Linux Forensics Commands

1. File and Metadata Analysis

dentifies the type of a file:

file  suspicious_file

Extracts human-readable strings from binary files:

strings binary_file

Displays detailed file metadata, including timestamps:

stat file

Extracts metadata from multimedia files:

exiftool image.jpg

Creates a hex dump of a file:

xxd file

Displays disk usage of a directory or file:

du -sh /var/log

Lists mounted filesystems:

mount

Unmounts a filesystem:

umount /mnt

Shows block devices in a tree structure:

lsblk

Views logs from systemd systems :

journalctl -u sshd

provides detailed metadata and statistics about a packet capture (PCAP) file

capinfos <file.pcap>

jq filters

jq
cat logs.json | jq '.events[] | select(.status == "failed")'
cat logs.json | jq '.events[] | .source_ip'

2. System Information Gathering

Hostname and OS details:

   hostname
   uname -a
   cat  /etc/os-release

Kernel version and architecture:

   uname -r
   arch

System uptime and load:

   uptime
   w

3. User Information

Logged-in users and history:

    who
    last
    history
    lastlog
    passwd -S username

Check sudoers file:

cat  /etc/sudoers

4. Process Investigation

List running processes:

   ps aux
    top
    htop
    crontab -l

Identify network-related processes:

    netstat -tunap
    lsof -i

Lists open files by processes

lsof -p PID

Displays memory maps of processes

pmap PID

Traces system calls made by a process.

strace -p PID

5. File and Directory Investigation

List directory contents:

ls -alh

List hidden files:

   ls -a

Search for recent file modifications:

  find / -type f -mtime -5  2>/dev/null

Find files with specific extensions:

 find / -type f -name "*.sh"

6. Network Investigation

Active network connections:

   ss -tunap
  netstat -plant

Network interface information:

  ip addr show
  ifconfig

DNS resolutions:

 cat /etc/resolv.conf

Capture packets with tcpdump:

 tcpdump -i eth0 -w capture.pcap

Analyze packets with tshark:

    tshark -r capture.pcap
    tshark -n -r packets.pcap -Tfields -e ip.srce -e tcp.srcport -e ip.dst -e tcp.dstport | sort | unig -c

7.Package and Service Analysis

List installed packages:

    dpkg -l   # For Debian-based systems
    rpm -qa   # For Red Hat-based systems

Running services:

    systemctl list-units --type=service
    service --status-all

8.Hashing and File Integrity

Calculate file hash:

   sha256sum filename
   md5sum filename

Compare file hashes:

diff <(sha256sum file1) <(sha256sum file2)

PreviousLinux Forensics dirs NextLinux Forensics Tools

Last updated 5 months ago

Linux Forensics Commands

1. File and Metadata Analysis

dentifies the type of a file:

file  suspicious_file

Extracts human-readable strings from binary files:

strings binary_file

Displays detailed file metadata, including timestamps:

stat file

Extracts metadata from multimedia files:

exiftool image.jpg

Creates a hex dump of a file:

xxd file

Displays disk usage of a directory or file:

du -sh /var/log

Lists mounted filesystems:

mount

Unmounts a filesystem:

umount /mnt

Shows block devices in a tree structure:

lsblk

Views logs from systemd systems :

journalctl -u sshd

provides detailed metadata and statistics about a packet capture (PCAP) file

capinfos <file.pcap>

jq filters

jq
cat logs.json | jq '.events[] | select(.status == "failed")'
cat logs.json | jq '.events[] | .source_ip'

2. System Information Gathering

Hostname and OS details:

   hostname
   uname -a
   cat  /etc/os-release

Kernel version and architecture:

   uname -r
   arch

System uptime and load:

   uptime
   w

3. User Information

Logged-in users and history:

    who
    last
    history
    lastlog
    passwd -S username

Check sudoers file:

cat  /etc/sudoers

4. Process Investigation

List running processes:

   ps aux
    top
    htop
    crontab -l

Identify network-related processes:

    netstat -tunap
    lsof -i

Lists open files by processes

lsof -p PID

Displays memory maps of processes

pmap PID

Traces system calls made by a process.

strace -p PID

5. File and Directory Investigation

List directory contents:

ls -alh

List hidden files:

   ls -a

Search for recent file modifications:

  find / -type f -mtime -5  2>/dev/null

Find files with specific extensions:

 find / -type f -name "*.sh"

6. Network Investigation

Active network connections:

   ss -tunap
  netstat -plant

Network interface information:

  ip addr show
  ifconfig

DNS resolutions:

 cat /etc/resolv.conf

Capture packets with tcpdump:

 tcpdump -i eth0 -w capture.pcap

Analyze packets with tshark:

    tshark -r capture.pcap
    tshark -n -r packets.pcap -Tfields -e ip.srce -e tcp.srcport -e ip.dst -e tcp.dstport | sort | unig -c

7.Package and Service Analysis

List installed packages:

    dpkg -l   # For Debian-based systems
    rpm -qa   # For Red Hat-based systems

Running services:

    systemctl list-units --type=service
    service --status-all

8.Hashing and File Integrity

Calculate file hash:

   sha256sum filename
   md5sum filename

Compare file hashes:

diff <(sha256sum file1) <(sha256sum file2)

PreviousLinux Forensics dirs NextLinux Forensics Tools

Last updated 5 months ago