forensicate.cloud

Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Lab 16: Review System Logs & Configs

GOAL:

Review logs looking for unusual activities, processes, and behavior

SUMMARY OF STEPS:

Examine the bash history
Examine local user accounts and groups
Look for accounts with passwords set
Examine bootup events & timing
Identify past IP addresses
Look at the yum log

Step 1: Examine the bash history

Examine the bash_history for the default ec2-user account and any other accounts on the system:

cat /mnt/linux_mount/home/ec2-user/.bash_history
cat /mnt/linux_mount/root/.bash_history

VIDEO: Lab 16 Step 1 - Examine the bash history

Step 2: Examine local user accounts and groups

diff /mnt/linux_base/etc/passwd /mnt/linux_mount/etc/passwd
diff /mnt/linux_base/etc/group /mnt/linux_mount/etc/group

VIDEO: Lab 16 Step 2 - Examine local user accounts and groups

Step 3: Look for accounts with passwords set

Look for accounts with passwords set, assuming this is a policy violation:

cat /mnt/linux_mount/etc/shadow | grep -F "$"

NOTE: We are looking for the presence of a literal $ in the password field. If there is a password set the format is $id$salt$hashed, The $id is the algorithm used On GNU/Linux as follows:

$1$ is MD5
$2a$ is Blowfish
$2y$ is Blowfish
$5$ is SHA-256
$6$ is SHA-512

VIDEO: Lab 16 Step 3 - Look for accounts with passwords set

Step 4: Examine bootup events & timing

Understanding when a system has been booted is important information for constructing a timeline of events in the life of the EC2 instance:

ls -als /mnt/linux_mount/var/log/dmesg*   # File Timestamp
grep Cloud-init /mnt/linux_mount/var/log/cloud-init.log
cat /mnt/linux_mount/var/log/boot.log

VIDEO: Lab 16 Step 4 - Examine bootup events & timing

Step 5: Identify past IP addresses

grep -A4 -B1 "Net device info" /mnt/linux_mount/var/log/cloud-init-output.log

VIDEO: Lab 16 Step 5 - Identify past IP addresses

Step 6: Look at the yum log

cat /mnt/linux_mount/var/log/yum.log
diff /mnt/linux_base/var/log/yum.log /mnt/linux_mount/var/log/yum.log \
  > /cases/yum-diff.txt

cut -d" " -f5 /mnt/linux_base/var/log/yum.log > /cases/yum-base.txt
cut -d" " -f5 /mnt/linux_mount/var/log/yum.log > /cases/yum-mount.txt
diff /cases/yum-base.txt /cases/yum-mount.txt | cut -d" " -f2 \
  > /cases/yum-new.txt

grep -C1000 -f /cases/yum-new.txt /cases/yum-diff.txt

VIDEO: Lab 16 Step 6 - Look at the yum log