Evidence Collection on Linux Without External Toolkits
Background: During incident response, time constraints can make it difficult to fully understand the scope of an incident. This challenge becomes even greater when the existing toolset does not support comprehensive collection of Linux artifacts and you need to spot malware or malicious code running on the machine.
Recommendation: Because a Linux system exposes most of this state through standard commands, the following can be used to uncover hidden activity at the OS level:
Network connections: netstat -tunp
Process list: ps aux
Execution path: ls -l /proc/YourPID/exe
Open files: lsof -p YourPID
Cron job list: crontab -l
Hidden files: find / -type f -name '.*'
Recent modification: find / -type f -mtime -3
Shell history: cat ~/.bash_history
These commands help in an urgent situation to check the host until the full toolset is deployed.
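The commands above wired into a small collector, as an added example that is not from the original post: it runs each check, keeps the exact command and exit status in a manifest, and hashes the output so later changes to the evidence are visible. It assumes POSIX sh with coreutils, treats a missing tool (netstat, lsof, crontab) as a skipped step, and adds ss -tunp as the iproute2 fallback for hosts without net-tools.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: POSIX sh,
# coreutils (find, sha256sum); a missing tool is recorded as SKIPPED.

run_step() {
    # run_step <outdir> <name> <command...>: capture stdout+stderr to <name>.txt
    outdir=$1; name=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\tSKIPPED (%s not installed)\n' "$name" "$1" >>"$outdir/manifest.txt"
        return 0
    fi
    status=0
    "$@" >"$outdir/$name.txt" 2>&1 || status=$?
    printf '%s\t%s\texit=%s\n' "$name" "$*" "$status" >>"$outdir/manifest.txt"
}

collect_pid() {
    # collect_pid <outdir> <pid>: the per-process checks from the post
    run_step "$1" "pid_${2}_exe"  ls -l "/proc/$2/exe"
    run_step "$1" "pid_${2}_lsof" lsof -n -p "$2"
}

collect_triage() {
    # collect_triage <outdir> [search-root]: run every host-wide check.
    # search-root defaults to /; pass a narrower path for a quick sweep.
    outdir=$1; root=${2:-/}
    mkdir -p "$outdir" || return 1
    printf 'host=%s\tcollected=%s\n' "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >"$outdir/manifest.txt"
    run_step "$outdir" network       netstat -tunp
    run_step "$outdir" network_ss    ss -tunp      # iproute2 replacement for netstat
    run_step "$outdir" processes     ps aux
    run_step "$outdir" proc_exe      sh -c 'ls -l /proc/[0-9]*/exe 2>/dev/null'  # exe for every PID
    run_step "$outdir" cron          crontab -l
    run_step "$outdir" hidden_files  find "$root" -xdev -type f -name '.*'
    run_step "$outdir" recent_files  find "$root" -xdev -type f -mtime -3
    run_step "$outdir" shell_history cat "$HOME/.bash_history"
    # Hash last so the manifest itself is covered by the checksum list.
    (cd "$outdir" && sha256sum ./*.txt >SHA256SUMS)
}

# Usage: collect_triage /mnt/usb/triage-$(date +%Y%m%d); then collect_pid <outdir> <pid>
# for any process that looks suspicious in processes.txt or proc_exe.txt.
```

Verify the bundle later with `sha256sum -c SHA256SUMS` inside the output directory; a changed file shows as FAILED.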