Anthropic-Cybersecurity-Skills/skills/analyzing-linux-system-artifacts/references/api-reference.md
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00


API Reference: Linux Forensic Artifact Analysis Tools

Key Artifact Locations

| Artifact | Path | Description |
|---|---|---|
| Auth logs | /var/log/auth.log (Debian), /var/log/secure (RHEL) | Authentication events |
| Login history | /var/log/wtmp | Successful logins (binary, use `last`) |
| Failed logins | /var/log/btmp | Failed logins (binary, use `lastb`) |
| Bash history | ~/.bash_history | Command history per user |
| SSH keys | ~/.ssh/authorized_keys | Authorized public keys |
| Crontab | /etc/crontab, /var/spool/cron/crontabs/ | Scheduled tasks |
| Systemd services | /etc/systemd/system/ | Service definitions |
| LD_PRELOAD | /etc/ld.so.preload | Shared library preloading |
| SUID binaries | `find / -perm -4000` | Setuid executables |
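The table above lists where to look; the script below, added here as an example and not part of the original reference or the skill's own scripts, shows how those locations are triaged offline against a mounted evidence root instead of the live system. It assumes the evidence filesystem is mounted (ideally read-only) at the directory passed as its first argument, such as /mnt/evidence; the tree produced by make_sample_root is constructed for demonstration and every path and key in it is made up.

```bash
#!/usr/bin/env bash
# Added example: offline triage of persistence/privilege artifacts under an
# evidence root. Assumption: $1 is the mount point of the evidence filesystem.
set -u

# Print one finding per line: "<category>TAB<path>TAB<detail>"
triage_root() {
    root="${1%/}"

    # 1. LD_PRELOAD persistence: every non-comment line in etc/ld.so.preload
    #    names a library loaded into every dynamically linked process.
    if [ -s "$root/etc/ld.so.preload" ]; then
        grep -E -v '^[[:space:]]*(#|$)' "$root/etc/ld.so.preload" |
        while IFS= read -r lib; do
            printf 'ld_preload\t%s\t%s\n' "$root/etc/ld.so.preload" "$lib"
        done
    fi

    # 2. Setuid executables anywhere under the evidence root. -xdev keeps
    #    find on the evidence filesystem rather than other mounts beneath it.
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        printf 'suid\t%s\towner=%s mode=%s\n' "$f" \
            "$(stat -c '%U' "$f")" "$(stat -c '%a' "$f")"
    done

    # 3. SSH authorized_keys files (root and every home) with a key count.
    for keys in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$keys" ] || continue
        n=$(grep -E -c '^(ssh-|ecdsa-|sk-)' "$keys" || true)
        printf 'authorized_keys\t%s\t%s key(s)\n' "$keys" "$n"
    done

    # 4. Scheduled tasks: lines from /etc/crontab and every per-user spool
    #    file that are not comments, blanks or VAR=value assignments.
    for cron in "$root/etc/crontab" "$root"/var/spool/cron/crontabs/*; do
        [ -f "$cron" ] || continue
        grep -E -v '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$cron" |
        while IFS= read -r job; do
            printf 'cron\t%s\t%s\n' "$cron" "$job"
        done
    done
}

# Build a constructed evidence tree in a temp directory and print its path.
# Every file, path and key below is made up for the demonstration.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/bin" "$root/root/.ssh" \
             "$root/home/alice/.ssh" "$root/var/spool/cron/crontabs"
    printf '/usr/local/lib/libhook.so\n' > "$root/etc/ld.so.preload"
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/bin/helper"
    chmod 4755 "$root/usr/bin/helper"
    printf 'ssh-ed25519 AAAAC3...constructed alice@laptop\nssh-rsa AAAAB3...constructed backup\n' \
        > "$root/root/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAC3...constructed alice@laptop\n' \
        > "$root/home/alice/.ssh/authorized_keys"
    printf '# /etc/crontab\nSHELL=/bin/sh\n0 3 * * * root /usr/local/bin/backup.sh\n' \
        > "$root/etc/crontab"
    printf '*/5 * * * * /home/alice/.cache/update.sh\n' \
        > "$root/var/spool/cron/crontabs/alice"
    printf '%s\n' "$root"
}

# Usage: triage_root "$(make_sample_root)"      or      triage_root /mnt/evidence
```

Running triage_root on the constructed tree yields six findings (one preload library, one setuid file, two authorized_keys files, two cron jobs); each line is tab-separated so it can be sorted or diffed against a known-good baseline from a clean build of the same distribution.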

last / lastb - Login History

Syntax

last -f /var/log/wtmp              # Successful logins
lastb -f /var/log/btmp             # Failed logins
last -i -f /var/log/wtmp           # Show IP addresses
last -s 2024-01-15 -t 2024-01-20  # Date range filter

Output Format

user     pts/0   192.168.1.50  Mon Jan 15 09:00  still logged in
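A common next step after `last -i` is to separate logins that arrived from outside the organisation's address space from local console and LAN sessions. The filter below is an added example, not part of the original reference: it reads `last -i` text on stdin and keeps only sessions whose source is a public IPv4 address, dropping RFC 1918 ranges, loopback, the 0.0.0.0 shown for local consoles, and the reboot/shutdown pseudo-users. The sample output it is fed is constructed.

```bash
#!/usr/bin/env bash
# Added example: keep only `last -i` sessions from public IPv4 sources.
# Usage on evidence: last -i -f /mnt/evidence/var/log/wtmp | external_logins

external_logins() {
    awk '
        # Skip the trailer line, blank lines and boot/shutdown pseudo-users
        /^wtmp begins/ || /^$/ || $1 == "reboot" || $1 == "shutdown" { next }
        {
            ip = $3
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next   # hostname or blank
            if (ip == "0.0.0.0") next                            # local console
            split(ip, o, ".")
            if (o[1] == 10) next                                 # 10.0.0.0/8
            if (o[1] == 127) next                                # loopback
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next    # 172.16.0.0/12
            if (o[1] == 192 && o[2] == 168) next                 # 192.168.0.0/16
            # user, tty, source address, login timestamp (day mon dd hh:mm)
            print $1 "\t" $2 "\t" ip "\t" $4, $5, $6, $7
        }'
}

# Constructed sample of `last -i -f /var/log/wtmp` output (not real data)
SAMPLE_LAST='alice    pts/0        192.168.1.50     Mon Jan 15 09:00   still logged in
root     pts/1        203.0.113.77     Mon Jan 15 03:14 - 03:40  (00:26)
carol    pts/3        172.20.4.8       Mon Jan 15 01:10 - 01:12  (00:02)
bob      tty1         0.0.0.0          Sun Jan 14 18:02 - 18:30  (00:28)
deploy   pts/2        10.0.0.9         Sun Jan 14 11:00 - 11:05  (00:05)
reboot   system boot  0.0.0.0          Sun Jan 14 10:58   still running

wtmp begins Sun Jan 14 10:58:00 2024'

# Usage: printf '%s\n' "$SAMPLE_LAST" | external_logins
```

On the sample only the root session from 203.0.113.77 survives the filter. The same function works on `lastb -i -f /var/log/btmp` output to find where failed attempts originated; adjust the excluded ranges to match the environment's own address plan.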

chkrootkit - Rootkit Scanner

Syntax

chkrootkit                    # Full scan
chkrootkit -r /mnt/evidence   # Scan mounted evidence
chkrootkit -q                 # Quiet (infected only)

rkhunter - Rootkit Hunter

Syntax

rkhunter --check                    # Full system check
rkhunter --check --rootdir /mnt/ev  # Check evidence root
rkhunter --list tests               # List available tests
rkhunter --propupd                  # Update file properties DB

Check Categories

| Check | Description |
|---|---|
| rootkits | Known rootkit signatures |
| trojans | Trojanized system binaries |
| properties | File permission anomalies |
| filesystem | Hidden files and directories |

auditd Log Parsing

ausearch Syntax

ausearch -m execve -ts recent         # Recent command execution
ausearch -m USER_AUTH -ts today        # Authentication events
ausearch -k suspicious_activity       # Custom audit rule key
ausearch -ua 0 -ts today              # Root user actions

aureport Syntax

aureport --auth                       # Authentication summary
aureport --login                      # Login summary
aureport --file                       # File access summary
aureport --summary                    # Overall summary
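When the audit log is copied off a host rather than queried with ausearch on the live system, the raw EXECVE records still have to be turned back into command lines. The function below is an added example, not part of the original reference: it reads a raw audit.log, pulls the event timestamp:serial from each EXECVE record, joins the a0..aN arguments, and decodes the unquoted hex encoding the kernel applies to arguments containing spaces or special characters. The audit lines it is fed are constructed; arguments that audit splits across several records (the aN[len]= form) are not merged.

```bash
#!/usr/bin/env bash
# Added example: rebuild command lines from raw EXECVE audit records.
# Usage on evidence: execve_commands < /mnt/evidence/var/log/audit/audit.log

execve_commands() {
    awk '
        function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
        function hex2str(h,    i, s) {
            s = ""
            for (i = 1; i < length(h); i += 2)
                s = s sprintf("%c", hexval(substr(h, i, 1)) * 16 + hexval(substr(h, i + 1, 1)))
            return s
        }
        $1 == "type=EXECVE" {
            # $2 looks like msg=audit(EPOCH.MS:SERIAL): -> keep "EPOCH.MS:SERIAL"
            match($2, /audit\([0-9.]+:[0-9]+\)/)
            ts = substr($2, RSTART + 6, RLENGTH - 7)
            cmd = ""
            for (i = 3; i <= NF; i++) {
                if ($i !~ /^a[0-9]+=/) continue            # skip argc= and aN[len]=
                v = $i; sub(/^a[0-9]+=/, "", v)
                if (v ~ /^".*"$/) {
                    v = substr(v, 2, length(v) - 2)          # plain quoted argument
                } else if (v ~ /^[0-9A-Fa-f]+$/ && length(v) % 2 == 0) {
                    v = hex2str(v)                           # hex-encoded argument
                    if (v ~ /[[:space:]]/) v = "\047" v "\047"   # show it as one word
                }
                cmd = (cmd == "" ? v : cmd " " v)
            }
            print ts "\t" cmd
        }'
}

# Constructed audit.log excerpt (not real data); the key matches the
# `ausearch -k suspicious_activity` example above.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1705309200.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="suspicious_activity"
type=EXECVE msg=audit(1705309200.123:456): argc=3 a0="cat" a1="-n" a2="/etc/shadow"
type=EXECVE msg=audit(1705309260.001:457): argc=3 a0="sh" a1="-c" a2=6C73202D6C61202F746D70
type=PROCTITLE msg=audit(1705309260.001:457): proctitle=7368002D63006C73202D6C61202F746D70'

# Usage: printf '%s\n' "$SAMPLE_AUDIT" | execve_commands
```

The sample produces two lines, `cat -n /etc/shadow` and `sh -c 'ls -la /tmp'`, each prefixed by its timestamp:serial so the command can be joined back to the SYSCALL record (uid, auid, exe, key) carrying the same identifier.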

osquery - SQL-based System Queries

Syntax

osqueryi "SELECT * FROM users WHERE uid = 0"
osqueryi "SELECT * FROM crontab"
osqueryi "SELECT * FROM authorized_keys"
osqueryi "SELECT * FROM suid_bin"
osqueryi "SELECT * FROM process_open_sockets"

Key Tables

| Table | Content |
|---|---|
| users | User account information |
| crontab | Cron job entries |
| authorized_keys | SSH authorized keys |
| suid_bin | SUID binaries |
| process_open_sockets | Network connections by process |
| shell_history | Command history entries |

Plaso / log2timeline - Super Timeline

Syntax

log2timeline.py /cases/timeline.plaso /mnt/evidence
psort.py -o l2tcsv /cases/timeline.plaso > timeline.csv
psort.py -o l2tcsv /cases/timeline.plaso "date > '2024-01-15'"

AIDE - File Integrity

Syntax

aide --init                    # Initialize database
aide --check                   # Check for changes
aide --compare                 # Compare databases