Perform the recovery of data or traces of a hacker attack in GNU Linux (Computer forensics)

In any computer system, no matter how much you want to have the best security, or an impregnable system, it will be almost impossible, someone will always make a way to manage to violate your security, in this article it is explained in a summarized way what steps should be followed when you detect an intrusion or when your “software or Operating System” that has been hacked.

Before describing the steps below, it will be explained with what software and in what way each step can be performed.

Intrusion or hacking detection

In this first step is to realize that the software or operating system or server has been compromised, how can we know this if a black hat hacker usually hides his traces? The answer is easy by determining if the behavior of the server is correct or has a strange operation, or if there are open ports in it that should not be open (this can be verified with nmap) and finally if the information stored in the server or computer is corrupted having methods at hand for verification, it is very important not to try to review in depth because there may be installed rootkits or scripts that can be triggered and damage all the information when trying to verify the strange operation or if the service is online the service may be down.

Putting in quarantine

This process creates an image of the disk where the operating system is data and software elements as they are in an exact copy to an image file and the hard disk or solid state disk uninstalls it to protect a true copy, another image is created in the same way for analysis and forensic analysis tools will be used to determine the level of damage caused and collect clues and possible traces.

To create this image in the case of a personal computer, you must have a disk unit with greater or equal capacity and then with a GNU Linux Live distribution to make a disk clone from one disk to another or to an image which is You can do it as follows remember to be in super user (root) mode to be able to run all the tools necessary for the creation of images and for the forensic analysis software and techniques applications:

dd if =/dev/sda of=/dev/sdb

or create the disk image with:

mkdir /media/disk

mount /devs/sdb1 /media/disk

dd if =/dev/sda of=/media/disk/imgeFile_sceneCriminal.img

It should be noted that, if you already have the disk image or the disk clone in a disk drive and you have physical access to the computer, you can practice or implement techniques and software for forensic analysis directly on the computer.

In the case of being a server which does not have physical access, the process is to create 2 images, one to apply forensic analysis techniques, and another without handling for backup, the process to generate them can be in 2 ways one by one Through the server management web interface, which is possibly an instance of it in a VPS, or if it is clearly a server, you should enter by ssh and do the image creation process to a storage service in the cloud.

Applying basic forensic analysis techniques and software

This topic begins by explaining a little what a forensic analysis is; It is a series of techniques and procedures for obtaining evidence, clues, traces, among others, to determine those responsible for a criminal act. This led to the world of cyberspace has been the same, in the world of free software and GNU / Linux distributions there is a set of software tools that allows us to perform forensic procedures on the information contained in a computer victim of an attack, which In distributions based on Debian or Ubuntu or including them, we can install a package that installs all these tools automatically and this does not facilitate the process of having to install all the software tools separately each one, below is the process to install the package:

apt-get install forensics-all forensics-all-gui forensics-extra-gui

Already having this set of tools, it only remains to mount the unit with the following commands to begin the forensic analysis process.

mkdir /media/diskOrFile_sceneCriminal

mount /dev/sdb1 /media/diskOrFile_sceneCriminal

Later, after mounting the unit, proceed to verify the directory tree of the mounted disk or image with:

cd /media/diskOrFile_sceneCriminal


ls -la *

If the operating system directory tree is displayed, you just have to start a series of steps to start verifying log files, file modification dates, creation date of certain files, among another series of steps to perform, the The first action is to extract all the log files for analysis and interpretation, below are some of the commands to execute for it:

mkdir /home/user/scenecrimine /home/user/scenecrimine/systemfilelogs

ls -lah /var/log --full-time> /home/user/systemlogfiles.log

The above command lists the system log files showing their permissions, owner, size, long-format date, and filename with extension.

cp -r /var/log/* /home/user/systemfilelogs

The above command copies all the log files to the user home of the GNU / Linux operating system that is being used for the analysis.

ls -lah /usr/bin --full-time /home/user/systembinfiles.log

List the system executable files showing their permissions, owner, size, long format date and file name with extension.

ls -lah /usr/sbin --full-time /home/user/systembinfiles.log

Lists the system executable files that only the super user (root) has access, showing their permissions, owner, size, date in long format and file name with extension.

More information can be obtained and most of the times hackers tend to erase their traces in the log files but it is possible that an executable file will be observed in the system whose creation date is more current than others if the operating system is not has recently updated it is very possible that by the date this is an indication that certain executables of the operating system were changed during the intrusion, the forensic analysis process is usually a tedious and time-consuming process but it is always possible to find evidence in this regard, in some cases it will be required to test the running system and obtain more information about it.

The data recovery shown here is a basic data recovery, in most cases it will require going deeper in obtaining clues, executing tools such as:


netstat -atu




Among other tools to recover data, including data that has been deleted by the intruder within the operating system of the affected computer or server.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.