SSH Known Hosts

Overview

Evidence: SSH Known Hosts
Description: Collect SSH known hosts
Category: System
Platform: AIX
Short Name: sshknown
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

SSH known hosts files on AIX systems contain the public host keys of remote hosts the system has previously connected to; the SSH client uses them to verify a server's identity on later connections and to detect man-in-the-middle attacks. This data is essential for understanding SSH connection history, detecting potential security breaches, and investigating SSH-related security incidents. SSH known hosts provide evidence of network connections and host trust relationships.

Data Collected

This collector gathers structured data about ssh known hosts.

SSH Known Hosts Data

Field       Description                     Example
ID          Primary key (auto-increment)    1
Name        Record name                     Example Record
Value       Record value                    Example Value
Timestamp   Record timestamp                2023-10-15 14:30:25

Collection Method

This collector parses host entries from the SSH known hosts files found at the following locations:

  • ~/.ssh/known_hosts

  • /etc/ssh/ssh_known_hosts

Usage

This evidence is crucial for forensic investigations as it provides information about SSH connection history and host trust relationships on AIX systems. It helps investigators understand network connections, detect potential security breaches, and investigate SSH-related attacks. The data can reveal connection patterns, host relationships, and potential security vulnerabilities. Analysts can use this information to identify suspicious connections, trace network activity, and assess AIX system security posture.
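As an added example (not the collector's own code), the following Python parser reads known_hosts content of the kind found at the locations listed above: it handles @-markers such as @revoked, comma-separated host lists, [host]:port entries and hashed (|1|salt|hash) host fields, derives an OpenSSH-style SHA256 fingerprint for each key, and checks whether a hashed entry corresponds to a hostname under investigation. The sample content, salt and key blob are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Placeholder key blob built from bytes; not a genuine public key.
FAKE_KEY = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519" + b"\x00" * 36).decode()

def hash_hostname(hostname, salt):
    """Build the OpenSSH hashed host field: |1|<salt>|<HMAC-SHA1(salt, host)>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def parse_known_hosts(text):
    """Parse known_hosts text into records; blank and comment lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None  # @revoked etc.
        if len(fields) < 3:
            continue  # malformed entry: too few fields
        hosts, key_type, key_b64 = fields[:3]
        try:
            key_bytes = base64.b64decode(key_b64, validate=True)
        except ValueError:
            continue  # undecodable key blob
        # OpenSSH-style fingerprint: SHA-256 of the key blob, unpadded base64.
        fp = base64.b64encode(hashlib.sha256(key_bytes).digest()).decode().rstrip("=")
        hashed = hosts.startswith("|1|")
        records.append({"line": lineno, "marker": marker, "hashed": hashed,
                        "hosts": [hosts] if hashed else hosts.split(","),
                        "key_type": key_type, "fingerprint": "SHA256:" + fp})
    return records

def matches_host(record, hostname):
    """True if the record's host field, plain or hashed, covers hostname."""
    if not record["hashed"]:
        return hostname in record["hosts"]
    salt_b64 = record["hosts"][0].split("|")[2]
    expected = hash_hostname(hostname, base64.b64decode(salt_b64))
    return hmac.compare_digest(expected, record["hosts"][0])

# Constructed sample file content (not from a real AIX host).
SAMPLE = "\n".join([
    "build01.example.internal,10.0.0.5 ssh-ed25519 " + FAKE_KEY + " build",
    "@revoked old-jump.example.internal ssh-ed25519 " + FAKE_KEY,
    hash_hostname("db01.example.internal", b"0123456789abcdef0123") + " ssh-ed25519 " + FAKE_KEY,
    "[git.example.internal]:2222 ssh-ed25519 " + FAKE_KEY,
])
```

Hashed entries cannot be listed back to hostnames; an analyst instead tests candidate hostnames against each record with matches_host, which is why the parser keeps the raw hashed field.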

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.
