
Linux and Unix-Like System Forensics

Lesson 21/47 | Study Time: 20 Min

Linux and Unix-like system forensics focuses on analyzing artifacts from file systems, logs, user histories, and configurations unique to these operating systems, revealing user actions, system changes, and potential compromises in server and embedded environments.

Unlike Windows, these systems have no centralized registry; evidence is spread across distributed logs, shell histories, and process state, so investigators must understand distribution-specific variations (e.g., Debian vs. Red Hat log names and paths).

Key artifacts provide timelines of logins, command execution, package installations, and network activity, essential for reconstructing incidents in cloud-native or IoT investigations.

System Logs and Authentication Artifacts

Linux logs centralize in /var/log, capturing authentication, system events, and service activities.


1. auth.log (Debian-based) / secure (Red Hat-based): Tracks SSH logins, sudo usage, and failed authentications; reveals brute-force attempts or privilege escalation.

2. syslog/messages: Kernel events, service starts/stops, general system activity.

3. wtmp/btmp/utmp: Login histories (successful/failed/currently logged in); binary files, parsed with last, lastb, and who/w respectively.

4. lastlog: Most recent login per user.


Log rotation creates numbered backups (e.g., auth.log.1, auth.log.2.gz); correlate timestamps across the rotated files.
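As an added example (not part of the original lesson), the following parser walks constructed auth.log lines and surfaces the two patterns named above: repeated SSH failures from one source that end in a success, and sudo commands with their invoking and target users. The log lines, hostnames and addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (syslog format; the year is not recorded, as on a real system).
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 14 03:12:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 14 03:12:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 14 03:12:08 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jan 14 03:12:11 web01 sshd[2219]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Jan 14 03:12:40 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2
Jan 14 03:13:02 web01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
SSH_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
SUDO_RE = re.compile(
    TS + r" \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

def analyze_auth_log(text, threshold=3):
    """Return (failures per source IP, successes after >= threshold failures, sudo commands)."""
    failures = defaultdict(int)
    suspicious = []   # (ip, user, ts): a success preceded by repeated failures from the same IP
    sudo_cmds = []    # (ts, invoking user, target user, command)
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ip = m.group("ip")
            if m.group("result") == "Failed":
                failures[ip] += 1
            elif failures.get(ip, 0) >= threshold:
                suspicious.append((ip, m.group("user"), m.group("ts")))
            continue
        m = SUDO_RE.match(line)
        if m:
            sudo_cmds.append((m.group("ts"), m.group("user"), m.group("target"), m.group("cmd")))
    return dict(failures), suspicious, sudo_cmds
```

Run it over the concatenation of auth.log and its rotated copies (oldest first) so the failure counts carry across rotation boundaries.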


User Activity and Shell Artifacts

Command histories and profiles expose terminal-based actions.


1. .bash_history/.zsh_history: Per-user command logs in home directories; bash records timestamps (as #epoch lines) only when HISTTIMEFORMAT is set, and writes the file on shell exit, so the current session's commands may be absent.

2. Cron jobs: /var/spool/cron/crontabs/ (per-user) and /etc/cron.d/ (system-wide) hold scheduled tasks, a common persistence mechanism.

3. Shell startup files: .bashrc and .profile reveal custom PATH entries, aliases, or commands inserted to run at login.


Multi-user systems require per-user analysis; cleared histories may be recoverable from backups.
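An added example (not from the lesson) that parses a constructed .bash_history in the form bash writes when HISTTIMEFORMAT is set, pairing each #epoch marker with the command that follows it, and then flags commands that suggest the history was being cleared. The sample commands and the list of tampering patterns are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample .bash_history. With HISTTIMEFORMAT set, bash writes a "#<epoch>" line
# before each command; the first command here predates that setting and has no timestamp.
SAMPLE_HISTORY = """\
ls -la /var/www
#1705201921
tar xzf /tmp/agent.tgz -C /opt/agent
#1705201940
chmod 755 /opt/agent/agentd
#1705201955
# installing agent
#1705201990
history -c
"""

TS_RE = re.compile(r"^#(\d{9,10})$")   # bash's timestamp marker: '#' followed by digits only
# Commands an investigator flags as possible evidence tampering (constructed, non-exhaustive list).
TAMPER_PATTERNS = ("history -c", "unset HISTFILE", "HISTSIZE=0", "shred ", ".bash_history")

def parse_history(text):
    """Return [(utc datetime or None, command)], pairing each '#epoch' marker with the next command."""
    entries, pending = [], None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            pending = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        # A typed comment such as "# installing agent" is a command, not a marker: TS_RE is digits-only.
        entries.append((pending, line))
        pending = None
    return entries

def flag_tampering(entries):
    """Entries whose command matches a history-clearing or anti-forensics pattern."""
    return [(ts, cmd) for ts, cmd in entries if any(p in cmd for p in TAMPER_PATTERNS)]
```

A zero-byte .bash_history whose mtime coincides with the last login is the on-disk counterpart of the final entry here; the file's timestamps then become the evidence the history itself no longer holds.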

File System and Process Forensics

ext4 and similar file systems yield persistence evidence: modified binaries, dropped files, and altered configuration.

Build a timeline with stat on a live system or fls (Sleuth Kit) on a disk image to recover MACB times (modified, accessed, changed, born/created).
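As an added example (not part of the lesson), this turns bodyfile lines in the format emitted by fls -m into a mactime-style MACB timeline, and separately lists files whose modification time predates their creation time, which on ext4 is a sign of a backdated mtime. The bodyfile rows are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed bodyfile lines in the format `fls -m` (Sleuth Kit) emits:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime   (epoch seconds; 0 = unknown)
SAMPLE_BODYFILE = """\
0|/etc/passwd|1310|r/rrw-r--r--|0|0|2104|1705201990|1705201990|1705201990|1690000000
0|/usr/local/bin/sysd|5221|r/rrwxr-xr-x|0|0|36880|1705201955|1690000000|1705201955|1705201955
0|/home/deploy/.bash_history|8002|r/rrw-------|1001|1001|0|1705202000|1705202000|1705202000|1700000000
"""

def bodyfile_to_timeline(text):
    """Collapse each file's four timestamps into mactime-style rows: (utc time, MACB flags, size, name)."""
    events = defaultdict(lambda: defaultdict(set))   # epoch -> name -> set of flags
    sizes = {}
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue
        sizes[f[1]] = f[6]
        # Bodyfile column order is atime, mtime, ctime, crtime; MACB order is mtime, atime, ctime, born.
        for flag, ts in zip("MACB", (f[8], f[7], f[9], f[10])):
            if ts != "0":
                events[int(ts)][f[1]].add(flag)
    rows = []
    for ts in sorted(events):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        for name in sorted(events[ts]):
            flags = "".join(c if c in events[ts][name] else "." for c in "MACB")
            rows.append((when, flags, sizes[name], name))
    return rows

def backdated_mtime(text):
    """Names whose mtime is earlier than crtime: content 'modified' before the inode existed."""
    hits = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) == 11 and f[10] != "0" and int(f[8]) < int(f[10]):
            hits.append(f[1])
    return hits
```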

Network and Service Artifacts

Connectivity artifacts trace an attacker's entry and exfiltration paths.


1. SSH artifacts: ~/.ssh/authorized_keys, known_hosts; /var/log/auth.log entries.

2. Network configs: /etc/network/interfaces and related files; ifconfig/ip invocations recorded in command history.

3. Wget/curl traces: ~/.wgetrc configuration and download commands recorded in command history.

4. iptables/ufw logs: Firewall rules, blocked connections.


Live captures from tcpdump and socket listings from netstat (or ss) complement these on-disk artifacts.


Configuration and Persistence Files

System configuration files reveal tampering.


1. /etc/passwd and /etc/shadow: User accounts and hashed passwords.

2. /etc/sudoers (and /etc/sudoers.d/): Privilege escalation paths.

3. systemd journal: Binary logs for modern services, read with journalctl.

4. Kernel modules: lsmod output and /lib/modules for rootkit detection.


Chroot and jail environments complicate path resolution.
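An added example (not from the lesson) that cross-checks constructed /etc/passwd and /etc/shadow excerpts for the account-level tampering the list above points at: extra UID 0 accounts, duplicate UIDs, interactive accounts with an empty password field or no shadow entry, and login homes placed in scratch directories. The accounts and hash placeholders are constructed, not real.

```python
# Constructed /etc/passwd and /etc/shadow excerpts; hash fields are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
sysadm:x:0:0::/var/tmp:/bin/sh
guest:x:1002:1002::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER_HASH:19736:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy:$6$PLACEHOLDER_HASH:19736:0:99999:7:::
sysadm:$6$PLACEHOLDER_HASH:19736:0:99999:7:::
guest::19736:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SCRATCH_DIRS = ("/tmp", "/var/tmp", "/dev")

def audit_accounts(passwd_text, shadow_text):
    """Return (account, reason) findings for common tampering patterns in passwd/shadow."""
    shadow = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) >= 2:
            shadow[f[0]] = f[1]          # second field: hash, '*'/'!' (locked) or '' (no password)
    findings, uid_owner = [], {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        name, uid, home, shell = f[0], int(f[2]), f[5], f[6]
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if uid in uid_owner:
            findings.append((name, f"duplicate uid {uid} shared with {uid_owner[uid]}"))
        uid_owner.setdefault(uid, name)
        if shell in NOLOGIN_SHELLS:
            continue                     # remaining checks only matter for interactive accounts
        h = shadow.get(name)
        if h is None:
            findings.append((name, "no shadow entry"))
        elif h == "":
            findings.append((name, "empty password field in shadow"))
        if home.startswith(SCRATCH_DIRS):
            findings.append((name, f"login account with home in {home}"))
    return findings
```

Run it against the files from the image, not the examiner's workstation, and compare the result with the same files from a rotated backup to date each change.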

Acquisition and Analysis Tools

Linux forensics demands live-response tooling as well as dead-disk analysis. Workflow: collect live volatile data → shut down → image the disk → parse logs and configuration files.
