Linux Live Forensics (Part 1): System Profiling and First Response Guide

Objective:

What Is Linux Live Forensics?

Linux runs most of today’s servers, so when something goes wrong, As an investigator/Analyst, we need to act fast. Live forensics means collecting evidence while the system is still running — without rebooting or powering it off. This helps preserve crucial data in memory, such as active processes, user sessions, or network connections that disappear on shutdown.

Over the next few parts, we’ll cover:

1. System Profiling – Gather basic info about the machine

2. Process Analysis – Identify abnormal running processes

3. Network Review – Check live connections and data flow

4. Persistence Detection – Finding cron jobs

   
   

(We’ll use only built-in Linux commands, no extra tools required.)

1. System Profiling – Understanding the Machine

Get a quick picture of your target Linux system

Why this Matters?

Before profiling the system, it’s important to understand what makes live forensics unique.

During a live investigation, analysts focus on collecting volatile data—running processes, open files, active network connections, logged-in users, and temporary data in memory—that disappears once the machine is powered off.

a. Checking Basic System Information

Command:

uname -a

This command displays:

• Linux: The operating system name.

• ubuntu: This value shows the system hostname.

• 6.14.0.-15-generic: The kernel version.

• #15-Ubuntu: The specific build number and Ubuntu version.

• SMP: Indicates that the kernel is an SMP (Symmetric Multi-Processing) kernel, which means it supports multiple CPUs.

• Sun APR 6 15:05:05 UTC 2025: The date and time when the kernel was compiled.

• x86_64: These values indicate the architecture of the processor/kernel and hardware platform.

• GNU/Linux: Indicates that the system is a GNU/Linux system.

b. Identifying Hostname

Command:

hostnamectl

It displays:

• Static hostname: This is the permanent hostname assigned to the system. It's set in /etc/hostname and remains consistent across reboots.

• Icon name: This is a standardized name that represents the type of computer, often used in desktop environments to show appropriate icons.

• Chassis: This indicates the chassis type of the machine. In this case, it is vm, meaning a virtual machine.

• Machine ID: This is a unique identifier for the machine, typically stored in /etc/machine-id.

• Boot ID: This is a unique identifier for the current boot session, which changes every time the system is rebooted.

• Virtualization: This indicates the virtualization technology in use. In this case, vmware is used.

• Operating System: This provides information about the OS, which is Ubuntu 25.04

c. Checking System Uptime

Run:

uptime

This shows how long the system has been running, the number of users logged in, and average system load. For example:

d. Collect Hardware Information

The lscpu command in Linux displays detailed information about the CPU architecture.

Command:

lscpu

Some of the key information that could be important for us is explained below:

• Architecture: It shows the CPU architecture (e.g., x86_64 for 64-bit processors).

• CPU op-mode(s): This field shows the CPU modes supported (e.g., 32-bit and 64-bit).

• CPU(s): The number of CPUs/cores available.

• Model name: This value shows the full name of the CPU.

• Virtualization: Whether the CPU supports virtualization

e. Checking Disk and Storage Details

Run:

df -h

It helps to see how much space is used and how much is available:

We'll look for:

• Unusual disk usage in /tmp, /var/tmp, or /dev/shm (attackers often store scripts there).

• Hidden mount points or drives not listed in /etc/fstab.

f. Block Devices

Run:

lsblk

The lsblk command provides information about block devices, such as disks and partitions. The information includes their sizes, mount points, and other relevant details.

g. Check Memory Usage

Run:

free -h

The free -h command in Linux is used to display memory usage information in a human-readable format.

h. Installed Packages and Applications

Command 1:

dpkg -l

Lists all .deb packages with version and description.

Command 2:

apt list --installed

apt command handles dependencies, automatically downloads and installs packages from repositories, and resolves conflicts. We can use the following command to list down all the packages installed through apt.

i Network Profiling

Understanding the host’s network configuration helps track communications and detect malicious connections.

• Interface Information

ip a

or

ifconfig

Displays IP addresses, MAC addresses, subnet masks, and interface states.

• Routing Table

ip r

or

route

Shows how network traffic is routed. Suspicious or unknown gateways can indicate traffic redirection.

• Active Connections

ss -tulnp

or

netstat -tulnp

Lists active sockets with protocol, state, port, and owning process.

J. User and Login Information

• Basic user enumeration during profiling helps establish a baseline.

Command:

who
w
last

show active and previous logins.

Command:

cat /etc/passwd

lists all user accounts — useful for catching unauthorized additions.

Record the Findings:

Always store output for documentation.

mkdir live_profile
uname -a > live_profile/system.txt
hostnamectl >> live_profile/system.txt
df -h > live_profile/disk.txt
ss -tulnp > live_profile/network.txt

This keeps evidence organized for later correlation and reporting.

Thanks for reading!

DFIR is all about learning together. If you’ve got tips, command tricks, or your own Linux forensics workflow, drop them in the comments.