Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Lab 15: Check for Suspicious Files


Use a variety of techniques to identify suspicious files


  1. Look in the /tmp directory
  2. Identify unusual SUID files
  3. Check for large files
  4. Look for files with high entropy

Step 1: Look in the /tmp directory

Look in the /tmp directory and the recovered /tmp directory. Pay attention to size, name, executables, etc.

ls -als /mnt/linux_mount/tmp
find /mnt/linux_mount/tmp | xargs file

ls –als /cases/recovered/tmp
find /cases/recovered/tmp | xargs file

VIDEO: Lab 15 Step 1 - Look in the /tmp directory

Step 2: Identify unusual SUID files

Perform a comparison of SUID files against the baseline:

find /mnt/linux_mount/ -uid 0 -perm -4000 -print > suid_evidence
find /mnt/linux_base/ -uid 0 -perm -4000 -print > suid_base
cut suid_base -d"/" -f4- > suid_base_relative
cut suid_base -d"/" -f4- > suid_evidence_relative
diff suid_base_relative suid_evidence_relative

VIDEO: Lab 15 Step 2 - Identify unusual SUID files

Step 3: Check for large files

Check for large files. The following commands look for files greater than 10 MB

find /mnt/linux_mount/ -size +10000k
find /cases/recovered/ -size +10000k

VIDEO: Lab 15 Step 3 - Check for large files

Step 4: Look for files with high entropy

Use densityscout to look for files with high entropy:

densityscout -r -p 0.1 -l 0.1 -o high_density_evidence.txt /mnt/linux_mount/
densityscout -r -p 0.1 -l 0.1 -o high_density_base.txt /mnt/linux_base/
cut high_density_evidence.txt -d"/" -f4- > high_density_evidence_relative.txt
cut high_density_base.txt -d"/" -f4- > high_density_base_relative.txt
diff high_density_base_relative.txt high_density_evidence_relative.txt

VIDEO: Lab 15 Step 4 - Look for files with high entropy