Linux Forensics Investigation | TryHackMe Linux Forensics

Motasem Hamdan
3 min read · Feb 6, 2025


Introduction

Linux forensics is an essential part of digital investigations, focusing on analyzing system activity, identifying security breaches, and recovering lost data. This article explores the fundamental techniques and commands used in Linux forensic investigations, covering system information retrieval, user analysis, network activity monitoring, and log file analysis.

System Information Gathering

The first step in any forensic investigation is gathering system details, including the operating system, kernel version, and architecture. Useful commands include:

  • uname -a – Displays system information, including kernel version.
  • cat /etc/os-release – Provides OS version details.
  • lsb_release -a – Displays distribution-specific information.

User and Group Analysis

Understanding user activity is crucial in forensic investigations. Commands for user analysis include:

  • cat /etc/passwd – Lists all system users.
  • cat /etc/shadow – Contains hashed passwords (accessible only to root users).
  • cat /etc/group – Displays user group memberships.
  • who – Lists currently logged-in users.

Privilege Escalation Checks

Investigators often check for unauthorized access and privilege escalation attempts using:

  • cat /etc/sudoers – Identifies users with administrative privileges.
  • id – Displays current user ID and group memberships.
  • sudo -l – Lists commands a user can execute with sudo privileges.

Network Activity and Connection Analysis

Monitoring network activity helps detect unauthorized connections. Key commands include:

  • netstat -anpt – Displays active network connections and associated processes.
  • ss -tulnp – Shows listening ports and the applications using them.
  • lsof -i – Lists active network connections.

Process and Service Investigation

To identify malicious activity, investigators examine running processes and services:

  • ps aux – Lists all running processes with details on resource usage.
  • top – Provides real-time CPU and memory usage statistics.
  • systemctl list-units --type=service – Displays active system services.

Log File Analysis

System logs store crucial forensic data, including login attempts, service activity, and security events:

  • /var/log/auth.log – Contains authentication attempts and sudo command usage.
  • /var/log/syslog – Logs general system events.
  • /var/log/wtmp – Stores login history, retrievable using last -f /var/log/wtmp.
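The entries above are usually triaged with grep, awk and sed. As an added example that is not part of the original article, the POSIX shell functions below pull failed and accepted SSH logins, sudo usage and account creations out of a constructed auth.log sample (hostname, addresses and user names are made up for the example):

```shell
#!/bin/sh
# Constructed auth.log excerpt for the example (not real evidence).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb  6 09:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Feb  6 09:12:03 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50124 ssh2
Feb  6 09:12:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 50130 ssh2
Feb  6 09:12:09 host sshd[1205]: Failed password for root from 198.51.100.9 port 41000 ssh2
Feb  6 09:12:11 host sshd[1203]: Accepted password for root from 203.0.113.5 port 50131 ssh2
Feb  6 09:13:40 host sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m backup
Feb  6 09:13:41 host useradd[1310]: new user: name=backup, UID=1002, GID=1002, home=/home/backup, shell=/bin/bash
Feb  6 09:14:02 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF

# "Failed password" events per source address, most frequent first ("IP count").
failed_ssh_by_ip() {
    grep 'sshd\[.*\]: Failed password' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $2 " " $1 }'
}

# Addresses that failed and then got an "Accepted" login: the classic
# brute-force-then-success pattern worth checking against wtmp/last.
success_after_failures() {
    failed_ssh_by_ip "$1" | awk '{ print $1 }' | while read -r ip; do
        grep -q "Accepted .* from $ip " "$1" && echo "$ip" || true
    done
}

# sudo invocations as "invoking_user COMMAND".
sudo_commands() {
    grep ' sudo: ' "$1" | sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1 \2/p'
}

# Accounts created by useradd (a common persistence indicator).
new_accounts() {
    grep 'useradd\[.*\]: new user:' "$1" | sed -n 's/.*name=\([^,]*\),.*/\1/p'
}

echo "== failed SSH logins per source =="; failed_ssh_by_ip "$SAMPLE_LOG"
echo "== sources with failures followed by success =="; success_after_failures "$SAMPLE_LOG"
echo "== sudo commands =="; sudo_commands "$SAMPLE_LOG"
echo "== new accounts =="; new_accounts "$SAMPLE_LOG"
```

Point the functions at a copy of the real /var/log/auth.log (or the rotated auth.log.1) taken from the evidence image rather than the live file.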

Scheduled Tasks and Startup Services

Malware often persists through scheduled tasks and startup scripts:

  • crontab -l – Lists the scheduled cron jobs of the current user.
  • ls /etc/init.d/ – Displays startup scripts for services.
  • systemctl list-timers – Shows scheduled system tasks.

Evidence Collection and Data Recovery

Recovering deleted files and tracking system modifications is critical in forensic analysis:

  • find / -mtime -1 – Lists files modified in the last 24 hours.
  • extundelete /dev/sdX --restore-all – Attempts to recover deleted files.
  • foremost -i /dev/sdX -o output – Extracts lost files based on known headers.

Room Answers | TryHackMe Linux Forensics

Room answers can be found here.

Video Walkthrough

Summary

  • 🔎 Introduction to Linux Forensics — Covers system commands used for forensic investigation in Linux.
  • 🖥 System Information Gathering — Commands like uname -a, cat /etc/os-release, and lsb_release -a provide OS and kernel details.
  • 👤 User Account Analysis — cat /etc/passwd lists all user accounts, while cat /etc/shadow holds password hashes (if readable).
  • 🔍 Group Membership Investigation — cat /etc/group helps analyze user-group relationships.
  • 🛑 Privilege Escalation Checks — cat /etc/sudoers determines which users have administrative privileges.
  • 📡 Network Connections Analysis — netstat -anpt, ss -tulnp, and lsof -i identify active network services.
  • 🔬 Process Investigation — ps aux and top display running processes and resource usage.
  • 🗂 Log File Analysis — /var/log/auth.log contains login attempts, while /var/log/syslog logs system-wide events.
  • 🏗 Cron Jobs and Startup Services — crontab -l lists scheduled tasks, and /etc/init.d/ manages services.
  • 🕵 Evidence Collection — last -f /var/log/wtmp shows login history, and who lists currently logged-in users.
  • 🔑 Recovering Deleted Files — extundelete and foremost aid in file recovery from Linux systems.


Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
