Forensics Tips – Linux Platform

Basic Steps in Forensic Analysis of Unix Systems

An excellent article written by Dave Dittrich.

Quoted from the article:

Your job, as a forensic investigator, is to do your best to comb through the sources of evidence — disc drives, log files, boxes of removable media, whatever — and do two things: make sure you preserve as much of this data in its original form, and to try to re-construct the events that occurred during a criminal act and produce a meaningful starting point for police and prosecutors to do their jobs.


Gaining Root Access in Linux

There may be times when it benefits an investigation for the investigator to log in to a suspect machine as the root user to explore. Root access may let the investigator reach items that would otherwise be locked.


Boot Linux into single-user mode

  1. Reboot the machine.
  2. Press the ESC key while GRUB is loading to enter the menu.
  3. If there is a Recovery Mode option, select it and press B to boot into single-user mode. Otherwise, the default boot configuration should be selected. Press E to edit it.
  4. Highlight the line that begins with kernel. Press E again to edit this line.
  5. At the end of the line, add an additional parameter: single. Hit Return to make the change and press B to boot.

Change the admin password

The system should load into single-user mode and leave you at the command line, automatically logged in as root. Type passwd to change the root password, or passwd username to change the password for the admin account named username. Reboot and you now have Linux root access.
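
The passwd step above rewrites the account's entry in /etc/shadow, so the change can be recorded for the case notes. The following is an added example, not part of the original post: it compares a copy of /etc/shadow saved before the change with one taken after, and reports which accounts had their hash replaced and what the last-change field (days since 1970-01-01) shows. The function names and the sample lines are constructed for illustration, and it assumes the investigator kept the "before" copy.

```python
"""Added example: report what a passwd run changed in /etc/shadow."""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

def parse_shadow(text):
    """Map account name -> (password hash field, last-change date or None)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        # Field 3 is the last password change in days since 1970-01-01;
        # an empty field means no change date is recorded.
        changed = EPOCH + timedelta(days=int(lastchg)) if lastchg.isdigit() else None
        entries[name] = (pw_hash, changed)
    return entries

def shadow_changes(before_text, after_text):
    """Return {account: (old_date, new_date)} for accounts whose hash changed."""
    before, after = parse_shadow(before_text), parse_shadow(after_text)
    changes = {}
    for name, (new_hash, new_date) in after.items():
        old_hash, old_date = before.get(name, (None, None))
        if old_hash != new_hash:
            changes[name] = (old_date, new_date)
    return changes

# Constructed sample data (not from a real system); hashes are placeholders.
BEFORE = """root:$6$SALT$OLDHASHPLACEHOLDER:15000:0:99999:7:::
admin:$6$SALT$ADMINHASHPLACEHOLDER:15010:0:99999:7:::
daemon:*:14900:0:99999:7:::
"""
AFTER = """root:$6$SALT$NEWHASHPLACEHOLDER:15400:0:99999:7:::
admin:$6$SALT$ADMINHASHPLACEHOLDER:15010:0:99999:7:::
daemon:*:14900:0:99999:7:::
"""

if __name__ == "__main__":
    for account, (old, new) in shadow_changes(BEFORE, AFTER).items():
        print(f"{account}: hash changed; last-change {old} -> {new}")
```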