
Linux System Artifacts
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
L8: Linux System Artifacts

1 Linux Kernel Data Structures

- Linux uses special data structures to store state information in memory
  - Running processes
  - Open files
  - Memory blocks occupied by a process
  - And more!
- Memory analysis
  - We can parse a memory dump looking for these structures


2 Linux Process State

- A process is a program in execution
- Linux maintains the process's state using a process descriptor
  - A C datatype called task_struct
  - Description available in the source file include/linux/sched.h
  - Contains information such as
    - Process name
    - Process state
    - Process identifier
    - Parent process identifier
    - Memory regions occupied
    - Files open by the process
    - Etc.
- The exact structure may vary from version to version

3 task_struct

    struct task_struct {
        volatile long state;     // state of the process
        ...
        struct list_head tasks;  // next/previous process in task list
        ...
        struct mm_struct *mm;    // memory map
        ...
        pid_t pid;               // process ID
    };
4 Linux Process State (contd.)

- Information is maintained in memory in the form of a list
  - One of the fields in a descriptor tells us where the descriptor for the next process begins in memory
  - Another field tells us where the descriptor for the previous process is
  - Also called a doubly linked list
- Where is the beginning of this list?
  - The first task is the init_task
  - Memory offset of this task is stored in a special file
    - System.map-XXXXX in /boot/
- Follow links on the init_task process descriptor to find other process descriptors

5 Process Descriptor List

[Figure: MEMORY. Process descriptors laid out in memory as a chain of boxes, each linked to the following one by "next" and to the preceding one by "prev", starting from the process descriptor of init_task.]

6 Virtual Image of a Running Program

[Figure: virtual address space of a running program, from the top (4 GB) to the bottom (0x08048000 = 0.125 GB)]
  4 GB
  Kernel Space (Untouchable)
  3 GB
  Stack (local variables and other transient data), grows down
  Heap, grows up
  BSS Section (uninitialized global variables)
  Data Section (global variables initialized by you)
  Code Section (machine instructions of your program)
  0x08048000 = 0.125 GB

7 Keeping Track of the Memory In Use

[Figure: the same layout as slide 6 (Kernel Space, Stack, Heap, BSS Section, Data Section, Code Section); each user-space section is tracked as a virtual memory area with a start and an end address.]
8 Virtual to Physical Mapping

[Figure: the process layout of slide 6 labelled Virtual Address on one side and Physical Address on the other; a virtual address is translated to a physical address through the Page Table.]

9 Memory Usage

- One of the fields in a process descriptor points us to another structure
  - Memory descriptor
  - Named mm_struct in the source code
- A field in this structure points to a list of virtual memory descriptors
  - Named vm_area_struct in the source code
- Another field in the memory descriptor takes us to the page table
- Do you get the idea?
  - Once you locate the process descriptor of a process in memory, you can follow links to find additional pieces of information

10 Memory Usage (contd.)

[Figure: an mm_struct pointing to a chain of vm_area_struct entries (vm_start, vm_end, ...), each linked to the following one by "next" and to the preceding one by "prev".]

11 Process Info

- Process descriptor offset
  - 0x00: state of the process (4 bytes)
  - 0x7C: memory address of offset 0x7C of next process (4 bytes)
  - 0x80: memory address of offset 0x7C of previous process (4 bytes)
  - 0x84: memory address where the memory descriptor for the process begins (4 bytes)
  - 0xA8: process identifier (4 bytes)
  - 0x194: name of the process (16 bytes)
- Note: Offsets are specific to Red-Hat-2.6.18-8.1.15.el
12 Example: init_task

[Figure: hex dump annotated "init_task begins here (obtained from System.map)".]
- Must subtract 0xC0000000 from any address we come across. Kernel objects are stored from address 0xC0000000 onwards in memory and this dump contains that memory portion only.
  - 0xD1957B1C – 0xC0000000 = 0x11957B1C

13 Example: Next Process Descriptor

[Figure: hex dump annotated "next points directly to the next field" and "next process descriptor actually begins here".]


14 Memory Mapping

- Memory descriptor offset
  - 0x00: address of first virtual memory area (all zeros mean none) (4 bytes)
- Virtual memory (VM) area descriptor offset
  - 0x00: address of the memory descriptor (4 bytes)
  - 0x04: start address of the VM area (4 bytes)
  - 0x08: end address of the VM area (4 bytes)
  - 0x0C: address of next VM area descriptor (4 bytes)
- Note: Offsets are specific to Red-Hat-2.6.18-8.1.15.el

15 Example: Memory Descriptors

[Figure: hex dump annotated "Address of memory descriptor" and "Address of 1st virtual memory descriptor".]
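As an added example (not from the lecture), the following Python walks a constructed memory image using the slide 11 process descriptor offsets, the slide 12/13 address rule (subtract 0xC0000000, and note that the next field points at offset 0x7C of the next descriptor rather than at its start) and the slide 14 memory and VM area descriptor offsets, which is the traversal Assignment 3 asks for. It assumes a little-endian 32-bit image whose first byte is kernel address 0xC0000000; the sample dump, its addresses, PIDs and process names are constructed for the demonstration.

```python
import struct

KERNEL_BASE = 0xC0000000  # the dump's first byte is this kernel address (slide 12)

def off(addr):          # kernel virtual address -> offset into the dump
    return addr - KERNEL_BASE
def u32(dump, o):       # little-endian 4-byte field (32-bit x86 assumed)
    return struct.unpack_from("<I", dump, o)[0]

def vm_areas(dump, mm_addr):
    """Walk the vm_area_struct chain of one mm_struct using the slide 14 offsets."""
    areas, vma = [], u32(dump, off(mm_addr) + 0x00)   # mm +0x00: first VMA, 0 = none
    while vma != 0:
        o = off(vma)
        areas.append((u32(dump, o + 0x04), u32(dump, o + 0x08)))  # vm_start, vm_end
        vma = u32(dump, o + 0x0C)                                  # next VMA descriptor
    return areas

def walk_tasks(dump, init_task_addr):
    """Follow next links from init_task; return (pid, name, mapped_bytes) per process."""
    procs, task = [], init_task_addr
    while True:
        o = off(task)
        pid = u32(dump, o + 0xA8)
        name = dump[o + 0x194:o + 0x1A4].split(b"\0", 1)[0].decode("ascii", "replace")
        mm = u32(dump, o + 0x84)
        mapped = sum(end - start for start, end in vm_areas(dump, mm)) if mm else 0
        procs.append((pid, name, mapped))
        # +0x7C holds the address of offset 0x7C *of the next descriptor* (slide 13),
        # so subtract 0x7C to land on the start of that descriptor
        task = u32(dump, o + 0x7C) - 0x7C
        if task == init_task_addr:  # the list is circular: back at init_task, done
            return procs

def build_sample_dump():
    """Constructed sample image (not a real dump): init_task plus one bash process."""
    dump = bytearray(0x1000)
    init_t, bash_t = KERNEL_BASE + 0x000, KERNEL_BASE + 0x200
    mm, vma1, vma2 = KERNEL_BASE + 0x400, KERNEL_BASE + 0x500, KERNEL_BASE + 0x510
    for addr, pid, name, nxt, prv, mm_ptr in ((init_t, 0, b"swapper", bash_t, bash_t, 0),
                                              (bash_t, 1234, b"bash", init_t, init_t, mm)):
        o = off(addr)
        struct.pack_into("<III", dump, o + 0x7C, nxt + 0x7C, prv + 0x7C, mm_ptr)  # 0x7C,0x80,0x84
        struct.pack_into("<I", dump, o + 0xA8, pid)
        dump[o + 0x194:o + 0x194 + len(name)] = name                    # 16-byte name field
    struct.pack_into("<I", dump, off(mm), vma1)                          # mm +0x00: first VMA
    for vma, start, end, nxt in ((vma1, 0x08048000, 0x08049000, vma2),  # code section
                                 (vma2, 0xBFFFE000, 0xC0000000, 0)):    # stack, last VMA
        struct.pack_into("<IIII", dump, off(vma), mm, start, end, nxt)   # 0x00..0x0C
    return bytes(dump), init_t
```

Calling walk_tasks(*build_sample_dump()) returns [(0, 'swapper', 0), (1234, 'bash', 0x3000)]; on a real image you would pass the dump bytes and the init_task address taken from System.map instead.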


16 Example: Virtual Memory Descriptors

[Figure: hex dump annotated with the 1st, 2nd, 3rd and 4th virtual memory descriptor.]

17 Assignment 3

- Analyze a memory dump from a Linux system and list process names, IDs, memory size, etc.
- You will write a program to find your way through the memory dump
- Interesting reading
  - DFRWS 2008 Forensics Challenge
    - http://www.dfrws.org/2008/challenge/
  - DFRWS 2005 Forensics Challenge
    - http://www.dfrws.org/2005/challenge/

18 UNIX and Linux Boot Processes

- Instruction code in firmware is loaded into RAM
- Instruction code then:
  - Checks the hardware
  - Loads the boot program
- Boot program
  - Loads kernel
  - Transfers control to kernel
- Kernel's first task is to identify all devices

19 Linux Loader and GRUB

- Linux Loader (LILO)
  - Old boot manager
  - Stage 1 in MBR
  - Loads stage 2
  - Can start two or more OSs
  - Uses configuration file Lilo.conf
- Grand Unified Boot Loader (GRUB)
  - More powerful than LILO
  - Knows how to read file systems
  - As LILO, part of it resides on MBR
  - Command line or menu driven
20 UNIX Drives and Partition Schemes

- Labeled as path starting at root (/) directory
- Primary master disk (/dev/hda)
  - First partition is /dev/hda1
  - Second partition is /dev/hda2
- Primary slave is /dev/hdb
  - And hdc, hdd, ...
- SCSI controllers
  - /dev/sda with first partition /dev/sda1
  - Linux treats SATA, USB, and FireWire devices the same way as SCSI devices

21 Examining Linux Disk Structures

- Most commercial computer forensics tools can analyze Unix and Linux file systems
  - Ext2, Ext3, UFS, UFS2, ReiserFS, and Reiser4 file systems
- Freeware tools include Sleuth Kit and its Web browser interface, Autopsy Browser


22 Files, Ownership and Permissions

- Ownership: user or group of users that a file belongs to
- Permissions: operations that user, group or others can do on a file
  - read (r), write (w), execute (x)
- Every file has permission levels defined for user, group and others
  - drwxr-x--- 1 bob staff 204 Jun 13 2012 wekafiles
- Besides permissions, files can have other "attributes": append only, immutable, no atime updates, etc.

23 Linux User Accounts

- File /etc/passwd
  - List of users who can directly log in to the system
  - andreir:x:98:97:Andrei Roudik:/home/andreir:/bin/bash
- File /etc/shadow
  - Stores hashed values of passwords
- Home directory
  - /home/<user name>
  - Subdirectories: Desktop, Documents, Downloads, Public, ...
  - Deleting a user does not necessarily delete the home directory
24 Linux User Accounts (contd.)

- Shell history
  - Commands typed by user in terminal
  - .bash_history file in the user's home directory
  - No time stamp
    - Will have to correlate history entries with file system or log file time information
- Remote login via SSH
  - File .ssh/known_hosts tells what remote machines the user has ssh-ed into

25 Linux Hidden Files

- Start file name with a dot (".") to hide from normal viewing
  - ls -a displays all files
- Linux uses hidden files to store non-user-serviceable data
- /tmp directory
  - Writable by all users
  - Great place to stage data
  - Untidy applications can leave traces here


26 Linux Logs

- Most logs are stored in clear text
- User activity records:
  - /var/run/utmp: active logons
  - /var/log/wtmp: all user logons
  - /var/log/lastlog: last login time of all users
- System activity records
  - Bulk of it is in /var/log

    /var/log/messages         Catch all, non-specified logs
    /var/log/auth.log         User authentication successes/failures
    /var/log/sulog            "su" attempts/success
    /var/log/httpd/*          Apache Web Server
    /var/log/mail.log         Mail servers
    /var/log/cups/access_log  CUPS Printer Services
    /var/log/xferlog          FTP servers

27 Scheduled Tasks

- Tasks can be scheduled to run at specific points in time
  - at and cron methods
- "At" jobs run once
  - Found under /var/spool/cron
- "Cron" jobs run periodically
  - System cron job details in /etc/cron file
  - User cron jobs in /var/spool/cron
- Cron jobs are a method to maintain persistence on a compromised system
28 References

- Ch 8: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN 978-1-435-49883-9

