Linux Forensics: Analyzing Artifacts from Unix-like Artifacts Collector (UAC)

The Unix-like Artifacts Collector (UAC) is a powerful live response collection script for Incident Response, automating artifact collection across AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD, and Solaris systems.

🔗 UAC GitHub Repository: https://github.com/tclahr/uac
🔗 Linux Forensics Analysis with UAC: https://medium.com/@DFIRanjith/linux-forensics-analyzing-artifacts-from-unix-like-artifacts-collector-uac-a350f038f565
🔗 Defensive Security CheatSheet: https://www.defensive-security.com/storage/uploads/Advanced%20Linux%20Detection%20and%20Forensics%20Cheatsheet%20by%20Defensive%20Security.pdf

You Should Know:

1. Key Linux Forensic Artifacts Collected by UAC

UAC gathers critical forensic data, including:

  • System Logs (/var/log/)
  • User Activity (Bash history, SSH logs)
  • Process Information (ps aux, lsof)
  • Network Connections (netstat -tulnp, ss -tuln)
  • File Timestamps (stat, `find` with -mtime, -atime)

2. Analyzing UAC Output with Mactime

The `mactime` tool (from The Sleuth Kit) helps analyze file timestamps (MACB: Modified, Accessed, Changed, Birth).

Command Example:

mactime -b bodyfile.txt -d -y -m -z UTC

(-b: the bodyfile to read; -d: comma-delimited output; -y: ISO 8601 dates; -m: numeric month; -z UTC: render the epoch timestamps in UTC rather than the analysis host's zone. In a UAC output archive the bodyfile is written to bodyfile/bodyfile.txt in TSK 3.x body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.)
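
When The Sleuth Kit is not on the analysis box, the same MACB timeline can be built with awk. The block below is an added example, not code from the original post or from the UAC project; it assumes the TSK 3.x bodyfile layout named above and that UAC writes epoch timestamps in UTC (bodyfile path bodyfile/bodyfile.txt is taken from the UAC documentation). The sample bodyfile is constructed.

```sh
#!/bin/sh
# Added example (not from the original post or the UAC project): a minimal
# mactime-style timeline in awk. It reads a TSK 3.x bodyfile, the format UAC
# writes to bodyfile/bodyfile.txt, and emits one MACB row per distinct
# timestamp, sorted by time, so it can be filtered with plain grep/awk.
# Field layout: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# (timestamps are epoch seconds; 0 means the value is unknown).

# Constructed sample bodyfile (three entries; the /tmp/.x binary has all four
# timestamps equal, the pattern of a file dropped in one go and never touched).
SAMPLE_BODYFILE=$(cat <<'EOF'
0|/etc/passwd|131|-rw-r--r--|0|0|2048|1700000000|1690000000|1690000000|0
0|/tmp/.x/kworker|4242|-rwxr-xr-x|0|0|81920|1700003600|1700003600|1700003600|1700003600
0|/home/alice/.bash_history|777|-rw-------|1000|1000|512|1700007200|1700007100|1700007100|0
EOF
)

# timeline BODYFILE_TEXT
# Prints: epoch<TAB>YYYY-MM-DD HH:MM:SS (UTC)<TAB>macb<TAB>uid<TAB>size<TAB>path
timeline() {
    printf '%s\n' "$1" | awk -F'|' '
    # civil(days since 1970-01-01) -> "YYYY-MM-DD", the standard days-to-civil
    # conversion, so neither GNU date nor gawk strftime is required
    function civil(z,    era, doe, yoe, y, doy, mp, d, m) {
        z += 719468
        era = int((z >= 0 ? z : z - 146096) / 146097)
        doe = z - era * 146097
        yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
        y   = yoe + era * 400
        doy = doe - (365*yoe + int(yoe/4) - int(yoe/100))
        mp  = int((5*doy + 2) / 153)
        d   = doy - int((153*mp + 2) / 5) + 1
        m   = (mp < 10) ? mp + 3 : mp - 9
        if (m <= 2) y++
        return sprintf("%04d-%02d-%02d", y, m, d)
    }
    function utc(ts,    days, secs) {
        days = int(ts / 86400); secs = ts - days * 86400
        return civil(days) sprintf(" %02d:%02d:%02d", int(secs/3600), int((secs%3600)/60), secs%60)
    }
    # row(ts): one line for timestamp ts, with m/a/c/b set for every field of
    # the current record that carries that same value (mactime semantics)
    function row(ts,    flags) {
        if (ts == 0 || (ts in seen)) return
        seen[ts] = 1
        flags = ($9==ts ? "m" : ".") ($8==ts ? "a" : ".") ($10==ts ? "c" : ".") ($11==ts ? "b" : ".")
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", ts, utc(ts), flags, $5, $7, $2
    }
    NF >= 11 {
        split("", seen)                 # reset the per-record dedup table
        row($8); row($9); row($10); row($11)
    }' | sort -n
}

# events_between BODYFILE_TEXT START_EPOCH END_EPOCH : timeline rows inside a window
events_between() {
    timeline "$1" | awk -F'\t' -v s="$2" -v e="$3" '$1 >= s && $1 <= e'
}

timeline "$SAMPLE_BODYFILE"
```

Rows whose flags read `macb` (all four timestamps identical, as for the sample /tmp/.x/kworker) are the quickest pivot: they mark files created and never modified since, typical of a dropped payload. Narrow with `events_between` around the first suspicious login time and read outward from there.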

3. Extracting & Parsing Logs

  • Auth Logs (SSH & Sudo Attempts; in the extracted UAC archive the copied file sits under [root]/var/log/, and RHEL-family systems write these events to /var/log/secure instead):
    grep "Failed password" /var/log/auth.log 
    
  • Bash History Analysis (UAC copies each user's history file under [root]/; entries carry no timestamps unless HISTTIMEFORMAT was set, and the file is only written when the shell exits, so the most recent session may be missing):
    grep -e "sudo" -e "ssh" ~/.bash_history 
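
A single grep tells you that failures happened; triage needs counts per source and the "many failures, then a success" pattern. The block below is an added example, not code from the original post; the log lines are constructed, and the [root]/var/log/auth.log location inside the UAC archive is assumed from the UAC documentation.

```sh
#!/bin/sh
# Added example (not from the original post): triage of the auth log UAC
# copied into its archive (assumed path [root]/var/log/auth.log; on
# RHEL-family hosts the file is var/log/secure). Pure awk/sed, so it runs on
# the analysis box without extra tooling.

# Constructed sample auth.log: a password attack from 203.0.113.7 that ends in
# a successful root login, one stray failure, a key login and a sudo record.
SAMPLE_AUTH=$(cat <<'EOF'
Nov 14 22:13:20 web01 sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 14 22:13:22 web01 sshd[2033]: Failed password for root from 203.0.113.7 port 51024 ssh2
Nov 14 22:13:25 web01 sshd[2035]: Failed password for root from 203.0.113.7 port 51030 ssh2
Nov 14 22:13:40 web01 sshd[2040]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Nov 14 22:14:01 web01 sshd[2044]: Failed password for alice from 198.51.100.9 port 40012 ssh2
Nov 14 22:15:10 web01 sshd[2050]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:1234abcd
Nov 14 22:16:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
EOF
)

# failed_by_source LOG_TEXT : "<count> <source ip>" for failed passwords, busiest first
failed_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
        }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# brute_then_success LOG_TEXT THRESHOLD : source IPs that logged at least
# THRESHOLD failures and then got an "Accepted" line (the brute-force win)
brute_then_success() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        { ip = ""; user = "" }
        /sshd\[[0-9]+\]:/ {
            for (i = 1; i <= NF; i++) { if ($i == "from") ip = $(i+1); if ($i == "for") user = $(i+1) }
        }
        /Failed password/ && ip != "" { fail[ip]++ }
        /Accepted (password|publickey)/ && ip != "" && fail[ip] >= thr { print ip, user }
    '
}

# sudo_commands LOG_TEXT : "<user> <command>" for every sudo invocation
sudo_commands() {
    printf '%s\n' "$1" | sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

failed_by_source "$SAMPLE_AUTH"
brute_then_success "$SAMPLE_AUTH" 3
sudo_commands "$SAMPLE_AUTH"
```

The threshold is deliberately a parameter: three failures in five seconds from one address followed by an accepted password for root is an incident, while the same count spread over a day from a corporate NAT is usually a typo. Feed the successful source address straight back into the bodyfile timeline to see what the session touched.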
    

4. Detecting Malicious Processes

  • List Open Files by Process:
    lsof -i -n -P 
    
  • Search the Process List for a Name (bracketing the first letter stops grep from matching its own command line; the original "[net]" is a character class matching any line containing n, e or t):
    ps -ef | grep -i "[n]et" 

  • Check Hidden Processes (grep cannot do this; compare the PID directories under /proc with what ps reports, bash syntax):
    comm -23 <(ls /proc | grep -E '^[0-9]+$' | sort) <(ps -e -o pid= | tr -d ' ' | sort) 
    

5. Timeline Analysis with `find`

  • Find Recently Modified Files (Last 7 Days; -xdev keeps the walk on the root filesystem, and `+` batches the ls calls instead of forking once per file):
    find / -xdev -type f -mtime -7 -exec ls -la {} + 

  Walking the tree on a live host updates directory access times, so where UAC has already produced a bodyfile, build the timeline from that copy instead.
    

6. Defensive Security CheatSheet Tips

  • Check for Rootkits:
    rkhunter --check 
    
  • Analyze Kernel Modules (lsmod reads /proc/modules; cross-check against /sys/module, where a module unlinked from the kernel's module list usually still has an entry):
    lsmod 
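
Both the hidden-process check in section 4 and the kernel-module check here are the same technique: take two independent views of the same objects and report what only one of them shows. The block below is an added example, not code from the original post, the cheatsheet or the UAC project; the PID and module lists are constructed, and the live commands in the trailing comment are what would feed the helper on a real Linux host.

```sh
#!/bin/sh
# Added example (not from the original post or the cheatsheet): cross-view
# detection. A rootkit that filters one listing usually forgets another, so
# compare two views of the same objects and print what only one of them shows.
# The same helper serves the hidden-process check and the kernel-module check.

# cross_view_missing VIEW_A VIEW_B : newline-separated items present in
# VIEW_A but absent from VIEW_B (comm needs sorted input, hence sort -u)
cross_view_missing() {
    tmp=$(mktemp)
    printf '%s\n' "$2" | sort -u > "$tmp"
    printf '%s\n' "$1" | sort -u | comm -23 - "$tmp"
    rm -f "$tmp"
}

# Constructed views: what the live commands (right-hand comments) would return
# on a host with one hidden process, PID 4242, and one hidden module, xt_evil.
SAMPLE_PROC_PIDS=$(printf '%s\n' 1 2 3 4242 777)             # ls /proc | grep -E '^[0-9]+$'
SAMPLE_PS_PIDS=$(printf '%s\n' 1 2 3 777)                    # ps -e -o pid= | tr -d ' '
SAMPLE_SYS_MODULES=$(printf '%s\n' ext4 nf_tables xt_evil)   # ls /sys/module (loadable ones)
SAMPLE_LSMOD_MODULES=$(printf '%s\n' ext4 nf_tables)         # lsmod | awk 'NR > 1 { print $1 }'

echo "PIDs in /proc but not in ps:"
cross_view_missing "$SAMPLE_PROC_PIDS" "$SAMPLE_PS_PIDS"
echo "Modules in /sys/module but not in lsmod:"
cross_view_missing "$SAMPLE_SYS_MODULES" "$SAMPLE_LSMOD_MODULES"

# On a live Linux host the views are gathered like this. ps and ls /proc both
# go through readdir, which a rootkit can hook, so the PID view is better taken
# by probing every possible PID directly (a directory that readdir hides can
# still be stat'ed by name). Built-in modules have no initstate file, which is
# how the /sys/module view is limited to loadable modules.
#   ps_pids=$(ps -e -o pid= | tr -d ' ')
#   probe_pids=$(for p in $(seq 1 "$(cat /proc/sys/kernel/pid_max)"); do [ -d "/proc/$p" ] && echo "$p"; done)
#   sys_mods=$(for m in /sys/module/*; do [ -f "$m/initstate" ] && basename "$m"; done)
#   lsmod_mods=$(lsmod | awk 'NR > 1 { print $1 }')
#   cross_view_missing "$probe_pids" "$ps_pids"
#   cross_view_missing "$sys_mods" "$lsmod_mods"
```

Expect a few benign hits on a busy host: PIDs that exited between the two snapshots, and kernel threads that some ps options omit. Anything that survives a second run is worth a look.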
    

What Undercode Say:

Linux forensics requires deep knowledge of system artifacts, and UAC simplifies collection. However, manual analysis with tools like mactime, lsof, and `find` is crucial. Always verify logs, check for unusual timestamps, and monitor unauthorized processes.

Expected Output:

A structured forensic report with:

  • Timeline of file modifications
  • Suspicious login attempts
  • Unusual network connections
  • Anomalous process activity

For advanced forensics, combine UAC with memory analysis (Volatility) and disk forensics (The Sleuth Kit).

End of Report.

References:

Reported By: Jeffersonsmacedo Forensicators – Hackers Feeds
