Linux Forensics Commands

1. File and Metadata Analysis

  • dentifies the type of a file:

file  suspicious_file

  • Extracts human-readable strings from binary files:

strings binary_file

  • Displays detailed file metadata, including timestamps:

stat file

  • Extracts metadata from multimedia files:

exiftool image.jpg

  • Creates a hex dump of a file:

xxd file

  • Displays disk usage of a directory or file:

du -sh /var/log

  • Lists mounted filesystems:

mount

  • Unmounts a filesystem:

umount /mnt

  • Shows block devices in a tree structure:

lsblk

  • Views logs from systemd systems : 

journalctl -u sshd

  • provides detailed metadata and statistics about a packet capture (PCAP) file

capinfos <file.pcap>

jq filters 

jq
cat logs.json | jq '.events[] | select(.status == "failed")'
cat logs.json | jq '.events[] | .source_ip'

2. System Information Gathering

  • Hostname and OS details:

   hostname
   uname -a
   cat  /etc/os-release

  • Kernel version and architecture:

   uname -r
   arch

  • System uptime and load:

   uptime
   w

3. User Information

  • Logged-in users and history:

    who
    last
    history
    lastlog
    passwd -S username

  • Check sudoers file:

cat  /etc/sudoers

4. Process Investigation

  • List running processes:

   ps aux
    top
    htop
    crontab -l

  • Identify network-related processes:

    netstat -tunap
    lsof -i

  • Lists open files by processes

lsof -p PID

  • Displays memory maps of processes

pmap PID

  • Traces system calls made by a process.

strace -p PID

5. File and Directory Investigation

  • List directory contents:

ls -alh

  • List hidden files:

   ls -a

  • Search for recent file modifications:

  find / -type f -mtime -5  2>/dev/null

  • Find files with specific extensions:

 find / -type f -name "*.sh"

6. Network Investigation

  • Active network connections:

   ss -tunap
  netstat -plant

  • Network interface information:

  ip addr show
  ifconfig

  • DNS resolutions:

 cat /etc/resolv.conf

  • Capture packets with tcpdump:

 tcpdump -i eth0 -w capture.pcap

  • Analyze packets with tshark:

    tshark -r capture.pcap
    tshark -n -r packets.pcap -Tfields -e ip.srce -e tcp.srcport -e ip.dst -e tcp.dstport | sort | unig -c

7.Package and Service Analysis

  • List installed packages:

    dpkg -l   # For Debian-based systems
    rpm -qa   # For Red Hat-based systems

  • Running services:

    systemctl list-units --type=service
    service --status-all

8.Hashing and File Integrity

  • Calculate file hash:

   sha256sum filename
   md5sum filename

  • Compare file hashes:

diff <(sha256sum file1) <(sha256sum file2)

PreviousLinux Forensics dirsNextLinux Forensics Tools

Last updated