Back to Home 🏠 | Back to Introduction | Next: Stage: Analysis |
The first step in a digital forensics investigation is to identify the devices and resources containing the data that will be a part of the investigation (Gonzalez, 2022).
Since Splunk stores its files under the /opt/splunk directory, the first step was to locate the config.conf file (Figure 1). Basic file navigation commands were used to reach the specified directory and confirm the presence of the file. Correctly identifying the file at the outset ensured that later modifications would be made to the right target.
fstack@:~$ find /opt/splunk/ -name "config.conf"
/opt/splunk/etc/system/local/config.conf
Fig.1 Command to locate the config.conf file (find)
Subsequently, the file permissions of config.conf were assessed using the ls -l command (Figure 2). The output showed the permissions as 777 (rwxrwxrwx), granting read, write and execute access to the file's owner, its group and all other users. Because any user on the host could modify the file, this is a violation of the principle of least privilege and a direct risk to the file's integrity.
fstack@~$ cd /opt/splunk/etc/system/local; ls -l
-rwxrwxrwx 1 root root 238 Feb 16:59 config.conf
Fig.2 Commands to list the config.conf file (cd, ls -l)
To establish an integrity baseline, the md5sum command was used to calculate and record the MD5 hash of config.conf (Figure 3). Recomputing the hash after any modification and comparing it with this baseline shows whether the file's contents changed.
fstack@:/opt/splunk/etc/system/local$ md5sum config.conf
ad1f9b6cbcee6cd3efa6438149db5c1c config.conf
Fig.3 Command to hash the config.conf file (md5sum)
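The three identification steps above (locate the file, inspect its permissions, record a hash baseline) gathered into one runnable script, as an added example that is not part of the original write-up. The directory tree and the config.conf contents are constructed under a temporary directory so the script runs without a Splunk installation; the real path on the page is /opt/splunk/etc/system/local/config.conf. The script also adds the two checks the page implies but does not show: a test for the world-writable bit that the 777 mode grants, and a later re-hash against the recorded baseline to detect change.

```shell
#!/bin/sh
# Added example (not from the original page). The directory layout and the
# config.conf contents below are constructed so the script runs offline.

# Stand-in for the Splunk configuration tree.
DEMO_ROOT="$(mktemp -d)"
DEMO_DIR="$DEMO_ROOT/etc/system/local"
mkdir -p "$DEMO_DIR"
printf '[general]\nserverName = demo-host\n' > "$DEMO_DIR/config.conf"
chmod 777 "$DEMO_DIR/config.conf"   # reproduce the mode seen in Fig.2

# Step 1 (Fig.1): locate a file by name under a root directory.
locate_config() {
    find "$1" -name "$2" 2>/dev/null
}

# Step 2 (Fig.2): octal permission bits, machine-readable instead of ls -l.
# GNU stat first; the BSD/macOS form is the fallback.
perm_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when "others" hold the write bit, i.e. the file is world-writable.
is_world_writable() {
    mode="$(perm_mode "$1")"
    others="${mode#"${mode%?}"}"        # last octal digit = others' rwx bits
    [ $(( others & 2 )) -ne 0 ]
}

# Step 3 (Fig.3): record the baseline hash. md5sum matches the page; for a
# new baseline sha256sum is the stronger choice and is a drop-in replacement.
baseline_hash() {
    md5sum "$1" | cut -d' ' -f1
}

# Compare the current hash with a recorded baseline; 0 means unchanged.
verify_hash() {
    [ "$(baseline_hash "$1")" = "$2" ]
}

# Print the identification report for one file.
report() {
    f="$(locate_config "$1" "$2")"
    printf 'located: %s\n' "$f"
    printf 'mode:    %s\n' "$(perm_mode "$f")"
    if is_world_writable "$f"; then
        printf 'WARNING: file is world-writable (least-privilege violation)\n'
    fi
    printf 'md5:     %s\n' "$(baseline_hash "$f")"
}

report "$DEMO_ROOT" config.conf
```

Run it as `sh identify.sh`; the report mirrors Figures 1 to 3 for the constructed file and flags the 777 mode. Keep the baseline hash outside the directory being examined so that a later `verify_hash` comparison cannot be tampered with along with the file.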