Shell command history can provide valuable insights during forensic investigations by revealing the actions performed by users on a Linux system. This project will guide you through the process of extracting and interpreting Linux shell command history from various shell environments. You will learn how to analyze these command histories to uncover potential security incidents and user activities.
The objective of this project is to provide hands-on experience in extracting and interpreting shell command history on Linux systems. By the end of this project, you will be able to effectively use forensic tools to analyze shell command history and gather relevant evidence.
To complete this project, you will need access to a Linux operating system. You can use a physical machine, set up a virtual machine using software like VirtualBox or VMware, or use a cloud-based Linux instance.
- Basic understanding of Linux OS and command-line interface
- Administrative privileges on the Linux machine
For this project, we will use the following tools:
- Grep: A command-line utility for searching plain-text data.
- Auditd: A userspace component to collect audit data.
- Last: A command-line tool to display login history.
- Install Auditd using the package manager:
sudo apt-get install auditd
Objective: Learn how to extract and analyze command history from the Bash shell.
Steps:
- Open a terminal.
- Navigate to a user's home directory:
cd /home/username
- Display the contents of the .bash_history file:
cat .bash_history
- Use grep to search for specific commands or keywords:
grep "sudo" .bash_history
Expected Output: You should be able to see the history of commands executed by the user in the Bash shell and identify specific actions taken.
Objective: Learn how to extract and analyze command history from the Zsh shell.
Steps:
- Open a terminal.
- Navigate to a user's home directory:
cd /home/username
- Display the contents of the .zsh_history file:
cat .zsh_history
- Use grep to search for specific commands or keywords:
grep "sudo" .zsh_history
Expected Output: You should be able to see the history of commands executed by the user in the Zsh shell and identify specific actions taken.
Objective: Use Auditd to track and analyze shell commands executed by users.
Steps:
- Ensure the auditd service is running:
sudo service auditd start
- Add an audit rule to track all executed commands:
sudo auditctl -a always,exit -F arch=b64 -S execve -k exec_commands
- Generate some user activity by executing various commands in the shell.
- Use ausearch to query the audit logs for executed commands:
sudo ausearch -k exec_commands
Expected Output: You should be able to track and analyze the shell commands that users executed, using the Auditd logs.
Objective: Correlate shell command history with login records to understand user sessions.
Steps:
- Use the last command to display the login history:
last
- Note the login times and user accounts.
- Compare the login records with the timestamps in the shell command history files (e.g., .bash_history).
- Identify the commands executed during specific user sessions.
Expected Output: You should be able to correlate shell command history with login records to understand user sessions and actions.
Objective: Identify and investigate suspicious commands executed by users.
Steps:
- Extract the shell command history for the user as described in Exercises 1 and 2.
- Use grep to search for potentially malicious commands or keywords (e.g., wget, curl, nc, rm):
grep -E "wget|curl|nc|rm" .bash_history
- Review the output to identify any suspicious commands.
- Investigate the context and potential impact of the identified commands.
Expected Output: You should be able to identify and investigate suspicious commands executed by users, providing insights into potential security incidents.
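The session correlation from Exercise 4 and the keyword search from Exercise 5, combined in an added Python example that is not part of the original project: it parses a constructed, timestamped .bash_history (Bash writes the "#<epoch>" lines the parser relies on only when HISTTIMEFORMAT was set in the user's shell; commands without one are left unattributed), attributes each command to a login session, and flags the page's keywords. The sessions are constructed (user, start, end) tuples standing in for the times you would note from last, and the keyword pattern uses word boundaries so that names such as rmdir or sync do not match.

```python
import re
# Constructed sample history; Bash writes "#<epoch>" lines only when HISTTIMEFORMAT
# is set, so the last command below deliberately carries no timestamp.
SAMPLE_HISTORY = """\
#1700000100
ls -la /var/www
#1700000160
curl -o /tmp/x http://example.invalid/x
#1700003700
rm -rf /tmp/x
cat /etc/hostname
"""

# Constructed sessions (user, start_epoch, end_epoch) as noted from `last`.
SAMPLE_SESSIONS = [
    ("alice", 1700000000, 1700001000),
    ("alice", 1700003600, 1700004000),
]

# Word boundaries keep names such as "rmdir" or "sync" from matching "rm"/"nc".
SUSPICIOUS = re.compile(r"\b(wget|curl|nc|rm)\b")

def parse_history(text):
    """Return (epoch_or_None, command) pairs from Bash history text."""
    entries, ts = [], None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            ts = int(line[1:])        # timestamp belongs to the next command
        elif line.strip():
            entries.append((ts, line))
            ts = None                 # each timestamp is consumed once
    return entries

def session_for(ts, sessions):
    """Return (user, start_epoch) of the session containing ts, else None."""
    if ts is not None:
        for user, start, end in sessions:
            if start <= ts <= end:
                return (user, start)
    return None

def correlate(history_text, sessions):
    """Attribute each command to a login session and flag suspicious keywords."""
    return [{"ts": ts, "cmd": cmd, "session": session_for(ts, sessions),
             "suspicious": bool(SUSPICIOUS.search(cmd))}
            for ts, cmd in parse_history(history_text)]

if __name__ == "__main__":
    for r in correlate(SAMPLE_HISTORY, SAMPLE_SESSIONS):
        print(r["ts"], r["session"], "SUSPICIOUS" if r["suspicious"] else "-", r["cmd"])
```

To run it against a real file, pass the contents of a user's .bash_history and the sessions you noted from last to correlate().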
With these exercises, you will gain practical experience in extracting and interpreting Linux shell command history. This will enhance your skills in digital forensics and help you effectively investigate user actions by uncovering valuable evidence from shell command histories.