Linux-Forensics

Aims

This doc gives a condensed overview of methods for assessing whether a Linux system is compromised and how to analyse it. I use it personally to improve and keep my Linux defence knowledge up to date.

Linux Forensics

  1. Live Analysis

Credits and Resources

This doc is a compilation of techniques and information learned from the following sources (thank you for sharing this great content):

  1. https://edu.defensive-security.com/linux-attack-live-forensics-at-scale (I highly recommend this training to anyone interested in Linux attack/defense)
  2. https://hadess.io/the-art-of-linux-persistence
  3. https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/#overview-of-blog-series
  4. https://gtfobins.github.io
  5. https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics
  6. https://www.youtube.com/@SandflySecurity
  7. https://www.youtube.com/playlist?list=PLC3HQmfNLLKSzgW4z-QsIFz0j2BVMQbm_
  8. https://righteousit.com
  9. https://attack.mitre.org/matrices/enterprise/linux/
  10. https://www.youtube.com/results?search_query=hal+pomeranz+
  11. https://github.com/Aegrah/PANIX
  12. https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms
  13. https://github.com/elastic/detection-rules/tree/main/hunting/linux/docs
  14. https://doubleagent.net
  15. https://www.wiz.io/blog
  16. https://breachlabs.io/initramfs-persistence-technique
  17. https://www.blackhat.com/docs/us-16/materials/us-16-Leibowitz-Horse-Pill-A-New-Type-Of-Linux-Rootkit.pdf

Books