Linux Forensics
OS and account information
OS release information
/etc/os-release
User accounts
/etc/passwd
/etc/shadow
Group Information
/etc/group
Sudoers List
/etc/sudoers
Login information
/var/log
In the /var/log directory, we can find log files of all kinds
including wtmp and btmp .
The btmp file saves information about failed logins,
while the wtmp keeps historical data of logins. (session times)
These files are binary files, which have to be read using the last utility.
user@machine$ sudo last -f /var/log/wtmp
reboot system boot 5.4.0-1029-aws Tue Mar 29 17:28 still running
reboot system boot 5.4.0-1029-aws Tue Mar 29 04:46 - 15:52 (11:05)
reboot system boot 5.4.0-1029-aws Mon Mar 28 01:35 - 01:51 (1+00:16)
wtmp begins Mon Mar 28 [Link] 2022
Authentication logs
/var/log/[Link]
It can be read using the cat utility, however, given the size of the file, we can
use tail , head , more or less utilities to make it easier to read.
Linux Forensics 1
� System Configuration
Hostname
/etc/hostname
Timezone
/etc/timezone
Network Configuration
/etc/network/interfaces
Similarly, to find information about the MAC and IP addresses of the different
interfaces, we can use the ip utility.
Active network connections
We can use the netstat utility to find active network connections on
a Linux host.
netstat -natp
Running processes
ps
ps aux
DNS information
The file /etc/hosts contains the configuration for the DNS name assignment
The information about DNS servers that a Linux host talks to for DNS
resolution is stored in the [Link] file. Its location is /etc/[Link] .
Persistence mechanisms
Cron jobs (scheduled tasks)
/etc/crontab
Service startup
/etc/init.d
.Bashrc
When a bash shell is spawned, it runs the commands stored in
the .bashrc file.
Linux Forensics 2
� This file can be considered as a startup list of actions to be performed. Hence
it can prove to be a good place to look for persistence.
System-wide settings
are stored in /etc/[Link] and /etc/profile files, so it is often a good idea to
take a look at these files as well.
Evidence of Execution
Sudo execution history
All the commands that are run on a Linux host using sudo are stored in the
auth log
cat /var/log/[Link]* |grep -i COMMAND|tail
Bash history
Any commands other than the ones run using sudo are stored in the bash
history.
Every user's bash history is stored separately in that user's home folder.
Therefore, we need to get the bash_history file from each user's home
directory. (and the root user aswell)
Files accessed using vim
The Vim text editor stores logs for opened files in Vim in the file
named .viminfo in the home directory.
This file contains command line history, search string history, etc. for the
opened files.
Log files
Logs are generally found in the /var/log directory.
Syslog
The Syslog contains messages that are recorded by the host about system
activity.
/var/log/syslog
Since the Syslog is a huge file, it is easier to
use tail , head , more or less utilities to help make it more readable.
Linux Forensics 3
� it shows the system time, system name, the process that sent the log [the
process id], and the details of the log.
Auth logs
The auth logs contain information about users and authentication-related
logs.
/var/log/[Link]*
Third-party logs
the /var/log/ directory contains logs for third-party applications such as
webserver, database, or file share server logs.
such as /var/log/apache2/
Linux Forensics 4
