Linux Forensics | TryHackMe Walkthrough
Learn about the common forensic artifacts found in the Linux Operating System file system.
System Configurations:
Ques 1: What is the hostname of the attached VM?
Ans: Linux4n6
Ques 2: What is the timezone of the attached VM?
Ans: asia/karachi
Ques 3: What program is listening on the address 127.0.0.1:5901?
Ans: Xtigervnc
Ques 4: What is the full path of this program?
Ans: /usr/bin/Xtigervnc
Persistence mechanisms:
Ques 1: In the bashrc file, the size of the history file is defined. What is the size of the history file that is set for the user Ubuntu in the attached machine?
Ans: 2000
Evidence of Execution:
Ques 1: The user tryhackme used apt-get to install a package. What was the command that was issued?
Ans: sudo apt-get install apache2
Ques 2: What was the current working directory when the command to install net-tools was issued?
Ans: /home/ubuntu
Log Files:
Ques 1: Though the machine’s current hostname is the one we identified in Task 4, the machine earlier had a different hostname. What was the previous hostname of the machine?
Ans: tryhackme