Chapter 11: Forensic Examination of Unix Systems

Overview

Over the past three decades many different types of UNIX have developed, resulting in commercial systems such as Solaris, AIX, and HP-UX as well as free operating systems like Linux, OpenBSD, and FreeBSD. UNIX operating systems are generally designed to be powerful, stable, and networked, creating an ideal platform for critical components of the Internet and smaller networks. As a result, many e-commerce Web sites, corporate financial databases, and other likely targets of criminal abuse run on UNIX systems. In addition to being a common source of digital evidence, Linux systems provide an excellent platform for forensic examination with tools for acquiring and examining digital evidence.

Although UNIX systems may seem complex, this is largely due to the fact that most of the information about the system is available for review. For instance, configuration and log files are often in plain text, allowing examiners to review quickly important aspects of a system. Additionally, individuals have easy access to the underlying source code, enabling a deeper understanding of the operating system. The openness of UNIX operating systems presents both opportunities and challenges for digital evidence examiners. For instance, this openness allows offenders to modify the system to conceal or destroy evidence. Conversely, this openness can make it easier to find evidence and examiners can compare evidence with the original source code to find any modifications.

Given the variety of UNIX operating systems and applications, it is not possible to describe or even identify every possible source of information that might be useful in an investigation. This chapter concentrates on Linux - one of the many varieties of UNIX. Furthermore, each case is different, requiring digital evidence examiners to explore and research components. The following sections provide examples of important aspects of UNIX systems with the expectation that the reader will carefully consider each area more closely to find new ways to extract information from them using the techniques covered in Chapter 9.