Chapter 1. Answers

  1. Answer:
     Hard link:
     A hard link is an additional name for an existing file that points directly to the inode (data structure) on disk. It is indistinguishable from the original file. Deleting the original file does not affect the hard link.
    
     Symbolic (soft) link:
     A symlink is a special file that contains a path to another file or directory. If the target is deleted, the symlink becomes broken (dangling).
    
     Forensically, symlinks can hide access paths or redirect programs; hard links can be used to obscure the presence or deletion of files.
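     The difference described above, shown in code (an added example, not part of the book's answers): a hard link keeps the inode and its data alive after the original name is removed, while a symlink only stores a path and dangles. File names such as evidence.txt and .cache are constructed for the demonstration.

```python
import os
import tempfile

def link_experiment():
    """Create a file, a hard link and a symlink to it, delete the original,
    and record what each kind of link reveals afterwards (constructed scenario)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.txt")
        hard = os.path.join(d, ".cache")      # hard link under an innocuous name
        soft = os.path.join(d, "shortcut")    # symlink: a file whose content is a path
        with open(original, "w") as f:
            f.write("secret\n")
        os.link(original, hard)
        os.symlink(original, soft)
        before = {
            # both names share one inode; st_nlink counts the names pointing at it
            "same_inode": os.stat(original).st_ino == os.stat(hard).st_ino,
            "link_count": os.stat(original).st_nlink,
            # lstat inspects the symlink itself, stat follows it to the target
            "symlink_is_own_file": os.lstat(soft).st_ino != os.stat(original).st_ino,
            "symlink_target": os.readlink(soft),
        }
        os.remove(original)
        after = {
            # the data survives under the hard link; only the name count dropped
            "hard_link_readable": open(hard).read() == "secret\n",
            "link_count": os.stat(hard).st_nlink,
            # the symlink still exists as a file, but its target path is gone
            "symlink_exists": os.path.lexists(soft),
            "symlink_resolves": os.path.exists(soft),
        }
        return before, after

if __name__ == "__main__":
    for label, result in zip(("before delete", "after delete"), link_experiment()):
        print(label, result)
```

     A link count above 1 on a file that should have a single name is the tell-tale an analyst looks for when a hard link is used to keep deleted content alive.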
    
  2. Answer:
     Historically:
    
     /bin and /sbin contain essential system binaries required for early boot and maintenance.
    
     /usr/bin and /usr/sbin contain user applications and non-essential system binaries.
    
     Modern systems (especially on systemd-based distros) often symlink /bin to /usr/bin and /sbin to /usr/sbin as part of the merged /usr initiative.
    
     Forensically, it’s important because tampered binaries or privilege escalation tools may hide in any of these paths.
    
  3. Answer:
     /etc stores system-wide configuration files.
    
     Examples of forensic artifacts:
    
     /etc/passwd – user account information
    
     /etc/shadow – hashed passwords
    
     /etc/ssh/sshd_config – SSH configuration (useful for tracing remote access setup)
    
     Also relevant:
    
     /etc/sudoers – privilege escalation rules
    
     /etc/crontab and /etc/cron.* – scheduled tasks (possible persistence mechanisms)
    
  4. Answer:
     /var/log contains log files generated by system processes, daemons, and applications.
    
     Common logs:
    
     /var/log/auth.log or /var/log/secure – authentication and login events
    
     /var/log/syslog or /var/log/messages – general system events
    
     /var/log/audit/ – Linux audit daemon logs (security-critical)
    
     /var/log/cron – scheduled job executions
    
     /var/log/httpd/ or /var/log/nginx/ – web server logs
    
     Forensically, /var/log is crucial for investigating logins, persistence, privilege escalations, and attacks.
    
  5. Answer:
     /tmp is a temporary storage location, often world-writable (777).
    
     It’s frequently used by:
    
     Applications to store temporary files.
    
     Malware or attackers for file staging, script execution, or dropping payloads.
    
     It may contain:
    
     Unusual executables, shell scripts
    
     Exploitation artifacts
    
     Session files or stolen data caches
    
     Files here can be volatile, especially if the system uses tmpfs or clears /tmp on reboot.
    
     Forensic analysts should check /tmp for suspicious activity during live analysis or immediately after compromise.
    

Chapter 2. Answers

  1. Answer:
     utmp: Tracks current logins and user sessions. Used by commands like who and w.
    
     wtmp: Maintains a historical log of all logins and logouts. Used by the last command.
    
     btmp: Logs failed login attempts. Useful for spotting brute-force attacks. Read with lastb.
    
     lastlog: Shows the most recent login for each user account. Accessed via the lastlog command.
    
     🛡️ These files are binary and must be parsed with proper tools.
    
  2. Answer:
     lastb -f /var/log/btmp     # lastb reads btmp by default; -f points it at an acquired copy
     last -f /var/log/btmp      # last parses the same binary record format from any path
    
  3. Answer:
     It logs cron job executions — both user and system jobs.
    
     Useful for:
    
     Investigating scheduled persistence mechanisms (e.g., malware in cron).
    
     Attributing actions to scheduled jobs in forensics.
    
  4. Answer:
     auditd (Linux Audit Daemon) logs security-relevant events.
    
     Captures:
    
     Syscalls (e.g., open, execve)
    
     File access or permission changes
    
     Policy violations (SELinux/AppArmor)
    
     User actions (sudo, login, group changes)
    
     Useful in compliance, intrusion detection, and traceability.
    
  5. Answer:
     Laurel is a high-performance userspace auditd plugin.
    
     Advantages:
    
     JSON output
    
     Enrichment capabilities
    
     Useful in containers, high-performance systems, and for structured logs suitable for SIEMs.
    
  6. Answer:
     Volatile: Logs are stored in RAM (/run/log/journal) and lost on reboot.
    
     Persistent: Stored in /var/log/journal, survives reboots.
    
     For forensic use, enabling persistent logs is critical to retain evidence post-crash/reboot.
    
  7. Answer:
     rsyslog is a modern syslog daemon that:
    
     Collects, filters, and forwards logs
    
     Writes logs to files, databases, or remote servers
    
     Syslog: A standardized logging protocol (RFC 5424) for sending log messages.
    
     Rsyslog enhances traditional syslog with modularity, encryption, and centralized logging.
    
  8. Answer:
     /var/log/auth.log or /var/log/secure – authentication attempts
    
     /var/log/wtmp & /var/log/btmp – login history & failures
    
     /var/log/lastlog – most recent user logins
    
     /var/log/sudo.log or /var/log/audit/audit.log – privilege escalation
    
     journalctl – for systemd events, especially with filters:
    
    
  9. Answer:
     Use a common timestamp as the pivot point.
    
     Example approach:
    
     Extract timestamp of suspicious login from /var/log/auth.log.
    
     Search same timestamp range in:
    
     journalctl for system activity
    
     /var/log/cron for scheduled tasks
    
     audit.log for executed binaries
    
     Tools like Plaso, Elastic Stack, Splunk, or simple grep, awk, and timelining scripts can help automate this.
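     The pivot procedure above, worked through in code (an added example, not from the book): the timestamp of a suspicious login is extracted from auth.log-style lines, and every cron and audit.log event within two minutes of it is collected into one ordered view. The log lines, host name, addresses and year are constructed assumptions; note that syslog-style files carry no year while audit.log carries an epoch.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the real formats of auth.log, cron and audit.log.
AUTH_LOG = """\
Nov 14 22:13:20 web01 sshd[4100]: Accepted password for deploy from 203.0.113.5 port 51022 ssh2
Nov 14 22:13:20 web01 sshd[4100]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""
CRON_LOG = """\
Nov 14 22:12:01 web01 CRON[4090]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Nov 14 22:14:01 web01 CRON[4150]: (deploy) CMD (/tmp/.update.sh)
Nov 14 23:00:01 web01 CRON[4400]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
"""
AUDIT_LOG = """\
type=EXECVE msg=audit(1700000030.512:311): argc=2 a0="curl" a1="http://203.0.113.5/"
type=EXECVE msg=audit(1700003600.001:512): argc=1 a0="logrotate"
"""
YEAR = 2023  # syslog timestamps carry no year; taken from the image's context (assumed)

SYSLOG_TS = re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}")
AUDIT_TS = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")

def line_epoch(line):
    """UTC epoch of a syslog-style or audit.log line, or None if neither."""
    m = SYSLOG_TS.match(line)
    if m:
        dt = datetime.strptime(f"{YEAR} {m.group(0)}", "%Y %b %d %H:%M:%S")
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    m = AUDIT_TS.search(line)
    return int(m.group(1)) if m else None

def find_login(auth_text, user):
    """Pivot point: epoch of the first accepted login for `user`."""
    for line in auth_text.splitlines():
        if f"Accepted password for {user}" in line:
            return line_epoch(line)
    return None

def pivot(sources, anchor, window=120):
    """Every event from every source within +/- window seconds of the anchor, sorted."""
    return sorted((t, name, line) for name, text in sources.items()
                  for line in text.splitlines()
                  if (t := line_epoch(line)) is not None and abs(t - anchor) <= window)

if __name__ == "__main__":
    anchor = find_login(AUTH_LOG, "deploy")
    for t, src, line in pivot({"auth": AUTH_LOG, "cron": CRON_LOG, "audit": AUDIT_LOG}, anchor):
        print(f"{t - anchor:+5d}s  {src:<5} {line}")
```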
    
  10. Answer:
    Tampering Techniques:
    Log Deletion: rm /var/log/auth.log
    
    Log Truncation: > /var/log/auth.log (overwrites with empty file)
    
    Log Manipulation: Edit log lines using sed, vim, etc., to remove or modify incriminating entries.
    
    Detection and Security Techniques:
    
    Remote centralized logging: ship logs off-host so that a locally deleted or truncated file can be compared against the remote copy.
    
    Auditd and File Integrity Monitoring:
    
    Use auditd to log access/modification to log files.
    
    Use tools like AIDE, Tripwire, or auditctl rules to track changes:
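     The detection side of this answer as an added example (not from the book): a minimal file-integrity check in the spirit of AIDE or Tripwire that baselines a log's inode, size and content hash, then names the tampering pattern it sees (deletion, truncation, in-place edit) as opposed to legitimate append-only growth. The scenario runs against a constructed auth.log copy in a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Baseline for an append-only log: inode, size and hash of the content."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    with open(path, "rb") as f:
        return {"inode": st.st_ino, "size": st.st_size,
                "sha256": hashlib.sha256(f.read()).hexdigest()}

def classify(path, baseline):
    """Compare a log with its baseline and name the tampering pattern, if any."""
    current = snapshot(path)
    if current is None:
        return "deleted"                    # rm <log>
    if current["inode"] != baseline["inode"]:
        return "recreated"                  # removed and replaced by a new file
    if current["size"] < baseline["size"]:
        return "truncated"                  # > <log>
    with open(path, "rb") as f:             # the baselined bytes must still be a prefix
        if hashlib.sha256(f.read(baseline["size"])).hexdigest() != baseline["sha256"]:
            return "modified"               # in-place edit (sed, vim); also truncate-and-refill
    return "appended" if current["size"] > baseline["size"] else "unchanged"

def run_demo():
    """Drive each outcome against a constructed auth.log copy; returns the labels."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "auth.log")
        line1 = "Nov 14 22:13:20 web01 sshd[4100]: Accepted password for deploy from 203.0.113.5\n"
        line2 = "Nov 14 22:13:21 web01 sshd[4100]: pam_unix(sshd:session): session opened\n"
        steps = [("w", line1), ("a", line2),                           # create, then normal append
                 ("w", line1.replace("203.0.113.5", "10.0.0.5") + line2),  # edit a line in place
                 ("w", "")]                                              # > auth.log
        seen = []
        for i, (mode, text) in enumerate(steps):
            with open(log, mode) as f:
                f.write(text)
            if i == 0:
                base = snapshot(log)
            seen.append(classify(log, base))
        os.remove(log)
        seen.append(classify(log, base))                                 # rm auth.log
        return seen

if __name__ == "__main__":
    print(run_demo())
```

     In production the baseline would live off-host, since a local baseline can be tampered with just as easily as the log it protects.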
    

Chapter 3. Answers

  1. Answer:
     The /proc filesystem is unique because it doesn’t contain actual files on disk; 
     instead, it represents runtime system information in the form of virtual files. 
     This is why it’s called a "pseudo-filesystem." 
     When you access a file in /proc, the kernel dynamically generates the data, 
     providing real-time information about system and process states. 
     This is different from typical filesystems, which store persistent data.
    
  2. Answer:
     The /proc/sys directory allows real-time kernel parameter tuning by providing access to various kernel and system settings. 
     Changes made to these files can alter system behavior without requiring a reboot. 
     For instance, /proc/sys/net/ipv4/ip_forward controls IP forwarding, 
     which can be enabled for routing purposes. 
     However, altering these parameters can lead to security vulnerabilities, 
     such as enabling packet forwarding without adequate firewall settings, 
     which can expose the system to attacks.
    
  3. Answer:
     The /proc/sys/net/ipv4 directory contains configurations for IPv4 networking, affecting performance and security. For example:
     ip_forward: Enabling this allows the machine to route packets, useful in routers but potentially dangerous on exposed hosts.
     tcp_syncookies: Setting this to 1 enables SYN cookies, helping mitigate SYN flood attacks by preventing resource exhaustion in TCP handshakes.
    
  4. Answer:
     To investigate a suspicious process, examine:
     cmdline: Shows command-line arguments; unusual commands can indicate malicious behavior.
     fd/: Lists open file descriptors; unusual network connections (like persistent connections to external IPs) can be suspicious.
     status: Provides memory and CPU usage; high usage could indicate resource abuse.
     exe: a link to the process's original executable that remains readable even if the file was deleted from disk; useful in incident response.
    
  5. Answer:
     The kernel dynamically generates data in /proc files when they’re accessed. Unlike regular files, /proc files are generated on-the-fly by kernel code, pulling real-time system metrics or process information directly from memory structures. 
     This design minimizes storage overhead and ensures up-to-date information.
    
  6. Answer:
     /proc/kcore is a file that represents the system's physical memory as if it were a core dump, used for debugging. 
     It provides access to kernel memory, but reading it can slow the system and requires root privileges, as it exposes sensitive data. 
     Caution is advised due to potential security risks and system impact.
    
  7. Answer:
     An inode is a data structure used in Linux filesystems to store information about a file or directory, 
     excluding its name or its actual data. Each inode contains metadata such as the file type, 
     permissions, owner, size, timestamps, and pointers to the data blocks where the file's content is stored. 
     Inodes are crucial for the filesystem's ability to manage and access files efficiently.
    
  8. Answer:
     The xfs_db tool is essential for low-level examination of XFS file systems, 
     allowing investigators to inspect superblocks, inodes, and raw blocks. 
     By converting addresses and performing block lookups, 
     xfs_db helps trace data structures back to files, 
     facilitating analysis of both active and deleted files on an XFS volume.
    
  9. Answer:
     When a file is deleted on XFS, 
     its directory entry is marked as free space, 
     and the inode is partially overwritten to signify deallocation. 
     The ctime (change time) for the inode updates to the deletion time, 
     while the file size and extent counts are zeroed out. 
     However, extent data remains intact, making it possible to recover data by examining the raw inode and its extents in the absence of a dedicated undelete tool.
    
  10. Answer:
    Forensic support for XFS is limited compared to EXT file systems, 
    with tools like X-Ways and a development branch of Sleuthkit providing partial support. 
    Given the complexity of XFS structures and limited tool compatibility, 
    investigators often rely on manual methods and low-level tools like xfs_db and dd to analyze XFS systems, 
    especially when dealing with deleted or hidden data.
    
  11. Answer:
    /sys is part of the sysfs virtual filesystem and exposes information about devices, kernel subsystems, and hardware configuration. In contrast, /proc focuses more on processes, kernel parameters, and runtime system information. While both are virtual and non-persistent, /sys is more structured and used for hardware-related information and control interfaces.
    

Chapter 4. Answers

  1. Answer:
     A persistence mechanism is a method used by attackers to maintain access to a compromised system across reboots or updates. It's valuable because it allows the attacker to regain control without re-exploiting the system.
    
  2. Answer:
     Example Persistence techniques:
    
     Cron jobs: Attackers set malicious cron jobs that run periodically, ensuring re-execution at specific intervals or on reboot.
     Systemd services: By creating custom or altering existing systemd service files, attackers can start malicious services automatically at boot.
     rc.local modifications: Commands placed in /etc/rc.local execute on startup, though less common now in systemd-based systems. These techniques are often hard to detect without thorough monitoring of these files and services.
    
  3. Answer:
     With systemd services, defenders can regularly audit and review active services, searching for unknown or unexpected entries. Checking service files in /etc/systemd/system/ and /lib/systemd/system/ for unauthorized changes and comparing them with baselines helps detect alterations. Automated alerts on file modifications and enabling auditd logging for service file access further strengthen detection.
    
  4. Answer:
     Overlooking persistence mechanisms can lead to an attacker’s re-entry into the system even after initial cleanup, allowing further data theft, lateral movement, or destructive actions. Persistent footholds enable attackers to bypass perimeter defenses, escalate privileges, and reestablish full control, causing prolonged security risks and potential reputational damage.
    
  5. Answer:
     Both LD_PRELOAD and ld.so.preload allow attackers to load malicious shared libraries before standard libraries during program execution. This enables them to intercept function calls and alter the behavior of applications without modifying the binaries themselves. The security implications are significant, as these methods can evade detection by traditional security measures. For defenders, monitoring ld.so.preload and checking for unauthorized shared libraries can help identify potential compromises.
    

Chapter 5. Answers

  1. Answer:
     Example artifacts in Linux: 
     /proc/modules: Used to detect loaded kernel modules, which may include rootkits in a compromised system. For example, an investigator might find an unknown module loaded, which could point to a hidden malicious process.
     /etc/ssh/sshd_config: Useful for examining SSH settings to check for altered configurations. For example, if PermitRootLogin is set to "yes" on a production server, this could indicate that unauthorized remote access was enabled.
     /var/log/auth.log: Monitors authentication attempts. If logs show repeated failed login attempts from an unfamiliar IP, this could suggest a brute-force attack.
     uptime: Can help correlate system uptime with an incident timeline, such as a recent reboot after malware installation.
     lsmod: Detects loaded kernel modules, which might reveal malicious drivers. For example, an investigator might find a module with no associated file on disk, indicating a possible rootkit.
    
  2. Answer:
     ss: Useful for quickly accessing real-time socket information, providing detailed data on active connections. This is particularly valuable when monitoring a live system with high network traffic.
     netstat: Offers insights into network connections by querying information stored in /proc, useful for both real-time and historical analysis.
     Comparison Utility: Comparing ss and netstat outputs can help verify accuracy, detect discrepancies, and identify connections or services that may appear in one output but not the other—an indication of stealthy connections or tampering.
    
  3. Answer:
     Purpose: lsof lists open files and associated processes, making it essential for identifying files that are open even if deleted, as well as for monitoring files tied to specific network connections.
     Scenario: During an investigation, lsof could expose files open by processes communicating with suspicious IPs, potentially identifying data exfiltration or malicious scripts running in memory despite deletion from disk.
    
  4. Answer:
     Example Artifacts:
     /var/log/secure (or /var/log/auth.log): Shows authentication attempts, highlighting brute-force attacks or repeated login failures.
     lastlog: Lists last login information, allowing for detection of unusual access based on time, source, and user.
     who command: Lists currently logged-in users, enabling real-time checks for unauthorized active sessions.