TechQA.

Forensic analysis - process log

869 views Asked by At

I am performing Forensic analysis on Host based evidence - examining partitions of a hard drive of a server.

I am interested in finding the processes all the "users" ran before the system died/rebooted.

As this isn't live analysis I can't use ps or top to see the running processes.

So, I was wondering if there is a log like /var/log/messages that shows me what processes users ran.

I have gone through a lot of logs in /var/log/* - they give me information about logins, package updates, authorization - but nothing about the processes.

linux unix process computer-forensics
Original Q&A
3

There are 3 answers

2
Jean-Baptiste Yunès On

If there was no "command accounting" enabled, there is no.

0
kestasx On

Chances to find something are not too big, anyway a few things to consider:

  • depends how gracefull death/reboot was (if processes were killed gracefully, .bash_history and similar files may be updated with recent session info)
  • utmp and wtmp files may give the list of active users at the reboot.
  • OS may be saving crash dump (depends on linux distribution). If so - You may be able to examine OS state at the moment of crash. See RedHat's crash for details (http://people.redhat.com/anderson/crash_whitepaper/).
  • /tmp, /var/tmp may hold some clues, what was running
  • any files with mtime and ctime timestamps (maybe atime also) near the time of crash
  • maybe You can get something usefull from swap partition (especially if reboot was related to heavy RAM usage).
0
labgeek On

So, I was wondering if there is a log like /var/log/messages that shows me what processes users ran

Given the OS specified by the file system path of /var/log, I am assuming you are using ubuntu or some linux based server and if you are not doing live forensics while the box was running or memory forensics (where a memory capture was grabbed), AND you rebooted the system, there is no file within /var/log that will attribute processes to users. However, if the user was using the bash shell, then you could check the .bash_history file that shows the commands that were run by that user which I think is 500 (by default for the bash shell).

Alternatively, if a memory dump was made (/dev/mem or /dev/kmem), then you could used volatility to pull out processes that were run on the box. But still, I do not think you could attribute the processes to the users that ran them. You would need additional output from volatility for that link to be made.

Related Questions in LINUX

Related Questions in UNIX

Related Questions in PROCESS

Related Questions in COMPUTER-FORENSICS

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions