Linux Directories & Shell Commands for Digital Forensics

Instructor: Corne Lombard

Corne has taught database principles at a tertiary institution in South Africa. I have a Bachelor degree in Informatics

In this lesson, we will look at common Linux directories where hackers usually find soft spots. We will also look at a few helpful commands to determine where intrusion may have taken place. Finally, we will learn about options for recovering deleted files in Linux.

Hacking the Linux File System

The Linux file system can be fairly easy to hack if you know what you're doing. Hackers normally target a few specific locations to install scripts and unwanted files to gain access. It is important to know where these are so remediation steps can be taken.

Commonly Targeted Directories

When performing digital forensics on a system that has been hacked, there are some file locations that should be examined first. When performing an analysis, look for any files that should not be in these directories, especially ones that can be executed. Be careful, however! Do not just delete directories, as Linux may highly depend on them.

Temporary File Directories

The temp directories in Linux is where all non-permanent or temporary files are stored. They can be found in the following locations:

  • /tmp
  • /var/tmp

These are typically used for temporarily storing files during processing. Most system administrators delete the files in this directory on a regular basis. You may want to look for executable files located in this directory to delete immediately.

Shared Memory Directory

Linux has a productive way of passing data or memory between running programs. The /dev/shm directory is used for this. Hackers love this directory because it is writable. If hacker needs a place to write to in the file system, they target this directory. Look for executable files in this directory as evidence of hacking while performing forensic activities.

Operating System Directories

In Linux, the /var/run or /run directories are used as a temporary file system operating directory, housing files that the Linux kernel writes data to during sessions. This directory is cleaned out when the system is restarted or rebooted. The /run directory replaces the /var/run directory in newer versions of Linux, but watch out for evidence of hacking in both of these directories.

Printer Spooling Directory

Hackers love the /var/spool directory because it is used for a couple of different reasons:

  • To spool files and print to a printer
  • To send e-mail to users
  • To communicate with other systems and servers

You will find several sub-directories under /var/spool for things like mail, printer spooling etc. Look for executable files in these directories for evidence of possible hacking.

User Home Directories

These directories normally house important user and business data. If security is not set up correctly, users can read one another's data. Hackers can also gain access this same way. Check for files that have no owner or files placed into a home directory by a user that does not own that directory.

Forensic Shell Commands

There are many commands that can be used when executing forensic processes in Linux. These can be used to determine what changes may have been made or what files have been added to the system by a hacker. Some of these are listed below:

  • The ls command can be used to list information about Linux files and directories created on the system.
  • The find command can be used to find hidden directories, determine ownerless files and directories, locate recently modified files, discover changes to installed software and catch updated permissions.
  • The lsattr command can be used to find immutable objects that can't be deleted or determine what attributes on files or directories may have been changed (i.e. making a read-only directory writable).
  • The file command can be used to find file types that may be suspect.

Undeleting Files

Hackers can also delete important files as part of their efforts. Because of this, it is important to know how to undelete files. Linux assigns a unique inode value to each file which is needed to undelete it. To recover a deleted file, execute the following steps:

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account