Linux Forensics Cheatsheet

The document lists various locations on a Linux system that may contain forensic evidence, including system configuration files under /etc with OS release information, user and group accounts, the sudoers list and login information. Persistence mechanisms such as cron jobs and services are also noted. Evidence of execution may be found in the authentication logs under /var/log/auth.log, in bash and vim histories in user home directories, and in log files such as /var/log/syslog. Network information can be obtained from files like /etc/network/interfaces and commands like ip address show, while running processes can be viewed with ps aux.

Uploaded by Trong Nguyen
Copyright © All Rights Reserved

System and OS information

OS release information:
Location: /etc/os-release
Can be read using cat, vim or any text editor or viewer

User accounts information:
Location: /etc/passwd
Can be read using cat, vim or any text editor or viewer

User group information:
Location: /etc/group
Can be read using cat, vim or any text editor or viewer

Sudoers list:
Location: /etc/sudoers
Can be read using cat, vim or any text editor or viewer.
Needs sudo or root permissions to access

Persistence mechanism

Cron jobs:
Location: /etc/crontab
Can be read using cat, vim or any text editor or viewer

Services:
Location: /etc/init.d/
Registered services are present in this directory

Bash shell startup:
Location: /home/<user>/.bashrc for each user
Locations: /etc/bash.bashrc and /etc/profile for system-wide settings.
Can be read using cat, vim or any text editor or viewer
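The account and persistence files above are usually reviewed from a mounted disk image rather than on the live host, because the live system's own tools cannot be trusted. The script below is an added example, not part of the cheatsheet or of the TryHackMe room: it builds a small constructed evidence root (the passwd, crontab, init.d and .bashrc contents are made up), then pulls out the items an analyst looks at first: accounts with UID 0 or a login shell, scheduled commands, registered services, and the active lines of each user's .bashrc. Point ROOT at a real mount point to run it against evidence.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): offline triage of the account and
# persistence artefacts under /etc, read from a mounted evidence root so that
# nothing depends on the binaries of the system under investigation.

# Constructed evidence root: every file below is made up for the example.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc/init.d" "$ROOT/home/alice"

cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/tmp:/bin/sh
EOF

cat > "$ROOT/etc/crontab" <<'EOF'
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*/5 * * * *  root  /tmp/.update.sh
EOF

for svc in ssh cron netd; do : > "$ROOT/etc/init.d/$svc"; done

cat > "$ROOT/home/alice/.bashrc" <<'EOF'
# ~/.bashrc: executed by bash for non-login shells
alias ls='ls --color=auto'
nohup /tmp/.update.sh >/dev/null 2>&1 &
EOF

# Accounts worth a closer look: UID 0, or an interactive login shell.
# Output: name:uid:shell
login_accounts() {   # $1 = evidence root
    awk -F: '$3 == 0 || $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1/etc/passwd"
}

# Number of UID-0 accounts; anything above 1 is a second root-equivalent account.
uid0_count() {
    awk -F: '$3 == 0' "$1/etc/passwd" | wc -l | tr -d ' '
}

# Scheduled entries from /etc/crontab, skipping comments, blank lines and VAR=value lines.
cron_commands() {
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1/etc/crontab"
}

# Names of the services registered under /etc/init.d.
initd_services() {
    ls -1 "$1/etc/init.d"
}

# Active (non-comment) lines of every user's ~/.bashrc. Home directories are
# taken from passwd rather than assumed to live under /home.
bashrc_entries() {
    awk -F: '{ print $6 }' "$1/etc/passwd" | while read -r home; do
        f="$1$home/.bashrc"
        if [ -f "$f" ]; then
            grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|$home: |"
        fi
    done
}

# Stand-alone run: print each section for the constructed root.
printf '== login accounts ==\n';  login_accounts "$ROOT"
printf '== uid0 count: %s ==\n' "$(uid0_count "$ROOT")"
printf '== cron commands ==\n';   cron_commands "$ROOT"
printf '== init.d services ==\n'; initd_services "$ROOT"
printf '== bashrc entries ==\n';  bashrc_entries "$ROOT"
```

Two details matter in practice. The UID-0 check is done on the numeric field, not the name, because a second root-equivalent account need not be called anything suspicious; and .bashrc is located through the home directory recorded in passwd, since an account whose home sits in /tmp or /var would otherwise be missed.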

Login information:
Location: /var/log/wtmp
Can be read using the last utility

Authentication logs:
Location: /var/log/auth.log
Can be read using cat, vim or any text editor or viewer.
Use grep for better filtering.
Might also have auth.log.1, auth.log.2 etc. as log files that have been rotated.

Evidence of execution

Authentication logs:
Location: /var/log/auth.log*
Filter with grep -i COMMAND to show the commands run through sudo; the grep narrows the results.
Can be read using cat, vim or any text editor or viewer

Bash history:
Location: /home/<user>/.bash_history
Can be read using cat, vim or any text editor or viewer

Vim history:
Location: /home/<user>/.viminfo
Can be read using cat, vim or any text editor or viewer

System configuration

Hostname:
Location: /etc/hostname
Can be read using cat, vim or any text editor or viewer

Timezone information:
Location: /etc/timezone
Can be read using cat, vim or any text editor or viewer
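The evidence-of-execution sources above (sudo COMMAND records, bash history, .viminfo) are scattered across /var/log and every home directory, and the sudo records are split between the live auth.log and its rotated copies. The script below is an added example, not the cheatsheet's or TryHackMe's code: it creates a constructed evidence root with made-up log lines and history files, then reads the rotated logs oldest-first, extracts one line per sudo command, tags each user's history with the account name, and lists the files vim recorded marks for. Compressed rotations (auth.log.2.gz and later) would need zcat and are not handled here.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): pulling the evidence-of-execution
# artefacts (sudo COMMAND lines across rotated auth logs, per-user bash
# history, vim file marks) out of a mounted evidence root.

# Constructed evidence root; every log line and history entry below is made up.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc" "$ROOT/var/log" "$ROOT/home/alice" "$ROOT/home/bob"

cat > "$ROOT/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF

# Rotated log (older events) and live log (newer events).
cat > "$ROOT/var/log/auth.log.1" <<'EOF'
Mar  1 22:05:13 host sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/useradd svc-backup
Mar  1 22:05:20 host sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
EOF
cat > "$ROOT/var/log/auth.log" <<'EOF'
Mar  3 09:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 09:15:44 host sshd[1234]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 09:20:10 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
EOF

printf 'ls -la /tmp\nvi /etc/hosts\nsudo cat /etc/shadow\n' > "$ROOT/home/alice/.bash_history"
printf 'cd /tmp\nsudo useradd svc-backup\n' > "$ROOT/home/bob/.bash_history"

cat > "$ROOT/home/alice/.viminfo" <<'EOF'
# This viminfo file was generated by Vim 8.2.

# Command Line History (newest to oldest):
:wq
|2,0,1709456000,,"wq"
:set nu
|2,0,1709455990,,"set nu"

# File marks:
'0  5  0  /etc/hosts
|4,48,5,0,"/etc/hosts"

# History of marks within files (newest to oldest):

> /etc/hosts
    *   1709456000  0
    "   5   0
EOF

# sudo invocations from auth.log and its rotated copies, oldest file first
# (auth.log.N sorts after auth.log, so a reverse sort yields oldest-first).
# Output: <month> <day> <time> <user> <command>
sudo_commands() {   # $1 = evidence root
    for f in $(ls "$1"/var/log/auth.log* | sort -r); do
        awk '/ sudo: / && /COMMAND=/ {
                 ts = $1 " " $2 " " $3; user = $6
                 sub(/.*COMMAND=/, "")
                 print ts " " user " " $0
             }' "$f"
    done
}

# name:home for every account whose shell is interactive.
interactive_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $6 }' "$1/etc/passwd"
}

# "user: line" for each line of <relpath> under each interactive user's home.
user_files() {   # $1 = evidence root, $2 = path relative to the home directory
    interactive_users "$1" | while IFS=: read -r user home; do
        f="$1$home/$2"
        if [ -f "$f" ]; then sed "s/^/$user: /" "$f"; fi
    done
}

# Bash history carries no timestamps unless HISTTIMEFORMAT was set; order is all you get.
bash_histories() { user_files "$1" .bash_history; }

# Files vim recorded marks for: the '> path' records in .viminfo.
vim_edited_files() { user_files "$1" .viminfo | sed -n 's/: > /: /p'; }

printf '== sudo commands ==\n';   sudo_commands "$ROOT"
printf '== bash histories ==\n';  bash_histories "$ROOT"
printf '== vim edited files ==\n'; vim_edited_files "$ROOT"
```

Reading the rotated file first matters because the "COMMAND=" entries have only a month and day, not a year; the rotation order is the only reliable sequence across files. The sshd "Accepted password" line is left in the fixture deliberately: it is the login that precedes alice's sudo activity and belongs to the same timeline, even though the sudo filter skips it.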
Network interfaces:
Location: /etc/network/interfaces
Can be read using cat, vim or any text editor or viewer
Command: ip address show
The above command is suitable only for live analysis

Open network connections:
Command: netstat -natp
The above command is suitable only for live analysis

Running processes:
Command: ps aux
The above command is suitable only for live analysis

DNS information:
Location: /etc/hosts for hostname resolutions
Can be read using cat, vim or any text editor or viewer
Location: /etc/resolv.conf for information about DNS servers
Can be read using cat, vim or any text editor or viewer

Log files

Syslogs:
Location: /var/log/syslog
Can be read using cat, vim or any text editor or viewer.
Use grep or a similar utility to filter results as required

Authentication logs:
Location: /var/log/auth.log
Can be read using cat, vim or any text editor or viewer.
Use grep or a similar utility to filter results as required

Third-party logs:
Location: /var/log
Logs for each third-party application can be found in their specific directories in this location
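Of the DNS files listed above, /etc/hosts deserves more than a glance: with the usual nsswitch.conf order it is consulted before DNS, so one extra line there silently redirects a hostname for every program on the box, and /etc/resolv.conf records which resolvers answered everything else. The script below is an added example, not part of the cheatsheet: it builds a constructed evidence root with made-up hosts and resolv.conf files (addresses from the documentation ranges), lists every hosts entry that points a name away from the local machine, lists the resolvers in the order they are tried, and answers whether a given name is overridden.

```shell
#!/bin/sh
# Added example (not from the cheatsheet): reviewing /etc/hosts and
# /etc/resolv.conf from a mounted evidence root.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc"

# Constructed files; the addresses come from the documentation ranges.
cat > "$ROOT/etc/hosts" <<'EOF'
127.0.0.1       localhost
127.0.1.1       workstation
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
# added 2024-03-01
203.0.113.7     update.example.com updates.example.com
EOF

cat > "$ROOT/etc/resolv.conf" <<'EOF'
# Generated by NetworkManager
search example.com
nameserver 192.0.2.53
nameserver 10.0.0.1
EOF

# hosts entries that send a name somewhere other than the local machine:
# comments, blank lines, 127.x, ::1 and the ff02:: multicast groups that
# installers add are dropped. Output: <address> <names...>
hosts_overrides() {   # $1 = evidence root
    awk '!/^[[:space:]]*(#|$)/ && $1 !~ /^(127\.|::1$|ff02::)/ { print }' "$1/etc/hosts"
}

# Resolver addresses, in the order the resolver library tries them.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1/etc/resolv.conf"
}

# Is <hostname> pinned by a hosts entry? Exit status 0 means yes.
name_is_overridden() {   # $1 = evidence root, $2 = hostname
    hosts_overrides "$1" |
        awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 } END { exit !found }'
}

printf '== hosts overrides ==\n'; hosts_overrides "$ROOT"
printf '== nameservers ==\n';     nameservers "$ROOT"
if name_is_overridden "$ROOT" update.example.com; then
    printf 'update.example.com is pinned in /etc/hosts\n'
fi
```

The override list is short on a healthy machine (often empty), which is what makes it a useful first check: any entry for a public name is either a deliberate administrator decision that should be documented or something to explain. The resolver list should be compared against what the network is expected to hand out.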

To learn more about Linux Forensics click here: https://tryhackme.com/room/linuxforensics
