1.9 KiB
Linux Forensics
Search for known Malware
Modified System Files
Some Linux systems have a feature to verify the integrity of many installed components, providing an effective way to identify unusual or out of place files. For instance, rpm -Va on Linux is designed to verify all packages that were installed using RedHat Package Manager.
#RedHat
rpm -Va
#Debian
dpkg --verify
debsums | grep -v "OK$" #apt-get install debsums
Malware/Rootkit Detectors
Read the following page to learn about tools that can be useful to find malware:
{% page-ref page="../malware-analysis.md" %}
Search installed programs
Package Manager
On Debian-based systems, the /var/ lib/dpkg/status file contains details about installed packages and the /var/log/dpkg.log file records information when a package is installed.
On RedHat and related Linux distributions the rpm -qa --root=/ mntpath/var/lib/rpm command will list the contents of an RPM database on a subject systems.
#Debian
cat /var/lib/dpkg/status | grep -E "Package:|Status:"
cat /var/log/dpkg.log | grep installed
#RedHat
rpm -qa --root=/ mntpath/var/lib/rpm
Other
Not all installed programs will be listed by the above commands because some applications are not available as packages for certain systems and must be installed from source. Therefore, a review of locations such as /usr/local and /opt may reveal other applications that have been compiled and installed from source code.
ls /opt /usr/local
Another good idea is to check the common folders inside $PATH for binaries not related to installed packages:
#Both lines are going to print the executables in /sbin non related to installed packages
#Debian
find /sbin/ -exec dpkg -S {} \; | grep "no path found"
#RedHat
find /sbin/ –exec rpm -qf {} \; | grep "is not"