Linux Directories

In any operating system, there are key directories that are important to the functioning of that operating system. In Linux, these directories are important places to seek out evidence. Knowing the general purpose of the major directories, as well as their potential forensic importance, is useful in conducting a forensic analysis of a Linux system.

The /root Directory

The /root directory is the home directory of the root user, the Linux superuser, which is roughly the equivalent of the Administrator account in Windows. Anything root has saved is here, which includes artifacts of direct interest to an examiner such as the root user's shell history (for example, .bash_history) and any SSH keys under /root/.ssh. Note that /root is separate from /, the top of the file system, and from /home, where ordinary users' home directories live.

The /bin Directory

The /bin directory holds binary (compiled) files: the essential user commands such as ls, cp, and sh. Because it holds executables, programs, including some malware or a trojaned replacement for a legitimate command, may be found here, so you absolutely should examine this directory. On recent distributions /bin is often a symbolic link to /usr/bin, so the two may be the same directory. Where the system has a package manager, its verification facility (rpm -V on RPM-based systems, debsums on Debian-based systems) reports binaries whose hashes no longer match the installed package. You can see an example of this directory in FIGURE 9-3.

The /sbin Directory

This directory is similar to /bin, but it contains system binaries that are not intended for the average user and are normally run by the administrator. For example, mke2fs, the utility that creates ext2/ext3/ext4 file systems, lives here.

The /etc Directory

The /etc directory contains configuration files. Most applications read some configuration when they start, and web servers, boot loaders (LILO and GRUB), system services, user accounts (/etc/passwd and /etc/shadow), and many other things keep their configuration files here. An intruder who wants to change how an application behaves, gain persistence, or disable a security control will edit these files, so web server, boot loader, account, and security software configuration files are attractive targets and should be compared against known-good copies or the package manager's hashes.

The /etc/inittab File

This file is where the SysV init process configures boot-up and operation; for example, the run level the system enters at start-up is set here. A sophisticated attacker might alter inittab to change the behavior of the system, or to have init keep restarting a program of the attacker's choosing, and some advanced malware does the same. Distributions that use systemd no longer read /etc/inittab; the equivalent places to check are the unit files and targets under /etc/systemd/system and /usr/lib/systemd/system.

The inittab has a number of entries, one per line. Each is defined by four fields separated by colons (label:run_level:action:process); blank lines and lines beginning with # are ignored. The fields are the following:

  • label—A unique identification label of up to four characters.

  • run_level—The run level(s) at which the entry is executed.

  • action—A keyword indicating the action that init is to take on the process.

  • process—The process init executes upon entering the specified run level.

Common action keywords include the following:

  • boot—Starts the process and continues to the next entry without waiting for the process to complete. When the process dies, init does not restart the process.

  • bootwait—Starts the process once and waits for it to terminate before going on to the next inittab entry.

  • initdefault—Determines which run level to enter initially, using the highest number in the run_level field. If there is no initdefault entry in inittab, then init requests an initial run level from the user at boot time.

  • sysinit—Starts the process the first time init reads the table and waits for it to terminate before going on to the next inittab entry.

  • respawn—Starts the process and restarts it whenever it terminates. This is the action used for the login gettys, and it is also the one an intruder would use to keep a planted program running.

    FIGURE 9-3
    The /bin directory.

The /dev Directory

This directory contains device files. Device files are really interfaces to devices, including drives. Storage devices, sound devices, and, in fact, all of your devices should have a device file located in this directory. Some naming conventions can help you navigate it: on older kernels IDE hard drives start with hd (the first drive is /dev/hda and its first partition /dev/hda1), SCSI, SATA, and USB disks start with sd (/dev/sda, /dev/sda1), NVMe drives appear as /dev/nvme0n1, floppy drives start with fd (/dev/fd0), and the CD drive is usually reachable through /dev/cdrom or /dev/sr0. There is a device file for the whole disk and one for each partition, which matters when you image a drive: the whole-disk device captures the partition table and any unallocated space between partitions, which the partition devices do not.

The /mnt Directory

Removable devices and additional file systems are traditionally mounted under /mnt (modern desktop distributions mount removable media automatically under /media or /run/media and use /mnt for temporary, manual mounts). Any file system must be mounted before its files can be used. Mounting does not load the device into memory; it attaches the file system on that device to a directory, the mount point, so that it appears as part of the directory tree. From a forensic perspective, the reliable way to learn what is currently mounted is the kernel's own list in /proc/mounts (or the output of the mount command), which shows the device, the mount point, the file system type, and the options; a directory under /mnt may be empty even while a device is mounted elsewhere. When you mount evidence yourself, mount it read-only (for example, mount -o ro,noexec) so that the examination does not alter it.
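Because a listing of /mnt says nothing reliable about what is mounted, the following added example (not from the book) reads the kernel's mount table instead. It works on a constructed /proc/mounts sample; the device names, paths, and function names are illustrative, and on a live system you would feed it the real file.

```sh
# Added example (not from the book): read the kernel's mount table the way an
# examiner would on a live system, instead of trusting what is visible under /mnt.
# The table below is a constructed /proc/mounts sample; device names, paths and
# options are illustrative. Each line is: device mountpoint fstype options dump pass.

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /mnt/usb vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sr0 /media/cdrom iso9660 ro,nosuid,nodev,relatime 0 0
/dev/loop3 /mnt/evidence ext4 ro,noexec,noload 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# mount_summary TEXT: one line per mount: mountpoint, device, type, and whether
# the mount is writable. The kernel writes a space in a path as \040; decode it.
mount_summary() {
    printf '%s\n' "$1" | awk '
        NF >= 4 {
            mp = $2; gsub(/\\040/, " ", mp)
            mode = ($4 ~ /(^|,)ro(,|$)/) ? "read-only" : "writable"
            printf "%-16s %-12s %-8s %s\n", mp, $1, $3, mode
        }'
}

# external_mounts TEXT: mount points under /mnt, /media or /run/media, which is
# where removable or attached evidence normally appears. Prints "mountpoint device mode".
external_mounts() {
    printf '%s\n' "$1" | awk '
        NF >= 4 && $2 ~ /^\/(mnt|media|run\/media)\// {
            mode = ($4 ~ /(^|,)ro(,|$)/) ? "ro" : "rw"
            print $2, $1, mode
        }'
}

# writable_external_mounts TEXT: the subset an examiner should worry about,
# because anything mounted read-write can still be altered by the running system.
writable_external_mounts() {
    external_mounts "$1" | awk '$3 == "rw" { print $1 }'
}

# On a live system: mount_summary "$(cat /proc/mounts)"
mount_summary "$SAMPLE_MOUNTS"
echo "writable external mounts: $(writable_external_mounts "$SAMPLE_MOUNTS")"
```

In the sample, /mnt/evidence is what a forensic mount of an image looks like (a loop device, read-only, noexec, and noload so the journal is not replayed), while /mnt/usb is a read-write stick the running system could still be writing to.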

The /boot Directory

The /boot directory contains those files critical for booting. Your boot loader (whether it is LILO or GRUB) looks in this directory, and its configuration usually lives here or under /boot/grub. It is common practice to keep kernel images and the initial RAM disk (initrd or initramfs) images in this directory. An intruder who can replace the kernel or the initramfs controls the system before any security software has loaded, so these files are worth hashing and comparing against the distribution's packages.

The /usr Directory

Despite its name, /usr does not hold users' personal directories; it holds the bulk of the installed user-land software: programs in /usr/bin and /usr/sbin, libraries in /usr/lib, and locally installed software under /usr/local. Users' home directories live under /home, one subdirectory per user (for example, /home/alice). In cases of suspected corporate espionage, those home directories, with their documents, browser data, and shell history, are where valuable evidence is most likely to be found.

The /var Directory

The /var directory contains variable data that changes during system operation: logs in /var/log, queues in /var/spool, caches, and the run-time state of services. It is a mistake to treat it as useful only on a live system. Some of its contents (lock files, caches, and the run-time state under /var/run) are rewritten at the next boot, but the logs in /var/log (for example, auth.log or secure, which record logins and sudo use, and a web server's access logs) persist across reboots and are among the most important evidence on the machine. Copy them early, because log rotation and a careful intruder both remove them.

FIGURE 9-4
The /proc directory.

The /var/spool Directory

This directory holds queues of work waiting to be processed: the print queue, mail in /var/spool/mail, and the per-user crontab files under /var/spool/cron. The print queue can be very important if something is currently queued, and the crontab files are a favorite place for an intruder to schedule a program that re-establishes access.

The /proc Directory

The /proc directory is different from any other directory in that it is not stored on your hard disk. It is a virtual file system that the kernel creates in memory, and it exposes information about currently running processes (one numbered subdirectory per process ID) as well as kernel state such as the mount table (/proc/mounts) and the loaded kernel modules (/proc/modules). If you have a live Linux system and you want to see what is running on that system before powering it down, the contents of this directory can be very useful. You can see an example of the contents of a /proc directory in FIGURE 9-4.

This directory has subdirectories, one per process ID, that can be used to recover files and evidence. Consider this scenario: Assume that an intruder has downloaded a password cracker and is attempting to crack system passwords. The tool is trying a number of passwords from a text file called pass. The intruder then deletes both the executable and the text file, but the process is still running in memory. You can use ps or pstree to find the running processes and get the process ID. Assume the process ID is 3201; in the /proc directory you will find /proc/3201. Inside it, exe is a symbolic link to the program's executable (reading the link shows the original path followed by (deleted)), and copying /proc/3201/exe to some other directory recovers the deleted executable, because the kernel keeps a file's data as long as a running process still has it open or mapped. The same applies to the wordlist: if the process still holds it open, /proc/3201/fd lists the descriptor and copying /proc/3201/fd/N recovers its contents, while /proc/3201/cmdline and /proc/3201/cwd show how the tool was started and from where. Of course, this works only on a live system, prior to shutting it down; once the process exits or the system reboots, the data is gone.
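The recovery described in this scenario, as an added example that is not from the book: a POSIX shell script that stages the situation (a copy of the system's sleep binary standing in for the cracker, a constructed wordlist on its standard input, both files deleted while it runs) and then pulls both back out of /proc. The function names, the temporary paths, and the wordlist contents are illustrative, and it needs a live Linux system with /proc.

```sh
# Added example (not from the book): recover a deleted executable and a deleted
# wordlist from a still-running process via /proc, as in the scenario above.
# Requires a live Linux system with /proc. The "password cracker" staged here is
# just a copy of the system's sleep binary, and the wordlist is constructed.

# recover_exe PID DEST: copy the process image out of /proc/PID/exe. The link
# target ends in " (deleted)" once the file is unlinked, but the kernel keeps the
# inode alive while the process runs, so the copy still succeeds. Prints the target.
recover_exe() {
    target=$(readlink "/proc/$1/exe") || return 1
    cp "/proc/$1/exe" "$2" || return 1
    printf '%s\n' "$target"
}

# recover_fd PID FD DEST: copy whatever file descriptor FD of PID refers to.
# Works for a file the process still has open even after it was deleted.
recover_fd() {
    target=$(readlink "/proc/$1/fd/$2") || return 1
    cat "/proc/$1/fd/$2" > "$3" || return 1
    printf '%s\n' "$target"
}

# wait_for_exec PID NAME: the shell forks before it execs, so give the child a
# moment to become NAME before reading /proc/PID/exe (polls for up to 5 s).
wait_for_exec() {
    n=0
    while [ "$n" -lt 5 ]; do
        case "$(readlink "/proc/$1/exe" 2>/dev/null)" in */"$2"*) return 0 ;; esac
        n=$((n + 1)); sleep 1
    done
    return 1
}

# demo_recover: stage the scenario (run the tool with the wordlist on stdin, then
# delete both files), recover both from /proc, and verify the copies against the
# originals. Prints "ok" on success.
demo_recover() {
    work=$(mktemp -d) || return 1
    cp "$(command -v sleep)" "$work/cracker" || return 1
    printf 'password\n123456\nletmein\n' > "$work/pass"   # constructed wordlist
    cp "$work/pass" "$work/pass.reference"                  # kept only to verify
    "$work/cracker" 60 < "$work/pass" > /dev/null 2>&1 &
    pid=$!
    wait_for_exec "$pid" cracker || { kill "$pid"; rm -rf "$work"; return 1; }
    rm "$work/cracker" "$work/pass"                         # the intruder cleans up

    exe_link=$(recover_exe "$pid" "$work/recovered_cracker")
    fd_link=$(recover_fd "$pid" 0 "$work/recovered_pass")
    kill "$pid"
    status=1
    case "$exe_link" in *"(deleted)")
        case "$fd_link" in *"(deleted)")
            if cmp -s "$work/recovered_cracker" "$(command -v sleep)" &&
               cmp -s "$work/recovered_pass" "$work/pass.reference"; then
                status=0
            fi ;;
        esac ;;
    esac
    rm -rf "$work"
    if [ "$status" -eq 0 ]; then echo ok; fi
    return "$status"
}

demo_recover
```

On a real system you would skip the staging and run recover_exe and recover_fd against the PID that ps or pstree reported, after listing /proc/PID/fd to pick the descriptor, and copy the results to your evidence drive rather than to the suspect machine's own disk.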
