Linux File Use & Knowledge Artifacts
This week I talk about Linux forensics and break down some useful artifacts that may generate leads for investigations.
Linux forensics is often IR-driven, but sometimes a Linux system comes up in a File Use & Knowledge investigation. It is a given that an examiner will more likely be dealing with a PC or Mac system, but when a Linux box eventually rolls in it is good to know some basic triage artifacts so the investigation does not stall completely.
Below are the Linux artifacts I talk about during the podcast. Consider these entry-level artifacts that can be easily interpreted, with a little validation testing, by a “non-Linux” examiner.
Computer system profile information
Identify suspicious accounts
Profile user account activity
Profile user login history
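As an added illustration of the "suspicious accounts" triage item (this is example code written for these notes, not something from the podcast), the script below runs three common account checks over passwd- and shadow-format data: accounts other than root with UID 0, UIDs shared by more than one account, and accounts whose shadow entry has an empty password field. The sample passwd and shadow lines are constructed for the demonstration; on a live system the same functions are fed /etc/passwd and /etc/shadow (the latter is readable only as root).

```shell
#!/bin/sh
# Added example: basic Linux account triage in POSIX sh + awk.
# Each function reads passwd- or shadow-format lines on stdin so it can be
# run against a mounted image's /etc files or against a constructed sample.

# Accounts with UID 0 that are not named "root": a classic persistence sign.
flag_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs shared by more than one account (prints "uid: name1 name2 ...").
flag_duplicate_uids() {
  awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
           END { for (u in count) if (count[u] > 1) print u ":" names[u] }'
}

# Shadow entries whose password field (field 2) is empty: login with no password.
flag_passwordless_accounts() {
  awk -F: '$2 == "" { print $1 }'
}

# Constructed sample data (not from any real system) used by the demo below.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
svc:x:1001:1001:svc:/var/lib/svc:/usr/sbin/nologin'

SAMPLE_SHADOW='root:$6$abc:19000:0:99999:7:::
alice:$6$def:19000:0:99999:7:::
backup::19000:0:99999:7:::'

# Run every check over one passwd file and one shadow file.
run_account_triage() {
  passwd_file=$1
  shadow_file=$2
  echo "== UID 0 accounts other than root =="
  flag_uid0_accounts < "$passwd_file"
  echo "== Duplicate UIDs =="
  flag_duplicate_uids < "$passwd_file"
  if [ -r "$shadow_file" ]; then
    echo "== Accounts with an empty password field =="
    flag_passwordless_accounts < "$shadow_file"
  else
    echo "(shadow file $shadow_file not readable; skipping password check)"
  fi
}

# Usage: "sh triage.sh --live" checks the running host; with no argument the
# constructed sample is used so the script is safe to run anywhere.
if [ "${1:-}" = "--live" ]; then
  run_account_triage /etc/passwd /etc/shadow
else
  tmp_passwd=$(mktemp) && tmp_shadow=$(mktemp)
  printf '%s\n' "$SAMPLE_PASSWD" > "$tmp_passwd"
  printf '%s\n' "$SAMPLE_SHADOW" > "$tmp_shadow"
  run_account_triage "$tmp_passwd" "$tmp_shadow"
  rm -f "$tmp_passwd" "$tmp_shadow"
fi
```

On the constructed sample the checks flag the "backup" account three times over: it has UID 0 without being root, it shares UID 0 with root, and its shadow entry has no password hash. Any hit from these checks is a lead to validate against the distribution's defaults rather than a conclusion on its own.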