Linux Analysis Reference

The purpose of this guide is to serve as a reference for baseline analysis tasks when investigating a Linux system.

A couple of notes worth mentioning:

  • Currently, this reference is designed for Red Hat Enterprise Linux (RHEL) and CentOS, but much of it carries over to other Linux distributions.
  • Although the listed tasks are useful in forensic investigations, this guide is not exhaustive. It is meant to aid initial forensic inference based on an identified collection need, not provide all evidence needed for final determination.
  • Each method given is designed to use native utilities, or those included by default. This guide purposefully avoids non-native utilities, as they are not always available.
  • Exercises are provided in each section to help demonstrate, and give hands-on experience with, the process of identifying changes to a Linux system.

Table of contents