This series of articles is a primer on Solaris forensics. As such each article will build upon the last and should be read from start to finish for those new to Unix. Part 1 is available at https://blogs.sans.org/computer-forensics/2010/10/15/solaris-forensics-part-1/.
Reading ls output
Being able to correctly read the ls command's output is critical for moving around the OS and for looking for signs of compromise. As you go through the filesystem, keep in mind that you may not be seeing an accurate picture of it. If the machine has a rootkit installed, some of the files and directories may be hidden.
The UNIX filesystem has a few basic file types:
- Regular files
- Directories
- Links (soft/symbolic and hard)
- Device files (character and block)
Listing a directory with "ls -al", we see:
drwxr-x--- 24 user1 users 2048 Jul 5 11:57 .
drwxr-xr-x 100 root root 3072 Jun 29 09:30 ..
-rw-r--r-- 1 user1 users 557 Feb 9 15:20 file1
drwxr-xr-x 2 user1 users 4096 Apr 13 17:20 directory1
lrwxrwxrwx 1 user1 users 33 Jun 17 11:09 softlink1 -> file1
brw-r----- 1 root sys 118, 208 Jun 20 12:32 /devices/pci@8,600000/SUNW,qlc@2/fp@0,0/ssd@w21000000871c4358,0:a
crw-r----- 1 root sys 118, 208 Jun 20 12:40 ssd@w21000000871c4358,0:a,raw
The very first character means:
- "-" — Regular file
- "d" — Directory
- "l" — Soft (symbolic) link file
- "b" — Block device file
- "c" — Character device file
The next nine character positions represent the permissions on the file. They form three sets of three characters, and each set may consist of r, w, and x: "r" stands for read, "w" stands for write, and "x" means execute. The first set holds the user (owner) permissions, the second set the group permissions, and the last set the Other permissions.
So for file1, the user permissions are read (r) and write (w); the group permissions show read (r); and the Other permissions are read as well. A "-" in a permission position is just a placeholder showing that the permission is not turned on. In the case of file1, neither group nor Other has write or execute permission.
The Other permissions are special: whatever is set there applies to anyone at all. If the third set read rwx, then anyone could read, write, and execute the file.
Side Note: To delete a file, the user must have write permission on the directory. Technically, the second thing that is needed is write permission on the file. I used the word technically because if the user has write permission on the directory, then the rm command will ask them if they wish to override the read-only permissions to delete the file. If the user says yes, then the file is unlinked. At the time of writing I have only tested this on Solaris 9.
The next field is the link count. I will get to what that is in a little bit, after an explanation of what link files are. You can think of links as Windows shortcuts. A soft link simply points at a path. In the ls output above, softlink1 points at file1 and is an example of a soft link. If file1 is deleted, the soft link will point to nowhere. However, if a new file is created at the path the soft link points to, the soft link works again; keep in mind that it is now pointing at the new file.
Hard links are a bit different. The link points at the inode (see https://blogs.sans.org/computer-forensics/2008/12/24/understanding-indirect-blocks-in-unix-file-systems/ for an excellent blog on inodes by Hal Pomeranz). With a hard link, the original file can be deleted and the hard link will still work correctly because it still points to the inode for the file. Here is an example listing for a file and a hard link:
-rw------- 2 user1 users 0 Jul 5 12:02 file1
-rw------- 2 user1 users 0 Jul 5 11:57 hardlink1
One way to tell whether the file you are looking at has a hard link is to look at the link count field. In the output above it shows 2 for both file1 and hardlink1, which tells us that there are two names (links) for "each" file. If hardlink1 is deleted, the link count for file1 goes back to 1.
Another way is to use "ls -i". This will list the inode for each file. The output for the command is:
201945 file1
201945 hardlink1
201944 softlink1
So the inode for file1 is 201945. As stated before, a hard link points at the inode of the file, and the output above shows that hardlink1 points at inode 201945. Again, if I delete file1, hardlink1 can still be read, written, or executed because it still points at the inode of the file.
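The file1 / hardlink1 / softlink1 sequence described above can be reproduced and checked with the kernel's own inode and link-count data. This is an added example, not code from the original article; it uses a temporary directory and the constructed file contents shown in the code, and records each step so the claims can be verified rather than just printed.

```python
import os
import tempfile

def _read(path):
    with open(path) as f:
        return f.read()

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def link_experiment():
    """Reproduce the article's file1 / hardlink1 / softlink1 sequence in a temp
    directory and record what the kernel reports at each step."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        file1 = os.path.join(d, "file1")
        hard = os.path.join(d, "hardlink1")
        soft = os.path.join(d, "softlink1")
        _write(file1, "original contents\n")   # constructed sample content
        os.link(file1, hard)        # hard link: a second name for the same inode
        os.symlink("file1", soft)   # soft link: its own inode holding the path "file1"

        st = os.stat(file1)
        results["same_inode"] = st.st_ino == os.stat(hard).st_ino   # what "ls -i" shows
        results["link_count"] = st.st_nlink                          # the 2 in "ls -l"
        results["soft_has_own_inode"] = os.lstat(soft).st_ino != st.st_ino

        os.unlink(file1)            # delete the original name
        results["hard_after_delete"] = _read(hard)              # inode is still there
        results["count_after_delete"] = os.stat(hard).st_nlink  # back to 1
        # the soft link file itself survives, but it now points to nowhere
        results["soft_dangling"] = os.path.lexists(soft) and not os.path.exists(soft)
        results["soft_target"] = os.readlink(soft)

        _write(file1, "new file\n")  # a new file created under the old name
        results["soft_after_recreate"] = _read(soft)   # works again, to the new file
        results["hard_unchanged"] = _read(hard)        # still the original inode
    return results
```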
Going back to the file listing below:
-rw-r--r-- 1 user1 users 557 Feb 9 15:20 file1
User1 owns the file, and anyone belonging to the users group can access the file. The first two sets of permissions correspond to user1 and the users group respectively.
The next field, 557 here, is the size of the file in bytes. After that comes the last-modified timestamp, and finally the file or directory name.
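Putting the fields together, here is a small parser for "ls -l" lines of the form shown in this article, with a few flags an examiner would want called out while walking a listing. This is an added example, not code from the original article; the parse_ls_line and review_flags names are my own, and it handles the "major, minor" pair that replaces the size on device files and the " -> target" suffix on soft links, as in the listing above.

```python
import re

# Matches one line of "ls -l" output as shown in this article, including the
# "major, minor" pair that replaces the size on b/c device files and the
# " -> target" suffix on soft links.
LS_LINE = re.compile(
    r"^(?P<type>[-dlbcps])(?P<perms>[rwxsStT-]{9})\s+(?P<nlink>\d+)\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+,\s*\d+|\d+)\s+"
    r"(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<when>\d{2}:\d{2}|\d{4})\s+"
    r"(?P<name>.+)$"
)
TYPE_NAMES = {"-": "regular file", "d": "directory", "l": "symbolic link",
              "b": "block device", "c": "character device",
              "p": "named pipe", "s": "socket"}

def parse_ls_line(line):
    """Split an ls -l line into its fields; raises ValueError if it does not match."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    p = m.group("perms")
    entry = {
        "kind": TYPE_NAMES[m.group("type")],
        # three sets of three: user, group, Other
        "perms": {"user": p[0:3], "group": p[3:6], "other": p[6:9]},
        "nlink": int(m.group("nlink")),
        "owner": m.group("owner"), "group": m.group("group"),
        "mtime": "%s %s %s" % (m.group("mon"), m.group("day"), m.group("when")),
        "name": m.group("name"), "target": None, "size": None, "device": None,
    }
    if entry["kind"] == "symbolic link" and " -> " in entry["name"]:
        entry["name"], entry["target"] = entry["name"].split(" -> ", 1)
    if "," in m.group("size"):   # device files show "major, minor" instead of a size
        entry["device"] = tuple(int(x) for x in m.group("size").split(","))
    else:
        entry["size"] = int(m.group("size"))
    return entry

def review_flags(entry):
    """Points an examiner would note while walking a listing."""
    flags = []
    # the mode bits of a soft link itself are not consulted, so skip them here
    if entry["kind"] != "symbolic link" and "w" in entry["perms"]["other"]:
        flags.append("Other has write permission: anyone can modify it")
    if entry["kind"] == "regular file" and entry["nlink"] > 1:
        flags.append("%d names share this inode (hard links)" % entry["nlink"])
    if entry["kind"] == "symbolic link":
        flags.append("soft link to %s; dangles if that path is removed" % entry["target"])
    return flags
```

Feed it the lines from the listing at the top of the article (one string per line) to see each entry's type, permission sets, link count and flags.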
Keven Murphy, GCFA Gold #24, is the Senior Forensics/Incident Handler for General Dynamics Land Systems.