The Helpline needs to perform live forensics on a Linux/Unix machine using built-in tools.
Edit me

Host-Based Live Forensics on Linux/Unix

How to perform live forensics on a Linux/Unix machine using the available built-in tools


In some instances, a Linux/Unix machine may need to be isolated from the shared network or internet access point it is usually connected to due to its compromised state. This article applies to a similar scenario, where we have limited resources to conduct forensic analysis and have to rely on the built-in tools available in the device.


Below is the general methodology we can follow when conducting live forensics on a Linux/Unix machine.

1. Unusual Network Entries

There are protocols in a Linux/Unix machine that can be exploited/abused by attackers both on the client and server side. The following commands will list the sessions and connection that we can use for our initial investigation:

# netstat -nap

Displays listening UDP and TCP ports and remote IPs. Adding -na will show all the connections without resolving the domain and adding -p will show the program name and the PID.

Note: PIDs are useful for investigating the program processes.

# lsof -i

Stands for list open files - this command will give you a comprehensive list of all open files, be it a regular file, a library, a network file, or a data stream. Executing these commands as root should show other entries launched by the root or privileged users.

Another command useful for host-based investigation is dmesg piped to a grep command in order to find if the machine is set on promiscuous mode:

# dmesg | grep -i promisc

If this mode is on (returns result), this means that the machine is sniffing the network. This should be a good indicator that the machine is compromised and is sniffing the rest of network to find valuable information or to compromise more devices.

2. Unusual Processes

Launch the following command to list all running processes:

# ps -aux

Please note however that this command should be compared to a baseline of normal running processes (sysadmins may have a prior list of processes created during auditing processes). A list of processes is hard to be found for workstations, especially if the device is also used for non-work related tasks.

Piping the output of ps -aux to a grep command referred to a PID will allow us to focus only on one process:

# ps aux | grep [PID]

The command format and arguments are very similar to those of the netcat command that opens a listening connection.

Using lsof with the -p flag plus a PID will display results for all the files opened by a specific process:

# lsof -p [PID]

3. Unusual Debian Packages (only for Debian-based systems)

Launch the following command:

# debsums -all

An attacker with root privileges could change Debian package to makes their script look legitimate. The debsums command can identify such activities by checking the integrity of all installed Debian packages against a local list of hashes under the default file /var/lib/dpkg/info/*.md5sums.

4. Unusual Files

Launch the following commands:

find / -uid 0 -perm -4000 -print

find / -size +10000k -print 

find / -name " " -print 

find / -name ".. " -print

The presence of unusual files could be an indicator of data exfiltration. Through the above commands, we aim to find respectively: (1) SUID files, (2) large files, and (3) files named with a space and two points.

5. Unusual Scheduled Tasks

In Linux systems, scheduled tasks are created using crons. This is a way for threat actors to ensure that the malicious program will be executed again even if the process is found and killed.

Use the following commands for investigating unusual system-wide cron jobs:

crontab -u root -l

cat /etc/crontab

ls /etc/cron

6. Unusual Accounts

Sort all users in /etc/passwd by their User ID or UID value and check especially the users with a UID lower than 500, as these users usually have more sensitive permissions.

sort -nk3 -t: /etc/passwd | less

Orphaned files are indicators of deleted users that could have been created by an attacker who then deleted these users to hide their traces. To identify such files, launch this command:

find / -nouser -print


Please check this presentation to see typical outputs of most of the commands listed in this article.