Practical Demo: Linux Forensics

Volatile:

Collecting hostname, date and time:
hostname
hostnamectl
date
cat /etc/timezone
timedatectl
epoch time: date +%s
system uptime: uptime

Network information:
ip a # short form of ip addr show
ifconfig
# promisc mode detection:
ifconfig eth0
ip link show eth0
# other network info commands:
netstat -i
netstat -rn # routing tables
ip r # routing tables

open port info:
nmap -sT localhost
nmap -sU localhost # UDP ports
sudo lsof -i tcp # checking tcp listening connections of localhost
sudo lsof -n -P | grep LISTEN
netstat -tulpn

listing current user's open processes:
sudo lsof -u user_name

mounted file system info:
mount # info about file systems
df -h # file system info in human-readable format

kernel module info, sound driver info:
modinfo ufs # kernel module
modinfo snd # sound module info

user event collection:
id

Reading ELF file:
readelf -h file_name # file header

reading running processes:
ps aux -ww

swap area and disk partition info:
cat /proc/partitions # disk partitions
cat /proc/swaps # swap info

kernel message - kernel ring buffer info:
dmesg

Non-volatile:

Collecting system info:
cat /proc/cpuinfo
cat /proc/self/mounts

kernel info:
uname -r
cat /proc/version
hostnamectl | grep Kernel

local user account information:
cat /etc/passwd
cat /etc/passwd | cut -d: -f1 # separating user names from the output

logged on user information:
w
last # login history information

collecting system logs:
cat /var/log/syslog
cat /var/log/kern.log # linux kernel logs
cat /var/log/fail.log
cat /var/log/mail.*
cat /var/log/mysql.*
cat /var/log/daemon.log
cat /var/log/debug
journalctl

history and hidden file information:
history
ls -al # hidden files

suspicious info:
sudo rkhunter --check --rwo
sudo chkrootkit # rootkit checker

file signature analysis:
xxd file_name | head -n 10

basic file information:
file file_name
strings -t d file_name # -t d prints each string's decimal offset in the file

finding writable files inside the /var/log directory:
find / -writable -type f 2> /dev/null | grep "/var/log"

Directory permission checking:
ls -ld Desktop

File system analysis using The Sleuth Kit:
Creating a file system image using dd:
Important: before that, add a virtual hard disk of 1 GB for testing purposes to your VM through VMware -> VM Settings -> Add -> Hard Disk -> SCSI -> Create new virtual disk -> 1 GB -> Done. ...

November 6, 2025 · 3 min · 435 words · Me

Practical Demo: Windows Forensics

Volatile data collection:

system uptime and current time:
In command prompt:
(date /t) & (time /t)
systeminfo | find "Boot Time"
In powershell:
(Get-Date) - (gcim Win32_OperatingSystem).LastBootUpTime

Network parameters (NetBIOS name cache, active connections, routing table etc.):
nbtstat -c
netstat -ano
netstat -rn
ipconfig /all

Promiscuous mode detection on NICs through powershell:
Get-NetAdapter | Format-List -Property ifAlias, PromiscuousMode

Sysinternals tools, logged on users info:
PsLoggedon.exe -x
logonsessions.exe -p
net sessions
net user user_name

Hash analysis, using powershell:
Get-FileHash .\FTK_sample_00.E01 -Algorithm MD5
Get-FileHash .\FTK_sample_00.E01 -Algorithm SHA256 # Get-FileHash accepts MD5, SHA1, SHA256, SHA384 and SHA512; there is no SHA128

Open file information:
net file

list of running processes, services:
tasklist /svc

scheduled tasks info:
schtasks /query

history checking:
doskey /history
In powershell: ...

November 8, 2025 · 2 min · 255 words · Me