🕵️ Forensics
Windows
Path | Description |
---|---|
C:\boot.ini | Boot options |
Linux
System
Path | Description |
---|---|
/etc/hostname | Hostname |
/etc/timezone | Timezone |
/etc/hosts | Hosts file |
/etc/os-release | OS info |
/home/USER/.bashrc | Bash configuration for a user |
/etc/issue | Message printed before login |
/etc/profile | System-wide configuration file |
/proc/version | Linux kernel version |
Authentication
Path | Description |
---|---|
/etc/sudoers | Admin users |
/etc/passwd | Users information |
/etc/group | Groups information |
/etc/shadow | Password information for system's users |
Logs
Path | Description |
---|---|
/var/log/auth.log | Authentication logs |
/var/log/syslog | System logs |
/var/log/SERVICE | Other apps logs |
/var/log/dmessage | Global system messages |
/etc/crontab | Cron jobs |
/etc/init.d | Services |
/home/USER/.viminfo | Vim history |
/home/USER/.bash_history | Bash history for a user |
/root/.bash_history | Bash history for root user |
/var/mail/root | Emails for root user |
Read commands executed with sudo privileges
cat /var/log/auth.log | grep COMMAND
Metadata
PDF
pdfinfo <pdf>
Images
Show all metadata
exiftool <image>
exiftool image.jpg
exiv2 -pt <image>
exiv2 -pt image.jpg
Edit or update an existing field
exiv2 -M'set <field> <value>' <image>