Module 5 · Linux Forensics — Auditd, journalctl, Containers

Manish Garg, Associate of (ISC)² · RingSafe
May 13, 2026
4 min read

Why this module exists. Linux forensics covers a different surface than Windows: bash history, auditd, journalctl, container layers, eBPF probes, and the /proc filesystem of a running system. This module is the practitioner reference: what to capture, what each artefact tells you, and how container and Kubernetes workloads change the picture.

Linux IR responders often default to “tar up /var/log and call it done.” Modern Linux estates — especially in Indian cloud-native shops — have far richer artefacts available if you know to capture them. This module is the structured walkthrough.

The first-response capture — what to grab in 5 minutes

If you have shell access to a suspected-compromised Linux host and only minutes before something forces a reboot, capture this in order:

# Evidence directory — create it first, ideally on a separately mounted volume
# so the capture itself does not overwrite unallocated space on the suspect disk
mkdir -p /evidence

# Volatile state — captures running picture
ps auxf > /evidence/ps.txt
ss -tnpoa > /evidence/connections.txt
lsof +D / 2>/dev/null > /evidence/openfiles.txt
last -F > /evidence/last.txt
who -a > /evidence/who.txt
mount > /evidence/mount.txt
cat /proc/modules > /evidence/modules.txt
crontab -l > /evidence/cron-root.txt
# label each user's crontab so the combined file shows who owns which entry
for u in $(cut -d: -f1 /etc/passwd); do echo "### $u"; crontab -u "$u" -l 2>/dev/null; done > /evidence/cron-all.txt

# Bash history — every account, one file per user (a plain cp /home/*/.bash_history
# would overwrite each copy with the next); -p preserves the file timestamps
for h in /root /home/*; do
  [ -f "$h/.bash_history" ] && cp -p "$h/.bash_history" "/evidence/bash_history_$(basename "$h")"
done

# Recent files (modified in last 24h)
find / -mtime -1 -type f 2>/dev/null > /evidence/modified-24h.txt

# Network state — if persistent attacker is suspected
iptables-save > /evidence/iptables.txt
nft list ruleset > /evidence/nftables.txt

# Then take a memory image (Module 3)
# Then take a disk image / snapshot (Module 2)
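The capture list above is typed by hand under time pressure, so two things tend to go wrong: one missing tool aborts the run, and the copies are never hashed, so nobody can later show the evidence set is unchanged. The script below is an added example, not RingSafe's own tooling; it wraps the same collectors in a POSIX sh script that logs each collector's exit status, keeps one history file per account, and writes a SHA-256 manifest. It assumes the evidence root (/mnt/evidence in the usage note) is an already-mounted separate volume, that it runs as root, and that the tools are the standard Linux ones named in the module; the helper names (capture, collect_histories, write_manifest, verify_manifest, collect_all) are this example's own.

```shell
#!/bin/sh
# Added example (not RingSafe's script): the module's first-response capture
# wrapped so that one failing collector cannot abort the run and the output is
# hashed for chain of custody. Assumptions: the evidence root is a separate,
# already-mounted volume; the script runs as root; tools are standard Linux ones.

# Use GNU sha256sum where present, otherwise the Perl shasum (macOS/BSD).
if command -v sha256sum >/dev/null 2>&1; then SHA=sha256sum; else SHA="shasum -a 256"; fi

# capture <output-name> <command...>: run one collector, store its stdout under
# $EVIDENCE, and log (UTC time, name, exit status, command line). A missing
# tool or a non-zero exit is recorded in the log, never fatal.
capture() {
    name=$1; shift
    if "$@" > "$EVIDENCE/$name" 2>>"$EVIDENCE/collection.err"; then rc=0; else rc=$?; fi
    printf '%s\t%s\trc=%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$rc" "$*" \
        >> "$EVIDENCE/collection.log"
}

# collect_histories <homes-dir> <dest-dir>: copy each account's shell history
# to a distinct file (history_<user>_<shell>), preserving mtimes. A plain
# `cp /home/*/.bash_history /evidence/` overwrites each copy with the next, so
# only the last user's history would survive. Prints the number of files copied.
collect_histories() {
    homes=$1; dest=$2; count=0
    for h in "$homes"/*; do
        [ -d "$h" ] || continue
        user=$(basename "$h")
        for f in .bash_history .zsh_history .sh_history; do
            if [ -f "$h/$f" ]; then
                cp -p "$h/$f" "$dest/history_${user}_${f#.}"
                count=$((count + 1))
            fi
        done
    done
    echo "$count"
}

# write_manifest <dir>: hash every captured file into <dir>/SHA256SUMS so the
# set can later be proven unchanged. Prints the number of files hashed.
write_manifest() {
    dir=$1
    ( cd "$dir" || exit 1
      find . -type f ! -name SHA256SUMS | sort | while read -r f; do $SHA "$f"; done
    ) > "$dir/SHA256SUMS"
    wc -l < "$dir/SHA256SUMS" | tr -d ' '
}

# verify_manifest <dir>: returns 0 only if every hashed file still matches.
verify_manifest() {
    ( cd "$1" && $SHA -c --quiet SHA256SUMS >/dev/null 2>&1 )
}

# collect_all <evidence-dir>: the module's capture list, in the module's order.
collect_all() {
    EVIDENCE=$1
    mkdir -p "$EVIDENCE"
    printf 'host=%s uid=%s started=%s\n' "$(hostname)" "$(id -u)" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$EVIDENCE/README.txt"
    capture ps.txt           ps auxf
    capture connections.txt  ss -tnpoa
    capture openfiles.txt    lsof -nP        # -nP: no DNS or port-name lookups
    capture last.txt         last -F
    capture who.txt          who -a
    capture mount.txt        mount
    capture modules.txt      cat /proc/modules
    capture cron-root.txt    crontab -l
    capture cron-all.txt     sh -c 'for u in $(cut -d: -f1 /etc/passwd); do printf "### %s\n" "$u"; crontab -u "$u" -l 2>/dev/null; done'
    # -xdev keeps find off /proc, /sys and the evidence volume itself
    capture modified-24h.txt find / -xdev -mtime -1 -type f
    capture iptables.txt     iptables-save
    capture nftables.txt     nft list ruleset
    collect_histories /home "$EVIDENCE" >/dev/null
    [ -f /root/.bash_history ] && cp -p /root/.bash_history "$EVIDENCE/history_root_bash_history"
    write_manifest "$EVIDENCE" >/dev/null
    echo "capture complete: $EVIDENCE/SHA256SUMS written"
}

# Only run the live capture when an evidence directory is given on the command line.
if [ "$#" -gt 0 ]; then collect_all "$1"; fi
```

Run it as root with `sh capture.sh /mnt/evidence`. Afterwards, `collection.log` shows which collectors were absent on the host (rc=127) or failed, so the gaps are documented rather than discovered weeks later, and `verify_manifest` (or `sha256sum -c SHA256SUMS` by hand) lets anyone who receives the evidence directory confirm it is unchanged before the memory and disk images from Modules 3 and 2 are taken.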