Install: claude install-skill 26zl/cybersec-toolkit
# Analyzing Linux System Artifacts
## When to Use
- When investigating a compromised Linux server or workstation
- For identifying persistence mechanisms (cron, systemd, SSH keys)
- When tracing user activity through shell history and authentication logs
- During incident response to determine the scope of a Linux-based breach
- For detecting rootkits, backdoors, and unauthorized modifications
## Prerequisites
- Forensic image or live access to the Linux system (read-only)
- Understanding of Linux file system hierarchy (FHS)
- Knowledge of common Linux logging locations (/var/log/)
- Tools: chkrootkit, rkhunter, AIDE, auditd logs
- Familiarity with systemd, cron, and PAM configurations
- Root access for complete artifact collection
## Workflow
### Step 1: Mount and Collect System Artifacts
```bash
# Mount the forensic image read-only. offset = starting sector of the root
# partition (2048) * sector size (512); confirm the values with fdisk -l or mmls
# before mounting, since they differ between images.
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/linux_evidence.dd /mnt/evidence
# Create collection directories
mkdir -p /cases/case-2024-001/linux/{logs,config,users,persistence,network}
# Collect authentication logs. auth.log is Debian/Ubuntu, secure is RHEL/CentOS;
# the family that does not exist on this host will just report "No such file".
# -p preserves mtime/owner/mode so timeline analysis still works on the copies.
cp -p /mnt/evidence/var/log/auth.log* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/secure* /cases/case-2024-001/linux/logs/
# System, kernel and audit logs (audit.log only exists if auditd was running)
cp -p /mnt/evidence/var/log/syslog* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/kern.log* /cases/case-2024-001/linux/logs/
cp -p /mnt/evidence/var/log/audit/audit.log* /cases/case-2024-001/linux/logs/
# Binary login records (read later with last -f / utmpdump)
cp -p /mnt/evidence/var/log/wtmp /cases/case-2024-001/linux/logs/
cp /mnt/e