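# Hash the image first (and again when done) so any accidental write during
# analysis is detectable; work on a copy of the original whenever possible.
sha256sum disk.img > disk.img.sha256
# mount read-only (preserve timestamps!)
#   noload  — ext2/3/4 replay a dirty journal even on a ro mount, which alters
#             the evidence; noload skips the replay (XFS: use norecovery instead)
#   nosuid,nodev — never honour setuid bits or device nodes found on evidence
mount -o ro,noload,noexec,nosuid,nodev,noatime,loop disk.img /mnt
# identify partitions
fdisk -l disk.img
mmls disk.img                 # sleuthkit — partition table (note the sector size it reports)
fsstat -o OFFSET disk.img     # filesystem details; OFFSET = partition start in sectors from mmls
# mount specific partition (offset in sectors × sector size — 512 here, but use the
# size mmls/fdisk report; 4096-byte-sector disks exist). Drop noload for non-ext filesystems.
mount -o ro,noload,loop,offset=$((2048*512)) disk.img /mnt
# LVM — attach the loop device read-only (-r) so nothing further down the stack
# can write to the image; -f picks a free device, --show prints its name
loopdev=$(losetup -r -f --show disk.img)
kpartx -a -r "$loopdev"       # -r: read-only partition mappings
vgscan && vgchange -ay
mount -o ro,noload /dev/mapper/vg-lv /mnt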
# 4 timestamps per inode
#   mtime  — last content modification
#   atime  — last access (rarely reliable: relatime/noatime mounts suppress updates)
#   ctime  — last inode change (metadata, perms); not settable from userspace, so
#            touch-style timestomping moves mtime/atime but leaves ctime at the real change time
#   crtime — creation time (ext4; other filesystems may or may not record a birth time)
# view all timestamps (on an image, point debugfs at the image file or its loop
# device rather than a live /dev/sda1)
stat file.txt
debugfs -R 'stat <INODE>' /dev/sda1
# journal — records metadata changes; may still hold the pre-timestomp copy of an inode
jls disk.img                  # list journal entries
jcat disk.img JNUM            # view journal block
# superblock info (mount count, last mount / last write / last check times)
tune2fs -l /dev/sda1
dumpe2fs /dev/sda1 | head -50
| Log | Path | Content |
|---|---|---|
| Auth | /var/log/auth.log (Debian) or /var/log/secure (RHEL) | SSH, sudo, su, login attempts, PAM |
| Syslog | /var/log/syslog or /var/log/messages | General system events, services |
| Journal | /var/log/journal/ (binary) | systemd logs — use journalctl -D |
| Cron | /var/log/cron or grep CRON in syslog | Scheduled task execution |
| Kernel | /var/log/kern.log or dmesg | Kernel messages, USB, modules loaded |
| Apache | /var/log/apache2/ or /var/log/httpd/ | access.log, error.log |
| Nginx | /var/log/nginx/ | access.log, error.log |
| MySQL | /var/log/mysql/ | query.log, error.log |
| Audit | /var/log/audit/audit.log | SELinux / auditd events, syscalls |
| DPKG | /var/log/dpkg.log | Package install / remove / upgrade |
| Fail2ban | /var/log/fail2ban.log | Ban / unban events |
| Boot | /var/log/boot.log | Boot messages |
| wtmp | /var/log/wtmp (binary) | Login history — use last -f |
| btmp | /var/log/btmp (binary) | Failed logins — use lastb -f |
| lastlog | /var/log/lastlog (binary) | Last login per user — use lastlog |
| utmp | /var/run/utmp (binary) | Current sessions — use who |
# command history — a missing, empty or /dev/null-symlinked history file is itself a finding
~/.bash_history               # bash
~/.zsh_history                # zsh
~/.python_history             # python REPL
~/.mysql_history              # mysql client
~/.psql_history               # postgresql
# SSH
~/.ssh/authorized_keys        # who can log in (any key you cannot attribute to a known user/host is suspect)
~/.ssh/known_hosts            # servers connected to (lateral-movement map; may be hashed — see HashKnownHosts)
~/.ssh/id_rsa                 # private keys (also id_ed25519, id_ecdsa, id_dsa)
~/.ssh/config                 # host aliases, jump hosts
# accounts — compare uid 0 entries, shells and home dirs against what the role of the box justifies
/etc/passwd                   # users (uid, shell, home)
/etc/shadow                   # password hashes (check for accounts with empty/changed hashes or recent change dates)
/etc/group                    # group memberships (sudo, wheel, docker, adm)
/etc/sudoers                  # sudo privileges
/etc/sudoers.d/               # drop-in sudo rules
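# Copy browser databases to a scratch dir before querying them: copy the
# matching -wal / -journal files too, or recent writes are missed.
# Firefox — newer releases name profiles *.default-release, so glob broadly
~/.mozilla/firefox/*.default*/
  places.sqlite               # history, bookmarks
  cookies.sqlite              # cookies
  logins.json + key4.db       # saved passwords (logins.json holds the encrypted entries, key4.db the key material)
  formhistory.sqlite          # form data
# Chrome / Chromium (Chromium: ~/.config/chromium/Default/)
~/.config/google-chrome/Default/
  History                     # urls, downloads
  Cookies                     # cookies DB
  Login Data                  # saved passwords
  Bookmarks                   # JSON
# Trash
~/.local/share/Trash/
  files/                      # deleted files
  info/                       # .trashinfo (original path, date)
# GPG keys
~/.gnupg/                     # keyrings, trust DB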
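# Cron
/etc/crontab
/etc/cron.d/
/etc/cron.{hourly,daily,weekly,monthly}/
/etc/anacrontab
/var/spool/cron/crontabs/USER # Debian
/var/spool/cron/USER          # RHEL
# Systemd
/etc/systemd/system/          # system services (also *.wants/ symlinks and drop-in *.d/ overrides)
/etc/systemd/system/*.timer   # timer units
~/.config/systemd/user/       # user services
# --root points systemctl at the mounted image; without it the command describes the analysis host
systemctl --root=/mnt list-unit-files --state=enabled
systemctl list-timers         # live system only — needs a running systemd; offline, read the *.timer files above
# Init / rc
/etc/init.d/
/etc/rc.local                 # runs at boot
# at jobs
/var/spool/at/                # one-time scheduled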
# Profile scripts (run at login) — look for appended lines, base64 blobs, or sourcing of odd paths
/etc/profile
/etc/profile.d/*.sh
~/.bashrc
~/.bash_profile
~/.profile
~/.zshrc
# SSH-based
~/.ssh/authorized_keys        # check command= prefix (a forced command runs on every login with that key)
~/.ssh/rc                     # runs on SSH connect
/etc/ssh/sshrc                # system-wide SSH rc
# Library injection
/etc/ld.so.preload            # loaded before all binaries! normally absent or empty — any entry needs explaining
LD_PRELOAD in env             # also grep the profile scripts above and /etc/environment for it
# PAM
/etc/pam.d/                   # auth module configs (verify against package-owned copies; unknown .so modules are suspect)
# udev rules
/etc/udev/rules.d/            # trigger on device events (RUN+= entries execute commands)
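# sleuthkit body file + mactime
# add -o OFFSET (sectors, from mmls) if disk.img is a whole-disk image rather than a partition
fls -r -m "/" disk.img > body.txt
# -z UTC: mactime otherwise renders times in the analysis host's local zone,
# which silently skews correlation with logs and other sources
mactime -z UTC -b body.txt -d > timeline.csv
# find recently modified files — -mtime/-newer are evaluated against the
# analysis host's clock, not the time the image was taken
find /mnt -mtime -1 -ls 2>/dev/null   # last 24h
find /mnt -newer /mnt/etc/hostname -ls
# inode details
stat file.txt
debugfs -R 'stat <INODE>' /dev/loop0
istat disk.img INODE                  # sleuthkit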
# Run all of these from a scratch directory outside the evidence mount:
# every tool below writes its output to the current directory or -o path.
# list deleted files
fls -r -d disk.img            # sleuthkit — deleted entries
# recover by inode
icat disk.img INODE > recovered.bin
# extundelete (ext3/4 only; uses the journal to recover)
extundelete disk.img --restore-all
# photorec / foremost (carving — content-based, works without filesystem metadata;
# photorec is interactive)
photorec disk.img
foremost -i disk.img -o output/
# journal recovery
jls disk.img
jcat disk.img JOURNAL_BLOCK > block.bin
# strings on raw disk (-a scans the whole file; add -t x to print the hex offset of each hit)
strings -a disk.img | grep -i "flag{"
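# SUID/SGID binaries (privesc candidates) — compare the list against a clean install of the same release
find /mnt -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
# world-writable files
find /mnt -perm -o+w -type f -ls 2>/dev/null
# files modified in time range
find /mnt -newermt "2024-03-01" ! -newermt "2024-03-02" -ls
# search for passwords/secrets
grep -rn "password\|secret\|flag{" /mnt/etc/ /mnt/home/ 2>/dev/null
# login history
last -f /mnt/var/log/wtmp
lastb -f /mnt/var/log/btmp
# journalctl on mounted image
journalctl -D /mnt/var/log/journal/ --since "2024-03-01"
# audit log search
ausearch -if /mnt/var/log/audit/audit.log -m USER_LOGIN
ausearch -if /mnt/var/log/audit/audit.log -m EXECVE
# SSH auth attempts — include rotated logs (auth.log.1, auth.log.*.gz), which is
# where older activity lives; zgrep reads plain and gzipped files alike
zgrep "sshd" /mnt/var/log/auth.log* | grep -i "accept\|fail"
# cron activity
zgrep "CRON" /mnt/var/log/syslog*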
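# hash all files for comparison — sha256 rather than md5 (md5 collisions are
# practical, so a tampered file can carry a matching md5); -exec … + batches
# paths instead of spawning one process per file
find /mnt -type f -exec sha256sum -- {} + > hashes.txt
# compare against known-good (same algorithm and path format on both sides)
sha256deep -r /mnt > image_hashes.txt
diff known_good.txt image_hashes.txt
# check package integrity (Debian) — -r/--root points the tools at the mounted
# image; without it they verify the analysis host, not the evidence
debsums -r /mnt -a -c         # list changed files; -a includes config files, which debsums otherwise skips
dpkg --root=/mnt -V           # verify installed packages
# check package integrity (RHEL)
rpm --root /mnt -Va           # verify all packages
# These checks trust the package database on the image; an attacker with root
# can edit it, so cross-check suspicious binaries against pristine distro packages.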