## Introduction

Linux systems provide a command-line environment called the shell. Shells exist on Windows as well, but on Linux and macOS the command line is still the primary way of administering the system, so a large part of a user's activity passes through it. If you have ever used a shell, you know it remembers the commands you typed earlier and lets you recall them. For that to work, the commands must be kept somewhere, and the first question that comes to mind is whether that storage is volatile. If the history survives in non-volatile storage, it has to be saved in some form of file or variable. How do we find out? Easy peasy: turn the computer off, turn it back on, and check whether the old commands are still remembered. (They are.) So the commands are saved to a file, and the name and format of that file depend on which shell the user has chosen. Today we will look at the most commonly used shell: the Bash shell.

## Path

There is a built-in command called `history` that lets a user recall previously used commands without knowing where they are stored. For forensic work it has drawbacks: it can only be run inside a live session of the user in question, its output is that session's in-memory history list rather than the contents of the file on disk, and unless `HISTTIMEFORMAT` is set in that session it shows no timestamps. When all you have is a disk image there is no session to run it in, so the path of the history file must be known. The file is named `.bash_history` and it lives in the home directory of the logged-on user, so the path differs per user:

```
~/.bash_history
```

Keep in mind that this is only the default: the `HISTFILE` variable can move the file elsewhere, and `HISTSIZE`/`HISTFILESIZE` control how many entries are kept, so a user's rc files (`.bashrc`, `.bash_profile`) are worth a look when the file is missing or suspiciously short.

## Data

Before we look at the data inside the history file, let's see how Bash handles it. While a user is logged on, the commands of the session are kept in the shell's memory (RAM). When the shell exits normally (the user logs off), Bash writes the in-memory list to `.bash_history`. So it is useful to know that the commands of a session are lost when the system suddenly goes down (power loss, or the shell being killed with `SIGKILL`) before the shell gets to write them. Note also that by default the last shell to exit overwrites the file with its own list, so with several concurrent sessions one session's commands can overwrite another's.

![[Pasted image 20231126164257.png]]

Let's look at the example.
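Because the path depends on the account, the first triage step on a mounted image is to enumerate the interactive accounts from `/etc/passwd` and check each home directory for a `.bash_history`. The following Python script is an added example written for this article, not code from the article's author; the directory tree and the `/etc/passwd` contents it builds are constructed for the demo. It reports the state of every account's history file (present, empty, missing, or a symlink, which matters because a link to `/dev/null` would otherwise look like an existing file on the analysis host) and pulls any history-related settings out of the account's rc files, since `HISTFILE` or `HISTSIZE=0` explains an absent or empty file.

```python
"""Added example: locate each account's .bash_history under a mounted image root.

Example code written for this article (not the author's). The root directory and
the /etc/passwd contents below are constructed for the demo.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed /etc/passwd for the demo (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
"""

RC_FILES = (".bashrc", ".bash_profile", ".profile")
NON_LOGIN_SHELLS = ("nologin", "false")


def parse_passwd(text):
    """Yield (user, home, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            yield fields[0], fields[5], fields[6]


def history_config_hints(home_dir):
    """Non-comment rc-file lines that touch history settings.

    A relocated HISTFILE or HISTSIZE=0 explains an absent or empty history file.
    """
    hints = []
    for name in RC_FILES:
        rc = home_dir / name
        if not rc.is_file():
            continue
        for raw in rc.read_text(errors="replace").splitlines():
            line = raw.strip()
            if line.startswith("#"):
                continue
            if any(key in line for key in ("HISTFILE", "HISTSIZE", "HISTTIMEFORMAT")):
                hints.append(f"{name}: {line}")
    return hints


def find_bash_histories(root):
    """One finding per interactive account: path and state of its .bash_history."""
    root = Path(root)
    passwd_text = (root / "etc" / "passwd").read_text()
    findings = []
    for user, home, shell in parse_passwd(passwd_text):
        if os.path.basename(shell) in NON_LOGIN_SHELLS:
            continue  # service accounts never get an interactive shell
        home_dir = root / home.lstrip("/")
        hist = home_dir / ".bash_history"
        finding = {"user": user, "path": str(hist), "hints": history_config_hints(home_dir)}
        if not home_dir.is_dir():
            finding["state"] = "no-home"
        elif hist.is_symlink():
            # Must be tested before exists(): a link to /dev/null resolves on the
            # analysis host and would otherwise be reported as a present file.
            finding["state"] = "symlink"
            finding["target"] = os.readlink(hist)
        elif not hist.exists():
            finding["state"] = "missing"
        else:
            st = hist.stat()
            finding["state"] = "empty" if st.st_size == 0 else "present"
            finding["size"] = st.st_size
            finding["mtime"] = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
        findings.append(finding)
    return findings


def build_demo_root():
    """Create a throwaway tree that mimics a mounted root filesystem (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="img-root-"))
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text(SAMPLE_PASSWD)
    (root / "root").mkdir()
    (root / "root" / ".bash_history").write_text("apt update\nsystemctl status sshd\n")
    (root / "home" / "alice").mkdir(parents=True)
    (root / "home" / "alice" / ".bash_history").write_text("ls\ncd work\nls -la\n")
    (root / "home" / "bob").mkdir(parents=True)  # history disabled, no file at all
    (root / "home" / "bob" / ".bashrc").write_text("export HISTSIZE=0\n")
    (root / "home" / "carol").mkdir(parents=True)  # classic anti-forensic trick
    os.symlink("/dev/null", root / "home" / "carol" / ".bash_history")
    return root


if __name__ == "__main__":
    for finding in find_bash_histories(build_demo_root()):
        print(finding)
```

On a real case, point `find_bash_histories` at the mount point of the image instead of the demo tree; the "missing", "empty" and "symlink" states are findings in their own right and lead straight into the anti-forensic discussion later in this article.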
The image above shows the `.bash_history` file after the machine was rebooted and several `ls` commands were typed in the new session. As shown, there is no trace of them in the file yet. What happens if we reboot again?

![[Pasted image 20231126164312.png]]

The contents are updated, as marked by the red box. At this point we can be sure that the data sits in memory before it is saved to the `.bash_history` file. Given a memory dump, the in-memory history could be analysed, but that requires memory forensics. It is too much for us now; we'll handle it in other articles such as [[Projects/Forensic-Cheatsheet/EN/Tools/(EN) Volatility#Linux]] with [Volatility](https://github.com/Rajpratik71/volatility-wiki/blob/master/Linux-Command-Reference.md#linux_bash) (the `linux_bash` plugin).

The data inside the file looks very simple: by default there is nothing but command lines, one per line. Command timestamps, which are crucial in an investigation, would help a lot if they were present. They appear only if the user has set the `HISTTIMEFORMAT` environment variable. When it is set, Bash records a timestamp for each command by writing an extra line of the form `#<epoch seconds>` in front of the command in the file; the format given in the variable is what the `history` command uses when it displays those timestamps:

```
export HISTTIMEFORMAT="%F %T "
```

From a digital forensic perspective, however, we must assume an ordinary user, so information that is written without any special user configuration has to be considered first. Keep in mind that the history file saves only commands, but when the variable is set there may be timestamps as well.

The lack of additional information such as timestamps does not make the data worthless. Not at all. Each `.bash_history` file belongs to one user account and sits in that account's home directory, so we can infer that a given command was issued by that account, which is important in itself; the file also preserves the order in which the commands were typed. Moreover, in a CLI environment, opening a file or executing a program is done by typing a command, so traces of those actions are recorded.
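When timestamps are present they are not in the `%F %T` form shown above but as separate `#<epoch>` marker lines, and a file may mix marked and unmarked entries if the variable was set in only some of the user's sessions. The parser below is an added example written for this article, not code from the article's author; the sample history text is constructed and the epoch values are arbitrary. It applies each marker to the command line that follows it (as Bash does when it loads the file), leaves entries without a marker undated, treats a typed shell comment such as `# note ...` as a command rather than a timestamp, and renders the result the way `history` would with `HISTTIMEFORMAT` set.

```python
"""Added example: parse .bash_history, honouring optional #<epoch> timestamp lines.

Example code written for this article (not the author's). SAMPLE_HISTORY is a
constructed file; the epoch values are arbitrary.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample. The first two commands were recorded by a shell with
# HISTTIMEFORMAT set, so each is preceded by a '#<epoch seconds>' marker line.
# The remaining lines come from a session without it and carry no marker.
SAMPLE_HISTORY = """\
#1700994257
ls -la /tmp
#1700994263
cat /etc/passwd
# note: check cron later
crontab -l
exit
"""


@dataclass
class HistoryEntry:
    command: str
    timestamp: Optional[datetime]  # None when the shell recorded no timestamp


def is_timestamp_marker(line: str) -> bool:
    """Bash writes timestamps as '#' followed by decimal epoch seconds.

    A line like '# note ...' is an ordinary shell comment that was typed as a
    command and stored verbatim; it must not be mistaken for a timestamp.
    """
    return len(line) > 1 and line[0] == "#" and line[1:].isdigit()


def parse_bash_history(text: str) -> List[HistoryEntry]:
    """Turn history-file text into dated (where possible) command entries."""
    entries: List[HistoryEntry] = []
    pending_ts: Optional[datetime] = None
    for line in text.splitlines():
        if is_timestamp_marker(line):
            # A marker applies to the very next command line only.
            pending_ts = datetime.fromtimestamp(int(line[1:]), timezone.utc)
            continue
        if line == "":
            continue  # Bash never stores empty commands
        entries.append(HistoryEntry(command=line, timestamp=pending_ts))
        pending_ts = None
    return entries


def format_history(entries: List[HistoryEntry], fmt: str = "%Y-%m-%d %H:%M:%S ") -> List[str]:
    """Render like `history` would with HISTTIMEFORMAT=fmt.

    The default is the expanded form of the article's '%F %T ' so it also works
    on strftime implementations that lack %F/%T.
    """
    lines = []
    for number, entry in enumerate(entries, 1):
        prefix = entry.timestamp.strftime(fmt) if entry.timestamp else ""
        lines.append(f"{number:5d}  {prefix}{entry.command}")
    return lines


def timestamp_coverage(entries: List[HistoryEntry]) -> Tuple[int, int]:
    """(dated, undated): how much of the file can actually be placed in time."""
    dated = sum(1 for e in entries if e.timestamp is not None)
    return dated, len(entries) - dated


if __name__ == "__main__":
    parsed = parse_bash_history(SAMPLE_HISTORY)
    for rendered in format_history(parsed):
        print(rendered)
    print("dated/undated:", timestamp_coverage(parsed))
```

The coverage figure is the first thing to report: an all-undated file tells you that ordering within the file is the only temporal information you have, and it is still relative to the session that last wrote the file.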
Because the `.bash_history` file is so important, it is the first thing a user or malware deletes during anti-forensic activity. Deletion is not the only trick: the file may be emptied with `history -c`, truncated to zero bytes, or replaced by a symlink to `/dev/null`, so an empty or missing history file is itself a finding. Try to recover the file when you work on such cases.

## Conclusion

In this article we looked at the basics of the `.bash_history` file. We only dealt with the Bash history file, but other shells keep history files in similar locations (for example `~/.zsh_history` for zsh). The file has the defect of containing no timestamps by default, but keep in mind that a `.bash_history` may carry them when `HISTTIMEFORMAT` was set. It is also a high-priority target for removal during anti-forensic activity, so try to recover these files whenever there is a chance.