Volatile:

Collecting hostname, date and time:

hostname
hostnamectl
date
cat /etc/timezone
timedatectl


epoch time:

date +%s

system uptime:

uptime

Network information:

ip a # short form of ip addr show
ifconfig 

# promisc mode detection:
ifconfig eth0
ip link show eth0

# other network info commands:
netstat -i 
netstat -rn # routing tables
ip r # routing tables

open port info:

nmap -sT localhost # TCP connect scan of the local host
nmap -sU localhost # UDP ports (slow, needs root)

sudo lsof -i tcp # all TCP sockets together with the owning process
sudo lsof -n -P | grep LISTEN # listening sockets only; -n/-P skip host and port name lookups

netstat -tulpn

listing files opened by a given user:

sudo lsof -u user_name # open files (including sockets) of that user's processes

mounted file system info:

mount # mounted file systems with their options
df -h # disk usage per file system in human-readable units

kernel module info, sound driver info:

modinfo ufs # kernel module
modinfo snd # sound module info

current user and group IDs:

id # uid, gid and group membership of the current user

Reading ELF file:

readelf -h file_name # read the ELF file header

running processes:

ps aux -ww

swap area and disk partition info:

cat /proc/partitions # disk partition
cat /proc/swaps # swap info

kernel messages (kernel ring buffer):

dmesg
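The commands above are usually typed one by one; on a live host it is better to run them in order of volatility from one script that saves each output to its own file and records what ran, when, and a hash of every output, so the collection can be verified later. The script below is an added example (not part of the original notes). It assumes POSIX sh and coreutils (sha256sum, with cksum as a fallback), skips tools that are not installed instead of aborting, and includes a small PROMISC check that reads "ip link show" output; the ip link sample it carries is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: ordered volatile-data collection with a hashed manifest.
# Assumes POSIX sh + coreutils; missing tools are logged as SKIPPED.

# hash_file FILE : sha256sum if present, otherwise cksum (assumption: one exists)
hash_file() {
    hasher=$(command -v sha256sum || command -v cksum)
    "$hasher" "$1" | cut -d' ' -f1
}

# run_step NAME COMMAND... : run one command, save its output to OUTDIR/NAME.txt
# and append a manifest line "timestamp <TAB> command <TAB> file <TAB> hash".
run_step() {
    name=$1; shift
    out="$OUTDIR/$name.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s\t%s\tSKIPPED (tool not found)\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$OUTDIR/manifest.txt"
        return 0
    fi
    # stderr is kept too; a failing command must not stop the collection
    "$@" > "$out" 2>&1 || true
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" \
        "$name.txt" "$(hash_file "$out")" >> "$OUTDIR/manifest.txt"
}

# collect_volatile OUTDIR : most volatile first (clock, uptime, network,
# sockets, processes), then mounts, partitions, swap and the ring buffer.
collect_volatile() {
    OUTDIR=$1
    mkdir -p "$OUTDIR"
    : > "$OUTDIR/manifest.txt"
    run_step date_epoch  date +%s
    run_step date_local  date
    run_step hostname    hostname
    run_step hostnamectl hostnamectl
    run_step uptime      uptime
    run_step ip_addr     ip a
    run_step ip_route    ip r
    run_step ip_link     ip link show
    run_step listeners   netstat -tulpn
    run_step sockets     ss -tulpn
    run_step processes   ps aux -ww
    run_step mounts      mount
    run_step disk_usage  df -h
    run_step partitions  cat /proc/partitions
    run_step swaps       cat /proc/swaps
    run_step dmesg       dmesg
    # hash the manifest itself last so the whole bundle can be verified
    hash_file "$OUTDIR/manifest.txt" > "$OUTDIR/manifest.sha256"
}

# flag_promisc < ip_link_output : print every interface whose flag set
# contains PROMISC (the same thing the ifconfig/ip link check above looks for).
flag_promisc() {
    awk '/^[0-9]+: / && /PROMISC/ { sub(/:$/, "", $2); sub(/@.*/, "", $2); print $2 }'
}

# Constructed "ip link show" sample (not from a real host): eth0 is promiscuous.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

# usage: sudo sh volatile_collect.sh /mnt/evidence/host01_$(date +%s)
if [ -n "$1" ]; then
    collect_volatile "$1"
    echo "promiscuous interfaces in the constructed sample:"
    printf '%s\n' "$SAMPLE_IP_LINK" | flag_promisc
fi
```

Write the output directory to removable or network storage rather than the suspect disk, and record the manifest hash separately (for example in the case notes), because the manifest is what proves nothing was altered after collection.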

Non-volatile:

Collecting system info:

cat /proc/cpuinfo
cat /proc/self/mounts

kernel info:

uname -r
cat /proc/version
hostnamectl | grep Kernel

local user account information:

cat /etc/passwd
cut -d: -f1 /etc/passwd # separating the user names from the output

logged on user information:

w # who is logged in and what they are running
last # login history information

collecting system logs:

cat /var/log/syslog
cat /var/log/kern.log # linux kernel logs
cat /var/log/fail.log
cat /var/log/mail.*
cat /var/log/mysql.*
cat /var/log/daemon.log
cat /var/log/debug

journalctl

history and hidden file information:

history
ls -al # hidden files

suspicious activity / rootkit checks:

sudo rkhunter --check --rwo
sudo chkrootkit # rootkit checker

file signature analysis:

xxd file_name | head -n 10

basic file information:

file file_name
strings -t d file_name # printable strings with their decimal offsets

# finding files inside /var/log that the current user can write to:
find /var/log -writable -type f 2> /dev/null

Directory permission checking:

ls -ld Desktop
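The non-volatile checks above are easier to repeat if the account review is done with small filters instead of reading /etc/passwd by eye. The script below is an added example, not part of the original notes: it reports accounts that share UID 0 with root, accounts that have an interactive login shell, and entries with an empty password field, and it copies the log files listed above (only those that exist) with timestamps preserved and a hash per copy. It assumes POSIX sh, awk and coreutils. The /etc/passwd sample in it is constructed; the svc_backup line is built with UID 0 on purpose to show what the check reports.

```shell
#!/bin/sh
# Added example: account triage over /etc/passwd data and log collection.
# Assumes POSIX sh, awk, coreutils. Pipe the real /etc/passwd (or the copy
# from a mounted image) into the functions on a live case.

# Constructed /etc/passwd sample (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:0:0:backup service:/var/backups:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/bash'

# uid0_accounts < passwd : account names with UID 0 other than root.
# A clean system prints nothing; any output needs an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# login_shell_accounts < passwd : accounts whose shell is not nologin/false,
# i.e. the ones that can log in interactively. Compare with the expected list.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# empty_password_field < passwd : an empty second field means no password is
# required unless the entry is shadowed; "x" or "*" are the normal values.
empty_password_field() {
    awk -F: '$2 == "" { print $1 }'
}

# collect_logs DEST : copy the log files the notes list that actually exist,
# keeping their timestamps (cp -p), and record a hash per copy. Also exports
# the journal in its native format when journalctl is available.
collect_logs() {
    dest=$1
    mkdir -p "$dest"
    : > "$dest/logs.sha256"
    for f in /var/log/syslog /var/log/kern.log /var/log/fail.log \
             /var/log/daemon.log /var/log/debug /var/log/mail.* /var/log/mysql.*; do
        [ -f "$f" ] || continue           # unmatched globs stay literal and are skipped
        cp -p "$f" "$dest/" 2>/dev/null || continue
        (cd "$dest" && sha256sum "$(basename "$f")") >> "$dest/logs.sha256" 2>/dev/null || true
    done
    if command -v journalctl >/dev/null 2>&1; then
        journalctl --no-pager -o export > "$dest/journal.export" 2>/dev/null || true
    fi
}

# usage: sh account_triage.sh /mnt/evidence/host01_logs
if [ -n "$1" ]; then
    echo "UID 0 accounts besides root:";  uid0_accounts       < /etc/passwd
    echo "accounts with a login shell:";  login_shell_accounts < /etc/passwd
    echo "empty password fields:";        empty_password_field < /etc/passwd
    collect_logs "$1"
fi
```

When the passwd file comes from an image rather than the live host, run the same filters against the mounted copy (for example /mnt/my_image/etc/passwd) so that a compromised live system cannot feed you altered data.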

File system analysis using The Sleuth Kit:

Creating a file system image using dd:

Important

Before that, add a 1 GB virtual hard disk to your VM for testing purposes: VMware -> VM Settings -> Add -> Hard Disk -> SCSI -> Create a new virtual disk -> 1 GB -> Done.

Then follow the steps below.

# confirm that /dev/sdb really is the newly added disk (e.g. with lsblk) before imaging it
sudo dd if=/dev/sdb of=/home/user_name/Desktop/virtual_disk.img bs=4M status=progress

# run every step below as root
mkfs.ext4 Desktop/virtual_disk.img
# mounting the file system through a loop device
mkdir /mnt/my_image
mount -o loop Desktop/virtual_disk.img /mnt/my_image

# creating evidence files
echo "This is a secret message" > /mnt/my_image/secret.txt
touch /mnt/my_image/evidence.dat

# then unmount
umount /mnt/my_image


analysis:

# install The Sleuth Kit
sudo apt install sleuthkit
sudo fsstat -i raw Desktop/virtual_disk.img # file system details: block size, inode counts, group layout
sudo fls Desktop/virtual_disk.img # list entries in the root directory with their inode numbers (deleted ones are marked with *)
istat Desktop/virtual_disk.img 12 # metadata of inode 12 (take the number from the fls output)
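The dd and Sleuth Kit steps above work, but a forensic copy should also be hashed at acquisition time and read with options that do not stop at the first bad block. The script below is an added example, not part of the original notes or of The Sleuth Kit itself: acquire_image runs dd with conv=noerror,sync, hashes source and image and refuses to report success if they differ; fls_entries/inode_of parse fls output (the sample is constructed, with one deleted entry) so that istat can be driven from it; tsk_triage chains fsstat, fls -r -p and istat over an image. It assumes POSIX sh and coreutils, and sleuthkit only for tsk_triage. acquire_image accepts any readable source, so it can be tried on a regular file before it is pointed at /dev/sdb as root.

```shell
#!/bin/sh
# Added example: hashed acquisition with dd plus a Sleuth Kit walk of the image.
# Assumes POSIX sh + coreutils; fsstat/fls/istat only for tsk_triage.

# acquire_image SRC DST [BS] : copy SRC to DST with dd. conv=noerror,sync keeps
# going over unreadable blocks and pads them so offsets stay aligned, then the
# source and image hashes are compared. Prints the image hash on success.
# Note: sync pads the last partial block, so a SRC whose size is not a
# multiple of BS will (correctly) fail the hash comparison.
acquire_image() {
    src=$1; dst=$2; bs=${3:-4M}
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync status=progress 2>"$dst.dd.log" || return 1
    hasher=$(command -v sha256sum || command -v cksum)   # cksum only as a fallback
    src_hash=$("$hasher" "$src" | cut -d' ' -f1)
    dst_hash=$("$hasher" "$dst" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst" > "$dst.sha256"
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch between $src and $dst (padded or unreadable blocks?)" >&2
        return 1
    fi
    printf '%s\n' "$dst_hash"
}

# fls_entries [TYPE] < fls_output : print "inode status name" for entries of
# TYPE (default r/r, regular files). fls marks deleted entries with "*" before
# the inode number and separates the inode from the name with a tab.
fls_entries() {
    awk -v want="${1:-r/r}" '
        $1 == want {
            status = ($2 == "*") ? "deleted" : "allocated"
            ino = (status == "deleted") ? $3 : $2
            sub(/:$/, "", ino)
            idx = index($0, "\t")
            name = idx ? substr($0, idx + 1) : $NF
            print ino, status, name
        }'
}

# inode_of NAME < fls_output : inode number of the allocated or deleted
# regular file called NAME (names without spaces).
inode_of() {
    fls_entries r/r | awk -v n="$1" '$3 == n { print $1 }'
}

# Constructed fls output (not from a real run): a small ext4 root directory
# with one deleted file, in the format fls prints.
SAMPLE_FLS=$(printf 'd/d 11:\tlost+found\nr/r 12:\tsecret.txt\nr/r 13:\tevidence.dat\nr/r * 14:\tdeleted_note.txt\nV/V 65537:\t$OrphanFiles\n')

# tsk_triage IMG : fsstat summary, recursive listing, then istat for every
# regular file (allocated or deleted) without mounting the image. If the image
# carries a partition table, run mmls first and add -o <sector offset> to each tool.
tsk_triage() {
    img=$1
    command -v fls >/dev/null 2>&1 || { echo "sleuthkit not installed" >&2; return 2; }
    fsstat -i raw "$img" | head -n 20
    fls -r -p "$img" > "$img.fls"
    fls_entries r/r < "$img.fls" | while read -r ino status name; do
        echo "== inode $ino ($status) $name"
        istat "$img" "$ino" | head -n 12
    done
}

# usage: sudo sh tsk_triage.sh /dev/sdb /cases/virtual_disk.img
if [ -n "$2" ]; then
    acquire_image "$1" "$2" && tsk_triage "$2"
fi
```

Driving istat from the parsed fls output is what makes the walk repeatable: the inode numbers are taken from the image itself rather than typed in by hand, and deleted entries are visited as well, which a mounted copy would never show.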
