Essential Linux Commands for Log Analysis
Prepare Sample SSH Log Files
Log download the log files contain relevant SSH events, including timestamps, source IP addresses, usernames, actions (login, logout), etc.
Commands for Hashing Log Files
1. Generating a Hash (SHA-256)
The most common and secure standard for forensic imaging and log analysis is SHA-256.
Command:
sha256sum ssh.log
Explanation: This command calculates the SHA-256 hash of the file
ssh.log. It will output a 64-character hexadecimal string followed by the filename.
2. Saving the Hash to a Verification File
In a forensic investigation, you must save the hash immediately after collecting the evidence.
Command:
sha256sum ssh.log > ssh.log.sha256
Explanation: The
>operator redirects the output into a new file namedssh.log.sha256. This file acts as your "Evidence Reference".
3. Verifying the Integrity
To check if the log file has been tampered with or corrupted later:
Command:
sha256sum -c ssh.log.sha256Explanation: The
-c(check) flag tells the system to read the hash from the.sha256file and compare it with the current state ofssh.log.Result
OK: The file is identical to the original.
Result
FAILED: The file has been modified or corrupted.
Essential Linux Commands for Log Analysis
1. grep (Global Regular Expression Print)
Used to search for specific text patterns within the log file.
Command:
grep "success" ssh.logPurpose: To filter and display only the lines where a login was successful.
Command:
grep "failure" ssh.log | wc -lPurpose: To count the total number of failed login attempts.
Steps to Analyze SSH Log Files
#cat Desktop/Web_Server_Logs/ssh.log
Analyze failed login attempts:
#cat Desktop/Web_Server_Logs/ssh.log | grep failure
Investigate SSH sessions from unusual or suspicious source IP addresses:
awk (Pattern Scanning and Processing)
Used to extract specific columns (fields) from the log.
Command:
awk '{print $3}' ssh.logPurpose: To extract the Source IP address (which is in the 3rd column)
Command:
awk '{print $5}' ssh.logPurpose: To extract the Destination IP address (which is in the 5th column).
Step-by-step breakdown:
awk '{print $3}': Get all Source IPs.sort: Group identical IPs together.uniq -c: Count how many attempts each IP made.sort -nr: Sort numerically in reverse (highest count at the top).head -n 10: Show only the top 10 results.
Top Target (Destination) IPs:
192.168.28.254(High frequency of attempts)
192.168.23.203(High frequency of attempts)
192.168.27.203(High frequency of attempts)
- 1331904022.010000→ Unix Timestamp (เวลาที่เกิดเหตุการณ์)
-
CU46Bb2UypzdF4eTW→ Session ID / Connection ID ของ SSH
-
192.168.202.110→ Source IP (เครื่องที่พยายามเชื่อมต่อ)
-
36586→ Source Port
-
192.168.27.203→ Destination IP (เครื่องปลายทาง = SSH Server)
-
22→ Destination Port (SSH)
-
undetermined / failure→ สถานะการเชื่อมต่อ
-
undetermined= ยังไม่ทราบผล (handshake) -
failure= login ล้มเหลว
-
INBOUND→ เป็นการเชื่อมต่อขาเข้า (incoming connection)
-
SSH-2.0-OpenSSH_5.8p1 Debian-ubuntu3→ Banner ของ SSH
- The SSH log indicates repeated inbound connection attempts from IP address 192.168.202.110 targeting the SSH service on 192.168.27.203 over port 22.
Multiple sessions resulted in authentication failures, which is consistent with a brute-force or unauthorized login attempt.
Time Conversion Command
Since the log uses Unix Epoch Time, you can convert it to a human-readable format using the date command.
Command:
date -d @1332017793.040000Purpose: Converts the timestamp 1332017793.040000 into a standard Date/Time format.
* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
