Need two 100-word discussion responses for the following student discussions. Below in bold are the questions the students are answering.
Questions:
The Linux Operating System is becoming more popular every day due to its cost and availability. As in any operating system investigation, there are certain things that the investigator must look for; discuss these files and logs.
How would you conduct an investigation of a Linux system?
The Apple Macintosh Operating System is also one of the top operating systems used. It differs from all of the other operating systems in many ways. Discuss how you would investigate an Apple system, and discuss the tools used and the files, logs and file systems.
Student one:
Greetings Class,
Conducting an investigation on any operating system requires due diligence in order to preserve the integrity of the evidence being evaluated. Therefore, to properly accomplish this, a forensic copy must be made so the investigation can take place on the copy as opposed to the original. In Linux, and other Unix-based operating systems, a copy can be made directly from the shell with the command “dd”. Other beneficial commands that could be used directly from the shell are the “ps” command, which will show all current running processes for the user logged in, and the “who” command, which will identify the user(s) currently logged on to the system.
Linux, like any other operating system, contains areas of interest to forensic investigators that can help piece back together a picture of what the device was being used for. Important areas of interest include the directories and logs, which can be accessed directly through shell commands. One of the first logs of interest is the “/var/log/faillog” log, which shows if and how many failed attempts were made to log into the device. This can be beneficial in the case where you are determining whether the device was hacked or not. The “/var/log/mail.*” log will show data associated with the mail server, which can contain incriminating evidence from messages sent or received from the device. Additionally, the directories can contain valuable information when conducting one's investigation. To name a few, the “/root” directory contains user information for the root user, which is usually the administrator, and the “/usr” directory shows subdirectories for individual users.
Apple utilizes an operating system that is based off of FreeBSD, which is a Unix clone. Therefore, investigators can utilize the same shell commands to work in the terminal and make a clone of the disk by using the “dd” command. Another benefit for investigators is that Apple has a “Target Disk Mode” which can be activated to prevent the disk being written to prior to making a disk image. Additionally, you can view live running processes prior to shutdown without compromising the evidence. And just like Linux, the terminal can be used to extract information from the swap file, user logs, and other areas within the directory.
James Duran
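An added example (not part of either student's post) of the forensic-copy step student one describes: imaging with dd and then confirming the copy by hashing source and image, with a constructed sample file standing in for the evidence device.

```shell
#!/bin/sh
# Added example: dd-based forensic image with hash verification.
# The "device" below is a constructed file, not a real disk.
set -e

WORK=$(mktemp -d)

# Constructed stand-in for a block device such as /dev/sdb (placeholder).
# 128 sectors of random data so the dd copy has something to verify.
make_sample_device() {
    dd if=/dev/urandom of="$WORK/evidence.dev" bs=512 count=128 2>/dev/null
    printf '%s\n' "$WORK/evidence.dev"
}

# forensic_image SRC DEST: copy SRC to DEST with dd, hash both sides,
# append the hashes to DEST.log, and print VERIFIED or MISMATCH.
forensic_image() {
    src=$1; dest=$2
    # conv=noerror,sync keeps reading past bad sectors and pads them with
    # zeros; bs=512 matches the sector size so no extra padding is added.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    printf '%s source=%s image=%s\n' "$(date -u +%FT%TZ)" \
        "$src_hash" "$img_hash" >> "$dest.log"
    if [ "$src_hash" = "$img_hash" ]; then echo VERIFIED; else echo MISMATCH; fi
}

# verify_image DEST: re-hash the image and compare it with the hash that
# was logged at acquisition time. Returns 0 if unchanged, 1 if altered.
verify_image() {
    dest=$1
    logged=$(tail -n 1 "$dest.log" | sed 's/.*image=//')
    current=$(sha256sum "$dest" | cut -d' ' -f1)
    [ "$logged" = "$current" ]
}
```

Analysis then proceeds on the image (or a second copy of it), and verify_image can be rerun at any point to show the evidence copy is unchanged.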
Student two:
Class,
1. Linux files and logs are built within the system in order to keep track of what is going on within a system. The Linux files and logs can give an insight into the health of a system, errors that could be occurring, and the actual security of a system as well. This system can help an administrator as well as the investigation, but it can be a very slow process to find the actual evidence that is needed. The logs can give the investigator a general idea of what has happened within a system, and the log represents a record of sorts of what has happened within certain areas of a system. Everything that happens with the system can be researched from the files and logs.
2. In order to conduct an investigation with a Linux system, the investigator would have to start with the fail logs. The fail logs help identify if there has been a number of failed attempts in trying to gain access to a system. This step would be a great starting point to get an idea of the attempted system cracking.
3. Apple systems can be investigated just like any other operating system when the investigator begins with the logs. The logs are the tell-all of what is going on with a system. The directories will give an investigator a plethora of information just as the files and logs would. The different tools that can be used while investigating an Apple system would be similar to those used in an investigation with Windows or Linux. Target Disk Mode, shell commands, and searching virtual memory are tools that can be used.
Easttom, Chuck. System Forensics, Investigation, and Response. PDF VitalBook [VitalSource].
-Eddie