Unix Forensics: Unearthing Hidden Data in Memory-Only Filesystems
Attackers love hiding tools in /dev/shm or tmpfs, but what happens when you can’t dd these filesystems? Explore a method to collect metadata and file contents without triggering timestamp updates, ensuring forensic soundness. Perfect for your Unix/Linux incident response toolkit—because it’s not just tech, it’s an art form.

Hot Take:
Who knew that fighting cybercrime in 2023 would involve a lot of rummaging around in memory-only filesystems like a digital Marie Kondo? Attackers are stashing their dirty laundry in /dev/shm and tmpfs, and we’ve got Linux forensics experts like Jim Clausing doing digital spring cleaning with nothing but a trusty ‘stat’ command and a bit of old-school Unix magic. It’s like trying to catch a ghost with a butterfly net, but hey, someone’s gotta do it!
Key Points:
- Attackers are increasingly using memory-only filesystems like /dev/shm to hide their tools and data.
- Standard imaging tools like ‘dd’ can’t capture these tmpfs filesystems, because tmpfs has no backing block device to read from, so alternative collection methods are needed.
- Jim Clausing devised a method to collect metadata and file contents from tmpfs without updating the files’ access timestamps in the process.
- This method involves using Unix commands like ‘find’, ‘stat’, and ‘tar’ to gather evidence.
- The technique has been successfully applied to various Unix-like systems, including Juniper routers and Solaris.
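The points above describe a collection procedure rather than an imaging one: record the metadata first, copy the contents second, and make sure the copy itself does not rewrite access times. The script below is an added example written for this summary; it is not Jim Clausing’s script from the original diary. It assumes GNU (or busybox) find and stat, GNU tar for the O_NOATIME-based `--atime-preserve=system` option (which requires root or ownership of the files and silently degrades on other tars), and an output directory on a different filesystem than the one being collected. The before/after diff at the end is the practitioner’s check: it shows exactly which timestamps, if any, the collection touched.

```shell
#!/bin/sh
# Added example (not the ISC diary's code): collect a memory-only filesystem
# such as /dev/shm without dd. Order matters: metadata before contents, so
# atimes are recorded before any file data is read.

# collect_tmpfs SRC OUTDIR
#   SRC    mount point to collect (e.g. /dev/shm); -xdev keeps find on it
#   OUTDIR evidence directory, assumed to be on a different filesystem
# Prints the number of metadata records written.
collect_tmpfs() {
    src=$1
    out=$2
    mkdir -p "$out"
    echo "collection of $src started $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$out/collection.log"

    # inode|links|owner|group|mode|size|atime|mtime|ctime|path
    fmt='%i|%h|%U|%G|%a|%s|%x|%y|%z|%n'

    # 1. Metadata first. stat itself changes nothing, and find runs -exec on a
    #    directory before reading its entries, so directory atimes are captured
    #    before the traversal can bump them.
    find "$src" -xdev -exec stat -c "$fmt" {} \; > "$out/metadata.txt"

    # 2. Contents second. GNU tar can open each file with O_NOATIME; cat, cp or
    #    a non-GNU tar will update atime on a default (relatime) mount.
    if tar --version 2>/dev/null | grep -q 'GNU tar'; then
        tar --atime-preserve=system -cf "$out/contents.tar" -C "$src" .
    else
        echo "WARNING: non-GNU tar, access times may have been modified" >> "$out/collection.log"
        tar -cf "$out/contents.tar" -C "$src" .
    fi

    # 3. Soundness check: re-stat and diff. Any differing line names the file
    #    and the timestamp field that the collection itself changed.
    find "$src" -xdev -exec stat -c "$fmt" {} \; > "$out/metadata.after.txt"
    if diff "$out/metadata.txt" "$out/metadata.after.txt" > "$out/timestamp_changes.diff"; then
        echo "no timestamps changed by collection" >> "$out/collection.log"
    else
        echo "WARNING: timestamps changed, see timestamp_changes.diff" >> "$out/collection.log"
    fi

    # 4. Hash the archive so the copy can be tied back to this collection.
    (cd "$out" && sha256sum contents.tar > contents.tar.sha256)

    grep -c '' "$out/metadata.txt"
}

# Typical use on a live host (run as root, output on a separate filesystem):
#   collect_tmpfs /dev/shm /mnt/evidence/devshm
```

The metadata file is deliberately written with `stat` rather than `ls -l`, because `ls` rounds timestamps and drops the inode, link count and ctime that a timeline needs; `%x`, `%y` and `%z` give full-precision atime, mtime and ctime. Run the same function against every tmpfs mount listed in `/proc/mounts` (`/run`, `/dev/shm`, `/tmp` where it is tmpfs), since each is a separate mount and `-xdev` stops at its boundary.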
