Hello Reader,Another Sunday Funday behind us and another winning answer given. This week we did a Linux challenge and from the lack of responses and high readership I would say that this is a weak point for most of you. I have noted this and will devote some future blog posts to Linux forensics. This weeks winner is Tony Micah Lambert congratulations Tony! By having the confidence to give the contest a try you have won! Here was this weeks challenge:
The suspect is believed to have taken source code from his past employer and made use of it in the development of a new product. For a Ubuntu Linux system (any modern version 11 forward) where the user is using Gnome and CVS answer the following:
1. Where would you look to see what devices had been connected
2. Where would you look to see what files/directories had been accessed
3. Where would you look for user activity related to source code development
Here is Tony's answer:
You can view what devices have been recently connected by consulting the syslog at /var/log/syslog. Depending on how much time has passed, you may have to look for /var/log/syslog.x or syslog.x.gz where x= a sequential number. This log will have enough unique information about a device for it to be identified
For files/directories and user activity in CVS, all checkouts, commits, and updates can be checked from the history file located at $CVSROOT/CVSROOT/history (assuming proper configuration). This information can be easily accessed using the CVS "history -u
" command to filter results for a specific developer's username.
Tony is correct in his answer, but there is much more to find! The clue I left here was Gnome and I'll focus on what the additions to Linux to make it user friendly have created in terms of artifacts in the Linux forensic series. Until then, well done Tony! Let me know which prize you would prefer.