Linux Home:

Determine if its Debian/RedHat

Command which rpm OR which dpkg

If nothing above returns the result, run following: cat /etc/os-release | grep -E '^NAME=|PRETTY_NAME='

Get Hostname

cat /etc/hostname

Get System timezone:

cat /etc/timezone

Get OS Version: cat /etc/os-release

Get OS details. uname -a and lsb_release -a

Get Env Variables: The $PATH displays a list of directories that tells the shell which directories to search for executable files, in order to check for directories that are in your path you can use.:

echo $PATH

Now towards:

  1. User Artifacts

  2. Persistence

  3. System & File Artifacts

  4. Process Artifacts

  5. Network Artifacts

  6. Linux Memory Collection

  7. Application Logs

  8. Investigating Rootkits

  9. Collection Scripts

References:

  1. https://tho-le.medium.com/linux-forensics-some-useful-artifacts-74497dca1ab2

  2. https://library.mosse-institute.com/cyber-domains/digital-forensics.html#linux-forensics

  3. https://www.halkynconsulting.co.uk/a/2020/11/linux-dfir-workflow-for-a-busy-responder/

NextProcess Artifacts

Last updated