project-3-Forensic Analysis of User Activity on Linux Systems.md

File metadata and controls

116 lines (92 loc) · 4.56 KB

Project: Forensic Analysis of User Activity on Linux Systems

Introduction

User activity on Linux systems can provide valuable insights during forensic investigations. This project will guide you through the process of analyzing user activity, including login records, shell history, and user-specific files. You will learn how to use various tools and techniques to gather and interpret evidence of user actions.

Objective

The objective of this project is to provide hands-on experience in analyzing user activity on Linux systems. By the end of this project, you will be able to effectively use forensic tools to investigate user actions and gather relevant evidence.

Lab Setup and Tools

To complete this project, you will need access to a Linux operating system. You can use a physical machine, set up a virtual machine using software like VirtualBox or VMware, or use a cloud-based Linux instance.

Pre-requisites

  • Basic understanding of Linux OS and command-line interface
  • Administrative privileges on the Linux machine

Tools Installation

For this project, we will use the following tools:

  1. last: A command-line tool to display login history.
  2. ausearch: A tool to query audit logs.
  3. grep: A command-line utility for searching plain-text data.
  4. Logwatch: A log analysis tool.

Installing Logwatch

  1. Install Logwatch using the package manager:
    sudo apt-get install logwatch

Exercises

Exercise 1: Analyzing Login Records with last

Objective: Learn how to analyze login records to understand user login activity.

Steps:

  1. Open a terminal.
  2. Use the last command to display the login history:
    last
  3. Review the output to identify login times, durations, and user accounts.

Expected Output: You should be able to see a history of user logins, including login times, durations, and the accounts used.
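The raw `last` listing grows long on a busy host, and an examiner usually wants it reduced to "who logged in, from where, how often" before reading individual sessions. The script below is an added example, not part of the original project; it runs offline over a constructed listing (the `SAMPLE_LAST` user names, host addresses and dates are made up) in the column layout `last` prints. Because `last` leaves the host column empty for console logins, the parser treats a day-of-week in the third column as a local login rather than a host. On a real system pipe `last -F` (full timestamps) or `lastb` (failed logins, from /var/log/btmp) into the same functions, and preserve a copy and hash of /var/log/wtmp before running any of this, since `last` reads that binary file directly.

```shell
#!/bin/sh
# Added example: summarise `last` output. SAMPLE_LAST is a constructed
# listing in the format `last` prints; none of these names or hosts is real.
SAMPLE_LAST='alice    pts/0        203.0.113.45     Tue Nov 14 09:12   still logged in
alice    pts/1        10.0.0.5         Tue Nov 14 08:30 - 08:45  (00:15)
bob      tty1                          Mon Nov 13 22:10 - 23:05  (00:55)
root     pts/2        198.51.100.7     Mon Nov 13 03:14 - 03:16  (00:02)
reboot   system boot  5.15.0-generic   Mon Nov 13 07:59   still running
alice    pts/0        10.0.0.5         Sun Nov 12 14:00 - 15:00  (01:00)

wtmp begins Sun Nov 12 00:00:01 2023'

# Emit one "user host" pair per interactive session, skipping reboot
# records, blank lines and the trailing "wtmp begins" footer.
login_rows() {
  awk 'NF == 0 || $1 == "reboot" || $1 == "wtmp" || $1 == "btmp" { next }
       {
         host = $3
         # console logins have no host, so the third column is a weekday
         if (host ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) host = "local"
         print $1, host
       }'
}

# Number of sessions recorded for the user named in $1.
count_logins() {
  login_rows | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# Distinct "user host count" triples, most frequent first.
login_sources() {
  login_rows | sort | uniq -c | sort -rn | awk '{ print $2, $3, $1 }'
}

# Root sessions that did not come from a local console: worth explaining
# on any host where direct remote root login is supposed to be disabled.
remote_root_logins() {
  login_rows | awk '$1 == "root" && $2 != "local" { print $2 }'
}

# Stand-alone run over the constructed listing.
printf '%s\n' "$SAMPLE_LAST" | login_sources
printf '%s\n' "$SAMPLE_LAST" | remote_root_logins
```

The functions read the listing from standard input, so the same pipeline works on a saved copy (`last -F > wtmp.txt; login_sources < wtmp.txt`) when the analysis is done off the suspect machine.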

Exercise 2: Investigating Shell Command History

Objective: Analyze shell command history files to identify commands executed by users.

Steps:

  1. Open a terminal.
  2. Navigate to a user's home directory:
    cd /home/username
  3. Display the contents of the .bash_history file:
    cat .bash_history
  4. Use grep to search for specific commands or keywords:
    grep "sudo" .bash_history

Expected Output: You should be able to see the history of commands executed by the user and identify specific actions taken.
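`cat .bash_history` shows commands but, unless the user's shell had `HISTTIMEFORMAT` set, no times: with it set, bash writes a `#<epoch>` comment line before each command. The script below is an added example rather than the project's own material; it pairs those stamps with their commands, pulls out privileged commands, and flags entries that clear or disable history. It goes slightly beyond the bash case by also accepting zsh extended-history lines (`: <epoch>:<duration>;<command>`), since a home directory may hold `.zsh_history` instead. `SAMPLE_HISTORY` is constructed for the example. Two caveats apply on a real host: bash writes the file only when the shell exits, so a still-open session's commands are not on disk yet, and the file is writable by its owner, so treat it as corroborating evidence beside auditd and auth.log rather than as a complete record.

```shell
#!/bin/sh
# Added example: timestamp and triage a shell history file.
# SAMPLE_HISTORY is constructed; it mixes bash "#epoch" stamps, one line
# written without a stamp, and one zsh extended-history line.
SAMPLE_HISTORY='#1699952400
ls -la
#1699952460
sudo apt update
#1699952520
vi /etc/hosts
#1699952580
sudo useradd -m deploy
#1699952640
sudo passwd deploy
cat notes.txt
#1699952700
history -c
: 1699952760:0;su - deploy'

# Emit "<epoch or unknown>\t<command>" for every history entry on stdin.
history_with_dates() {
  awk '/^#[0-9]+$/ { ts = substr($0, 2); next }            # bash timestamp line
       /^: [0-9]+:[0-9]+;/ {                                 # zsh extended history
         ts = $0; sub(/^: /, "", ts); sub(/:.*/, "", ts)
         cmd = $0; sub(/^: [0-9]+:[0-9]+;/, "", cmd)
         printf "%s\t%s\n", ts, cmd; ts = ""; next
       }
       { printf "%s\t%s\n", (ts == "" ? "unknown" : ts), $0; ts = "" }'
}

# Commands run through sudo or su, with their timestamps.
privileged_commands() {
  history_with_dates | awk -F'\t' '$2 ~ /^(sudo|su)( |$)/'
}

# Number of entries whose command matches the extended regex in $1.
count_matching() {
  history_with_dates | awk -F'\t' -v re="$1" '$2 ~ re { n++ } END { print n + 0 }'
}

# Entries that clear or disable history; an empty result is the normal case,
# anything listed here should be cross-checked against auditd or auth.log.
anti_forensic_hints() {
  history_with_dates | awk -F'\t' '$2 ~ /history -c|unset HISTFILE|HISTSIZE=0|rm .*bash_history/'
}

# Stand-alone run over the constructed file; on a host use
# history_with_dates < /home/username/.bash_history instead.
printf '%s\n' "$SAMPLE_HISTORY" | privileged_commands
printf '%s\n' "$SAMPLE_HISTORY" | anti_forensic_hints
```

The epoch values are left as numbers so the output is portable; `date -d @1699952460` (GNU date) converts one to a readable time when needed.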

Exercise 3: Tracking User Activity with Auditd

Objective: Use Auditd to track and analyze user activity.

Steps:

  1. Ensure the auditd service is running:
    sudo service auditd start
  2. Add an audit rule to track changes in the user's home directory:
    sudo auditctl -w /home/username -p war -k user_activity
  3. Generate some user activity by creating, modifying, and deleting files in the home directory.
  4. Use ausearch to query the audit logs for user activity:
    sudo ausearch -k user_activity

Expected Output: You should be able to track and analyze user activities such as file creation, modification, and deletion using Auditd.
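`ausearch -k user_activity` returns one multi-record event per matching syscall: a SYSCALL record with the process and identity fields, a CWD record, and one PATH record per path the call touched. The field that matters most for attribution is `auid`, the login UID, which is fixed at login and survives `sudo`, so a file created by `uid=0` with `auid=1000` was created by whoever logged in as UID 1000. The script below is an added example, not part of the project; it parses a constructed sample (`SAMPLE_AUDIT`, in the shape of `ausearch --raw` output, with invented PIDs, inodes and paths under /home/username) into one line per affected file, resolving relative PATH names against the CWD record and dropping PARENT entries. On a live host, `ausearch -k user_activity -i` interprets the numeric uids and syscalls for reading, and `auditctl -w` rules do not survive a reboot, so keep the rule in a file under /etc/audit/rules.d/ for an engagement that spans one.

```shell
#!/bin/sh
# Added example: reduce raw audit records to "event, login uid, uid, exe,
# success, action, path" lines. SAMPLE_AUDIT is constructed; syscall 257 is
# openat and 263 is unlinkat on x86_64, everything else is made up.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1699952400.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=941 a3=1b6 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="touch" exe="/usr/bin/touch" key="user_activity"
type=CWD msg=audit(1699952400.101:301): cwd="/home/username"
type=PATH msg=audit(1699952400.101:301): item=0 name="/home/username" inode=1310721 dev=08:01 mode=040750 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1699952400.101:301): item=1 name="notes.txt" inode=1310800 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1699952460.207:302): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d0 a2=0 a3=0 items=2 ppid=2001 pid=2010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="user_activity"
type=CWD msg=audit(1699952460.207:302): cwd="/home/username"
type=PATH msg=audit(1699952460.207:302): item=0 name="/home/username" inode=1310721 dev=08:01 mode=040750 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1699952460.207:302): item=1 name="/home/username/old.log" inode=1310700 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE'

# Tab-separated: serial auid uid exe success nametype path, one line per
# affected path, in the order events first appear.
audit_events() {
  awk '
    # value of key=... on the line; the leading (^| ) stops "uid=" matching inside "auid="
    function kv(line, key,    v) {
      if (!match(line, "(^| )" key "=\"?[^ \"]*")) return ""
      v = substr(line, RSTART, RLENGTH)
      sub(/^[^=]*=/, "", v); gsub(/"/, "", v)
      return v
    }
    # event serial from msg=audit(<seconds>.<ms>:<serial>):
    function serial(line) {
      if (!match(line, /:[0-9]+\):/)) return ""
      return substr(line, RSTART + 1, RLENGTH - 3)
    }
    /^type=SYSCALL/ {
      id = serial($0)
      if (!(id in seen)) { seen[id] = 1; order[++n] = id }
      auid[id] = kv($0, "auid"); uid[id] = kv($0, "uid")
      exe[id] = kv($0, "exe");   ok[id] = kv($0, "success")
    }
    /^type=CWD/ { cwd[serial($0)] = kv($0, "cwd") }
    /^type=PATH/ {
      id = serial($0); nt = kv($0, "nametype"); nm = kv($0, "name")
      if (nt == "PARENT") next            # the directory, not the file acted on
      paths[id] = paths[id] (paths[id] == "" ? "" : ",") nt "\t" nm
    }
    END {
      for (i = 1; i <= n; i++) {
        id = order[i]; m = split(paths[id], p, ",")
        for (j = 1; j <= m; j++) {
          split(p[j], q, "\t"); path = q[2]
          if (path !~ /^\//) path = cwd[id] "/" path   # relative name: prefix the CWD
          printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", id, auid[id], uid[id], exe[id], ok[id], q[1], path
        }
      }
    }'
}

# Events attributable to the login uid in $1, whatever uid they ran as.
events_by_auid() { audit_events | awk -F'\t' -v a="$1" '$2 == a'; }

# Denied attempts (success=no): usually permission errors, still evidence of intent.
failed_events() { audit_events | awk -F'\t' '$5 == "no"'; }

# Stand-alone run over the constructed records; on a host use
# sudo ausearch -k user_activity --raw | audit_events instead.
printf '%s\n' "$SAMPLE_AUDIT" | audit_events
```

In the sample the first event shows the pattern the lead-in describes: `touch` ran as `uid=0` but the event carries `auid=1000`, so `events_by_auid 1000` returns both the root-owned create and the later delete as the same person's actions.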

Exercise 4: Analyzing User-Specific Logs with Logwatch

Objective: Use Logwatch to generate reports that include user-specific log entries.

Steps:

  1. Open a terminal.
  2. Run Logwatch to generate a report that includes user activity logs:
    sudo logwatch --detail High --mailto [email protected] --range Today
  3. Review the generated report in your email or specified output location.

Expected Output: You should receive a detailed report generated by Logwatch that includes user-specific log entries.

Exercise 5: Investigating Sudo Activity

Objective: Analyze sudo logs to identify actions performed with elevated privileges.

Steps:

  1. Open a terminal.
  2. Navigate to the /var/log directory:
    cd /var/log
  3. Display the contents of the auth.log file and filter for sudo activity:
    sudo grep "sudo" auth.log
  4. Review the output to identify commands executed with sudo and the associated user accounts.

Expected Output: You should be able to see a log of commands executed with sudo and identify the users who performed these actions.
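`grep "sudo" auth.log` matches three kinds of line that should be read differently: the command record (`user : TTY=... ; PWD=... ; USER=target ; COMMAND=...`), the pam_unix session and authentication lines, and denials (`user NOT in sudoers`, `N incorrect password attempts`). Denials are often the more interesting evidence, since they show an account trying for privileges it does not hold. The script below is an added example rather than the project's own code; it splits a constructed `SAMPLE_AUTH` (host name `host1`, users alice, bob and carol, all invented) into executed commands and denials, and accepts both the `sudo:` and `sudo[pid]:` syslog tags. On a host that logs only to the journal, `journalctl _COMM=sudo` yields the same lines for the same pipeline.

```shell
#!/bin/sh
# Added example: triage sudo entries from an auth.log-style file.
# SAMPLE_AUTH is constructed in the format rsyslog writes on Debian/Ubuntu.
SAMPLE_AUTH='Nov 14 09:15:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Nov 14 09:15:01 host1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Nov 14 09:15:05 host1 sudo: pam_unix(sudo:session): session closed for user root
Nov 14 09:20:11 host1 sudo[4242]:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Nov 14 09:21:30 host1 sudo: pam_unix(sudo:auth): authentication failure; logname=carol uid=1002 euid=0 tty=/dev/pts/2 ruser=carol rhost=  user=carol
Nov 14 09:21:33 host1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Nov 14 09:30:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql'

# Tab-separated "timestamp user target command" for each command sudo ran.
sudo_commands() {
  awk '/ sudo(\[[0-9]+\])?: / && /COMMAND=/ && !/NOT in sudoers/ && !/incorrect password/ {
         match($0, /USER=[^ ;]*/); target = substr($0, RSTART + 5, RLENGTH - 5)
         cmd = $0; sub(/.*COMMAND=/, "", cmd)
         printf "%s %s %s\t%s\t%s\t%s\n", $1, $2, $3, $6, target, cmd
       }'
}

# Tab-separated "timestamp user reason" for refused sudo attempts.
sudo_denials() {
  awk '/ sudo(\[[0-9]+\])?: / && (/NOT in sudoers/ || /incorrect password attempts/) {
         reason = (/NOT in sudoers/) ? "not-in-sudoers" : "bad-password"
         printf "%s %s %s\t%s\t%s\n", $1, $2, $3, $6, reason
       }'
}

# "count user" pairs for executed commands, busiest account first.
sudo_counts_by_user() {
  sudo_commands | cut -f2 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed log; on a host use
# sudo grep sudo /var/log/auth.log | sudo_denials instead.
printf '%s\n' "$SAMPLE_AUTH" | sudo_commands
printf '%s\n' "$SAMPLE_AUTH" | sudo_denials
```

The target user column is worth keeping: `alice` running `psql` as `postgres` is a legitimate `sudo -u` use that a plain count of "sudo" lines would lump together with her root commands.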


With these exercises, you will gain practical experience in forensic analysis of user activity on Linux systems. This will strengthen your digital forensics skills and help you investigate user actions by uncovering evidence of what users actually did.