Monitoring and Forensics in Linux

Audrey Betsy Rumapea
5 min read · Oct 31, 2021


Linux is one of the most commonly used operating systems after Windows and macOS. Linux has its own tools for monitoring and forensics, which can be used to retrieve digital evidence and analyze a case. Here, we’re going to learn together about some of those tools.

In this article, we’re going to use Kali Linux in a VirtualBox virtual machine. Kali Linux is an open-source, Debian-based Linux distribution tailored for security and IT professionals working on information security tasks. Computer forensics is actually just one of the things that we can do inside Kali. Besides forensics, we can perform penetration testing, security research, and reverse engineering, but let’s just focus on forensics for now.

Source: Kali Linux

Monitoring Process Using top & htop

The top command is a program for monitoring the performance of the operating system. It displays the running and active processes in real time, along with details for each process:

  • PID: identifier of the process (process ID)
  • USER: username of the process’ owner
  • PR: priority of the process
  • NI: nice value of the process. A negative nice value means higher priority
  • VIRT: total virtual memory used by the process
  • SHR: amount of shared memory (in KiB) used by the process
  • %CPU: CPU usage
  • %MEM: memory usage of the process
  • TIME+: CPU time with hundredths of a second granularity

This command is typically used by system administrators to monitor running processes. If a process takes up a lot of memory and CPU, it might be dangerous, so the system administrator can take action (e.g. ask the user about the command they ran, or kill the process right away by pressing ‘k’).
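The same check can be scripted for unattended monitoring. This added example (not from the original article) runs over a constructed sample of `top -b -n 1` output, the non-interactive form of the display described above, and flags processes above a %CPU or %MEM threshold; the PIDs, users and numbers are made up.

```shell
#!/bin/sh
# Added example: flag heavy processes in `top -b -n 1` batch output.

# Constructed sample of `top -b -n 1` output, trimmed to the process table
# header and a few rows. Column order matches the default procps layout.
SAMPLE_TOP='  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 1234 kali      20   0  812345  40321  20100 S   2.0   1.0   0:03.21 firefox
 4321 root      20   0  123456  90000   1200 R  97.5   4.5  12:45.00 kworker
 5555 www-data  20   0 2345678 900000  12000 S   3.2  45.0   1:10.00 apache2
 6666 kali      20   0   10240   2048   1024 S   0.0   0.1   0:00.01 bash'

# flag_heavy <cpu_threshold> <mem_threshold> reads top output on stdin and
# prints "PID USER %CPU %MEM COMMAND" for every process above either limit.
flag_heavy() {
    awk -v cpu="$1" -v mem="$2" '
        # ignore the summary block; the table starts after the column header
        /^ *PID +USER/ { in_table = 1; next }
        in_table && NF >= 12 && ($9 + 0 > cpu || $10 + 0 > mem) {
            printf "%s %s %s %s %s\n", $1, $2, $9, $10, $12
        }'
}

# count_heavy <cpu> <mem> returns how many sample processes were flagged,
# the number a periodic check would alert on.
count_heavy() {
    printf '%s\n' "$SAMPLE_TOP" | flag_heavy "$1" "$2" | wc -l | tr -d ' '
}

# With limits of 50% CPU and 30% memory the sample flags kworker and apache2.
printf '%s\n' "$SAMPLE_TOP" | flag_heavy 50 30
```

On a live system replace the sample with `top -b -n 1 | flag_heavy 50 30`.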

An enhanced version of the top command is htop. Compared to top, htop has some added features such as:

  • support of mouse operation
  • usage of color in output
  • visual indications about processor, memory and swap usage
  • full command lines for processes
  • vertical scrolling for processes and horizontal scrolling for command lines

htop has several interactive commands which might be useful for monitoring, such as:

  • Arrows, Page Up, Page Down, Home, End to scroll list of processes
  • s to trace process system calls
  • F1: Help
  • F2: setup
  • F3: search
  • F4: filter. We can filter the process list down to processes whose command line contains a given string
  • F5: Tree view

Tree view example

htop also accepts some command-line options:

  • -u, --user=USERNAME: show only the processes of a specific user. With this option, we can easily monitor what a user is currently doing.
  • -p, --pid=PID[,PID,…]: show only the processes with the given PIDs.
  • -s, --sort-key=COLUMN: show the list of processes sorted by a specific column.

Forensics using ClamAV Malware Detector

ClamAV is an open-source antivirus engine for detecting trojans, viruses, malware and other malicious threats. To use ClamAV, we first have to install it with the command below.

sudo apt-get install -y clamav

Next, we’re going to start scanning our Linux system. With ClamAV, we can scan a single file or a whole folder. We can use the commands below to run the scan.

clamscan <filepath>        # to scan a single file
clamscan -r <folderpath>   # to scan the whole folder; -r recurses into subfolders

In the example below, I scanned the folder audreyb, located at /home/audreyb.

Forensics using Log Analysis

A log is simply a history of things that happened in the OS. Logs can help us understand the order of events if something goes wrong. For example, we can see which malware was installed and at what time, or we can get the list of usernames that were created around the time of the incident. There are several log files that can be used for this, and we’re going to talk about some of them below.

1. Syslog

/var/log/syslog

The file above records the activity of the whole system.

Log using /var/log/syslog

2. Authentication log

/var/log/auth.log

This file keeps authentication logs for logins (either successful or failed) and for other authentication processes.

Log using /var/log/auth.log

3. BTMP log

/var/log/btmp

This log lists all failed login attempts. It is a binary file, so read it with the lastb command rather than a text viewer. Using this log, we can examine potential security breaches, such as brute-force attempts to log in to the system.

Log using /var/log/btmp

4. Daemon log

/var/log/daemon.log

This log contains the messages of the running daemons. Daemons are background service processes that supervise the system or provide functionality to other processes.
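Two of the questions raised above, who is brute-forcing logins and which accounts were created during the incident window, can be answered directly from auth.log. This added example (not from the original article) does both over constructed sample lines in Debian auth.log format; the hostname, PIDs, account name and IPs (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are made up.

```shell
#!/bin/sh
# Added example: brute-force and account-creation checks over auth.log.
# Reading the real /var/log/auth.log normally needs root or the adm group.

# Constructed sample lines in Debian auth.log format.
SAMPLE_AUTH='Oct 31 10:15:01 kali sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 31 10:15:03 kali sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 31 10:15:04 kali sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 31 10:15:06 kali sshd[1204]: Failed password for root from 203.0.113.5 port 51241 ssh2
Oct 31 10:16:10 kali sshd[1210]: Failed password for audreyb from 198.51.100.7 port 40000 ssh2
Oct 31 10:16:30 kali sshd[1210]: Accepted password for audreyb from 198.51.100.7 port 40000 ssh2
Oct 31 10:20:44 kali useradd[1300]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash'

# failed_logins_by_ip <min_failures>: count sshd "Failed password" lines per
# source IP (the word after "from") and print "IP COUNT" for every source at
# or above the threshold, sorted. This is the trace a brute-force attempt
# leaves in auth.log (the same failures also land in btmp).
failed_logins_by_ip() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }' | sort
}

# accounts_created: print the timestamp and name of every account added via
# useradd, so creations can be lined up against the incident window.
accounts_created() {
    awk '/useradd\[[0-9]+\]: new user:/ {
        name = $0; sub(/.*name=/, "", name); sub(/,.*/, "", name)
        print $1, $2, $3, name
    }'
}

# Wrappers over the embedded sample so the checks have fixed results.
sample_bruteforce()   { printf '%s\n' "$SAMPLE_AUTH" | failed_logins_by_ip "$1"; }
sample_new_accounts() { printf '%s\n' "$SAMPLE_AUTH" | accounts_created; }

sample_bruteforce 3     # → 203.0.113.5 4
sample_new_accounts     # → Oct 31 10:20:44 svc_backup
```

On a real system run `failed_logins_by_ip 10 < /var/log/auth.log` and `accounts_created < /var/log/auth.log`.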

Conclusion

To sum up, we’ve talked about several tools that we can use to monitor and perform forensics in Linux. For monitoring processes inside Linux, we can use htop and top. Meanwhile, for forensics, we can leverage log analysis and a malware detector. Keep in mind that these tools only make up a tiny bit of an ocean full of available monitoring and forensics tools out there. To explore the other tools, you need to surf in the ocean (aka the internet).

By using monitoring tools, it becomes easier to identify abnormal activity so we can stop it before the system gets infected. If an incident has already occurred, we can use the forensics tools to analyze it and find out who the ‘bad guy’ is.

This article is written by Audrey Betsy Rumapea (18218039)

Task 5: Linux Forensics

Course: II4033 Forensik Digital
