Process Execution
Shell History
Shell history, such as .bash_history, can record the list of commands that users ran. However, it is also the least reliable source. For example, anyone can easily manipulate the shell history, modify it or clear it completely. Deleting the .bash_history file also deletes every record with it.
The history is also only written when the shell is closed. If a user has multiple simultaneous shell sessions, then commands can get overwritten and the ordering of the history is lost. Shell history also does not record when a command was executed or what its output was. This lack of context further limits its suitability for forensic analysis.
Live Process
Live process information can be obtained from the /proc directory. Each currently running process has a subdirectory named with its PID under /proc. This directory contains a great deal of information about the process, including its current status, the command line that started the process, its working directory etc.
For forensic examination, the following attributes are valuable.
Process Identifier (PID): The unique ID assigned to each process during its creation. It is crucial for process management and control.
Parent Process Identifier (PPID): The unique ID of the process that created the current process. This is useful in understanding process hierarchies and dependencies.
Path: The file path to the executable file running as this process. This indicates the process's origin.
Arguments: The command-line arguments that were passed to the process at its launch. These can affect the process's behavior in significant ways.
Execution Start Time: The start time of the process.
Loaded Objects: Information about shared libraries and other objects that the process has loaded into memory. This can be key in diagnosing issues related to libraries.
User: The user account that owns and controls the process. This is important for considerations of permissions and security.
/proc/[pid]/stat / /proc/[pid]/status file
The /proc/[pid]/stat file in the Linux filesystem provides a wealth of information about a specific process, identified by its process ID (PID). The file contains a single line of text, with the different fields separated by spaces.
The /proc/[pid]/status file provides much of the same information in a human-readable form.
The fields of interest for analysis here are Name, Pid and PPid. The PPid can be used to look up the parent process and check whether the process was launched from an unexpected parent or sits in an abnormal process hierarchy.
[tlasso@rhel-richmondfc 71520]$ cat /proc/71520/status
Name: nc
Umask: 0022
State: S (sleeping)
Tgid: 71520
Ngid: 0
Pid: 71520
PPid: 40918
...
Command line arguments used
The command line used to launch the process can be looked up from the cmdline file.
cat cmdline
/proc/[pid]/exe
The executable as well as the launch time can be found by listing the exe symlink.
[tlasso@rhel-richmondfc 71520]$ ls -l exe
lrwxrwxrwx. 1 tlasso tlasso 0 Jul 10 01:38 exe -> /usr/bin/ncat
Loaded shared libs
Shared libraries loaded by the process can be displayed using the ldd command.
[tlasso@rhel-richmondfc 71520]$ ldd /usr/bin/ncat
linux-vdso.so.1 (0x00007ffc8b373000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007fad435f5000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007fad43000000)
libpcap.so.1 => /lib64/libpcap.so.1 (0x00007fad435a7000)
libm.so.6 => /lib64/libm.so.6 (0x00007fad434cc000)
libc.so.6 => /lib64/libc.so.6 (0x00007fad42c00000)
libz.so.1 => /lib64/libz.so.1 (0x00007fad434b2000)
libibverbs.so.1 => /lib64/libibverbs.so.1 (0x00007fad4348e000)
/lib64/ld-linux-x86-64.so.2 (0x00007fad4370f000)
libnl-route-3.so.200 => /lib64/libnl-route-3.so.200 (0x00007fad42f6f000)
libnl-3.so.200 => /lib64/libnl-3.so.200 (0x00007fad4346a000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fad4344f000)