SSH Forensics Analysis

Learn how to investigate SSH-related security incidents through forensic analysis of logs, configurations, and system artifacts.


What is SSH Forensics?

SSH forensics involves the collection, preservation, and analysis of evidence related to SSH connections and activities. This process helps security professionals investigate potential security incidents, detect unauthorized access, and understand attack patterns.

Figure: SSH Forensics Investigation Process

SSH Log Analysis

SSH logs are a primary source of evidence in SSH forensic investigations. They record authentication attempts, successful logins, and various SSH-related activities.

Common SSH Log Locations

SSH Log Locations by OS

# Debian/Ubuntu
/var/log/auth.log

# RHEL/CentOS/Fedora
/var/log/secure

# OpenBSD
/var/log/authlog

# FreeBSD
/var/log/auth.log

# Systemd Journal
journalctl _COMM=sshd

Key Log Entry Types

  • Authentication Attempts: Records of login attempts, both successful and failed
  • Session Establishment: Information about established SSH sessions
  • Key-Based Authentication: Records of key-based authentication attempts
  • Connection Closures: Information about terminated SSH connections
  • Configuration Changes: Records of changes to SSH server configuration

Figure: SSH Log Entry Types

Log Analysis Techniques

Several techniques can be used to effectively analyze SSH logs:

Basic SSH Log Analysis Commands

# Find failed login attempts
grep "Failed password" /var/log/auth.log

# Find successful logins
grep "Accepted" /var/log/auth.log

# Count failed login attempts by source IP
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr

# Find login attempts for specific user
grep "Failed password.*for root" /var/log/auth.log

Figure: SSH Log Analysis Dashboard. Advanced log analysis tools can visualize SSH activity patterns and anomalies.

SSH Artifact Analysis

Beyond logs, various SSH-related artifacts can provide valuable forensic evidence.

SSH Configuration Analysis

Examining SSH server and client configurations can reveal unauthorized changes or security weaknesses.

Key SSH Configuration Files

# Server configuration
/etc/ssh/sshd_config

# Client configuration
/etc/ssh/ssh_config
~/.ssh/config

# Host keys
/etc/ssh/ssh_host_*_key
/etc/ssh/ssh_host_*_key.pub

SSH Key Analysis

Analyzing SSH keys can help identify unauthorized access methods or backdoors.

Key Files to Examine

  • Authorized Keys: ~/.ssh/authorized_keys files for all users
  • Known Hosts: ~/.ssh/known_hosts files for connection history
  • User Private Keys: ~/.ssh/id_* files for potential exfiltration
  • Host Keys: /etc/ssh/ssh_host_*_key files for potential tampering

Figure: SSH Key Forensic Analysis

Analyzing Authorized Keys

# Find all authorized_keys files
find / -name "authorized_keys" -type f 2>/dev/null

# Check creation/modification times
stat ~/.ssh/authorized_keys

# Extract key fingerprints (ssh-keygen -l prints a fingerprint for each key in the file;
# looping over $(cat ...) would split every line into separate words and break the parsing)
ssh-keygen -lf ~/.ssh/authorized_keys
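As an added example (not code from the original page), the Python parser below reads an authorized_keys file the way sshd does, including the options field (command=, from=, no-pty) that a naive word-split loop trips over, and computes the same SHA256 fingerprint that ssh-keygen -l prints, so each entry can be matched against the fingerprint sshd logs on "Accepted publickey" lines. The sample file, the key blobs (wire-format ssh-ed25519 keys whose key bytes are all 0x01 or 0x02) and the function names are constructed for this example.

```python
import base64
import hashlib
import re

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")

# Constructed sample authorized_keys. The blobs are ssh-ed25519 wire-format keys whose
# 32 key bytes are all 0x01 or 0x02: placeholders, not real credentials.
K1 = "AAAAC3NzaC1lZDI1NTE5AAAAIAEB" + "AQEB" * 10
K2 = "AAAAC3NzaC1lZDI1NTE5AAAAIAIC" + "AgIC" * 10
SAMPLE_AUTHORIZED_KEYS = f"""\
# deploy keys
ssh-ed25519 {K1} alice@laptop
command="/usr/bin/rsync --server",no-pty,from="10.0.0.0/8" ssh-ed25519 {K2} backup
ssh-ed25519 {K1}
"""

def _split_options(line):
    # Options end at the first space outside double quotes (command="..." may contain spaces).
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def fingerprint(b64blob):
    # The value ssh-keygen -l prints: unpadded base64 of SHA-256 over the decoded key blob.
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if not line.startswith(KEY_TYPES):
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        entries.append({
            "type": parts[0], "fingerprint": fingerprint(parts[1]),
            "comment": parts[2] if len(parts) == 3 else "",
            # split the options on commas that sit outside double quotes
            "options": [o for o in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', options) if o],
        })
    return entries
```

The third sample entry carries the same key as the first but no comment, which is the kind of entry an analyst has to account for: the fingerprint, not the comment, identifies the key.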

Memory Analysis

Analyzing system memory can reveal active SSH sessions, decrypted keys, and other volatile evidence.

Figure: SSH Memory Forensics

SSH Network Forensics

Analyzing network traffic can provide insights into SSH connection patterns and potential data exfiltration.

SSH Traffic Analysis

While SSH traffic is encrypted, metadata analysis can still provide valuable information.

SSH Traffic Analysis with tcpdump

# Capture SSH traffic
tcpdump -i eth0 -n "tcp port 22" -w ssh_traffic.pcap

# Analyze SSH connections
tcpdump -r ssh_traffic.pcap -n "tcp[tcpflags] & (tcp-syn|tcp-fin) != 0"

# Sum bytes sent per source endpoint (tcpdump prints "length N" for each TCP segment;
# counting $3 alone only counts packets, not transferred data)
tcpdump -r ssh_traffic.pcap -n "tcp port 22" | awk '{for (i = 1; i <= NF; i++) if ($i == "length") bytes[$3] += $(i+1)} END {for (s in bytes) print bytes[s], s}' | sort -nr

Figure: SSH Network Traffic Analysis. Network traffic analysis can reveal SSH connection patterns and anomalies.

SSH Tunnel Detection

Investigators also look for SSH tunnels used for data exfiltration or command and control.

SSH Timeline Analysis

Creating a timeline of SSH-related events can help understand the sequence and context of suspicious activities.

Creating an SSH Activity Timeline

Combine timestamps from log entries and file metadata into a single, comprehensive timeline.

Timeline Creation Example

# Extract sshd events ordered by month, day and time (syslog timestamps carry no year;
# blanking the time field and sorting month names alphabetically would scramble the order)
grep sshd /var/log/auth.log | sort -s -k1,1M -k2,2n -k3,3

# Combine with file modification times
find ~/.ssh -type f -exec stat --format="%y %n" {} \; | sort

Figure: SSH Forensic Timeline

SSH Forensics Case Studies

Case Study: Brute Force Attack Detection

This case study identifies and analyzes a brute force SSH attack through log analysis.

Brute Force Attack Indicators

  • Multiple failed login attempts from the same IP address
  • Failed attempts for multiple usernames
  • Regular timing patterns in login attempts
  • Attempts originating from known malicious IP ranges

Figure: SSH Brute Force Attack Pattern
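As an added example, not part of the original page, the Python script below turns the grep one-liners from the log analysis section and the brute force indicators above into a small detector: it parses the Accepted/Failed sshd lines from a constructed auth.log excerpt, then reports per source IP the failure count, the usernames tried, whether the attempts arrive at regular intervals, and any successful login that followed the failures. The log lines, hostnames and IPs are constructed samples, and the year is an assumption the analyst supplies because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample auth.log excerpt (syslog format, so no year); not from a real host.
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 10 02:14:03 web1 sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Mar 10 02:14:05 web1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 40126 ssh2
Mar 10 02:14:07 web1 sshd[2207]: Failed password for root from 198.51.100.7 port 40128 ssh2
Mar 10 02:14:09 web1 sshd[2209]: Accepted password for root from 198.51.100.7 port 40130 ssh2
Mar 10 08:30:11 web1 sshd[3100]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Mar 10 08:30:40 web1 sshd[3102]: Accepted publickey for alice from 203.0.113.5 port 51002 ssh2: ED25519 SHA256:placeholder
"""
# Matches the "Accepted"/"Failed" lines the page greps for, including the "invalid user" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(text, year):
    # syslog timestamps carry no year; the analyst supplies it (e.g. from the file's mtime)
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "ok": m["result"] == "Accepted", "method": m["method"],
                           "user": m["user"], "ip": m["ip"]})
    return events

def brute_force_report(events, min_failures=3, max_jitter=2.0):
    # Per source IP: failures, usernames tried, regular timing (std dev of gaps <= max_jitter) and any later success.
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        if len(fails) < min_failures:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fails, fails[1:])]
        report[ip] = {
            "failures": len(fails), "usernames": sorted({e["user"] for e in fails}),
            "regular_timing": len(gaps) >= 2 and pstdev(gaps) <= max_jitter,
            "success_after_failures": [(e["user"], e["method"]) for e in evs
                                       if e["ok"] and e["ts"] >= fails[0]["ts"]],
        }
    return report
```

On the sample, 198.51.100.7 is reported (four failures across three usernames at two-second intervals, then an accepted password for root), while the single failure from 203.0.113.5 followed by a key login stays below the threshold.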

Case Study: SSH Backdoor Detection

This case study identifies an SSH backdoor through configuration and artifact analysis.

Essential SSH Forensics Tools

Several specialized tools can assist in SSH forensic investigations:

  • Log2Timeline/Plaso: Timeline creation and analysis tool
  • Volatility: Memory forensics framework
  • The Sleuth Kit: Disk image forensics toolkit
  • Wireshark: Network traffic analysis tool
  • OSSEC: Host-based intrusion detection system with SSH monitoring
  • ELK Stack: Log collection, analysis, and visualization platform

SSH Forensics Best Practices

Follow these best practices for effective SSH forensic investigations:


  • Preserve original logs and evidence
  • Maintain proper chain of custody
  • Use write blockers when analyzing disk evidence
  • Create timeline of events
  • Document all findings and procedures
  • Correlate evidence from multiple sources
  • Look for patterns and anomalies
  • Consider the context of SSH activities

Frequently Asked Questions

What is SSH forensics?

SSH forensics involves the collection, preservation, and analysis of evidence related to SSH connections and activities. This process helps security professionals investigate potential security incidents, detect unauthorized access, and understand attack patterns.

Where are SSH logs stored?

SSH logs are typically stored in different locations depending on the operating system:
  • Debian/Ubuntu: /var/log/auth.log
  • RHEL/CentOS/Fedora: /var/log/secure
  • OpenBSD: /var/log/authlog
  • FreeBSD: /var/log/auth.log
  • Systemd Journal: accessible via journalctl _COMM=sshd

Which artifacts should be examined during SSH forensic analysis?

Key artifacts to examine during SSH forensic analysis include:
  1. SSH server and client logs
  2. SSH configuration files (/etc/ssh/sshd_config, /etc/ssh/ssh_config)
  3. User SSH keys (~/.ssh/id_* files)
  4. Authorized keys files (~/.ssh/authorized_keys)
  5. Known hosts files (~/.ssh/known_hosts)
  6. System memory for active SSH sessions
  7. Network traffic captures
  8. Command history files (~/.bash_history)

How can SSH tunneling be detected during forensic analysis?

To detect SSH tunneling during forensic analysis, look for:
  • Unusual SSH traffic patterns or volumes
  • SSH connections with port forwarding parameters in process listings
  • SSH server logs showing port forwarding requests
  • Connections to unusual ports from the SSH server
  • Long-lived SSH connections
  • SSH connections from unusual source locations
  • Network traffic analysis showing encapsulated protocols within SSH connections

Which tools are useful for SSH forensic analysis?

Useful tools for SSH forensic analysis include:
  • Log2Timeline/Plaso: Timeline creation and analysis tool
  • Volatility: Memory forensics framework
  • The Sleuth Kit: Disk image forensics toolkit
  • Wireshark: Network traffic analysis tool
  • OSSEC: Host-based intrusion detection system with SSH monitoring
  • ELK Stack: Log collection, analysis, and visualization platform
  • Grep and other command-line tools for log analysis