Find evidence of a file viewed from within a tar file

mikevh
(@mikevh)
Posts: 4
New Member
Topic starter
 

I have a 6GB tar file on a linux machine. I want to know if
1) I do tar -tvf somefile.tar - will this leave a trail in some /tmp or swap space that can be discovered using something like Autopsy?

2) as in winzip one can view the contents of the archive and open a file within the archive without permanently extracting it. With this in mind - would there be evidence of this? Where would be the most likely place to find such evidence. I am sure it would be a deleted file, but would it be in /tmp or the local directory.

Thanks in Advance.

 
Posted : 08/08/2013 1:03 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

There is a presumption in your train of thought that whatever is in the output, when viewing the internal structure of tar or ZIP files, will be written to disk.

I am not aware of such need.

 
Posted : 08/08/2013 2:08 am
mikevh
(@mikevh)
Posts: 4
New Member
Topic starter
 

Thanks jhup - that is an assumption. However, I do realize that viewing the file from within the archive might have taken place in RAM if there was enough available. Otherwise it should have used swap and possibly temp space. Yes / No ?

 
Posted : 08/08/2013 2:29 am
athulin
(@athulin)
Posts: 1141
Noble Member
 

I have a 6GB tar file on a linux machine. I want to know if
1) I do tar -tvf somefile.tar - will this leave a trail in some /tmp or swap space that can be discovered using something like Autopsy?

Search for it. You never know what you'll find. You may even find it in the shell history file, or in any process accounting system you happen to have *on*the*computer*of*interest*.

If you can say that it is some open-source tar, well … you can inspect the code, and see what it does with information like that. And you can test it, using the same set up as you are faced with. (You clearly don't test it with something else, and draw any conclusions from that.)

But as you ask about an unspecified linux and an unspecified tar … the answer is 'no, you can't say that it leaves any consistent traces anywhere. There's just not enough information to draw that conclusion. It might.'

2) as in winzip one can view the contents of the archive and open a file within the archive without permanently extracting it. With this in mind - would there be evidence of this? Where would be the most likely place to find such evidence. I am sure it would be a deleted file, but would it be in /tmp or the local directory.

But what application are you asking about? In general, a properly written man page will say what files are involved in the operation. You may have to read it closely, for example if there happens to be a '-T <folder-to-use-as-temp>' option, in which case you may be looking for the default value of that option. You may also be interested in finding out how it names any temporary files.

For GUI wrappers … there should be some kind of documentation, or (on Linux) there's usually source code available. But again, it's a question of what the program is, and most probably also what software revision of it.

In general, /tmp is the canonical place to put everything that is temporary on a Unix system. But there may be other areas that may be equally good in some particular setup (/usr/tmp, /var/tmp, …). /tmp will usually be cleaned out on reboot – but it's not a general truth. On some systems, the environment is different, e.g. TMPDIR (or TEMP or TMP, depending on what environment variable it looks for) points somewhere else. But what application is involved in your case, and how it has been configured in general, or how it was used in particular … well, you seem to be the person best placed to know all that.

 
Posted : 08/08/2013 1:50 pm
mikevh
(@mikevh)
Posts: 4
New Member
Topic starter
 

Thanks for the information and thoughts. The tar file is simply that of an existing jboss application before an upgrade. My system was compromised by the JBOSS authentication bypass vulnerability. A zecmd.war was deployed, and a DoS from pnscn.pl was running.
The tar file holds information that may be sensitive. This is why I am looking to see if there were any deleted files. I want to say with some certainty that the attacker did not view them.

Please keep your thoughts coming.
Thanks

 
Posted : 08/08/2013 5:40 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

[…] I want to say with some certainty that the attacker did not view them.[…]

In my opinion, it is very hard to prove the non-existence or non-occurrence of something when it comes to digital forensics.

Your "some certainty" will have to come from basically searching as previously noted by athulin. You could try carving for known and unique portions of the sensitive parts on the target device.

 
Posted : 08/08/2013 6:02 pm
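An added example, not posted by anyone in this thread, of the carving approach jhup suggests and the "search for it" advice from athulin: scan a raw image for a unique string taken from the sensitive data, and tell a hit that sits inside a tar entry (the archive itself, which is expected) apart from a loose copy (which would suggest the file was extracted or written somewhere). The image, the file name and the marker string are constructed test data; ustar header layout (name at 0, octal size at 124, "ustar" magic at 257, 512-byte blocks) is the standard format.

```python
import io
import tarfile

BLOCK = 512        # tar header and data block size
MAGIC_OFF = 257    # offset of the b"ustar" magic inside a header block
SIZE_OFF = 124     # offset of the 12-byte octal size field
NAME_OFF = 0       # offset of the 100-byte name field

def build_image(sensitive: bytes, with_loose_copy: bool) -> bytes:
    """Constructed toy 'disk image': filler, a tar holding the sensitive file,
    filler, and optionally a loose copy as if it had been extracted to disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("app/conf/db.properties")   # constructed name
        info.size = len(sensitive)
        tf.addfile(info, io.BytesIO(sensitive))
    filler = bytes(range(256)) * 8                         # deterministic noise
    image = filler + buf.getvalue() + filler
    if with_loose_copy:
        image += sensitive + filler
    return image

def enclosing_tar_header(image: bytes, off: int):
    """Return (header_offset, entry_name) when image[off] lies inside the data
    of a ustar entry, else None. The header sits 512 bytes before the entry's
    data, so look for the magic in a window of blocks before the hit."""
    lo = max(0, off - 64 * BLOCK)
    pos = image.find(b"ustar", lo, off)
    while pos != -1:
        hdr = pos - MAGIC_OFF
        if hdr >= 0:
            raw = image[hdr + SIZE_OFF:hdr + SIZE_OFF + 12].strip(b"\x00 ")
            try:
                size = int(raw, 8) if raw else 0
            except ValueError:
                size = 0                                   # not a real header
            data_start = hdr + BLOCK
            if data_start <= off < data_start + size:
                name = image[hdr + NAME_OFF:hdr + NAME_OFF + 100]
                return hdr, name.split(b"\x00", 1)[0].decode(errors="replace")
        pos = image.find(b"ustar", pos + 1, off)
    return None

def carve(image: bytes, needle: bytes) -> list:
    """Every offset of needle in the image, tagged 'tar:<entry>' or 'loose'."""
    hits, off = [], image.find(needle)
    while off != -1:
        ctx = enclosing_tar_header(image, off)
        hits.append((off, f"tar:{ctx[1]}" if ctx else "loose"))
        off = image.find(needle, off + 1)
    return hits
```

On a real case the same logic runs over a raw device or dd image read in chunks, and a "loose" hit is only a lead: it still has to be tied back to a filesystem object or unallocated region with the usual tools.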