Linux Forensics: Artifacts, Logs, and Investigation Techniques

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Linux systems power most of the internet’s infrastructure, which makes them high-value targets. When a Linux box gets compromised, you need to know where to look, what artifacts matter, and how to build a timeline without destroying evidence.

Log Analysis

Linux logs are your primary evidence source. Start with the authentication logs: /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS). These record SSH logins, sudo usage, failed authentication attempts, and account modifications. Look for logins from unexpected IPs, successful authentication after a string of failures, and sudo commands from accounts that should not have elevated privileges.

/var/log/syslog and journal logs (journalctl) capture system-level events. Service starts and stops, cron job execution, kernel messages, and application errors all live here. Attackers who install persistence through systemd services or cron jobs leave traces in these logs.

Check /var/log/wtmp (parsed with last) for login history and /var/log/btmp (parsed with lastb) for failed login attempts. The lastlog command shows the most recent login for each user — accounts that suddenly show activity after months of dormancy are worth investigating.
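The two auth.log patterns called out above, successful authentication after a string of failures and sudo use by an account that should not have it, are easy to triage programmatically. The following is an added example, not code from the HADESS article; the log lines are constructed in Debian/Ubuntu auth.log syntax with documentation-range IPs, and the admin allowlist (`{"deploy"}`) is an assumption you would replace with your own.

```python
# Added example (not from the article): triage a Debian-style auth.log for
# (1) Accepted logins preceded by N+ failures from the same IP and
# (2) sudo invocations by accounts outside an admin allowlist.
import re
from collections import defaultdict

# Constructed sample lines, not real data. Hosts, IPs and users are made up.
SAMPLE_AUTH_LOG = """\
Feb 27 03:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 27 03:14:03 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 27 03:14:05 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Feb 27 03:14:09 web1 sshd[2104]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Feb 27 03:15:30 web1 sudo:   www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Feb 27 09:02:11 web1 sshd[2310]: Accepted publickey for deploy from 198.51.100.5 port 40212 ssh2
Feb 27 09:05:42 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

# sshd lines: "<Accepted|Failed> <method> for [invalid user] <user> from <ip>"
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
# sudo lines: "sudo:   <invoking user> : ... COMMAND=<command>"
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")


def suspicious_logins(text, threshold=3):
    """Return (ip, user, prior_failures) for each Accepted login that follows
    `threshold` or more failed attempts from the same source IP."""
    failures = defaultdict(int)
    hits = []
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, user, failures[ip]))
    return hits


def unexpected_sudo(text, allowed):
    """Return (user, command) for sudo use by accounts not in `allowed`."""
    hits = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m and m.group(1) not in allowed:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(suspicious_logins(SAMPLE_AUTH_LOG))          # [('203.0.113.7', 'root', 3)]
    print(unexpected_sudo(SAMPLE_AUTH_LOG, {"deploy"}))  # [('www-data', '/bin/bash')]
```

On a real system, feed it the contents of /var/log/auth.log (or /var/log/secure on RHEL-family hosts, whose sshd lines use the same wording) and tune the threshold to the host's normal failure rate.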

File System Artifacts

Linux file systems store three timestamps per file: access time (atime), modification time (mtime), and change time (ctime). The stat command shows all three. Note that many modern systems mount with noatime or relatime for performance, which limits atime reliability.

Look at /tmp, /dev/shm, and user home directories for attacker tools. Check /etc/passwd and /etc/shadow for unauthorized accounts. Review /etc/crontab, /etc/cron.d/, and user crontabs (crontab -l -u ) for persistence mechanisms.

Hidden files and directories (names starting with .) in /tmp or web-writable directories are common stash locations. The find command with -newer flags lets you identify files created or modified within a specific time window.

Memory Acquisition

On a live system, capture memory before powering down. LiME (Linux Memory Extractor) is a loadable kernel module that writes out a memory dump: you load the module, specify the output format (lime or raw), and direct the dump to an external drive or network share so the capture does not overwrite evidence on the local disk.

For systems running in cloud environments, check whether your provider offers memory acquisition through their API — AWS allows EBS snapshots, but full memory capture requires the LiME approach on the instance itself.

Once acquired, analyze the memory dump with Volatility using the appropriate Linux profile. You can extract running processes, open network connections, loaded kernel modules, and bash command history directly from memory.

Timeline Analysis

Building a timeline ties everything together. Use tools like plaso (log2timeline) to parse multiple artifact sources — file system metadata, logs, browser history, shell history — into a single, chronological timeline.

Focus your timeline around the suspected compromise window. Work backward from the first known malicious activity to identify initial access, then work forward to map lateral movement and persistence.

Shell history files (.bash_history, .zsh_history) show commands the attacker ran, but experienced attackers clear these or run commands with a leading space to avoid history logging. Cross-reference with auditd logs if the audit daemon was configured before the incident.

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.