Network Artifacts

/etc/network/interfaces is the configuration file for network setup (dynamic or static IP assignment as well as scripts running when the interface is “up” or “down”).

/etc/hosts is the configuration file for local DNS name assignment (static hostname-to-IP mappings). It shows any static IP assignments and can identify attackers trying to create routes in plain sight.

/etc/resolv.conf is the configuration file for DNS. If the resolvconf program is used to manage the DNS configuration, look at /etc/resolvconf/run/resolv.conf instead.

/etc/dnsmasq.conf is the configuration file for the dnsmasq DNS forwarder and DHCP server, if one is deployed on the investigated host.

/etc/wpa_supplicant/*.conf contains the SSID configuration of the wireless networks the Linux machine will automatically connect to whenever their Wi-Fi signal is in range.

Check network connections. You can use netstat or lsof here, or both. It is worth saving this output to a text file, as it can be verbose.

Get networking information. This is where ifconfig and arp -a are useful.

To check and manage IPv4 packet filtering and NAT on Linux systems, you can use iptables, together with the other commands below:

iptables -L -n - List the packet-filtering and NAT rules with numeric addresses.

iptables --list-rules - List all iptables rules in iptables-save syntax (equivalent to iptables -S).

ifconfig - Show the network interfaces on the system.

ifconfig -a - Show all network interfaces, including those that are down.

netstat -nap - Show all sockets with numeric addresses and the owning process (-p shows other users' processes only when run as root).

netstat -antup - Show active TCP and UDP connections and listening sockets with the owning process.

arp -a - Show the system ARP cache.

route -n - Show the routing table.

ss -tuln - Show listening TCP and UDP ports with numeric addresses; drop -l (ss -tunap) to also show established connections and the owning process.
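As an added example (not from this page or the cited article), a POSIX sh collector that snapshots the configuration files and command output listed above into one timestamped text file, as the note about saving verbose output suggests. It assumes you pass an output directory as its argument, and it falls back to the iproute2 tools (ip, ss) when the legacy net-tools commands are not installed; commands that are missing or fail (for example iptables without root) are recorded in the file rather than aborting the run.

```shell
#!/bin/sh
# Hypothetical collector: save the network artifacts into $OUT for later review.
# Every section is labelled "== label ==" so the file can be grepped afterwards.

# Append the output of a command as a labelled section, only if the command exists.
section() {                # usage: section "label" cmd args...
    label=$1; shift
    printf '\n== %s ==\n' "$label" >>"$OUT"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >>"$OUT" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?" >>"$OUT"
    else
        printf '[%s not available on this host]\n' "$1" >>"$OUT"
    fi
}

# Copy configuration files verbatim, noting absence instead of failing.
conf() {                   # usage: conf /path [/path ...]  (globs are expanded by the caller)
    for f in "$@"; do
        printf '\n== %s ==\n' "$f" >>"$OUT"
        [ -r "$f" ] && cat "$f" >>"$OUT" || printf '[missing or unreadable]\n' >>"$OUT"
    done
}

collect_network_artifacts() {   # usage: collect_network_artifacts /output/dir
    mkdir -p "$1" || return 1
    OUT="$1/network-artifacts-$(date -u +%Y%m%dT%H%M%SZ).txt"
    printf 'host: %s\ncollected (UTC): %s\n' \
        "$(hostname 2>/dev/null || echo unknown)" "$(date -u)" >"$OUT"

    conf /etc/network/interfaces /etc/hosts /etc/resolv.conf \
         /etc/resolvconf/run/resolv.conf /etc/dnsmasq.conf /etc/wpa_supplicant/*.conf

    section "interfaces (ifconfig -a)"  ifconfig -a
    section "interfaces (ip addr)"      ip addr
    section "routing table (route -n)"  route -n
    section "routing table (ip route)"  ip route
    section "ARP cache (arp -a)"        arp -a
    section "neighbours (ip neigh)"     ip neigh
    section "sockets (netstat -antup)"  netstat -antup
    section "sockets (ss -tunap)"       ss -tunap
    section "iptables (iptables -S)"    iptables -S     # needs root; a failure is recorded
    section "open sockets (lsof -i)"    lsof -i -nP
    printf '%s\n' "$OUT"                # print the path of the snapshot file
}
```

Review the resulting file offline; an unexpected static entry in the /etc/hosts section or a listening socket owned by an unfamiliar process is the kind of finding the artifacts above are meant to surface.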

References

  1. https://tho-le.medium.com/linux-forensics-some-useful-artifacts-74497dca1ab2
