Report a snapshot of the current processes in long listing format, including the user ID, process ID, etc.
4. Examining the system uptime
Uptime indicates how long the system has been running since the last reboot. For example, if the uptime
is only a few minutes, the system was rebooted recently and it may not be worthwhile to collect
volatile data; likewise, it may not be worthwhile if the security incident occurred before the start of
the current uptime period.
Examining the system user shell history
.bash_history (bash shell), .history (sh), etc.: these files provide all the commands used by the
user since the last reboot.
Path: /home/<username>/.bash_history
Command: history
10. Use “netstat -anp” to list all applications associated with open ports.
This command prints network connections, routing tables, interface statistics, masquerade
connections and multicast memberships.
11. Route Command
The native “netstat -rn” route command displays the current routing table and gateways for all
routes on the suspicious computer.
For Linux, the /etc/resolv.conf file holds the DNS search suffixes and the assigned name servers. On a
DHCP (Dynamic Host Configuration Protocol) system, this file may not be fully populated by the
DHCP client script, so both /etc/resolv.conf and /etc/hosts need to be checked.
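The artifacts named in these steps (uptime, shell history, “netstat -anp”, “netstat -rn”, /etc/resolv.conf and /etc/hosts) can be captured in one pass. The script below is an added example, not part of the original document; it assumes a Linux host with POSIX sh, coreutils (sha256sum, find) and either net-tools or iproute2, and the evidence-directory layout and file names are our own.

```shell
#!/bin/sh
# Added example: gather the volatile artifacts named in the steps above into one
# evidence directory, then record a SHA-256 for every file collected.
# Assumptions: Linux with POSIX sh, coreutils (sha256sum, find) and either
# net-tools (netstat) or iproute2 (ss, ip); output paths and names are ours.

# run_to FILE CMD...: save a command's stdout+stderr to FILE. A missing tool or
# a permission error is recorded in the file instead of aborting the collection.
run_to() {
    out="$1"; shift
    "$@" > "$out" 2>&1 || echo "[collector] '$*' exited with status $?" >> "$out"
}

collect_volatile() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    # Step 4: uptime. Seconds since boot from the kernel plus the uptime(1) view.
    run_to "$outdir/proc_uptime.txt" cat /proc/uptime
    run_to "$outdir/uptime.txt" uptime
    # Shell history: the files the text names, for root and every /home user.
    : > "$outdir/shell_history.txt"
    for home in /root /home/*; do
        for hist in "$home/.bash_history" "$home/.history"; do
            if [ -f "$hist" ]; then
                { echo "### $hist"; cat "$hist"; } >> "$outdir/shell_history.txt"
            fi
        done
    done
    # Steps 10 and 11: open ports with owning process, and the routing table.
    if command -v netstat >/dev/null 2>&1; then
        run_to "$outdir/netstat_anp.txt" netstat -anp
        run_to "$outdir/netstat_rn.txt" netstat -rn
    else
        # net-tools absent: iproute2 gives the equivalent views.
        run_to "$outdir/netstat_anp.txt" ss -anp
        run_to "$outdir/netstat_rn.txt" ip route show
    fi
    # Name resolution: both files, as the text advises for DHCP hosts.
    for cfg in /etc/resolv.conf /etc/hosts; do
        run_to "$outdir/etc_$(basename "$cfg").txt" cat "$cfg"
    done
    # Integrity record: hash everything collected so later review can show
    # the captured output was not altered after collection.
    find "$outdir" -type f ! -name SHA256SUMS -exec sha256sum {} + > "$outdir/SHA256SUMS"
}

# Usage (not run by default):
# collect_volatile "/mnt/evidence/$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)"
```

Run it as root where possible, since “netstat -anp” only reports process names for sockets the caller owns, and write to removable or remote storage rather than the suspect disk.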