Python Forensics in Linux
A major concern in digital investigations is how valuable evidence or data is protected, whether by encryption or by some other storage format. Storing passwords is the fundamental example. It is therefore essential to understand how the Linux operating system stores this sensitive data and how that storage is used in digital forensics.
All local user information is primarily stored in two files:
- /etc/passwd
- /etc/shadow
The first file is mandatory and stores the account record for every local user. The second file is optional and stores the hashed passwords.
Keeping password hashes in a file that every user can read creates a security problem. Therefore, in /etc/passwd the password field is replaced with the special value "x", and the corresponding hash must be looked up in /etc/shadow. Settings in /etc/passwd may override details in /etc/shadow.
Both text files in Linux have one entry per line, with each entry consisting of multiple fields separated by colons.
/etc/passwd has the following format:
Sr. No. | Field Name and Description
---|---
1 | Username: the login name, in human-readable form.
2 | Password Hash: the password encoded with the POSIX crypt() function.
If the password hash field is empty, the corresponding user can log in without any password. If the field contains a value that the hashing algorithm can never produce, such as an exclamation mark, the user cannot log in with a password.
Users with locked passwords can still log in through other authentication mechanisms, such as SSH keys. As mentioned earlier, the special value "x" means that the password hash must be found in the shadow file.
The password hash field itself contains the following:
- Encryption Salt: a random value mixed into the hash; salting helps keep screen locks, PINs, and passwords secure.
The remaining fields of each /etc/passwd entry are:
- Numeric User ID: the user's ID. The Linux kernel identifies the user by this number rather than by name.
- Numeric Group ID: the user's primary group.
- Home Directory: new processes are started with this directory as their reference.
- Command Shell: this optional field holds the default shell that is started after a successful login to the system.
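As an added example (not code from the original page), the following Python parses /etc/passwd-style and /etc/shadow-style records, applies the rules above (empty field, "x", a value such as "!" or "*" that no hash algorithm produces), splits a crypt-style "$id$salt$hash" value into its salt and hash, and flags the accounts an investigator would review first. The sample records and the $6$... hash strings are constructed placeholders, not data from any real system. Note that a real /etc/passwd entry has a seventh field (the GECOS comment) between the group ID and the home directory, which the list above does not mention; the parser below expects it.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample records for illustration only (not from a real host).
# The $6$... strings are placeholders shaped like crypt(3) output, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
guest::1001:1001::/home/guest:/bin/sh
svc:!:1002:1002::/var/lib/svc:/bin/sh
backup:x:0:1003::/home/backup:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$SALTPLACEHOLD2$HASHPLACEHOLDER2:19000:0:99999:7:::
backup:!$6$SALTPLACEHOLD3$HASHPLACEHOLDER3:19000:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """One record per line, seven colon-separated fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"line {lineno}: expected {len(PASSWD_FIELDS)} fields, got {len(parts)}")
        records.append(dict(zip(PASSWD_FIELDS, parts)))
    return records


def parse_shadow(text: str) -> Dict[str, str]:
    """Map each user name to the hash field (the second of the nine shadow fields)."""
    return {
        line.split(":")[0]: line.split(":")[1]
        for line in text.splitlines() if line.strip()
    }


def classify_hash(value: str) -> str:
    """Apply the rules for the password field described in the text."""
    if value == "":
        return "NO_PASSWORD"          # empty: login needs no password
    if value == "x":
        return "SHADOW"               # hash lives in /etc/shadow
    if value.startswith(("!", "*")):
        return "LOCKED"               # value no hash algorithm can produce
    return "HASH"


def split_crypt(value: str) -> Optional[Tuple[str, str, str]]:
    """Split a '$id$salt$hash' crypt-style value into (id, salt, hash)."""
    parts = value.split("$")
    if len(parts) == 4 and parts[0] == "":
        return parts[1], parts[2], parts[3]
    return None


def audit(passwd_text: str, shadow_text: str) -> Dict[str, List[str]]:
    """Return, per account, the notes an investigator would want to see."""
    shadow = parse_shadow(shadow_text)
    report = {}
    for rec in parse_passwd(passwd_text):
        name = rec["name"]
        status = classify_hash(rec["password"])
        notes = []
        if status == "SHADOW":
            if name in shadow:
                # The real status is decided by the shadow entry, not the "x".
                status = classify_hash(shadow[name]) + " (from shadow)"
                crypt_parts = split_crypt(shadow[name])
                if crypt_parts:
                    notes.append(f"salt={crypt_parts[1]}")
            else:
                notes.append("marked x but has no shadow entry")
        notes.insert(0, status)
        if rec["uid"] == "0" and name != "root":
            notes.append("UID 0 account that is not root")
        report[name] = notes
    return report


if __name__ == "__main__":
    for user, notes in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{user:8s} {'; '.join(notes)}")
```

Run against real files by passing the contents of /etc/passwd and /etc/shadow (the latter is readable only by root) to audit(); the report lists every account, which ones need no password, which are locked, which carry a hash (and its salt), and any second UID 0 account.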
Digital forensics involves collecting information that traces evidence back to its source, so user IDs are useful for keeping records of which account did what.
With Python, all of this account information can be parsed automatically and turned into metrics that help reconstruct recent system activity. The scripts run from the Linux shell, which keeps the tracing simple.
Python programming for Linux
Example
```python
import sys
import hashlib
import getpass


def main(argv):
    print('\nUser & Password Storage Program in Linux for forensic detection v.01\n')
    if len(argv) != 1:
        sys.exit('Usage: python store_pass.py <output file>')
    db_path = argv[0]
    if input('The file ' + db_path + ' will be erased or overwritten if '
             'it exists.\nDo you wish to continue (Y/n): ') not in ('Y', 'y'):
        sys.exit('\nChanges were not recorded\n')
    user_name = input('Please Enter a User Name: ')
    # Only the SHA-224 hex digest of the password is kept, never the password itself.
    password = hashlib.sha224(getpass.getpass('Please Enter a Password: ').encode('utf-8')).hexdigest()
    # Write the user name and the hashed password, one per line.
    try:
        with open(db_path, 'w') as file_conn:
            file_conn.write(user_name + '\n')
            file_conn.write(password + '\n')
    except OSError as exc:
        sys.exit('There was a problem writing the passwords to file! (' + str(exc) + ')')


if __name__ == "__main__":
    main(sys.argv[1:])
```
Output
The passwords are stored in hexadecimal format in pass_db.txt, as shown in the following screenshot. These text files are saved for further use in computer forensics.
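The program above writes an unsalted SHA-224 digest, so two accounts that share a password get an identical stored value. As an added example (not part of the original page), the following Python contrasts that scheme with a salted, iterated hash built on hashlib.pbkdf2_hmac, shows how the salt from the field list earlier makes equal passwords produce different records, and verifies a candidate password against a stored record. The user names and passwords are constructed sample data, and the pbkdf2_sha256$... record layout is this example's own convention, not the crypt(3) format.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def page_style_digest(password: str) -> str:
    """Unsalted SHA-224 hex digest: the form the program above writes to pass_db.txt."""
    return hashlib.sha224(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'
    (a record layout chosen for this example, not crypt(3)'s)."""
    if salt is None:
        salt = os.urandom(16)           # fresh random salt for every record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def shared_password_groups(digests: Dict[str, str]) -> List[List[str]]:
    """Group user names whose stored unsalted digests are identical: with the
    page's scheme this reveals which accounts share a password."""
    by_digest: Dict[str, List[str]] = {}
    for user, digest in digests.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts; alice and bob deliberately share a password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    unsalted = {u: page_style_digest(p) for u, p in users.items()}
    print("accounts with identical unsalted digests:", shared_password_groups(unsalted))
    salted = {u: salted_record(p) for u, p in users.items()}
    print("salted records differ for alice/bob:", salted["alice"] != salted["bob"])
    print("verify bob:", verify_salted("correct horse", salted["bob"]))
```

When examining a file like pass_db.txt, shared_password_groups() is the check that shows what an unsalted store leaks; the salted functions show the storage form that avoids it.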