
QUESTION

Create a 12-page paper that discusses e-crime investigation: a security breach on a Linux operating system.

If we elaborate on these further, the first timestamp, 'modify' or mtime, is updated when the contents of a file are changed. For a directory, mtime is updated when entries are created, renamed or deleted within that directory. The second timestamp, atime, is updated when a file is read or executed. The third timestamp, 'change' or ctime, is updated when the inode, the data structure holding a file's metadata (owner, group, permissions, link count and so on), is modified. During a forensic investigation, MAC times can provide comprehensive clues provided they have not been tampered with: mtime and atime can be set to arbitrary values by an attacker with touch(1) or utime(2), whereas ctime cannot be set directly through that interface, so it is the hardest of the three to forge. Taken together, the three timestamps illustrate the sequence of changes that occurred on the file system. Andy will use the mactime program, part of The Coroner's Toolkit (TCT), to print the MAC times for a set of files and get an in-depth view of what actually happened and how the attacker compromised the system. The mactime program builds a database of the timestamps associated with the files of the system (Nemeth, Snyder et al. 2007). It was detected that on September 20, a few days after the initial compromise, the attacker entered the system via telnet and started manipulating the file system and the server. The mactime output below (the compromised disk is mounted under /mount on the analysis machine) shows the evidence:

Sep 20 00 15:46:05 31376 .a. -rwxr-xr-x root root /mount/usr/sbin/in.telnetd
Sep 20 00 15:46:39 20452 ..c -rwxr-xr-x root root /mount/bin/login
...

About an hour after the system was compromised, a directory named /dev/ttypq/ was created on the file system, and soon afterwards suspicious, unknown files started appearing and being modified. The most suspicious files were named ipv6.0, rpc.status and rc.local:

Sep 20 00 16:49:47   949 ..c -rwxr-xr-x root root /mount/etc/rc.d/rc.local
                     209 ..c -rwx------ root root /mount/usr/sbin/initd
Sep 20 00 16:50:11  4096 .a.
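The following is an added example, not code from the paper and not TCT's own grave-robber or mactime scripts. It re-implements in Python what those two tools do for the timeline above: lstat every entry under a mounted image, split each file into one event per distinct timestamp with the m/a/c letters that share it, and print the events in mactime's layout (timestamp shown once, blank on following lines in the same second). It also adds the one check the /dev/ttypq/ case suggests, listing regular files hiding under /dev. The function names, the build_sample_tree() helper and the sample tree it constructs (a planted ipv6.0 whose mtime/atime have been back-dated with utime) are this example's own assumptions.

```python
"""Added example: a minimal grave-robber + mactime in Python (not TCT's code)."""
import os
import stat
import time
from dataclasses import dataclass

try:
    import pwd
    import grp
except ImportError:          # not a Unix host: fall back to numeric ids
    pwd = grp = None


@dataclass
class Record:
    path: str
    size: int
    mode: str      # ls-style string, e.g. -rwxr-xr-x
    uid: int
    gid: int
    mtime: int     # content last modified
    atime: int     # content last read or executed
    ctime: int     # inode (metadata) last changed


def collect(root):
    """Walk `root` and lstat every entry. Symlinks are not followed: we want the
    link's own timestamps and must not wander off the mounted image."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            records.append(Record(p, st.st_size, stat.filemode(st.st_mode),
                                  st.st_uid, st.st_gid,
                                  int(st.st_mtime), int(st.st_atime), int(st.st_ctime)))
    return records


def timeline(records):
    """One event per distinct timestamp of each file, tagged 'ma.', '..c', etc.,
    sorted by time the way mactime sorts its output."""
    events = []
    for r in records:
        by_time = {}
        for t, letter in ((r.mtime, "m"), (r.atime, "a"), (r.ctime, "c")):
            by_time.setdefault(t, set()).add(letter)
        for t, letters in by_time.items():
            flags = "".join(x if x in letters else "." for x in "mac")
            events.append((t, flags, r))
    events.sort(key=lambda e: (e[0], e[2].path))
    return events


def _name(ident, lookup, attr):
    try:
        return getattr(lookup(ident), attr)
    except (KeyError, TypeError, AttributeError):
        return str(ident)


def format_timeline(events):
    """Render in mactime's layout: the timestamp is printed once and left blank
    on following lines that fall in the same second."""
    lines, last = [], None
    for t, flags, r in events:
        stamp = time.strftime("%b %d %y %H:%M:%S", time.gmtime(t)) if t != last else " " * 18
        owner = _name(r.uid, pwd.getpwuid if pwd else None, "pw_name")
        group = _name(r.gid, grp.getgrgid if grp else None, "gr_name")
        lines.append(f"{stamp} {r.size:>8} {flags} {r.mode} {owner} {group} {r.path}")
        last = t
    return lines


def regular_files_under(records, prefix):
    """/dev should hold device nodes, symlinks and a few directories, so a regular
    file beneath it (like /dev/ttypq/ipv6.0 above) is a classic hiding place."""
    prefix = prefix.rstrip("/") + "/"
    return [r for r in records if r.path.startswith(prefix) and r.mode.startswith("-")]


def build_sample_tree():
    """Constructed sample standing in for the image under /mount (assumption, not
    evidence from the case). Returns (root, planted_path, back_dated_epoch)."""
    import tempfile
    root = tempfile.mkdtemp()
    hide = os.path.join(root, "dev", "ttypq")
    os.makedirs(hide)
    planted = os.path.join(hide, "ipv6.0")
    with open(planted, "wb") as fh:
        fh.write(b"\x7fELF")
    then = 969468587                       # Sep 20 00 16:49:47 UTC
    os.utime(planted, (then, then))        # attacker back-dates mtime/atime; ctime stays "now"
    return root, planted, then


if __name__ == "__main__":
    root, planted, _ = build_sample_tree()
    recs = collect(root)
    for line in format_timeline(timeline(recs)):
        print(line)
    print("regular files under dev:", [r.path for r in regular_files_under(recs, os.path.join(root, "dev"))])
```

Run it against the mount point of a read-only image (collect("/mount")) and the back-dated file shows up twice: once at the forged time with 'ma.' and once at the real time with '..c', because utime(2) leaves ctime alone; that split is exactly what mactime exposes in the rc.local and initd lines above.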
