Forensic analysis - process log

877 views Asked by At

I am performing Forensic analysis on Host based evidence - examining partitions of a hard drive of a server.

I am interested in finding the processes all the "users" ran before the system died/rebooted.

As this isn't live analysis I can't use ps or top to see the running processes.

So, I was wondering if there is a log like /var/log/messages that shows me what processes users ran.

I have gone through a lot of logs in /var/log/* - they give me information about logins, package updates, authorization - but nothing about the processes.

3

There are 3 answers

2
Jean-Baptiste Yunès On

If there was no "command accounting" enabled, there is no.

0
kestasx On

Chances to find something are not too big, anyway a few things to consider:

  • depends how gracefull death/reboot was (if processes were killed gracefully, .bash_history and similar files may be updated with recent session info)
  • utmp and wtmp files may give the list of active users at the reboot.
  • OS may be saving crash dump (depends on linux distribution). If so - You may be able to examine OS state at the moment of crash. See RedHat's crash for details (http://people.redhat.com/anderson/crash_whitepaper/).
  • /tmp, /var/tmp may hold some clues, what was running
  • any files with mtime and ctime timestamps (maybe atime also) near the time of crash
  • maybe You can get something usefull from swap partition (especially if reboot was related to heavy RAM usage).
0
labgeek On

So, I was wondering if there is a log like /var/log/messages that shows me what processes users ran

Given the OS specified by the file system path of /var/log, I am assuming you are using ubuntu or some linux based server and if you are not doing live forensics while the box was running or memory forensics (where a memory capture was grabbed), AND you rebooted the system, there is no file within /var/log that will attribute processes to users. However, if the user was using the bash shell, then you could check the .bash_history file that shows the commands that were run by that user which I think is 500 (by default for the bash shell).

Alternatively, if a memory dump was made (/dev/mem or /dev/kmem), then you could used volatility to pull out processes that were run on the box. But still, I do not think you could attribute the processes to the users that ran them. You would need additional output from volatility for that link to be made.