Category: Linux

Linux Forensic Scenario

Hal PomeranzLeave a comment

Let’s try something a little different for today’s blog post!

I’ve been working on ideas for a major update on my Linux forensics class, including new lab scenarios. I recently threw together a rough draft of one of my scenario ideas: built a machine, planted some malware on it, and then used UAC to capture forensic data from the system. I was pleased with the results, and thought I would share them with the larger community.

And then I thought, why not turn it into a bit of a contest? For the moment I haven’t decided on any prizes other than bragging rights, but you never know. I have decided that the deadline for submissions for judging will be April 15th– tax day here in the USA.

The Scenario

You received an escalation from your SOC. They received an alert from their NMS about suspicious traffic to one of the Linux workers in the development group’s CI/CD pipeline. The alert was for unencrypted traffic on port 22/tcp, specifically the string “python3 -c 'import pty; pty.spawn("/bin/bash")'” which triggered the alert for “reverse shell promotion” in the NMS. They note that the system is showing signs of heavy CPU usage but that they don’t see any process(es) that account for this. Following their SOP, they acquired data from the system using UAC and have escalated to you as on-call for the internal IR/Threat team.

Other information about the system:

  • There is a single shared account on the system called “worker“. It has full Sudo privileges with the NOPASSWD option set.
  • All network access to the box is through a jump host at IP 192.168.4.35.
  • The UAC collection is uac-vbox-linux-20260324193807.tar.gz

Additional Comments

I threw this scenario together in a matter of hours, so when you look at the timeline of the system you will see that it got built and then compromised very quickly. For the final scenario I will doubtless do a more complete job running fake workloads for some time before the “attack” actually happens.

Similarly, you’ll probably discover that there is no significant network infrastructure around the compromised system. The “jump host” is really just another host in my lab environment that I was operating from.

But I still think there’s plenty of interesting artifacts to find in this scenario. I’m leaving things deliberately open-ended because I want to see what people come up with. But the goal would be to at least account for the issues raised by the SOC: why is there unencrypted traffic on 22/tcp, why is the system burning CPU, and why can’t the SOC see what is going on? Is the system compromised? When and how did that happen?

Submissions

Submissions for judging must be received no later than 23:59 UTC on 2026-04-15. I will accept submissions in .docx, PDF, or text. You may email your submissions to hrpomeranz@gmail.com. Please try to put something like “Linux Forensic Scenario Submission” in the Subject: line to make my life easier.

Depending on the number of submissions I get, I may need more folks to help with the judging. If you’re not planning to compete but would like to help judge, please drop me a line at the email address above. I’ll let you know if I need the help once I count the number (and length) of the submissions.

Happy forensicating! Have fun!

Linux Notes: ls and Timestamps

Hal Pomeranz2 Comments

There’s an old riddle in Unix circles: “Name a letter that is not an option for the ls command”. The advent of the GNU version of ls has only made this more difficult to answer. Even if you’re a Unix/Linux power user, you’ve probably only memorized a small handful of the available options.

For example, I have “ls -lArt” burned into my brain from my Sys Admin days. “-l” for detailed listing, “-A” to show hidden files and directories (but not the “.” and “..” links like “-a“), sort by last modified time with “-t“, and “-r” to reverse the sort so the newest files appear right above your next shell prompt.

$ ls -lArt
total 1288
-rw-r--r--  1 root root        9 Aug  7  2006 host.conf
-rw-r--r--  1 root root      433 Aug 23  2020 apg.conf
-rw-r--r--  1 root root       26 Dec 20  2020 libao.conf
-rw-r--r--  1 root root    12813 Mar 27  2021 services
-rw-r--r--  1 root root      769 Apr 10  2021 profile
-rw-r--r--  1 root root      449 Nov 29  2021 mailcap.order
-rw-r--r--  1 root root      119 Jan 10  2022 catdocrc
...
-rw-r--r--  1 root root    52536 Feb 23 11:44 mailcap
-rw-r--r--  1 root root   108979 Mar  2 09:24 ld.so.cache
-rw-r--r--  1 root root       75 Mar  3 18:08 resolv.conf
drwxr-xr-x  5 root lp       4096 Mar  5 19:52 cups

You’ll note that the timestamps are displayed in two different formats. The oldest files show “month day year”, while the newer files show “month day hh:mm”. The default for ls is that files more than six months old display year information.

Personally I prefer consistent ISO-style timestamps with “--time-style=long-iso“:

$ ls -lArt --time-style=long-iso
total 1288
-rw-r--r--  1 root root        9 2006-08-07 13:14 host.conf
-rw-r--r--  1 root root      433 2020-08-23 10:52 apg.conf
-rw-r--r--  1 root root       26 2020-12-20 11:21 libao.conf
-rw-r--r--  1 root root    12813 2021-03-27 18:32 services
-rw-r--r--  1 root root      769 2021-04-10 16:00 profile
-rw-r--r--  1 root root      449 2021-11-29 08:07 mailcap.order
-rw-r--r--  1 root root      119 2022-01-10 19:08 catdocrc
...
-rw-r--r--  1 root root    52536 2026-02-23 11:44 mailcap
-rw-r--r--  1 root root   108979 2026-03-02 09:24 ld.so.cache
-rw-r--r--  1 root root       75 2026-03-03 18:08 resolv.conf
drwxr-xr-x  5 root lp       4096 2026-03-05 19:52 cups

While “-t” sorts on last modified time by default, other options allow you to sort and display other timestamps. For example, “-u” sorts on and displays last access time. “-u” is hardly memorable as last access time, but remember “-a” is used for something else.

It’s a pain trying to remember the one letter options for the other timestamps– and note there isn’t even a short option for sorting/displaying on file creation time. So I just use “--time=” to pick the timestamp I want:

$ ls -lArt --time=birth --time-style=long-iso
total 1288
-rw-r--r--  1 root root     1013 2025-04-10 10:27 fstab
drwxr-xr-x  2 root root     4096 2025-04-10 10:27 ImageMagick-6
drwxr-xr-x  2 root root     4096 2025-04-10 10:27 GNUstep
...
-rw-r--r--  1 root root      142 2026-02-23 11:41 shells
-rw-r--r--  1 root root    52536 2026-02-23 11:44 mailcap
-rw-r--r--  1 root root   108979 2026-03-02 09:24 ld.so.cache
-rw-r--r--  1 root root       75 2026-03-03 18:08 resolv.conf

Here we’re sorting on and displaying file creation times (“--time=birth“). You can use “--time=atime” or “--time=ctime” for the other timestamps.

If this command line seems long and unwieldy, remember that you can create aliases for commands in your .bashrc or other startup files:

alias ls='ls --color=auto --time-style=long-iso'
alias lb='ls -lArt --time=birth'

With normal ls commands, I’ll get colored output always, and “long-iso” dates whenever I use “-l“. I can use lb whenever I want file creation times. Note that alias definitions “stack”– the “lb” alias will get the color and time-style options from my basic “ls” alias, so I don’t need to include the “--time-style” option in the “lb” alias.