You Should Know:
Digital forensic analysis is crucial for investigating cyber incidents, data breaches, and system compromises. Below is a detailed breakdown of commands, scripts, and steps to perform forensic analysis on Linux and Windows systems.
Linux Forensic Commands & Scripts
1. Collect System Information
uname -a             # Kernel version
lsb_release -a       # OS details
df -h                # Disk usage
mount | column -t    # Mounted filesystems
2. Process & Network Analysis
ps aux           # Running processes
netstat -tuln    # Listening TCP/UDP ports
lsof -i          # Processes with open network connections
ss -s            # Socket statistics
3. File & Timeline Analysis
find / -type f -mtime -7 -exec ls -la {} \; # Modified files (last 7 days)
stat /path/to/file # File metadata
fls -r /dev/sda1 # Sleuth Kit file listing
4. Memory Forensics (Volatility)
volatility -f memory.dump imageinfo                          # Identify the OS profile of the image
volatility -f memory.dump --profile=<PROFILE> pslist        # Process list (PROFILE taken from imageinfo output)
volatility -f memory.dump --profile=<PROFILE> netscan       # Network connections and sockets
Windows Forensic Commands & Tools
1. System & Logs
systeminfo                                      # OS & hardware info
wevtutil qe Security /c:10 /rd:true /f:text     # 10 most recent Security log events, newest first, as readable text
2. Disk & File Analysis
Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID, Size, FreeSpace                                  # Logical disks and free space
Get-ChildItem -Path C:\ -Recurse -Include *.exe -Force | Select-Object FullName, LastWriteTime              # All executables with last-write timestamps
3. Autopsy (GUI Tool)
- Download: https://www.autopsy.com/
- Supports disk imaging, keyword searches, and registry analysis.
Automated Forensic Script (Bash)
#!/bin/bash
# Collects basic volatile and system data into /forensics and archives it
echo "=== Forensic Collector ==="
mkdir -p /forensics/{logs,processes,network}
uname -a > /forensics/system_info.txt                       # Kernel and host details
ps aux > /forensics/processes/running_processes.txt         # Running processes
netstat -tuln > /forensics/network/open_ports.txt           # Listening ports
tar -czvf "forensic_evidence_$(date +%Y%m%d).tar.gz" /forensics   # Date-stamped evidence archive
### **What Undercode Says**
Digital forensics requires a systematic approach, whether on Linux or Windows. Always:
- Document every command executed.
- Use checksums (md5sum, sha256sum) for evidence integrity.
- Isolate compromised systems to prevent tampering.
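As an added example (not part of the original post), the collector script above can be extended to do what this checklist asks for: every command is recorded with a UTC timestamp and the SHA-256 of its output in a manifest, and a second function re-verifies the manifest so any later change to the evidence is detected. The function names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): collector that logs every command
# it runs and hashes each output into a manifest, so tampering is detectable.
set -u

hash_file() {  # print the SHA-256 of $1 (coreutils or BSD tools)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_and_record OUTDIR NAME CMD... : save CMD's stdout+stderr to OUTDIR/NAME and
# append "utc-timestamp|sha256|file|command" to OUTDIR/MANIFEST.txt.
run_and_record() {
    outdir=$1; name=$2; shift 2
    "$@" >"$outdir/$name" 2>&1 || true   # a failing command is still evidence
    printf '%s|%s|%s|%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(hash_file "$outdir/$name")" "$name" "$*" >>"$outdir/MANIFEST.txt"
}

# collect_evidence OUTDIR : most volatile data first (processes, sockets).
collect_evidence() {
    outdir=$1
    mkdir -p "$outdir"
    : >"$outdir/MANIFEST.txt"
    run_and_record "$outdir" processes.txt   ps aux
    run_and_record "$outdir" sockets.txt     ss -tulpn
    run_and_record "$outdir" system_info.txt uname -a
    run_and_record "$outdir" mounts.txt      mount
}

# verify_manifest OUTDIR : recompute every hash; returns 0 only if all still match.
verify_manifest() {
    outdir=$1; status=0
    while IFS='|' read -r _ts hash name _cmd; do
        if [ "$(hash_file "$outdir/$name")" != "$hash" ]; then
            echo "MISMATCH: $name (evidence altered since collection)"; status=1
        fi
    done <"$outdir/MANIFEST.txt"
    return "$status"
}

# Usage: collect_evidence /forensics && verify_manifest /forensics
```

Archive the output directory together with MANIFEST.txt, and run verify_manifest again after transfer to show the evidence is unchanged.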
**Expected Output:**
- A `.tar.gz` file containing system logs, process lists, and network data.
- Memory dump analysis reports (if applicable).
- Timeline of file modifications for incident reconstruction.
Reported By: Fabiano Meda – Hackers Feeds