Linux Forensics
Analysis
Linux forensics focuses on log analysis, user activity reconstruction, and identifying persistence mechanisms used by attackers. Key artifacts include bash history, cron jobs, and system logs.
Key Linux Artifacts
```bash
# User activity
/home/*/.bash_history           # Command history
/home/*/.bashrc                 # Shell configuration (persistence)
/home/*/.ssh/                   # SSH keys and known hosts
/root/.bash_history             # Root command history

# Authentication logs
/var/log/auth.log               # Debian/Ubuntu authentication
/var/log/secure                 # RHEL/CentOS authentication
/var/log/wtmp                   # Login records (use 'last')
/var/log/btmp                   # Failed logins (use 'lastb')
/var/log/lastlog                # Last login times

# System logs
/var/log/syslog                 # General system log
/var/log/messages               # System messages
/var/log/kern.log               # Kernel messages
/var/log/cron                   # Cron job execution

# Persistence locations
/etc/crontab                    # System cron
/etc/cron.*/*                   # Cron directories
/var/spool/cron/crontabs/*      # User crontabs
/etc/init.d/                    # Init scripts
/etc/systemd/system/            # Systemd services
/etc/rc.local                   # Startup script

# Parse auth.log for SSH
grep "sshd" /var/log/auth.log | grep "Accepted"
grep "sshd" /var/log/auth.log | grep "Failed"

# Recent file modifications
find / -mtime -7 -type f 2>/dev/null   # Files modified in last 7 days
find / -ctime -1 -type f 2>/dev/null   # Files changed in last day
```
Volatile Data First
On a live system, collect volatile data first: running processes (`ps aux`), network connections (`netstat -tulpn`), and memory, before disk imaging.
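The two `grep` pipelines in the artifact list above only filter `auth.log`; the following added example (written for this page, not taken from any tool) goes one step further and parses sshd `Accepted`/`Failed` lines into fields, counts failures per source address, and flags a source that fails repeatedly and then succeeds. The log lines and addresses are constructed sample data, and the threshold of three failures is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from a real system) in the syslog
# format that OpenSSH's sshd writes on Debian/Ubuntu; the key fingerprint is a placeholder.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:12:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:12:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 09:12:15 host sshd[1205]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:01:33 host sshd[1300]: Accepted publickey for alice from 192.0.2.10 port 40012 ssh2: ED25519 SHA256:placeholder
Mar  3 10:05:00 host CRON[1310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches only sshd authentication outcomes; "invalid user" is optional so
# failures against non-existent accounts are captured with the attempted name.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd(log_text):
    """Return one dict per sshd Accepted/Failed line; non-matching lines (e.g. CRON) are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(events, fail_threshold=3):
    """Count failures per source and flag sources that failed >= threshold times before an Accepted."""
    failed = Counter()
    accepted = defaultdict(list)
    suspicious = []
    for ev in events:  # events are in log order, so failures are counted before a later success
        if ev["result"] == "Failed":
            failed[ev["src"]] += 1
        else:
            accepted[ev["src"]].append(ev["user"])
            if failed[ev["src"]] >= fail_threshold:
                suspicious.append((ev["src"], ev["user"], failed[ev["src"]]))
    return {"failed": dict(failed), "accepted": dict(accepted), "suspicious": suspicious}

if __name__ == "__main__":
    print(summarize(parse_sshd(SAMPLE_AUTH_LOG)))
```

On a real host, replace `SAMPLE_AUTH_LOG` with the contents of `/var/log/auth.log` (or `/var/log/secure` on RHEL/CentOS) and review the `suspicious` list alongside the `last`/`lastb` output.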