Linux Forensics Commands

1. File and Metadata Analysis

  • Identifies the type of a file:

file suspicious_file
  • Extracts human-readable strings from binary files:

strings binary_file
  • Displays detailed file metadata, including timestamps:

stat file
  • Extracts metadata from multimedia files:

exiftool image.jpg
  • Creates a hex dump of a file:

xxd file
  • Displays disk usage of a directory or file:

du -sh /var/log
  • Lists mounted filesystems:

mount
  • Unmounts a filesystem:

umount /mnt
  • Shows block devices in a tree structure:

lsblk
  • Views logs from systemd systems:

journalctl
  • Provides detailed metadata and statistics about a packet capture (PCAP) file:

capinfos capture.pcap
  • Filters and formats JSON data (jq filters):

jq '.' file.json
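
A worked triage routine built from the commands in this section (an added example, not part of the original cheat sheet): it records the type, size and the three timestamps of one file, dumps its first bytes, and flags a modification time that is older than the inode change time. The sample file, its contents and the 60-second slack are constructed for the demonstration; the `stat -c` format specifiers assume GNU or busybox coreutils.

```sh
#!/bin/sh
# Added example: read-only metadata triage of one file, built from
# file, stat, strings and xxd. Nothing here modifies the evidence file.

# Print the type, size and the three POSIX timestamps (atime, mtime, ctime)
# of one file. stat -c is a GNU/busybox option, not POSIX.
describe_file() {
    f=$1
    printf 'file:   %s\n' "$(file -b -- "$f" 2>/dev/null || echo 'file(1) not installed')"
    printf 'size:   %s bytes\n' "$(stat -c %s -- "$f")"
    printf 'atime:  %s\n' "$(stat -c %x -- "$f")"
    printf 'mtime:  %s\n' "$(stat -c %y -- "$f")"
    printf 'ctime:  %s\n' "$(stat -c %z -- "$f")"
    # First 64 bytes as a hex dump; xxd ships with vim, so fall back to od.
    if command -v xxd >/dev/null 2>&1; then
        xxd -l 64 "$f"
    else
        od -A x -t x1 -N 64 "$f"
    fi
}

# Return 0 (true) when the modification time predates the inode change time
# by more than $2 seconds (default 60). touch -t and utime() rewrite mtime,
# but the kernel sets ctime itself, so an mtime far behind ctime means the
# content timestamp was rewritten after the inode was last changed.
mtime_predates_ctime() {
    f=$1
    slack=${2:-60}
    mtime=$(stat -c %Y -- "$f")
    ctime=$(stat -c %Z -- "$f")
    [ $((ctime - mtime)) -gt "$slack" ]
}

# Count printable strings of at least 4 characters, which is what strings(1)
# reports by default, without depending on binutils being installed.
count_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -c -E '^.{4,}$' || true
}

# Demo with a constructed file whose mtime is pushed back to 2020.
demo_dir=$(mktemp -d)
printf 'GET /index.html HTTP/1.1\r\n\001\002ab' > "$demo_dir/sample.bin"
touch -t 202001010000 "$demo_dir/sample.bin"
describe_file "$demo_dir/sample.bin"
printf 'printable strings: %s\n' "$(count_strings "$demo_dir/sample.bin")"
if mtime_predates_ctime "$demo_dir/sample.bin"; then
    echo 'lead: mtime is older than ctime, check how the file arrived on disk'
fi
rm -rf "$demo_dir"
```

A copied, extracted or restored file also shows an mtime well behind its ctime, so the flag is a lead to confirm against the package manager database or backups, not proof that timestamps were tampered with.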

2. System Information Gathering

  • Hostname and OS details:

  • Kernel version and architecture:

  • System uptime and load:

3. User Information

  • Logged-in users and history:

  • Check sudoers file:

4. Process Investigation

  • List running processes:

  • Identify network-related processes:

  • Lists open files by processes:

  • Displays memory maps of processes:

  • Traces system calls made by a process:

5. File and Directory Investigation

  • List directory contents:

  • List hidden files:

  • Search for recent file modifications:

  • Find files with specific extensions:
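
An added example (not from the original page) that wraps the `find` invocations this section refers to, with a constructed directory tree so it runs offline: recently modified files, hidden files, and files by extension. The sample paths, file names and the one-day window are assumptions.

```sh
#!/bin/sh
# Added example: directory triage with find(1). Replace the constructed
# sample tree with the mount point under review.

# Regular files modified within the last N days (POSIX -mtime -N).
recently_modified() {
    root=$1; days=${2:-1}
    find "$root" -type f -mtime -"$days"
}

# Regular files whose name ends in the given extension, e.g. sh or php.
files_with_ext() {
    root=$1; ext=$2
    find "$root" -type f -name "*.$ext"
}

# Hidden files (dotfiles) anywhere in the tree, the ones a plain ls omits.
hidden_files() {
    find "$1" -type f -name '.*'
}

# Number of non-empty output lines of a command, handy for reporting counts.
count_lines() { "$@" | grep -c . || true; }

# Constructed sample tree: one old script, one fresh script, one fresh dotfile.
demo=$(mktemp -d)
mkdir -p "$demo/home/user/.config"
printf '#!/bin/sh\necho old\n' > "$demo/home/user/old.sh"
touch -t 201901010000 "$demo/home/user/old.sh"
printf '#!/bin/sh\necho new\n' > "$demo/home/user/new.sh"
printf 'placeholder\n' > "$demo/home/user/.config/.hidden_note"
echo "== modified in the last day"; recently_modified "$demo"
echo "== *.sh";                    files_with_ext "$demo" sh
echo "== dotfiles";                hidden_files "$demo"
echo "== $(count_lines recently_modified "$demo") recent file(s)"
rm -rf "$demo"
```

`-mtime` truncates age to whole days, so `-mtime -1` means "changed less than 24 hours ago"; on a mounted evidence image remember that the times are those recorded on the suspect system, not on the analysis host.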

6. Network Investigation

  • Active network connections:

  • Network interface information:

  • DNS resolutions:

  • Capture packets with tcpdump:

  • Analyze packets with tshark:

7. Package and Service Analysis

  • List installed packages:

  • Running services:
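
Sections 2 through 7 describe a live-response snapshot: system, user, process, network, package and service state. The script below is an added example (not from the original page) that runs those commands in one pass, labels every result in a single report, and records a missing tool instead of aborting, since `hostnamectl`, `ss`, `lsof`, `dpkg`, `rpm` and `systemctl` are assumptions about what the host has installed. The output directory is also an assumption.

```sh
#!/bin/sh
# Added example: live-response collector for sections 2 to 7. Runs each
# command from the cheat sheet, labels its output, and keeps going when a
# tool is absent or fails (for instance /etc/sudoers without root).

REPORT=""

# Run one command and append its labelled output to $REPORT.
section() {
    label=$1; shift
    {
        printf '\n===== %s  [%s]\n' "$label" "$*"
        if command -v "$1" >/dev/null 2>&1; then
            "$@" 2>&1 || printf '(exit status %s)\n' "$?"
        else
            printf '(%s not available on this host)\n' "$1"
        fi
    } >> "$REPORT"
}

# Collect volatile state first (users, processes, sockets), then the rest.
collect_live_state() {
    outdir=$1
    mkdir -p "$outdir"
    REPORT="$outdir/live-state.txt"
    printf 'collected: %s by uid %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" > "$REPORT"
    # 2. system information
    section 'kernel and architecture'  uname -a
    section 'OS release'               cat /etc/os-release
    section 'host identity'            hostnamectl
    section 'uptime and load'          uptime
    # 3. users (sudoers needs root; the failure is recorded, not hidden)
    section 'logged-in users'          w
    section 'login history'            last -a
    section 'sudoers'                  cat /etc/sudoers
    # 4. processes (-ww keeps full command lines)
    section 'process tree'             ps -eww -o pid,ppid,user,lstart,args --forest
    section 'open files'               lsof -nP
    # 6. network
    section 'sockets and owners'       ss -tulpan
    section 'interfaces'               ip addr
    section 'routes'                   ip route
    section 'DNS configuration'        cat /etc/resolv.conf
    # 7. packages and services
    section 'installed packages (deb)' dpkg -l
    section 'installed packages (rpm)' rpm -qa
    section 'services'                 systemctl list-units --type=service --all
    printf '%s\n' "$REPORT"
}

# How many commands were absent, for a quick "what did we miss" check.
missing_tools() {
    grep -c 'not available on this host' "$1" || true
}

out=$(collect_live_state "${1:-$(mktemp -d /tmp/live-response.XXXXXX)}")
echo "report written to $out; $(missing_tools "$out") command(s) were unavailable"
```

Write the report to removable media or a remote share rather than the suspect disk, and hash it (section 8) as soon as it is complete so the collection itself can be verified later.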

8. Hashing and File Integrity

  • Calculate file hash:

  • Compare file hashes:
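
An added example (not from the original page) of the two items above as a workflow: build a SHA-256 manifest of a tree, then compare the tree against it to find changed, missing and new files. The sample tree and file names are constructed; `sort -z`, `xargs -r` and `comm` assume GNU userland.

```sh
#!/bin/sh
# Added example: baseline and verify a directory tree with sha256sum.
# The manifest belongs off the host; a copy kept on a compromised machine
# can be edited along with the files it describes.

# Write "hash  ./relative-path" for every regular file under $1 into $2.
make_manifest() {
    root=$1; manifest=$2
    ( cd "$root" && find . -type f ! -name "$(basename "$manifest")" -print0 \
        | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$manifest"
}

# Compare the tree against the manifest. Prints one line per changed,
# missing or new file and returns 1 if anything differs, so it can drive an alert.
verify_manifest() {
    root=$1; manifest=$2; problems=0
    # sha256sum -c reports FAILED for changed files and "No such file" for
    # missing ones; --quiet drops the OK lines.
    bad=$( (cd "$root" && sha256sum --quiet -c "$manifest") 2>&1 | grep -v ': OK$' || true)
    # Files present now but absent from the manifest; sha256sum -c never sees them.
    listed=$(mktemp)
    sed 's/^[0-9a-f]\{64\} [ *]//' "$manifest" | LC_ALL=C sort > "$listed"
    new=$( (cd "$root" && find . -type f ! -name "$(basename "$manifest")" | LC_ALL=C sort) \
           | comm -13 "$listed" -)
    rm -f "$listed"
    [ -n "$bad" ] && { printf '%s\n' "$bad"; problems=1; }
    [ -n "$new" ] && { printf '%s\n' "$new" | sed 's/^/NEW: /'; problems=1; }
    return $problems
}

# Constructed demo: baseline two files, then change one, delete one, add one.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'PermitRootLogin no\n' > "$demo/etc/sshd_config"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo/etc/passwd"
make_manifest "$demo" "$demo/baseline.sha256"
printf 'PermitRootLogin yes\n' > "$demo/etc/sshd_config"
rm "$demo/etc/passwd"
printf 'placeholder\n' > "$demo/etc/new.conf"
if verify_manifest "$demo" "$demo/baseline.sha256"; then
    echo "tree matches baseline"
else
    echo "tree differs from baseline"
fi
rm -rf "$demo"
```

`sha256sum -c` only checks entries that are in the manifest, which is why the new-file pass is needed; without it a dropped file is invisible to the comparison.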
