Linux Forensics | Tryhackme Walkthrough

Learn about the common forensic artifacts found in the Linux Operating System file system.

System Configurations:

Ques 1: What is the hostname of the attached VM?

Ans: Linux4n6

Ques 2: What is the timezone of the attached VM?

Ans: asia/karachi

Ques 3: What program is listening on the address 127.0.0.1:5901?

Ans: Xtigervnc

Ques 4: What is the full path of this program?

Ans: /usr/bin/Xtigervnc

Persistence mechanisms:

Ques 1: In the bashrc file, the size of the history file is defined. What is the size of the history file that is set for the user Ubuntu in the attached machine?

Ans: 2000

Evidence of Execution:

Ques 1: The user tryhackme used apt-get to install a package. What was the command that was issued?

Ans: sudo apt-get install apache2

Ques 2: What was the current working directory when the command to install net-tools was issued?

Ans: /home/ubuntu

Log Files:

Ques 1: Though the machine’s current hostname is the one we identified in Task 4. The machine earlier had a different hostname. What was the previous hostname of the machine?

Ans: tryhackme