Linux Artifacts

  • Password Hashes

    • Passwd file: /etc/passwd file is used to keep track of every registered user that has access to a system

    • Shadow file: /etc/shadow file contains encrypted passwords as well as other information such as account or password expiration values

      • To show shadow file content: sudo cat /etc/shadow

  • Installed Software

    • Find installed software on Debian based systems by checking the status file: /var/lib/dpkg/status

    • Save all lines that contain package in /var/lib/dpkg/status to packages.txt: cat status | grep Package > packages.txt

  • System Logs

    • /var/log/auth.log: system authorizations, including user logins

    • /var/log/dpkg.log: packages installed or removed using the dpkg command

    • /var/log/btmp: failed login attempts

    • /var/log/cron: cron jobs

    • /var/log/secure: authentication and authorization privileges (eg related to SSH)

    • /var/log/faillog: failedf user logins

    • To search linux logs for a specific program/malware: /var/log$ grep -iRl {keyword}

  • Web Server Logs for Apache and Nginx

    • var/log/apache2/access.log: shows web server info in Apache, including:

      • Client IP

      • Resource accessed

      • HTTP method

      • User-Agent of client IP

      • Request timestamps

  • User Files

    • Bash History

      • cd ~

      • ls -a

      • cat .bash_history

      • history can also be used, but history -c can be used to delete terminal history

    • Clear Files

      • Desktop, Downloads, Music, Pictures, Public, Templates, Videos

      • Trash Bin

    • Super user startup scripts: /etc/rc.local

    • To show listening network connections: netstat -tulnp

PreviousKAPENextMemory File Analysis

Last updated