# Files and File System

## File and File System Analysis in Incident Response (Linux Systems)
When investigating a security incident on a Linux system, analyzing the file system is crucial. Attackers frequently manipulate files and directories to maintain persistence, escalate privileges, or hide their activities. Here is a systematic approach to detecting, analyzing, and remediating malicious activity on the file system.
## Key Linux Directories and Their Relevance in Incident Response

| Directory | Purpose | Risk/Notes |
|---|---|---|
| `/boot` | Boot files, kernel images | Rarely altered but critical for boot integrity. |
| `/etc` | Configuration files | Targeted for persistence (e.g., …). |
| `/bin` | Essential binaries | Rarely changes; modifications can indicate rootkits. |
| `/sbin` | Superuser binaries | Altered to replace critical admin commands. |
| `/tmp` | Temporary files | Commonly used for dropping malicious files. |
| `/var` | Logs, variable data | Stores logs that can be tampered with to hide tracks. |
| `/home` | User directories | Holds user-specific data and potential malware. |
| `/root` | Root user's home | Contains sensitive root data. |
| `/usr` | User binaries and libraries | Could be targeted for persistent malicious binaries. |
| `/dev` | Device files | May be used for hiding malicious payloads. |
## Steps for File and File System Analysis

### 1. Identify Suspicious Files

#### Target Common Exploitation Points

- Temporary directories: `/tmp`, `/var/tmp`, `/dev/shm`
- Web application directories: `/var/www`, `/usr/share/nginx/html`

#### Search by File Extension

Scan for scripts or binaries with potentially malicious extensions. Extensions to watch:

- `.php`, `.jsp`, `.asp` (webshells)
- `.sh` (shell scripts)
- `.elf`, `.out`, `.bin` (executable binaries)

#### Search by File Modification Time

Find files modified in a specific timeframe. Other time-based filters:

- Files modified in the last X days
- Files modified more than X days ago

#### Search by Ownership

Locate files created or modified by specific users.

#### Search Recently Changed Metadata

Identify files with recent permission or ownership changes.
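The searches in step 1 combined into one runnable triage script. This is an added example, not code from the original page: instead of scanning the live paths named above it builds a throwaway sandbox tree (all file names, contents and timestamps are constructed) so the `find` predicates for extension, mtime, ownership and ctime can be run and checked offline. It goes slightly beyond the text by pairing `-mtime` with `-ctime` to flag files whose modification time was backdated while the inode change time stayed fresh, a common timestomping indicator.

```shell
#!/bin/sh
# Added triage example (not from the original page). Replace the sandbox root
# with / or /var/www on a real host; every sample below is constructed.

count_lines() { wc -l | tr -d ' '; }

# Build a small constructed directory tree that mimics the hot spots on a real host.
make_sandbox() {
  d=$(mktemp -d)
  mkdir -p "$d/tmp" "$d/dev/shm" "$d/var/www/html" "$d/home/deploy"
  printf 'constructed sample\n' > "$d/tmp/x.sh"
  printf 'constructed sample\n' > "$d/dev/shm/payload.elf"
  printf 'constructed sample\n' > "$d/var/www/html/index.php"
  printf 'constructed sample\n' > "$d/var/www/html/upload.jsp"
  printf 'constructed sample\n' > "$d/home/deploy/notes.txt"
  printf 'constructed sample\n' > "$d/tmp/old.bin"
  # Backdate only the modification time: the change time (ctime) stays "now",
  # which is exactly the inconsistency timestomping leaves behind.
  touch -t 202001010000 "$d/tmp/old.bin"
  echo "$d"
}

# Files whose extension is one of those listed in the text
# (webshells, shell scripts, executable binaries).
find_by_extension() {
  find "$1" -type f \( -name '*.php' -o -name '*.jsp' -o -name '*.asp' \
       -o -name '*.sh' -o -name '*.elf' -o -name '*.out' -o -name '*.bin' \)
}

# Files modified within the last N days / more than N days ago.
find_modified_within() { find "$1" -type f -mtime "-$2"; }
find_modified_before() { find "$1" -type f -mtime "+$2"; }

# Files owned by a given user.
find_by_owner() { find "$1" -type f -user "$2"; }

# Files whose inode (permissions, ownership, link count) changed in the last N days.
find_ctime_within() { find "$1" -type f -ctime "-$2"; }

# Files that claim to be old (mtime > N days) but whose inode was touched
# recently (ctime < M days): a cheap timestomping indicator.
find_timestomp_candidates() { find "$1" -type f -mtime "+$2" -ctime "-$3"; }

# Run the whole triage over a root directory and print a labelled summary.
triage() {
  root=$1
  echo "== suspicious extensions";     find_by_extension "$root"
  echo "== modified in last 7 days";   find_modified_within "$root" 7
  echo "== modified over 30 days ago"; find_modified_before "$root" 30
  echo "== owned by $(id -un)";        find_by_owner "$root" "$(id -un)"
  echo "== metadata changed in 1 day"; find_ctime_within "$root" 1
  echo "== old mtime, fresh ctime";    find_timestomp_candidates "$root" 30 1
}

# Demo run over the constructed sandbox.
S=$(make_sandbox); triage "$S"; rm -rf "$S"
```

On a real host the interesting output is usually the last section: a file under `/tmp` or a web root whose mtime says 2020 but whose ctime is today deserves a closer look before anything else.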
### 2. Analyze Suspicious Files

#### Examine File Metadata

Get detailed metadata about a file. Details provided:

- Access, modification, and change times
- Ownership: who owns the file?
- Permissions: what operations are allowed?

#### Check File Contents

For readable files (e.g., scripts, logs), review the contents directly.

#### Identify Binaries

For binary executables, identify the file type.

#### Hash the File

Compare file hashes against threat intelligence or virus scanning services. Use platforms like VirusTotal for quick analysis.
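A worked version of step 2 for a single suspicious file. This is an added example, not the page's own code: it prints the metadata, classifies the file by its magic bytes (so it works even where `file(1)` is absent), shows readable contents with control characters made visible, computes the SHA-256 digest and looks it up in a local list of known-bad hashes. The hash list stands in for a threat-intelligence feed or a VirusTotal lookup, which is not performed here; the sample file and list are constructed.

```shell
#!/bin/sh
# Added analysis example (not from the original page). Sample content and the
# "known bad" hash list are constructed stand-ins.

# Access/modify/change times, owner and permissions. stat output differs between
# GNU and BSD, so fall back to ls -l if stat is unavailable.
show_metadata() { stat "$1" 2>/dev/null || ls -l "$1"; }

# Classify by the first four bytes: ELF magic, "#!" shebang, or anything else.
file_kind() {
  magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
  case "$magic" in
    7f454c46) echo elf ;;      # ELF executable
    2321*)    echo script ;;   # "#!" interpreter script
    *)        echo other ;;
  esac
}

# Print readable content safely: nothing is executed, control characters are shown.
show_contents() { cat -v "$1" | head -n "${2:-40}"; }

# SHA-256 digest only (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Look a digest up in a newline-separated list of known-bad hashes; 0 = match.
lookup_hash() { grep -qix "$1" "$2"; }

# Full report for one file against a hash list; returns 1 on a known-bad match.
analyze() {
  f=$1; list=$2
  echo "== metadata"; show_metadata "$f"
  kind=$(file_kind "$f"); echo "== kind: $kind"
  [ "$kind" = elf ] || { echo "== contents"; show_contents "$f"; }
  h=$(hash_file "$f"); echo "== sha256: $h"
  if lookup_hash "$h" "$list"; then echo "== MATCH in known-bad list"; return 1; fi
  echo "== no match"; return 0
}

# Constructed demo: a harmless script sample and a list that contains its digest.
demo() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho hello\n' > "$d/sample.sh"
  printf '%s\n' "$(hash_file "$d/sample.sh")" > "$d/known_bad.txt"
  rc=0; analyze "$d/sample.sh" "$d/known_bad.txt" || rc=$?
  rm -rf "$d"; return $rc
}
demo
```

Hash before you open or copy the file anywhere else: the digest is what you will later compare against a vendor report or a clean package, and it also proves the file you analyzed is the one you eventually removed.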
### 3. Remediate Malicious Files

#### Delete Malicious Files

Once identified, remove them securely.

#### Restore Critical System Files

If critical files like `/etc/passwd` or binaries in `/bin` are compromised:

- Restore from clean backups
- Reinstall affected system components

#### Correct File Permissions and Ownership

Ensure correct permissions for critical files.
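Step 3 as a script. This is an added example, not the page's own procedure: it quarantines a file (copy with preserved metadata plus a hash manifest) before deleting it so evidence survives, restores a critical file only when the backup's digest matches a known-good value, and verifies a permission fix after applying it. The backup, the tampered file and the dropper are constructed; `chown` is left to the caller because it needs root.

```shell
#!/bin/sh
# Added remediation example (not from the original page). All paths, hashes and
# file contents below are constructed.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Numeric mode of a file (GNU stat first, BSD stat as fallback).
get_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Copy the file into a quarantine directory (preserving timestamps and mode),
# record its hash in a manifest, then remove the original. Prints the quarantine path.
quarantine_file() {
  f=$1; qdir=$2
  mkdir -p "$qdir" && chmod 700 "$qdir"
  q="$qdir/$(date +%Y%m%d%H%M%S)_$(basename "$f")"
  cp -p "$f" "$q" || return 1
  printf '%s  %s  %s\n' "$(sha256_of "$q")" "$f" "$q" >> "$qdir/manifest.txt"
  rm -f "$f"
  echo "$q"
}

# Replace a compromised file with a backup only if the backup's digest matches
# the expected known-good value, so a tampered backup is never installed.
restore_file() {
  backup=$1; target=$2; expected=$3
  [ "$(sha256_of "$backup")" = "$expected" ] || { echo "backup hash mismatch" >&2; return 1; }
  cp -p "$backup" "$target"
}

# Apply a mode and verify that it took effect.
ensure_mode() { chmod "$2" "$1" && [ "$(get_mode "$1")" = "$2" ]; }

# Constructed demo: a clean passwd backup, a tampered copy with an extra uid-0
# account, and a dropped script to quarantine.
demo() {
  d=$(mktemp -d)
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd.bak"
  printf 'root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n' > "$d/passwd"
  printf 'constructed dropper\n' > "$d/dropper.sh"
  quarantine_file "$d/dropper.sh" "$d/quarantine"
  restore_file "$d/passwd.bak" "$d/passwd" "$(sha256_of "$d/passwd.bak")"
  ensure_mode "$d/passwd" 644 && echo "passwd mode verified"
  echo "== quarantine manifest"; cat "$d/quarantine/manifest.txt"
  rm -rf "$d"
}
demo
```

The expected digest passed to `restore_file` should come from somewhere the attacker could not reach: the package manager's database or an offline record, never from the host being cleaned.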
### 4. Review Logs for Tampering

#### Locate and Analyze Logs

Check logs for signs of tampering or deletion:

- System logs
- Web server logs

#### Look for Gaps or Unusual Activity

Search for log entries around the timeframe of the compromise.
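The gap and time-window checks of step 4 run over a constructed syslog-style sample. This is an added example, not the page's own code: it flags an empty or missing log as a finding in itself, reports consecutive entries separated by more than a threshold (same-day HH:MM:SS arithmetic; a production version would convert full timestamps to epoch seconds), and extracts the entries inside a time window. Host names, PIDs and addresses (the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are made up.

```shell
#!/bin/sh
# Added log-review example (not from the original page). The log lines are a
# constructed sample, not captured from a real host.

# Write the constructed sample log to a temp file and print its path.
sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Jan 12 09:58:01 web01 CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 10:00:14 web01 sshd[2210]: Accepted publickey for deploy from 203.0.113.5 port 51234 ssh2
Jan 12 10:01:02 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jan 12 11:47:55 web01 systemd[1]: Started Session 9 of user deploy.
Jan 12 11:48:10 web01 sshd[2590]: Accepted password for root from 198.51.100.77 port 40022 ssh2
EOF
  echo "$f"
}

# A log that is missing or empty is itself a finding (truncated or deleted).
check_log_present() { [ -s "$1" ]; }

# Report consecutive entries separated by more than N seconds. Field 3 of the
# traditional syslog format is HH:MM:SS; the arithmetic assumes a single day.
detect_gaps() {
  awk -v thr="$2" '
    { split($3, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]
      if (NR > 1 && s - prev > thr)
        printf "gap of %d s between line %d and line %d\n", s - prev, NR-1, NR
      prev = s }' "$1"
}

# Number of gaps over the threshold, for a quick yes/no in scripts.
count_gaps() { detect_gaps "$1" "$2" | wc -l | tr -d ' '; }

# Entries whose time falls inside [start, end], both given as HH:MM:SS.
# Lexical comparison is correct for this zero-padded format.
search_window() { awk -v a="$2" -v b="$3" '$3 >= a && $3 <= b' "$1"; }

demo() {
  f=$(sample_log)
  check_log_present "$f" || echo "log missing or empty"
  echo "== gaps over 1 hour";      detect_gaps "$f" 3600
  echo "== entries 10:00 - 10:05"; search_window "$f" 10:00:00 10:05:00
  rm -f "$f"
}
demo
```

A gap is only a lead: cross-check it against the web server log, authentication log and the hash-manifest of quarantined files from step 3 before concluding the entries were removed rather than never written.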
## Key Commands Cheat Sheet

| Command | Purpose |
|---|---|
| `find -name` | Find files by extension. |
| `find -mtime` | Find files modified in a time range. |
| `stat` | Get detailed file metadata. |
| `sha256sum` | Hash file for verification. |
| `journalctl` | Review system logs. |
| `rm` | Remove malicious file. |
| `chmod` | Set proper permissions for system file. |
## Key Points

File and file system analysis is foundational to identifying and mitigating threats on compromised Linux systems. By systematically searching for unusual files, analyzing their properties, and reviewing log entries, responders can detect malicious activity, remove threats, and restore system integrity. Strong monitoring and file integrity tools turn this reactive work into proactive security.