EC2 DFIR Workshop
Lab 16: Review System Logs & Configs
GOAL:
Review logs looking for unusual activities, processes, and behavior
SUMMARY OF STEPS:
- Examine the bash history
- Examine local user accounts and groups
- Look for accounts with passwords set
- Examine bootup events & timing
- Identify past IP addresses
- Look at the yum log
Step 1: Examine the bash history
Examine the .bash_history for the default ec2-user account and for any other accounts on the system (root, plus any additional home directories under /home). Keep in mind that the file is only written when an interactive shell exits cleanly, and that it is trivial for an intruder to clear or disable it (for example by unsetting HISTFILE or setting HISTSIZE=0), so an empty or suspiciously short history for an account that was clearly in use is itself a finding worth recording:
cat /mnt/linux_mount/home/ec2-user/.bash_history
cat /mnt/linux_mount/root/.bash_history
VIDEO: Lab 16 Step 1 - Examine the bash history
Step 2: Examine local user accounts and groups
diff /mnt/linux_base/etc/passwd /mnt/linux_mount/etc/passwd
diff /mnt/linux_base/etc/group /mnt/linux_mount/etc/group
VIDEO: Lab 16 Step 2 - Examine local user accounts and groups
Step 3: Look for accounts with passwords set
Look for accounts with a password hash set. The stock Amazon Linux AMI ships with key-based SSH only and no local passwords, so we treat any hash as a policy violation worth investigating:
grep -F '$' /mnt/linux_mount/etc/shadow
NOTE: We are looking for a literal $ in the second (password) field of each line. A field of *, ! or !! means no usable password is set. When a password is set the field has the form $id$salt$hash, where $id identifies the crypt(3) hashing algorithm on GNU/Linux:
- $1$ is MD5
- $2a$, $2b$ and $2y$ are bcrypt (Blowfish-based)
- $5$ is SHA-256
- $6$ is SHA-512
- $y$ is yescrypt (the default on several newer distributions)
A hash prefixed with ! (for example !$6$...) belongs to an account that was locked with passwd -l or usermod -L. It still matches the grep, and the original hash is restored by usermod -U, so record it as a password that was set and later locked.
VIDEO: Lab 16 Step 3 - Look for accounts with passwords set
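The grep above only tells you which lines contain a $; the classification still has to be done by eye. The following is an added example, not part of the workshop, that reads a shadow-format file and reports for every account whether no password is set, a hash is present, or a hash is present but locked with a leading !, together with the algorithm implied by the $id prefix. The sample shadow file, its account names and the placeholder hash values are constructed for the example; the function names (hash_algo, classify_shadow, count_password_set) are my own. Point classify_shadow at /mnt/linux_mount/etc/shadow to run it against the evidence image.

```sh
#!/bin/sh
# Added example (not workshop code): classify /etc/shadow entries by password state.
# Constructed sample shadow file; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:19000:0:99999:7:::
ec2-user:!!:19000:0:99999:7:::
daemon:!*:19000:0:99999:7:::
backup:$6$rounds=5000$saltsalt$hashhashhash:19000:0:99999:7:::
svc:$1$saltsalt$hashhash:19000:0:99999:7:::
deploy:!$6$saltsalt$hashhashhash:19000:0:99999:7:::
EOF

# hash_algo HASH -> name of the crypt(3) algorithm identified by the $id$ prefix
hash_algo() {
    case "$1" in
        \$1\$*)                  echo MD5 ;;
        \$2a\$*|\$2b\$*|\$2y\$*) echo bcrypt ;;
        \$5\$*)                  echo SHA-256 ;;
        \$6\$*)                  echo SHA-512 ;;
        \$y\$*)                  echo yescrypt ;;
        *)                       echo unknown ;;
    esac
}

# classify_shadow FILE -> one line per account: user, status, algorithm
# Status is NO_PASSWORD (*, !, !! or empty), PASSWORD_SET ($id$salt$hash),
# LOCKED_HASH (hash present but prefixed with ! by passwd -l / usermod -L),
# or UNEXPECTED for anything else (e.g. a legacy DES hash).
classify_shadow() {
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        case "$pw" in
            ""|"*"|"!"|"!!"|"!*")
                printf '%s\tNO_PASSWORD\t-\n' "$user" ;;
            !*)
                # locked, but the hash is intact and usermod -U re-enables it
                printf '%s\tLOCKED_HASH\t%s\n' "$user" "$(hash_algo "${pw#!}")" ;;
            \$*)
                printf '%s\tPASSWORD_SET\t%s\n' "$user" "$(hash_algo "$pw")" ;;
            *)
                printf '%s\tUNEXPECTED\t-\n' "$user" ;;
        esac
    done < "$1"
}

# count_password_set FILE -> number of accounts with a usable password hash
count_password_set() {
    classify_shadow "$1" | grep -c 'PASSWORD_SET'
}

classify_shadow "$SAMPLE_SHADOW"
```

For the constructed sample this reports backup (SHA-512) and svc (MD5) as PASSWORD_SET and deploy as LOCKED_HASH; the remaining accounts have no password. An MD5 ($1$) hash on a modern image is a second finding in itself, because no current Amazon Linux default produces one.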
Step 4: Examine bootup events & timing
Understanding when a system has been booted is important information for constructing a timeline of events in the life of the EC2 instance:
ls -als /mnt/linux_mount/var/log/dmesg* # File Timestamp
grep Cloud-init /mnt/linux_mount/var/log/cloud-init.log
cat /mnt/linux_mount/var/log/boot.log
VIDEO: Lab 16 Step 4 - Examine bootup events & timing
Step 5: Identify past IP addresses
grep -A4 -B1 "Net device info" /mnt/linux_mount/var/log/cloud-init-output.log
VIDEO: Lab 16 Step 5 - Identify past IP addresses
Step 6: Look at the yum log
cat /mnt/linux_mount/var/log/yum.log
diff /mnt/linux_base/var/log/yum.log /mnt/linux_mount/var/log/yum.log \
> /cases/yum-diff.txt                  # full diff, keeps the date and action of each entry
cut -d" " -f5 /mnt/linux_base/var/log/yum.log > /cases/yum-base.txt    # field 5 is the package name
cut -d" " -f5 /mnt/linux_mount/var/log/yum.log > /cases/yum-mount.txt
diff /cases/yum-base.txt /cases/yum-mount.txt | grep '^>' | cut -d" " -f2 \
> /cases/yum-new.txt                   # only the "> package" lines; drops hunk headers such as 3a4,6
grep -F -C1000 -f /cases/yum-new.txt /cases/yum-diff.txt               # -F: package names contain . and +
VIDEO: Lab 16 Step 6 - Look at the yum log
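The multi-file diff above works, but it loses the date and action of each new entry on the way through cut. As an added example that is not part of the workshop, the following does the same comparison in one pass with awk: it records every package name seen in the baseline yum.log and then prints the full evidence-image log lines for packages the baseline never mentions, plus the Erased: lines for baseline packages that were removed, which is what you want for a timeline. The two sample logs are constructed in yum.log's "Mon DD HH:MM:SS Action: package" format with made-up version strings, and the function names (new_yum_entries, erased_base_packages) are my own; substitute /mnt/linux_base/var/log/yum.log and /mnt/linux_mount/var/log/yum.log to run it against the lab images.

```sh
#!/bin/sh
# Added example (not workshop code): compare a baseline yum.log with the
# evidence image's yum.log and keep the full log line for each difference.
# Constructed sample logs; package versions are placeholders.
BASE_LOG=$(mktemp)
MOUNT_LOG=$(mktemp)
cat > "$BASE_LOG" <<'EOF'
Mar 09 14:23:12 Installed: kernel-4.14.0-1.amzn2.x86_64
Mar 09 14:23:15 Updated: openssl-1:1.0.2k-1.amzn2.x86_64
Mar 09 14:23:18 Installed: amazon-ssm-agent-3.0.0-1.amzn2.x86_64
EOF
cat > "$MOUNT_LOG" <<'EOF'
Mar 09 14:23:12 Installed: kernel-4.14.0-1.amzn2.x86_64
Mar 09 14:23:15 Updated: openssl-1:1.0.2k-1.amzn2.x86_64
Mar 09 14:23:18 Installed: amazon-ssm-agent-3.0.0-1.amzn2.x86_64
Mar 11 02:41:03 Installed: nmap-ncat-2:7.50-1.amzn2.x86_64
Mar 11 02:41:09 Installed: socat-1.7.3.2-1.amzn2.x86_64
Mar 11 02:42:30 Erased: amazon-ssm-agent-3.0.0-1.amzn2.x86_64
EOF

# new_yum_entries BASE MOUNT -> lines of MOUNT whose package (field 5) never
# appears in BASE. FILENAME==ARGV[1] is used instead of the NR==FNR idiom so
# an empty baseline file cannot make every MOUNT line look "seen".
new_yum_entries() {
    awk 'FILENAME==ARGV[1] { seen[$5]=1; next } !($5 in seen)' "$1" "$2"
}

# erased_base_packages BASE MOUNT -> Erased: lines in MOUNT for packages that
# were present in BASE (e.g. an agent the intruder removed)
erased_base_packages() {
    awk 'FILENAME==ARGV[1] { seen[$5]=1; next } $4=="Erased:" && ($5 in seen)' "$1" "$2"
}

echo "== packages not in baseline =="
new_yum_entries "$BASE_LOG" "$MOUNT_LOG"
echo "== baseline packages erased =="
erased_base_packages "$BASE_LOG" "$MOUNT_LOG"
```

On the constructed sample the first function returns the two Mar 11 installs (nmap-ncat and socat) with their timestamps intact, and the second returns the removal of amazon-ssm-agent, which would otherwise be invisible to the cut -f5 approach because the package name is also present in the baseline.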