EC2 DFIR Workshop
Lab 15: Check for Suspicious Files
GOAL:
Use a variety of techniques to identify suspicious files
SUMMARY OF STEPS:
- Look in the /tmp directory
- Identify unusual SUID files
- Check for large files
- Look for files with high entropy
Step 1: Look in the /tmp directory
Look in the /tmp directory and the recovered /tmp directory. Pay attention to size, name, executables, etc.
ls -als /mnt/linux_mount/tmp
find /mnt/linux_mount/tmp -print0 | xargs -0 file
ls -als /cases/recovered/tmp
find /cases/recovered/tmp -print0 | xargs -0 file
VIDEO: Lab 15 Step 1 - Look in the /tmp directory
Step 2: Identify unusual SUID files
Perform a comparison of SUID files against the baseline:
find /mnt/linux_mount/ -uid 0 -perm -4000 -print > suid_evidence
find /mnt/linux_base/ -uid 0 -perm -4000 -print > suid_base
cut suid_base -d"/" -f4- > suid_base_relative
cut suid_evidence -d"/" -f4- > suid_evidence_relative
diff suid_base_relative suid_evidence_relative
VIDEO: Lab 15 Step 2 - Identify unusual SUID files
Step 3: Check for large files
Check for large files. The following commands look for files greater than 10 MB:
find /mnt/linux_mount/ -size +10000k
find /cases/recovered/ -size +10000k
VIDEO: Lab 15 Step 3 - Check for large files
Step 4: Look for files with high entropy
Use densityscout to look for files with high entropy:
densityscout -r -p 0.1 -l 0.1 -o high_density_evidence.txt /mnt/linux_mount/
densityscout -r -p 0.1 -l 0.1 -o high_density_base.txt /mnt/linux_base/
cut high_density_evidence.txt -d"/" -f4- > high_density_evidence_relative.txt
cut high_density_base.txt -d"/" -f4- > high_density_base_relative.txt
diff high_density_base_relative.txt high_density_evidence_relative.txt
VIDEO: Lab 15 Step 4 - Look for files with high entropy
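The following script is an added example, not part of the lab or of densityscout: it computes Shannon entropy (bits per byte) for every regular file under a mount and reports the high-entropy files that exist in the evidence mount but not in the baseline, which is the same comparison the cut/diff commands above perform. The 7.5 bits/byte threshold and the 1 MiB sample size are assumptions chosen for the example; paths are taken relative to each root, so the result does not depend on the mount point's depth.

```python
#!/usr/bin/env python3
"""Flag high-entropy files under a mount and diff them against a baseline.

Entropy close to 8.0 bits/byte means packed, compressed or encrypted content,
which deserves a closer look in /tmp or other unexpected locations.
"""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Return Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(root: str, threshold: float = 7.5, max_bytes: int = 1 << 20) -> dict:
    """Map path-relative-to-root -> entropy for files at or above threshold.
    Only the first max_bytes of each file are sampled (assumed limit) so a
    large image does not stall the scan; symlinks and unreadable files skip."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                with open(full, "rb") as fh:
                    ent = shannon_entropy(fh.read(max_bytes))
            except OSError:
                continue  # unreadable entry: skip rather than abort the scan
            if ent >= threshold:
                hits[os.path.relpath(full, root)] = ent
    return hits


def new_high_entropy(evidence_root: str, base_root: str,
                     threshold: float = 7.5) -> list:
    """Relative paths that are high entropy in the evidence mount but not in
    the baseline mount: the diff from the lab, without relying on cut -f4-."""
    base = scan(base_root, threshold)
    return sorted(p for p in scan(evidence_root, threshold) if p not in base)


if __name__ == "__main__":
    import sys  # usage: script.py /mnt/linux_mount /mnt/linux_base
    for path in new_high_entropy(sys.argv[1], sys.argv[2]):
        print(path)
```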