Introduction

Linux forensics is an essential part of digital investigations, focusing on analyzing system activity, identifying security breaches, and recovering lost data. This article explores the fundamental techniques and commands used in Linux forensic investigations, covering system information retrieval, user analysis, network activity monitoring, and log file analysis.

System Information Gathering

The first step in any forensic investigation is gathering system details, including the operating system, kernel version, and architecture. Useful commands include:

  • uname -a – Displays system information, including kernel version.
  • cat /etc/os-release – Provides OS version details.
  • lsb_release -a – Displays distribution-specific information.

User and Group Analysis

Understanding user activity is crucial in forensic investigations. Commands for user analysis include:

  • cat /etc/passwd – Lists all system users.
  • cat /etc/shadow – Contains hashed passwords (accessible only to root users).
  • cat /etc/group – Displays user group memberships.
  • who – Lists currently logged-in users.
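An added example (not from the room or the original article) that answers the two membership questions this section leads to: which users belong to a group, and what UID an account has. The helper names `group_members` and `user_uid` and the sample `passwd`/`group` files are constructed here; pass real paths (or copies pulled from an image) to run it against evidence.

```shell
#!/bin/sh
# Constructed sample /etc/passwd and /etc/group excerpts (not the room VM's files),
# written to a temporary directory so the functions can be exercised offline.
FX="$(mktemp -d)"
cat > "$FX/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pulse:x:120:127:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
analyst:x:1001:1001::/home/analyst:/bin/bash
EOF
cat > "$FX/group" <<'EOF'
root:x:0:
audio:x:29:pulse,ubuntu
sudo:x:27:ubuntu
analyst:x:1001:
EOF

# Members of a group are the supplementary members listed in /etc/group PLUS every
# user whose primary GID (field 4 of /etc/passwd) equals that group's GID; reading
# /etc/group alone silently misses the primary-group members.
group_members() {  # usage: group_members <group> [passwd_file] [group_file]
    awk -F: -v g="$1" '
        FNR == NR {                       # first file: /etc/group
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: /etc/passwd
        END { for (u in seen) print u }
    ' "${3:-/etc/group}" "${2:-/etc/passwd}" | sort | tr '\n' ' ' | sed 's/ $//'
}

# UID of an account from /etc/passwd (field 3); empty output means no such user.
user_uid() {  # usage: user_uid <username> [passwd_file]
    awk -F: -v u="$1" '$1 == u { print $3 }' "${2:-/etc/passwd}"
}

echo "audio members: $(group_members audio "$FX/passwd" "$FX/group")"   # pulse ubuntu
echo "analyst uid:   $(user_uid analyst "$FX/passwd")"                   # 1001
```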

Privilege Escalation Checks

Investigators often check for unauthorized access and privilege escalation attempts using:

  • cat /etc/sudoers – Identifies users with administrative privileges.
  • id – Displays current user ID and group memberships.
  • sudo -l – Lists commands a user can execute with sudo privileges.

Network Activity and Connection Analysis

Monitoring network activity helps detect unauthorized connections. Key commands include:

  • netstat -anpt – Displays active network connections and associated processes.
  • ss -tulnp – Shows listening ports and the applications using them.
  • lsof -i – Lists active network connections.

Process and Service Investigation

To identify malicious activity, investigators examine running processes and services:

  • ps aux – Lists all running processes with details on resource usage.
  • top – Provides real-time CPU and memory usage statistics.
  • systemctl list-units --type=service – Displays active system services.

Log File Analysis

System logs store crucial forensic data, including login attempts, service activity, and security events:

  • /var/log/auth.log – Contains authentication attempts and sudo command usage.
  • /var/log/syslog – Logs general system events.
  • /var/log/wtmp – Stores login history, retrievable using last -f /var/log/wtmp.
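An added example (not part of the original article) that turns the auth.log entries described above into two triage views: failed SSH password attempts per source address, and every sudo invocation with the working directory it was issued from. The log lines are constructed for this example (the addresses are documentation ranges) and the helper names are hypothetical.

```shell
#!/bin/sh
# Constructed auth.log extract, not taken from the room VM.
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
Apr 16 20:10:01 Linux4n6 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 16 20:10:03 Linux4n6 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 16 20:10:09 Linux4n6 sshd[1204]: Accepted password for ubuntu from 198.51.100.5 port 40112 ssh2
Apr 16 20:11:45 Linux4n6 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt-get install net-tools
Apr 16 20:12:02 Linux4n6 sshd[1210]: Failed password for ubuntu from 203.0.113.7 port 51030 ssh2
Apr 16 20:13:10 Linux4n6 sshd[1215]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
EOF

# Failed SSH password attempts grouped by source address, most frequent first.
# The "from" token is located by position, so both the "invalid user X" and the
# plain "for X" message shapes are handled.
failed_ssh_by_ip() {  # usage: failed_ssh_by_ip <auth.log>   -> "<count> <ip>" per line
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# Every sudo invocation as: user<TAB>working directory<TAB>command, which answers
# both "what command was issued" and "what was the working directory" at once.
sudo_commands() {  # usage: sudo_commands <auth.log>
    awk '/ sudo: / {
            line = $0
            sub(/.* sudo: +/, "", line)      # "ubuntu : TTY=... ; PWD=... ; COMMAND=..."
            split(line, p, " : "); user = p[1]
            pwd = line; sub(/.*PWD=/, "", pwd); sub(/ ;.*/, "", pwd)
            cmd = line; sub(/.*COMMAND=/, "", cmd)
            print user "\t" pwd "\t" cmd
         }' "$1"
}

failed_ssh_by_ip "$LOG"   # 3 203.0.113.7  then  1 192.0.2.44
sudo_commands "$LOG"
```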

Scheduled Tasks and Startup Services

Malware often persists through scheduled tasks and startup scripts:

  • crontab -l – Lists the cron jobs of the current user.
  • ls /etc/init.d/ – Displays startup scripts for services.
  • systemctl list-timers – Shows scheduled system tasks.
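An added example (not from the original article) for the cron part of this section: since crontab -l shows only the current user's table, this helper walks every crontab under a chosen root directory, so it works on a mounted evidence image as well as the live host. The mini image and the helper names (cron_entries, suspicious_cron_entries) are constructed for this example.

```shell
#!/bin/sh
# Constructed mini filesystem image standing in for a mounted evidence disk.
IMG="$(mktemp -d)"
mkdir -p "$IMG/var/spool/cron/crontabs" "$IMG/etc/cron.d"
cat > "$IMG/var/spool/cron/crontabs/ubuntu" <<'EOF'
# m h dom mon dow command
*/5 * * * * /home/ubuntu/.cache/update.sh
EOF
printf '# comment only\n' > "$IMG/var/spool/cron/crontabs/root"
cat > "$IMG/etc/cron.d/backup" <<'EOF'
PATH=/usr/bin:/bin
0 2 * * * root /usr/local/bin/backup.sh
EOF
printf '@reboot root /tmp/.x/run\n' > "$IMG/etc/cron.d/odd"

# Print every live cron entry as: <file relative to the root dir><TAB><entry>.
# Comment lines, blank lines and VAR=value environment lines are skipped, so the
# output is only the schedules an investigator needs to review.
cron_entries() {  # usage: cron_entries [root_dir]   (default: the live system, /)
    r="${1:-/}"
    for f in "$r"/var/spool/cron/crontabs/* "$r"/etc/cron.d/* "$r"/etc/crontab; do
        [ -f "$f" ] || continue
        awk -v src="${f#"$r"}" '
            /^[[:space:]]*(#|$)/ { next }
            /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }
            { print src "\t" $0 }' "$f"
    done
}

# Entries that run at boot, or from /tmp, /dev/shm or a hidden directory,
# are the ones that most often turn out to be persistence.
suspicious_cron_entries() {  # usage: suspicious_cron_entries [root_dir]
    cron_entries "$1" | grep -E '@reboot|/tmp/|/dev/shm/|/\.[^/]'
}

cron_entries "$IMG"              # three entries; the PATH= line and comments are dropped
suspicious_cron_entries "$IMG"   # the .cache script and the @reboot /tmp entry
```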

Evidence Collection and Data Recovery

Recovering deleted files and tracking system modifications is critical in forensic analysis:

  • find / -mtime -1 – Lists files modified in the last 24 hours.
  • extundelete /dev/sdX --restore-all – Attempts to recover deleted files.
  • foremost -i /dev/sdX -o output – Extracts lost files based on known headers.

Room Answers | TryHackMe Linux Forensics

Which two users are the members of the group audio?

ubuntu,pulse

In the attached VM, there is a user account named tryhackme. What is the uid of this account?
1001

A session was started on this machine on Sat Apr 16 20:10. How long did this session last?

01:32

What is the hostname of the attached VM?
Linux4n6

What is the timezone of the attached VM?

Asia/Karachi

What program is listening on the address 127.0.0.1:5901?

Xtigervnc

What is the full path of this program?

/usr/bin/Xtigervnc

In the bashrc file, the size of the history file is defined. What is the size of the history file that is set for the user Ubuntu in the attached machine?
2000

The user tryhackme used apt-get to install a package. What was the command that was issued?
sudo apt-get install apache2

What was the current working directory when the command to install net-tools was issued?
/home/ubuntu

Though the machine’s current hostname is the one we identified in Task 4, the machine earlier had a different hostname. What was the previous hostname of the machine?
tryhackme

Summary

  • 🔎 Introduction to Linux Forensics – Covers system commands used for forensic investigation in Linux.
  • 🖥 System Information Gathering – Commands like uname -a, cat /etc/os-release, and lsb_release -a provide OS and kernel details.
  • 👤 User Account Analysis – cat /etc/passwd lists all user accounts, while cat /etc/shadow holds password hashes (if readable).
  • 🔍 Group Membership Investigation – cat /etc/group helps analyze user-group relationships.
  • 🛑 Privilege Escalation Checks – cat /etc/sudoers determines which users have administrative privileges.
  • 📡 Network Connections Analysis – netstat -anpt, ss -tulnp, and lsof -i identify active network services.
  • 🔬 Process Investigation – ps aux and top display running processes and resource usage.
  • 🗂 Log File Analysis – /var/log/auth.log contains login attempts, while /var/log/syslog logs system-wide events.
  • 🏗 Cron Jobs and Startup Services – crontab -l lists scheduled tasks, and /etc/init.d/ manages services.
  • 🕵 Evidence Collection – last -f /var/log/wtmp shows login history, and who lists currently logged-in users.
  • 🔑 Recovering Deleted Files – extundelete and foremost aid in file recovery from Linux systems.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.