Linux Forensics Command Cheat Sheet

$ lastlog
$ last

$ cat /etc/passwd | grep sh$

$ for user in $(cat /etc/passwd | cut -f1 -d: ); do echo $user; crontab -u $user -l; done

# users with shells only
$ for user in $(cat /etc/passwd | grep sh$ | cut -f1 -d: ); do echo $user; crontab -u $user -l; done

$ find / -type f -name authorized_keys

$ ps auxfww

$ lsof -p [pid]

$ lsof -i -n
$ netstat -anp

# Look for tcp only
$ netstat -antp
$ ss -antp

$ service --status-all

$ iptables --list-rules

$ systemctl list-timers --all

/etc/hosts
/etc/resolv.conf

$ ls --full-time -lt 

# List files which were modified on 2021-06-16 (YYYY-MM-DD)
$ find / -newermt "2021-06-16" -ls 2>/dev/null

# List files which were modified on 2021-05-01 until 2021-05-09 (9 days ago)
$ find / -newermt "2021-05-01" ! -newermt "2021-05-10" -ls 2>/dev/null

# List files which were modified on 2021-05-01 until 2021-05-09 (9 days ago) + add filter
$ find / -newermt "2021-05-01" ! -newermt "2021-05-10" -ls 2>/dev/null | grep -v 'filterone\|filtertwo'

# List files modified between 01:00 and 07:00 on June 16 2021.
$ find / -newermt "2021-06-16 01:00:00" ! -newermt "2021-06-16 07:00:00" -ls 2>/dev/null

# List files that were accessed exactly 2 days ago.
$ find / -atime 2 -ls 2>/dev/null

# List files that were modified in the last 2 days.
$ find / -mtime -2 -ls 2>/dev/null

$ stat [file]
$ exiftool [file]

$ find . -type f -exec md5sum {} \; | awk '{print $1}' | sort | uniq -c | grep ' 1 ' | awk '{print $2	}'

$ getcap -r /usr/bin/
$ getcap -r /bin/
$ getcap -r / 2>/dev/null

$ find / -type f -perm -u=s 2>/dev/null

# 3rd party
$ aureport --tty

/etc/cron*/
/etc/incron.d/*
/etc/init.d/*
/etc/rc*.d/*
/etc/systemd/system/*
/etc/update.d/*
/var/spool/cron/*
/var/spool/incron/*
/var/run/motd.d/*

/etc/passwd
/etc/sudoers
/home/<user>/.ssh/authorized_keys
/home/<user>/.bashrc