Detecting Linux Anti-Forensics Log Tampering
When forensically examining Linux systems for malicious intrusion, responders often rely on the following three artefacts to determine logins and logouts:
- /var/run/utmp – currently logged in users
- /var/run/wtmp – current and past logins, and system reboots
- /var/log/btmp – bad login attempts
Of course, these are not the only artefacts you can forensically examine for malicious access (there are others), but they will be the focus of this anti-forensics blog post.
Method 1 – Nulling the Entry
This method is almost trivial to perform but leaves at least two methods of detection for a responder. The picture below shows the untampered output of the /var/log/wtmp binary. Please note that I will be using this file for the examples, but this technique can be used across all three artefacts.
- Field values are all zero (null), which is never the case for a genuine entry
- Entries whose timestamp has been stomped to “1970*” (the Unix epoch, i.e. a zeroed time field)
- Bash history (if HISTSIZE isn’t 0)
- Values of zero (null) in wtmp, btmp or utmp entries
- Entries with a timestamp in the year 1970 (the default value of a zeroed time field)
- Mismatch between the timestamp of the last entry and the file’s own modification time
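The checks above can be automated by parsing the binary records directly rather than relying on `last`, which silently skips nulled entries. The following script is an added example written for this post and is not part of the original article: it assumes the 384-byte glibc `struct utmp` layout used on x86_64 Linux (other architectures differ), builds a constructed sample wtmp file in a temp directory (not a real capture), and flags zeroed records, epoch (1970) timestamps, blank usernames on login records, and a last-entry timestamp that disagrees with the file’s mtime. The field offsets and the `mtime_tolerance` value are assumptions chosen for this example.

```python
import os
import struct
import tempfile

# Assumed layout: glibc's struct utmp on x86_64 Linux (384 bytes).
# ut_type(2) pad(2) ut_pid(4) ut_line(32) ut_id(4) ut_user(32) ut_host(256)
# ut_exit(2x2) ut_session(4) ut_tv(4+4) ut_addr_v6(4x4) unused(20)
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values from <utmp.h>


def make_record(ut_type, pid, line, user, host, ts):
    """Build one utmp record; used only to construct the sample file below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def cstr(b):
    """Decode a NUL-padded C string field."""
    return b.split(b"\x00", 1)[0].decode(errors="replace")


def analyse_wtmp(path, mtime_tolerance=300):
    """Return a list of (record_index, kind, detail) findings for a utmp-format file."""
    findings = []
    with open(path, "rb") as f:
        data = f.read()
    usable = len(data) - len(data) % UTMP_SIZE
    if usable != len(data):
        findings.append((-1, "trailing_bytes",
                         f"{len(data) - usable} bytes after the last full record"))
    last_ts = None
    for idx, rec in enumerate(struct.iter_unpack(UTMP_FMT, data[:usable])):
        ut_type, _pid, line, _id, user, _host, _term, _exit, _sess, sec, _usec, *_ = rec
        raw = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        if raw == b"\x00" * UTMP_SIZE:
            # Detection 1: the whole record was overwritten with NUL bytes.
            findings.append((idx, "nulled_record", "entire record is zero bytes"))
            continue
        if sec == 0:
            # Detection 2: only the time field was zeroed -> shows as 1970-01-01.
            findings.append((idx, "epoch_timestamp",
                             f"type={ut_type} user={cstr(user)!r} has a 1970 timestamp"))
        else:
            last_ts = sec
        if ut_type == USER_PROCESS and not cstr(user):
            # A login record always carries a username; a blank one was wiped.
            findings.append((idx, "blank_user",
                             f"USER_PROCESS on line {cstr(line)!r} has an empty username"))
    # Detection 3: the file is appended on every login/logout, so its mtime should
    # sit close to the newest genuine entry; a later mtime means something rewrote it.
    mtime = os.stat(path).st_mtime
    if last_ts is not None and abs(mtime - last_ts) > mtime_tolerance:
        findings.append((-1, "mtime_mismatch",
                         f"last entry at {last_ts}, file mtime {int(mtime)}"))
    return findings


def build_sample_wtmp():
    """Write a constructed wtmp to a temp file and return its path (sample data, not a real capture)."""
    t0 = 1_700_000_000
    records = [
        make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", t0),
        b"\x00" * UTMP_SIZE,                                             # login record wiped with zeros
        make_record(USER_PROCESS, 4243, "pts/1", "bob", "10.0.0.6", 0),  # timestamp stomped to 1970
        make_record(DEAD_PROCESS, 4242, "pts/0", "", "", t0 + 600),      # alice's genuine logout
    ]
    fd, path = tempfile.mkstemp(suffix=".wtmp")
    with os.fdopen(fd, "wb") as f:
        f.write(b"".join(records))
    # Simulate the editing tool rewriting the file two hours after the last genuine entry.
    os.utime(path, (t0 + 7800, t0 + 7800))
    return path


if __name__ == "__main__":
    for finding in analyse_wtmp(build_sample_wtmp()):
        print(finding)
```

Run the same `analyse_wtmp` against a copy of `/var/log/wtmp`, `/var/log/btmp` or `/var/run/utmp` taken from the image; on a live system compare the file mtime reported by `stat` with the newest entry shown by `last -f`, since the two normally agree to within seconds.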