Righteous IT

A Little More on LKM Persistence
In my previous blog post I demonstrated a method for persisting a Linux LKM rootkit across reboots by leveraging systemd-modules-load. For this method to work, we needed to add the evil module into the /usr/lib/modules/$(uname -r) directory and then run depmod. As I pointed out in the article, while the LKM could hide the module…

Linux LKM Persistence
Some thoughts on how to persist your Linux LKM rootkits and some ideas for detection.…

The Emperor’s New Clothes
My good friend Matt and I graduated college the same year. I went off into the work world and he headed for a graduate degree program in nuclear engineering. Much of the research effort in nuclear engineering is centered around developing sustainable fusion technology. Matt quickly realized that something was off. So he went to…

EXT4 Timestamps
The actual largest date that can be represented in an EXT4 file system is 2446-05-10 22:38:55. Curious about why? Read on for a breakdown of how EXT4 timestamps are encoded, or skip ahead to “…

Systemd Journal and journalctl
While I haven’t been happy about Systemd’s continued encroachment into the Linux operating system, I will say that the Systemd journal is generally an upgrade over traditional Syslog. We’ve reached the point where some newer distributions are starting to forgo Syslog and traditional Syslog-style logs altogether. The challenge for DFIR professionals is that the Systemd…

Hiding Linux Processes with Bind Mounts
Lately I’ve been thinking about Stephan Berger’s recent blog post on hiding Linux processes with bind mounts. Bottom line here is that if you have an evil process you want to hide, use a bind mount to mount a different directory on top of the /proc/PID directory for the evil process. In the original article,…

Recovering Deleted Files in XFS
In my earlier write-ups on XFS, I noted that when a file is deleted: This combination of factors should make it straightforward to recover deleted files. Let’s see if we can document this recovery process, shall we? For this example, I created a directory containing 100 JPEG images and then deleted 10 images from the…

“You Caught Me In An Introspective Moment”
I recently was given a survey to fill out by an organization I do training for. I suppose it’s a pretty predictable set of questions about who I am and how I got into the industry, and advice I have for people who are just starting out. But it caught me at just the right…

Working With UAC
In my last blog post, I covered Systemd timers and some of the forensic artifacts associated with them. I’m also a fan of Thiago Canozzo Lahr’s UAC tool for collecting artifacts during incident response. So I wanted to add the Systemd timer artifacts covered in my blog post to UAC. And it occurred to me…

Systemd Timers
You know what Linux needs? Another task scheduling system! (said nobody ever) Important Artifacts: Command output: File locations: Also Syslog logs sent to the LOG_CRON facility. The Basics: If you’ve been busy trying to get actual work done on your Linux systems, you may have missed the fact that Systemd continues its ongoing scope creep and…