This post may contain affiliate links, please read our affiliate disclosure to learn more.
Incident Response and Live Forensics on Linux Cheat Sheet

Incident Response and Live Forensics on Linux Cheat Sheet

 By Charles Joseph | Cybersecurity Researcher
 Published on January 21st, 2024
This post was updated on February 29th, 2024

This incident response for Linux cheat sheet is based on vm32’s Linux-Incident-Response repository on GitHub. It’s a valuable resource designed to assist system administrators, security professionals, and IT staff in responding to security incidents within Linux systems. I wanted to help extend its reach by offering it on Threat Picture.

This cheat sheet includes a wide range of commands and procedures structured to provide quick and easy reference during critical response situations.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

1. User Accounts

cat /etc/passwdList user accounts.
passwd -S [user_name]Check password status for a user.
lastlogShow the most recent logins.
lastShow last logged-in users.
whoShow who is logged on.
wShow who is logged on and what they are doing.

2. Log Entries

cat /var/log/messagesShow system messages.
cat /var/log/auth.logShow user authentication logs.
cat /var/log/secureShow authentication log for Red Hat-based systems.
cat /var/log/boot.logShow system boot log.
cat /var/log/dmesgShow kernel ring buffer log.
cat /var/log/kern.logShow kernel log.

3. System Resources

topDisplay Linux tasks.
htopInteractive process viewer.
uptimeShow system uptime.
ps auxShow currently running processes.
pstreeShow running processes as a tree.
free -mShow memory usage in MB.

4. Processes

ps -efDisplay all currently running processes.
pstree -pDisplay processes in a tree format with PIDs.
top -n 1Display top processes.
ps -eo pid,tt,user,fname,rszShow processes in custom format.
lsof -iList open files associated with network connections.

5. Services

chkconfig --listList all services and their states.
service --status-allShow status of all services.
systemctl list-units --type=serviceList running services (systemd).

6. Files

ls -alhShow all files in human-readable format.
find / -name [filename]Find a specific file.
find / -mtime -[N]Find files modified in the last N days.
find / -atime -[N]Find files accessed in the last N days.
find / -size +[N]cFind files larger than N bytes.

7. Network Settings

ifconfig -aShow all network interfaces.
netstat -antupShow active network connections.
iptables -L -n -vShow all iptables rules.
route -nShow routing table.
ss -tulnShow listening ports and established connections.

8. Additional Commands

grep :0: /etc/passwdFind root accounts.
find / -nouser -printFind files with no user.
cat /etc/shadowView encrypted passwords and account expiration info.
cat /etc/groupView group information.
cat /etc/sudoersView sudoers file.
tail /var/log/auth.logView the last few entries in the authentication log.
history | lessView command history.
cat /proc/meminfoDisplay memory information.
cat /proc/mountsDisplay mounted filesystems.
lsof -p [pid]List open files for a process (specific PID).
service --status-allList all services and their status.
cat /etc/crontabView the cron table for scheduled tasks.
more /etc/resolv.confView DNS settings.
more /etc/hostsView host file entries.
iptables -L -nList all iptables rules without resolving IP addresses.
find /home/ -type f -size +512k -exec ls -lh {} \;Find files larger than 512KB in home directories.
find /etc/ -readable -type f 2>/dev/nullFind readable files in the etc directory.
find / -mtime -2 -lsFind files modified in the last 2 days.
netstat -napShow network connections and associated programs.
arp -aView the ARP table.
echo $PATHDisplay the PATH environment variable.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
Scroll to Top