Linux Forensics Cheatsheet: Essential Commands and Techniques

Introduction

Linux forensics is a critical skill for cybersecurity professionals investigating incidents, analyzing breaches, or recovering data. This guide covers verified commands, log analysis techniques, and file system forensics to help you gather evidence efficiently on Linux systems.

Learning Objectives

• Master key Linux forensic commands for disk, memory, and log analysis.
• Learn to identify malicious activity through system artifacts.
• Understand how to preserve evidence for legal investigations.

1. Disk and Partition Analysis

Command:

lsblk -f 

Step-by-Step Guide:

1. Purpose: Lists block devices (disks/partitions) with filesystem types.
2. Usage: Run as root to identify attached storage and unmounted volumes.
3. Forensic Value: Detect hidden partitions or unauthorized storage devices.

2. File System Timeline Creation

Command:

fls -r -m / /dev/sda1 > timeline.csv 

Step-by-Step Guide:

1. Tool: `fls` (Sleuth Kit).

2. Flags: `-r` (recursive), `-m` (machine-readable output).

1. Output: Creates a timeline of file access/modification times for anomaly detection.

3. Memory Dump Acquisition

Command:

sudo dd if=/dev/mem of=/evidence/memdump.bin bs=1M 

Step-by-Step Guide:

1. Purpose: Captures RAM content for volatile evidence.

2. Caution: Run early in investigation—memory is ephemeral.

1. Alternative: Use `LiME` kernel module for reliable dumps.

4. Log Analysis with `journalctl`

Command:

journalctl --since "2023-01-01" --until "2023-01-02" | grep "FAILED" 

Step-by-Step Guide:

1. Flags: Filter systemd logs by date and failure events.
2. Forensic Value: Identify brute-force attacks or service crashes.

5. Network Connection Forensics

Command:

ss -tulnp 

Step-by-Step Guide:

1. Purpose: Lists active sockets (-t TCP, `-u` UDP, `-l` listening).
2. Flags: `-n` (no DNS resolution), `-p` (show processes).
3. Critical Check: Unauthorized open ports or rogue processes.

6. Deleted File Recovery

Command:

sudo extundelete /dev/sda1 --restore-file /home/user/secret.txt 

Step-by-Step Guide:

1. Tool: `extundelete` for ext3/4 file systems.

2. Prerequisite: Unmount the partition first.

3. Output: Recovers files from inode metadata.

7. Malware Hunting with `rkhunter`

Command:

sudo rkhunter --check --sk 

Step-by-Step Guide:

1. Tool: Rootkit Hunter scans for backdoors.

2. Flags: `–sk` (skip key presses).

3. Post-Scan: Review `/var/log/rkhunter.log`.

What Undercode Say:

• Key Takeaway 1: Linux forensics requires a methodical approach—prioritize volatile data (RAM, network) before disk analysis.
• Key Takeaway 2: Automation (e.g., scripts for log parsing) saves time during large-scale investigations.

Analysis:

With ransomware and APTs increasingly targeting Linux servers, forensic readiness is non-negotiable. Mastering these commands reduces mean time to detect (MTTD) and respond (MTTR). Future investigations will lean more on AI-assisted timeline correlation (e.g., Timesketch), but foundational CLI skills remain essential.

Prediction:

Expect tighter integration between Linux forensics tools and SIEMs (e.g., Splunk, Elastic) for real-time anomaly detection, reducing reliance on post-mortem analysis.

IT/Security Reporter URL:

Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin