Introduction
Welcome to the first in a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say, I will not be going over Solaris administration, but rather how things work in Solaris. Our first few steps involve:
- How the filesystem is laid out (i.e. what kinds of files are in the main directories),
- A brief discussion on reading ls output as this sets up for:
- How permissions work
- What users and groups are
- Soft and hard links
- Link counts
- Basic file types (regular files, directories, links, character devices, and block devices)
- Breakdown on Solaris slices (partitions)
- Imaging Solaris drives remotely
- More stuff to follow :)
I think it is important to understand the basics of how Solaris functions, or any OS for that matter, in order to know where to start looking for the forensic evidence. This way you can quickly assess what needs to be captured during an incident and then move into your analysis for the post-mortem.
For the Windows folks, one of the things I would recommend is picking up one of the O'Reilly In A Nutshell books, either the Linux or the UNIX one. These books are great references on what the commands do, their arguments (and what they do), the syntax of the commands, and information on the shells. If you're really interested in Linux, then get that book, as the commands and syntax are pretty much the same for Solaris.
Filesystem
First, before we can even start talking about forensics on Solaris machines, we need to go over how the filesystem is laid out. The Solaris filesystem is like most Linux/Unix filesystems in that we have the traditional root directory and basic OS directories. It looks like this:
/ (Root) — For Linux/UNIX filesystems, this is the lowest level in the filesystem. For the Windows folks, think of this as the C:\ drive. Thinking of it as C:\ is not really the correct way to picture it, but it will help you to paint the picture in your mind as we go through the rest of the filesystem.
Everything in the filesystem starts off with the / (Root) directory. A couple of definitions are required for the Windows folks. An absolute path is a directory path that starts with a / followed by the rest of the path. For example, /bin means that I am referencing from the start of the filesystem (/ Root) and referencing the bin directory. A relative path is where we start from the current working directory and reference another file or directory from that point. So if my current working directory was /home/user1 and I referenced a directory called Documents, it would look like ./Documents. There will be more examples of relative paths to come throughout the articles.
Below is a short list of some of the default directories that are found on a Solaris system. Notice that I am referencing everything with absolute paths.
| Directory | Contents |
| --- | --- |
| /bin | System binaries |
| /boot | Ramdisk |
| /dev | Device files |
| /dev/dsk | Block disk devices; not to be used for imaging |
| /dev/rdsk | Raw disk devices; used to image devices |
| /devices | Physical device files |
| /etc | Configuration files |
| /export | Filesystems shared out via NFS, or may contain mounts of drives (depends on the admin) |
| /home | Users' home directories |
| /kernel | Kernel loadable modules that are required during the boot process |
| /mnt | The default mount point for temporary mounts |
| /net | The default location for mounts mounted by the automounter |
| /opt | 3rd party software |
| /platform | Platform-specific modules that are required for boot |
| /proc | The root subtree for the processes |
| /sbin | System administration binaries |
| /system | Mount point for the CTFS and OBJFS file systems |
| /tmp | Temporary files created by the OS and users |
| /usr | Contains system binaries and administration binaries |
| /var | Contains the spooling files and, more importantly, the log files |
Keven Murphy, GCFA Gold #24, is the Senior Forensics/Incident Handler for General Dynamics Land Systems.