I only managed to get half the solution to last weeks challenge.
Finding the first half of the solution was pretty straight-forward.
In the File system view (or via your image mounting directory traversal of choice) navigate to \var\log\apt.
Here we find the history.log file which keeps track of applications installed via apt.
If you scroll to the end of the log you can see that a lot of packages were installed or upgraded on 2017-11-08. From there on we have no (logged) activity until 2019-10-07 when php [Flag] is installed.
Part 2 I’m afraid eluded me. I’m looking forward to seeing the other write-ups to see the solve for the Why?
Unlike the Fighting Irish, I don’t have a perfect record this year – but I’m still loving the game. I never did get to finish the week 6 challenge, but with week 7, I’m back in it.
Challenge 7 (Nov 16-23) Part 1, Domains and Such. What is the IP address of the HDFS primary node?
As I was gathering information about Linux forensics, I came across LinuxForensicsForNon-LinuxFolks from Hal Pomeranz. (Google it). It’s chock full of pointers on where to find particular artifacts as the correspond to their Windows counterparts, and as the title indicates it’s meant for novices to Linux.
To identify the IP address of a Linux host there are a few places to check. If the address is assigned statically it will be in /etc/hosts. If the address is assigned by DHCP there should be a reference in /var/lib/dhclient and/or /var/log/*.
Bringing up our evidence in the File System view in Magnet Axiom, we navigate to /etc/hosts.
We can see that the primary node has the IP assignment of 192.168.2.100. [Flag 1]
After not being able to finish the challenge the week before, I was so excited to get the flag I nearly (or did) miss the fact that this was a 3-part question. It was only later in the afternoon watching the video introducing the challenge that I realized it had multipe sections.
Part 2: Is the IP address on HDFS-Primary dynamically or statically assigned?
Based on the fact that the address was in the hosts file, that indicates that the address was assigned statically. [Flag 2]
Part 3: What is the interface name for the primary HDFS node?
For this answer we navigate to /etc/network/interfaces.
Previewing the content of the file we see that ens33 [Flag 3] is the name of the interface. Had we identified this file first we would have been able to surmise all 3 flags from the same source. As with all things forensics, there are many ways to get to the same information. Understanding how those compare and what the outliers are, is all part of the challenge.
That’s all for this week. Now I’m off to watch the next video so I can see what I missed in last weeks challenge.