[CTF Series #12] Mini Linux Forensics — MUS22

GhouLSec
4 min read · May 16, 2022

Here is my write-up for the mini Linux forensics challenge. In this challenge, each participant received 2 E01 files, aka EnCase image files, which are MATE and Kubuntu disk images. At first I put the E01 image into FTK Imager, but I found that it was not so convenient for me to perform the investigation from there. So, I thought of mounting the image on my Linux machine to make my life easier.

Therefore, after some google-fu and bash-fu, I managed to create a script to mount the Linux partition from the E01 image. \o/

Let’s begin our investigation.

MATE case

Q#1 What is the ID of the last boot?

There are only 3 user-1000 journal files that we need to inspect.

Use the command below to show the last boot timeline for user-1000.

journalctl --file <user-1000.journal> -o verbose --no-pager -n 1

user-1000.journal contains the latest boot timeline. Looking further into the metadata in the verbose output, its _BOOT_ID can be found!

Q#2 How did the user install Google chrome on MATE?

Based on .bash_history, the installation was done through the apt command.

Q#3 What date and time did the user install it?

I thought that it always starts with the date and time at the install line, but after looking through the sequence of a package install, the package installation always starts with the archive unpack first.

This is inside the dpkg.log file.
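
The sequence described above, as an added example that is not part of the original write-up: a small parser that reports, for one package, the "startup archives unpack" line that opens the dpkg run, the install line, and the final "status installed" line. The sample log is constructed (timestamps and versions are made up) and install_timeline is a hypothetical helper name; it only handles fresh installs, not upgrades.

```python
import re
from datetime import datetime

# Constructed sample in dpkg.log format; timestamps and versions are made up
# and are NOT the values from the challenge image.
SAMPLE_DPKG_LOG = """\
2000-01-01 10:00:00 startup archives unpack
2000-01-01 10:00:01 install libexample1:amd64 <none> 0.0.1-1
2000-01-01 10:00:02 status unpacked libexample1:amd64 0.0.1-1
2000-01-01 10:00:03 startup packages configure
2000-01-01 10:00:04 status installed libexample1:amd64 0.0.1-1
2000-01-02 15:30:10 startup archives unpack
2000-01-02 15:30:12 install google-chrome-stable:amd64 <none> 0.0.0-1
2000-01-02 15:30:12 status half-installed google-chrome-stable:amd64 0.0.0-1
2000-01-02 15:30:20 status unpacked google-chrome-stable:amd64 0.0.0-1
2000-01-02 15:30:21 startup packages configure
2000-01-02 15:30:21 configure google-chrome-stable:amd64 0.0.0-1 <none>
2000-01-02 15:30:25 status installed google-chrome-stable:amd64 0.0.0-1
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def install_timeline(log_text, package):
    """Return run_start/install/installed timestamps for the first install of package."""
    run_start = None   # timestamp of the most recent "startup archives unpack"
    result = None      # stays None if the package never appears on an install line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # skip blank or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        action, rest = m.group(2), m.group(3).split()
        if action == "startup" and rest[:2] == ["archives", "unpack"]:
            run_start = ts   # every dpkg run opens with this line
        elif (action == "install" and result is None and rest
              and rest[0].split(":")[0] == package):
            result = {"run_start": run_start, "install": ts, "installed": None}
        elif (action == "status" and result is not None and len(rest) >= 2
              and rest[0] == "installed" and rest[1].split(":")[0] == package):
            result["installed"] = ts   # package is fully configured here
            break
    return result

if __name__ == "__main__":
    print(install_timeline(SAMPLE_DPKG_LOG, "google-chrome-stable"))
```

On a mounted image, pass the contents of var/log/dpkg.log (and any rotated copies) instead of the sample string; run_start is None when the opening line was rotated out of the file being read.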

Q#4 The name of a repository from which more than one extra application was installed from?

The answer is in .bash_history.

Q#5 What is the name of the desktop session?

We have to find the value of XDG_CURRENT_DESKTOP, which can be found inside .xsession-errors.

Q#6 What was the name of the suspicious domain the user visited from MATE?

Inside the folder /mnt/ewf_mount/home/user1/.mozilla/firefox/qkpl6zix.default-release, there is a file called places.sqlite which contains the browsing history of the current user. It can be opened using sqlitebrowser.

Kubuntu case

Q#1 How did the user install Google chrome, date, time?

In .bash_history, Chrome is installed via dpkg.

Q#2 How did the device go to sleep?

In auth.log.1, a lid closed action is mentioned before the PC suspends/sleeps.

Q#3 How many privileged commands did the user run?

Look for sudo in auth.log and you can find 6 commands run as the privileged user (root).

OR

In the journal/ folder, look for any system* journal file and grep for USER=root.

Q#4 What application was used to open the Top devices file?

When talking about applications, we may look around in the .local folder.

The keyword Top devices can be found in .local/Kate.

Q#5 What was the UUID of the main root volume?

It can be found in /etc/fstab.

Others

Here is the list of folders/files which contain the answers for this challenge.

/var/log/dpkg.log*
/var/log/auth.log*
/home/user/.local/*
/home/user/.bash_history
/home/user/.xsession-errors
/mnt/ewf_mount/home/user1/.mozilla/firefox/<rand_char>-release
/etc/fstab
