

OSQuery for DFIR: Turning Your Linux System Into a Live Forensics Database
OSQuery for DFIR isn’t just another system tool — it’s a forensic lens into your live environment. In this guide, we explore how to use OSQuery on Linux to investigate user accounts, hunt suspicious processes, trace active connections, and uncover file artifacts — all through structured SQL queries that make incident response faster and cleaner.

DFIRHive
Oct 17 · 8 min read


Linux Live Forensics (Part 3): Investigating Network Activity
In this part of the Linux Live Forensics series, we move from processes to the network layer — tracing how a system communicates in real time. Using only built-in Linux commands, learn how to identify open ports, active connections, and suspicious traffic that reveal what’s really happening on a live machine.

DFIRHive
Oct 15 · 5 min read


Linux Live Forensics (Part 2): Investigating Running Processes
In this second part of the Linux Live Forensics series, we explore how to identify suspicious processes, map process hierarchies, and correlate user actions during live system analysis — all using native Linux commands.

DFIRHive
Oct 14 · 3 min read


Linux Live Forensics (Part 1): System Profiling and First Response Guide
Learn how to perform Linux live forensics the right way. In this first part, we explore how to collect volatile data, profile a running Linux system, and establish a solid foundation before deep forensic analysis.

DFIRHive
Oct 13 · 4 min read


From RAM to Evidence (Part 2): Capturing Volatile Memory on Linux
In this second part of the Memory Forensics series, we explore how to capture volatile memory on Linux. From tools like LiME and AVML for full memory acquisition to gcore for process dumps, we break down practical steps, best practices, and real-world considerations. While Windows tools are straightforward, Linux offers flexibility—and complexity—that every investigator should master.

DFIRHive
Sep 28 · 6 min read
