Answer: Asia/Karachi

3: What program is listening on the address 127.0.0.1:5901?

I followed the example given in the reading. Look at the IP address, port, state, and Program name.

Answer: Xtigervnc

4: What is the full path of this program?

I used the hint for this. I combined ps to list the processes and grep to display only results that have Xtigervnc so the output would not be too big.

Answer: /usr/bin/Xtigervnc

Task 5 Persistence mechanisms

1: In the bashrc file, the size of the history file is defined. What is the size of the history file that is set for the user Ubuntu in the attached machine?

Typing cat ~/.bashrc, as given in the reading, we can see the file size allocated to us on this machine.

Task 6 Evidence of Execution

1: The user tryhackme used apt-get to install a package. What was the command that was issued?

I used the example command given in the reading. I didn’t use the -i option since it just ignores case. I didn’t think the case was important here. Look for the correct user!

Answer: sudo apt-get install apache2

2: What was the current working directory when the command to install net-tools was issued?

Not particularly sure what happened, but I started getting error messages when typing cat /var/log/auth.log* | grep net-tools . I decided to sudo it and that fixed it. I searched for net-tools to reduce the results. Look for PWD for the present working directory.

Answer: /home/ubuntu
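The group lookup from Task 3 and the auth.log PWD/COMMAND search from Task 6 are both plain text-format parsing, so here is an added shell example (my own, not code from the room or the reading) that does both over constructed sample copies of /etc/group and auth.log; the file contents, the temp-file names and the helper function names are assumptions, not data from the VM.

```shell
#!/bin/sh
# Added example: parse constructed copies of /etc/group and /var/log/auth.log
# to recover group membership and sudo command history with their working dirs.
set -eu

# Constructed sample of /etc/group (assumption, not the VM's real file).
GROUP_SAMPLE=$(mktemp)
cat >"$GROUP_SAMPLE" <<'EOF'
root:x:0:
audio:x:29:pulse,ubuntu
sudo:x:27:ubuntu
EOF

# Constructed sample of sudo entries as they appear in auth.log (assumption).
AUTH_SAMPLE=$(mktemp)
cat >"$AUTH_SAMPLE" <<'EOF'
Apr 16 20:12:01 Linux4n6 sudo:  tryhackme : TTY=pts/0 ; PWD=/home/tryhackme ; USER=root ; COMMAND=/usr/bin/apt-get install apache2
Apr 16 20:15:44 Linux4n6 sudo:   ubuntu : TTY=pts/1 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt-get install net-tools
EOF
trap 'rm -f "$GROUP_SAMPLE" "$AUTH_SAMPLE"' EXIT

# members <group-file> <group>: print the comma-separated member list (field 4).
members() {
  awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# sudo_cmds <auth-log> <user>: print "PWD COMMAND" for each sudo call by user.
# The sudo line format is "sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=...".
sudo_cmds() {
  grep -E "sudo: +$2 :" "$1" | sed -E 's/.*PWD=([^ ]+) ;.*COMMAND=(.*)$/\1 \2/'
}

# pwd_for <auth-log> <pattern>: working directory a command matching pattern ran in.
pwd_for() {
  grep -E "COMMAND=.*$2" "$1" | sed -E 's/.*PWD=([^ ]+) ;.*/\1/'
}

members "$GROUP_SAMPLE" audio        # pulse,ubuntu
sudo_cmds "$AUTH_SAMPLE" tryhackme   # /home/tryhackme /usr/bin/apt-get install apache2
pwd_for "$AUTH_SAMPLE" net-tools     # /home/ubuntu
```

On a real image, point the functions at the mounted copies (for example /mnt/evidence/etc/group and /mnt/evidence/var/log/auth.log*) rather than the live files, since the trailing rotated logs are where older installs usually end up.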

Task 7 Log files

1: Though the machine’s current hostname is the one we identified in Task 4, the machine earlier had a different hostname. What was the previous hostname of the machine?

I decided to check the syslogs first. Using grep, I searched for logs that mentioned hostname. Seems like we found it!

Answer: tryhackme

Thoughts:

Definitely on the lighter side compared to the Windows one. Admittedly, I didn’t feel as invested as in the Windows one. I’m not entirely sure why. That being said, I’m still going to download that cheat sheet because I’ll never know when I might need to investigate artifacts on a Linux machine.
