Profiling Binaries in Linux Systems
Linux commands used in this demo.
An effective analyst must be able to conduct investigations on any operating system and knows how to retrieve on-disk evidence.
Scenario: A suspicious file was found on /tmp/mal_dir and you are tasked to perform live forensics on one of your organization’s Linux systems to investigate the file and gather its metadata.
In this demo, we will tackle about binary profiling in Linux systems and understand when the binary first existed on the system.
In Linux systems, we are limited to perform the investigation using only the terminal console.
First, let us check the directory where the binary was discovered using the built-in command “ls -al” is the first step in performing triage.
In our case, we can see a non-directory file named “credstealer“.
Next, we can check the binary’s file header by using “readelf -h” command.
In our case, readelf reveals us the binary’s header.
Key Points to Remember:
Magic Number = 7f 45 4c .. .. (ELF Magic Number)
Class = ELF64 (MZ Dos in Windows, means credstealer is a x64bit executable)
Type = EXEC (executable file)
Entry Point = 0x4006e0
The stat command gives information about the file and filesystem’s size, access permission, user ID, group ID, birth time, access time and modified time of the file.
We can use this command to profile our binary by running the command “stat credstealer“.
Key Points to Remember:
Inode: 1836028 (What inode does is it keeps track of all the files and directories within Linux System.)
Uid – 1000/linux-analyst (User = 1000, Root = 0)
Gid – 1000/linux-analyst (Group = 1000, Root = 0)
Access, Modify, Birth and Change Time (This provides valuable information when it comes to timelining an attack)
Note: Notice that birth time is blank which gives us less info when the file was first existed on disk.
In the previous steps, we extracted file’s metadata which reveals the Inode of the file.
Now, let’s use the Inode to extract additional information.
First, list mounted disk information by using “fdisk“. #command: sudo fdisk -l | grep sda
Next, Use Sleauthkit’s istat tool. #command: sudo istat /dev/<diskname> <inode>
Note: Sleauthkit’s istat displays the uid, gid, mode, size, link number, modified, access, changed times, and all the disk units a structure has allocated.
At this moment, we have revealed additional information but we still don’t know when the file first existed in the disk.
To answer this, we can use the tool “debugfs“. command: sudo debugfs -R ‘stat <inode>’ /dev/<diskname>
In this case, crtime or birthime reveals that on Aug 12 17:35:26 2022 the file “credstealer” was created in the disk.
Note: The debugfs program is an alternative file system debugger. It can be used to examine and change the state of an ext2, ext3, or ext4 file system.
In real world scenario, crtime/birthtime information can be used as starting point to perform your triage during incident response on Linux systems. This is information can also be used to correlate to different data sources (e.g., Network, System, and Event logs)
Live forensics should be done after duplicating the system’s volatile image/disk to avoid tampering and maintain the system’s integrity.