Auditing File Events in Linux

Audit Linux is an open source framework which monitors files/folders and provides useful accounting information whenever an event occurs. For example you can deploy the framework to detect policy violations in your company. The information which is logged provides a probative inference for forensic purpose . Audit linux is going to answer the following questions,

1. How can I track the changes when my file is modified?

2. How will I know which user in my computer accessed a file?

3. Which application program is used to access the file?

4. At what time a particular event happened?

5. Inode number and more.

Not only the above 4, it can also provides variety of information. Audit Linux is comprised of auditctl, ausearch, aureport, auditd, audispd, autrace, aulast, aulastlog, ausyslog, auvirt. But today we are going to see only the following the tools,

auditctl – This is a tool which is going to monitor all the events of a file we are interested.

ausearch – A tool which can be used to display the logged events

aureport – Prepares a brief report based on the collected logs.

To install the framework in Ubunt,

$ sudo apt-get install auditd audispd-plugins

This is how we usually monitor a file,

➜  ~ [255] sudo auditctl -w /home/h1dd3ntru7h/demo.txt -p rwxa -k pattern1

-p – if any reads/writes/executes/appending happens on the file demo.txt it will be logged. The -k flag can be used to uniquely identify the particular activity when there are too many log entries.

To see the applications which has accessed the file, we use ausearch. If you have setup log watching for multiple files, then you may leverage the -k flag, which can uniquely identify the logs of demo.txt file. You can also use like this  $ sudo ausearch -f demo.txt -k pattern1

➜  ~ [0] sudo ausearch -f  demo.txt
time->Sun Dec 28 20:01:41 2014
type=PATH msg=audit(1419777101.038:189): item=0 name="demo.txt" inode=2883912 dev=08:06 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419777101.038:189):  cwd="/home/h1dd3ntru7h"
type=SYSCALL msg=audit(1419777101.038:189): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd1b3978a a1=0 a2=1fffffffffff0000 a3=7fffd1b38b70 items=1 ppid=8610 pid=16233 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="cat" exe="/bin/cat" key="pattern1"

i) uid=1000 is the user who accessed this file, here it is me. You can use the command id to see the user-name.

ii) tty=pts1 – If I am correct there are 7 controlling terminal in Linux (Ubuntu), which you can check using Ctrl+Alt+(F1 | F2 .. | F7). By default we log in tty1. Try opening the file from tty2, it will show tty’s value as tty2. Now, you may ask me, why the value of tty is not tty1|tty2..|tty7 instead of pts1..pts7. If you use a terminal then the value can be any of the tty’s. But when you use a Xterm terminal or a ssh terminal then the value would be either of any pts. If you have accessed the same file from another machine using ssh, the tty value will be from any of the seven controlling terminal. For example, below shows the tty value to be from a different console (pts6) when I displayed a file from another machine.

time->Sun Dec 28 23:34:44 2014
type=PATH msg=audit(1419789884.132:336): item=0 name="file.txt" inode=2883678 dev=08:06 mode=0100664 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1419789884.132:336):  cwd="/home/h1dd3ntru7h"
type=SYSCALL msg=audit(1419789884.132:336): arch=c000003e syscall=2 success=yes exit=3 a0=7fff68de3c3a a1=0 a2=1fffffffffff0000 a3=7fff68de1da0 items=1 ppid=21137 pid=21277 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts6 ses=2 comm="cat" exe="/bin/cat" key="pattern2"

You can also check who is currently logged in your machine using the “last” command.

iii) audit(1419777101.038:189) == Sun Dec 28 20:14:18 IST 2014. The converted epoch time can be found above audit() or manually you can check using date command,

➜  ~ [0] date -d @1419777858.320
Sun Dec 28 20:14:18 IST 2014

iv) inode=2883912 : To get more information about the inode entry, you can give the inode number in debugfs tool,

➜  ~ [0] sudo debugfs /dev/sda6  #sda6 is where my / is mounted
debugfs 1.42.9 (4-Feb-2014)
debugfs:  stat <2883912> # inode entry for demo.txt

Inode: 2883912   Type: regular    Mode:  0600   Flags: 0x80000
Generation: 1756762240    Version: 0x00000000:00000001
User:  1000   Group:  1000   Size: 3811
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
ctime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
atime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
mtime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
crtime: 0x54a01453:4085c294 -- Sun Dec 28 20:01:47 2014
Size of extra inode fields: 28

Inode gives much more information now with 3 timestamps: Changed time, Modified time and Access time. If you delete the file, and then if you do the following then you can notice another time stamp dtime, which logs the time at which the file is deleted.

v) I guess rest are self explanatory. 🙂

If you append -i to ausearch then you can see the user-name(not user-id) as well as the system call name instead of the system call number.

➜  ~ [0] sudo ausearch -f demo.txt -i

type=PATH msg=audit(Sunday 28 December 2014 �@.320:220) : item=0 name=demo.txt inode=2883987 dev=08:06 mode=file,664 ouid=h1dd3ntru7h ogid=h1dd3ntru7h rdev=00:00 nametype=NORMAL
type=CWD msg=audit(Sunday 28 December 2014 �@.320:220) :  cwd=/home/h1dd3ntru7h
type=SYSCALL msg=audit(Sunday 28 December 2014 �@.320:220) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7ffffae07cbf a1=O_RDONLY a2=0x1fffffffffff0000 a3=0x7ffffae05aa0 items=1 ppid=16673 pid=16886 auid=unset uid=h1dd3ntru7h gid=h1dd3ntru7h euid=h1dd3ntru7h suid=h1dd3ntru7h fsuid=h1dd3ntru7h egid=h1dd3ntru7h sgid=h1dd3ntru7h fsgid=h1dd3ntru7h tty=tty2 ses=unset comm=cat exe=/bin/cat key=pattern1

You can also find the logs using,

Process id : ➜  ~ [0] sudo ausearch -f demo.txt --pid 16886
User id : ➜  ~ [0] sudo ausearch -f demo.txt --uid h1dd3ntru7h
Using an application : ➜  ~ [0] sudo ausearch -f demo.txt -x cat

Some cool stuff that we can do using Audit LInux.

Login attempts : ➜  ~ [0] sudo aureport -i -au –success         |  –failure ( for failed attempts)

For a detailed report : ➜  ~ [1] sudo aureport


Installing Linux Profile in Volatility

As I said, in my previous blog, it is necessary to note, that you need a compatible system profile to analyse a RAM memory dump.  That is, if you have a profile built for kernel 3.2.15, then you can only analyse the memory dump from a machine which runs the same kernel version 3.2.15. In case if you want to analyse some other kernel version’s RAM memory then you need to build a profile for the kernel version separately in your Volatility tool.  Before going to the building part, let me put it clearly what I meant by a profile. Actually it refers to a file ( a zip file ) where we compress the  kernel data structures and debug symbols. Volatility uses this zip file to mine critical information and to parse the objects inside the memory. In the next blog I will tell you the tools which you can use to collect the memory dumps from various OS’s and a demonstration with any one of a sample RAM memory dump. For now, I will tell you, how you can successfully build a Linux profile with your Volatility tool.

Determine your kernel version:

bios@bios-VirtualBox:~$ uname -mrs
Linux 3.13.0-24-generic x86_64

Installing a pre-requisite package:

bios@bios-VirtualBox:~$ sudo apt-get install dwarfdump

Creating vtypes:

Some of you might have encountered this issue while creating the vtypes.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux$ make
make -C //lib/modules/3.13.0-24-generic/build CONFIG_DEBUG_INFO=y M=/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-3.13.0-24-generic’
  CC [M]  /home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o
/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.c:70:33: fatal error: linux/net_namespace.h: No such file or directory
 #include <linux/net_namespace.h>
compilation terminated.
make[2]: *** [/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-24-generic’
make: *** [dwarf] Error 2

This is not the right way of doing this. Here is the solution, follow the steps properly.

bios@bios-VirtualBox:~/Desktop/volatility-2.3.1$ cd tools/linux

bios@bios-VirtualBox:~$ sudo chown -R bios Desktop/volatility-2.3.1/tools/linux/


Now make:


Now you should not get any errors at the end of the make.

bios@bios-VirtualBox:~/Desktop/volatility-2.3.1/tools/linux$ make

make -C //lib/modules/3.5.0-49-generic/build CONFIG_DEBUG_INFO=y M=/home/bios/Desktop/volatility-2.3.1/tools/linux modules

make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic’

CC [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.o

Building modules, stage 2.

MODPOST 1 modules

CC /home/bios/Desktop/volatility-2.3.1/tools/linux/module.mod.o

LD [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.ko

make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic’

dwarfdump -di module.ko > module.dwarf

make -C //lib/modules/3.5.0-49-generic/build M=/home/bios/Desktop/volatility-2.3.1/tools/linux clean

make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic’

CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/.tmp_versions

CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/Module.symvers

make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic’


Making the Profile:

 Go to the /boot directory and create a profile by zipping the kernel file.

bios@bios-VirtualBox:/boot$ ls -l

total 48888

-rw-r–r– 1 root root 848290 Jan 25 2013 abi-3.5.0-23-generic

-rw-r–r– 1 root root 853859 May 3 03:16 abi-3.5.0-49-generic

-rw-r–r– 1 root root 147880 Jan 25 2013 config-3.5.0-23-generic

-rw-r–r– 1 root root 148168 May 3 03:16 config-3.5.0-49-generic

drwxr-xr-x 3 root root 12288 May 22 10:42 grub

-rw-r–r– 1 root root 15543822 May 2 14:44 initrd.img-3.5.0-23-generic

-rw-r–r– 1 root root 15694176 May 22 10:42 initrd.img-3.5.0-49-generic

-rw-r–r– 1 root root 176764 Nov 27 2011 memtest86+.bin

-rw-r–r– 1 root root 178944 Nov 27 2011 memtest86+_multiboot.bin

-rw——- 1 root root 3023265 Jan 25 2013

-rw——- 1 root root 3025898 May 3 03:16

-rw-r–r– 1 root root 5189248 Aug 2 2013 vmlinuz-3.5.0-23-generic

-rw——- 1 root root 5191616 May 3 03:16 vmlinuz-3.5.0-49-generic

bios@bios-VirtualBox:~$ sudo zip Desktop/volatility-2.3.1/volatility/plugins/overlays/linux/ Desktop/volatility-2.3.1/tools/linux/module.dwarf /boot/

updating: Desktop/volatility-2.3.1/tools/linux/module.dwarf (deflated 90%)

adding: boot/ (deflated 79%)


Checking the installation:


If everything goes smooth without any error then you are done with creating Linux profile. Hurray! Now you can check, whether everything went in your way!

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 –info | grep “linux”

Volatility Foundation Volatility Framework 2.3.1

linux_arp – Print the ARP table

linux_banner – Prints the Linux banner information

linux_bash – Recover bash history from bash process memory

linux_check_afinfo – Verifies the operation function pointers of network protocols

linux_check_creds – Checks if any processes are sharing credential structures

linux_check_evt_arm – Checks the Exception Vector Table to look for syscall table hooking

linux_check_fop – Check file operation structures for rootkit modifications

linux_check_idt – Checks if the IDT has been altered


You could see the plugins listed out, which confirms the building the linux profile.


Checking for the Linux profile version:


h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 –info | grep “Linux”

Volatility Foundation Volatility Framework 2.3.1

linux_banner – Prints the Linux banner information

linux_yarascan – A shell in the Linux memory image

LinuxUbuntu1204x64 – A Profile for Linux Ubuntu1204 x64

Linuxubuntu-14_04-desktop-amd64_3_13_0-24-genericx64 – A Profile for Linux ubuntu-14.04-desktop-amd64_3.13.0-24-generic x64

If you face any issues while building the Linux Profile, will help you out in fixing it. Let me know through the comments.

Installing Volatility in Ubuntu

Volatility is a memory forensics framework, to analyse ram memory dumps for Windows, Linux, and Mac. In order to analyse a operating system’s RAM memory in Volatility, you need to build the corresponding operating system’s profile. By default the Windows profile is built inside Volatility. Other than Windows, if you are analysing a Linux or a Mac memory dump, then you have to build the profiles accordingly. Most important thing to note is, you cannot build a profile for a Ubuntu 3.13 system to analyse a memory dump from Ubuntu 3.10 system. In this article, I am going to show you how you can install volatility in your machine and in the next blog I will show you how to create linux profiles to analyse Linux based RAM memory. Please see, I am using Ubuntu 12.04, amd_64. Also, install the packages in the order which is followed before. Make sure that there are no errors appearing while installing the dependencies and libraries.

[Update] You can also refer to Volatility’s github for the latest updates about dependencies.

Step 1: Installing dependencies

h1dd3ntru7h@bi0s:~$ sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Step 2: Installing PyCrypto

You can either use pip to install the library or you can download the source from here and install.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf pycrypto-2.6.1.tar.gz

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ python build

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ sudo python build install

Step 3: Installing Distrom

Distrom is a disassemble library for x86/AMD64. You can download the source from here.

h1dd3ntru7h@bi0s:~/Apps/distorm3$ unzip

h1dd3ntru7h@bi0s:~/Apps$ cd distorm3/

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python build

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python build install

Step 4: Installing Yara

Volatility supports many plugins which helps to identify malwares from memory dumps. Many plugins which are based on malwares uses Yara library. You can download the recent version availabe, but for this demo I am using the older version of the yara.

h1dd3ntru7h@bi0s:~/Apps$ wget

h1dd3ntru7h@bi0s:~/Apps$tar -zxvf yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-1.4/
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo ./configure

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make install

Step 5: Installing Yara Python

Please follow the instructions in Step 4 before installing Yara Python. You can download the Yara Python1.4a source from here. Please see, if you downloaded a different version of Yara in step 4, then do download a compatible version of Yara Python.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-python-1.4a.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-python-1.4a/

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python build

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python build install

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ echo “/usr/local/lib” >> /etc/
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ ldconfig

We are done with installing the dependencies, now  will install the Volatility framework. Please download the source from here. You can download and use it wherever you want. Once after downloading, extract to a directory.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python build

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python build install

This will complete the installation and if everything went in the right way, then you should get a similar stdout,

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility – A memory forensics analysis platform.

  -h, –help            list all available options and their default values.
                        Default values may be set in the configuration file

Internal and External Commands

Internal Commands:

As part of my OS Security Course, we had an assignment about differentiating Internal  and External commands in Linux. Internal commands are those which are built inside the shell, i.e they are already loaded into the system. It is directly executed in the system. They don’t require a separate process to execute them. They are PATH independent and they are not coded in files. PATH is represented as “$PATH”,  and it is an environment variable that tells the shell, which directories to search for executables, which are provided by the user. Just type and check, $PATH and env in your terminal. Oh…. btw env is an 32-bit LSB executable file, where we can see a list of current environmental variables, and their values for the current user. “env” file can be found in /usr/bin directory. We can locate the PATH variable inside the env executable by using grep command and with a pipe.

shankie@ubuntu:~/Desktop$ env | grep "$PATH"

OK coming back to the topic, in Linux we can differentiate the Linux commands, using the type command. If it is an internal command, type command will pop a message, that it is shell built-in. Else it will mention the directory of the command, i.e the directory where the executable is located.

shankie@ubuntu:~/Desktop$ type cd
cd is a shell builtin

External commands are not executed directly in the system. More clearly they are not loaded into the system. For Eg. cat, ifconfig, firefox( if installed) .They will have an individual process. They seek the help of the $PATH variable. Usually, normal linux commands are found in /bin or in /sbin. If the path of a particular command provided by the user is not mentioned in the variable means, it won’t be executed.

shankie@ubuntu:~/Desktop$ type ifconfig
ifconfig is hashed (/sbin/ifconfig)
shankie@ubuntu:~/Desktop$ type cat
cat is hashed (/bin/cat)
shankie@ubuntu:~/Desktop$ type firefox
firefox is /usr/bin/firefox

So this is the assignment, implemented in Python, HOPE IT IS COMPLETE NOW! given a list of terminal commands, which sorts the terminal commands issued by the user, based on internal and external commands and executes the terminal commands. You can also download the below code with a Sample Input from my Repository.


Variable Descriptions:

commands ( Terminal commands issued by the User )
final ( STDOUT of the terminal commands, issued by user )


#Header File
import os

# User Input
commands,final = [],[]
no = input("Enter the number of commands:")
for i in range(no):
    commands.append(raw_input("Enter the commands:"))

for i in range(no):
    dif = 'type '
    temp = commands[i]
    temp = dif+temp
    output = os.popen(temp).readlines()

# Special Case: Directory execution
def SHELL(catch):

#Generalization of Getting HOME DIR
    path = '/home/shankie'
    path = 'env|grep "HOME"'
    path = os.popen(path).readlines()
    path = str(path)
    end  = path.find('\\n')
    path = '/' + path[8:end]

# Normal Commands Other Than CD
if 'cd' not in catch:

# Moving Forward
    if len(catch) == 2:
        print "Your Directory is Changed! Select a option!"
        print "1. List the files and Subdirectory"
        print "2. Print the Path"
        catch = input()
        if catch == 1:
        elif catch == 2:
            print "Wrong Option"

# Moving Backward
        strip = catch[3:]
        print "Your Directory has Changed! Now you are inside the path!"

# Classifying Internal or External Command
while i < no:
    temp = str(final[i])
    index = temp.find('shell')
    if index > 0:
        print commands[i]+ ' is Internal Command'
        print commands[i]+ ' is External Command'
    temp = commands[i]

Encryption and Decryption using gpg

GPG stands for GNU Privacy Guard, which is a command line tool and a free implementation of  the OpenPGP standard. It allows us to encrypt and decrypt various data. The tool comes handy during  message or file transfer. It allows us to have a pair of keys namely Public and Private Keys, which  falls under stream of  Asymmetric Key Cryptography. By using these techniques, we can forget the nightmare of  data privacy. That means, you can be confident, that others, except the recipient can not read the message, which is sent by you. Even if the file is passed over the network, and if anyone tampers your file, it will  not be an easy task, to decrypt the encrypted files, without the Private Key of the recipient. This technique makes sure,of secure file transfer between the communicating parties.

Process :

Consider two devils Sow and Bow want to share a secret file. Using gpg tool Sow and Bow will create their own pair of Private and Public Keys. If Sow wants to send a encrypted file to Bow, she will use Bow’s public key (which will be shared in common) to encrypt the file. On the other side, Bow will use her private key to decrypt the file which is sent by Sow and vice-versa. Private key is the pass-phrase, which is confidential and it is private only to the user who created it. It shouldn’t be shared. Public key can be made public. It has to be made public so that the other party who wants to share a file with you can encrypt the file.


Generating the Key Pairs:

Follow the below steps for creating a Public and Private Key. Private Key is the pass-phrase which you are going to give during the Public-Key generation. I gave my key to be encrypted as RSA and you can choose your own choice.

shankie@ubuntu:~$ gpg --gen-keygpg

(GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.There is NO WARRANTY,
to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Your selection? 1

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days<n>
w = key expires in n weeks<n>
m = key expires in n months<n>

<strong>y = key expires in n yearsKey is valid for? (0)</strong>

Key does not expire at all

Is this correct? (y/N) y

You need a user ID to identify your key;
the software constructs the user ID from
the Real Name, Comment and Email Address in this
form:"Heinrich Heine (Der Dichter) <>"

Real name: Shankar Raman.R

Email address:

Comment: Private-Public Key using GPG

You selected this USER-ID:"Shankar Raman.R
(Private-Public Key using GPG) <>
<strong>"Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o</strong>
You need a Passphrase to protect your secret key.

can't connect to server: ec=255.16777215gpg: problem with the agent -
disabling agent useWe need to generate a lot of random bytes.
It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks)
during the prime generation;
this gives the random numbergenerator a better chance to gain enough entropy
We need to generate a lot of random bytes. It is a good idea to performsome other action
(type on the keyboard, move the mouse, utilize thedisks) during the prime generation;
this gives the random numbergenerator a better chance to gain enough entropy
key 9FA49BD0 marked as ultimately trustedpublic and secret key created
and signed.gpg: checking the trustdbgpg: 3 marginal(s) needed, 1 complete(s) needed,
PGP trust modelgpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3upub
2048R/9FA49BD0 2013-01-07Key fingerprint = D3E5 39B0 E4B3 C06C A68E  13E4 6994 5DF6 9FA4 9BD0uid
Shankar Raman.R (Private-Public Key using GPG) <>
sub   2048R/0385B97F 2013-01-07

 Exporting the Public Key

This will be your public key, and this key will be used by the other people to send encrypted files to you. You need your email id as an argument for generation of Public Key.

shankie@ubuntu:~$ gpg --export > Shanky-Public_k3y.gpg

Importing Public Key:

First step of encryption is, importing the recipients Public Key. Assuming Bow’s public key is BOW.gpg, and importing can be done by

shankie@ubuntu:~$ gpg --import > BOW.gpg

Encryption  :

After importing the the Public Key of the recipient, we can now encrypt the message to be sent. Assuming Sow wants to send a file named rchan.txt. Remember encryption is achieved only with the Public Key of the recipient.

shankie@ubuntu:~$ gpg  --recipient BOW.gpg --armor --encrypt rchan.txt


After executing the above command, an encrypted file will be created namely “chan.txt.asc”. Sow will now send the encrypted file to Bow through email or by sharing or anything. Once Bow receives the Encrypted file, she will use her private key (The pass-phrase which you gave for generating the Public Key) to decrypt the file and finally she unravels the original file, which Sow has sent! Use this command to decrypt the file.

shankie@ubuntu:~$ gpg --decrypt rchan.txt.asc > bit.txt

Hardening Grub

The best way to delve into others Linux machine is by editing the grub. We don’t need any passwords to get access; just edit the grub and do either of these notorious things, change the root user’s password or the user’s passwords. If  you are using your PC, for  normal or for a rough use, it’s not too necessary that you need to take stringent precautionary steps. Indeed, you have to be secure, choice is yours. A computer without security is similar to having a house without gate, doors, and fence. For some people who works in industries, banks, system administrators, security is mandatory and it is inevitable. What happens if someone keeps a trove of confidential information such as Passwords of users, Bank accounts, Personal information etc! What happens if your enemy deletes all your sedentary works, which you kept inside your PC? If your PC has two operating systems running, say Linux and Windows, then you can easily break Windows user password by bypassing the Linux grub! So i learned few methods to secure a grub recently, and i shared it. Please follow these steps, and i can usher you that, you can eliminate the aforementioned problems to some extent.

I am going to use Ubuntu Operating system for hardening! So firstly you should know the ways how people will get into the system. Many will start by, editing the line “ro quite splash” as rw init=/bin/bash during the startup(usually by pressing button “e” on the list). Second is using the recovery mode. So the solution will be, put a GRUB password for your system and disable the recovery mode. Follow the steps carefully.

Part 1: Disabling the Recovery mode

1. Get into the /etc/default directory

2. Open the grub file

shankie@ubuntu:~$ cd /etc/default/
shankie@ubuntu:/etc/default$ sudo vim grub

3. By default the recovery mode will be commented. Just uncomment the GRUB_DISABLE_RECOVERY” line to disable the recovery mode during startup. After uncommenting it will look like this.

recovery mode1

4. Save the file and update the grub

Use sudo to update the grub!


Part 2: Setting up a Password for your grub!

1. Be a root user

2. Move into /etc/grub.d/ directory


Description of each file:

i. 00_header – Password Protection

ii.05_debian_theme – Set background color, text and themes

iii. 10_linux – Locates Linux kernels based on results of the “lsb_release” command

iv. 20_memtest86+ – If the file /boot/memtest86+.bin exists, it is included in the menu item.

v. 30_os-prober – Searches for OS and adds in the menu

vi. 40_custom – A template for adding custom menu entries.

3. Make a backup of the 00_header file

root@ubuntu:/etc/grub.d# cp 00_header 00_header.BKP


4. Creating a GRUB password

root@ubuntu:/etc/grub.d# grub-mkpasswd-pbkdf2

Enter password:

Reenter password:

Your PBKDF2 is grub.pbkdf2.sha512.10000.0DCEEC2D624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD3A




5. Copy Paste the output in a text file! from—-“grub.pbkdf2.sha512.1000…..”

6. Edit the 00_header file:

Type the following commands at the end of the file.  After entering the username in the third line (i.e  password pbkdf2 username ), copy paste the output which we copied in a text file.I am using my username as “h1dd3ntru7h”. Enter your username in the set superuser and password option.

cat << EOF

set superusers=”h1dd3ntru7h”

password pbkdf2 h1dd3ntru7h grub.pbkdf2.sha512.10000.0DCEEC2D624BA3DBDFACF2AE311617236143EE7E930E862706D3A4089AD3ADA1C0E1274EA0F53DC4




And it looks like this

7. Save the file and update the grub.


Now you are done with Part1 and Part2. Your grub is safe now. Make sure that you are not forgetting the grub password.  Reboot your system and try to edit the grub, it will prompt for username and password. Now, no one can edit the grub without the grub password which is generated by you.


How to install Autopsy and Sleuthkit in Ubuntu

 Sleuth Kit and Autopsy

Sleuth Kit and Autopsy are investigation tools for Digital Forensics. Autopsy Forensics Browser is a graphical interface to the command line digital investigation analysis tool in Sleuth Kit. Like other Disk Analysis tools like Photo Rec and Foremost, this tool will be used for recovering the lost files from the file system. It can be run both in Windows and Linux. First download the files from the website.

1. Autopsy

2. Sleuth Kit

After the download extract the files into a directory.

1. First get into the Sleuth Kit directory.

2. Run the configure file. P.S: This should be run without any errors

3. Then run the make command. This may take some time 🙂

4. Then type make install, you should be a super user to run this command

shankie@ubuntu:~/Desktop/Download/Tools$ cd sleuthkit-4.0.1/
shankie@ubuntu:~/Desktop/Download/Tools/sleuthkit-4.0.1$ ./configure
shankie@ubuntu:~/Desktop/Download/Tools$ make
shankie@ubuntu:~/Desktop/Download/Tools/sleuthkit-4.0.1$ sudo make install

Sleuth Kit Configuration is finished next moving to Autopsy,

1. Get into the autopsy folder

2. Run the configure file. If you run it, it will prompt for the NIST NSR library hash file configuration and press no for it. Next prompt will be regarding the Evidence Locker directory path. Autopsy saves the configuration files, logs, output everything in this directory. Create a directory of your own name and provide it’ path name in the prompt. I am creating a directory with name  “Evidence_Locker” in my home directory.

shankie@ubuntu:~/Desktop/Download/Tools$ cd autopsy-2.24/
shankie@ubuntu:~/Desktop/Download/Tools/autopsy-2.24$ ./configure

3. Creating the Evidence Locker folder. P.S:

shankie@ubuntu:~$ mkdir Evidence_Locker
shankie@ubuntu:~/Evidence_Locker$ pwd

P.S: Paste your path name of the directory in the prompt. This is mine :p

Enter the directory that you want to use for the Evidence Locker:


Yep, you are done with the installation part! Will execute and see what happens!

shankie@ubuntu:~/Desktop/Download/Tools/autopsy-2.24$ ./autopsy


Autopsy Forensic Browser

ver 2.24


Evidence Locker: /home/shankie/Evidence_Locker

Start Time: Fri Nov 16 12:02:32 2012

Remote Host: localhost

Local Port: 9999

Open an HTML browser on the remote host and paste this URL in it:


Keep this process running and use <ctrl-c> to exit

There you go, paste the URL in your browser. Should come like this in your browser