/etc/shadow for users without a shell
apt-get install lime-forensics-dkms

In other cases you need to download LiME from GitHub and compile it with the correct kernel headers. In order to obtain the exact kernel headers of the victim machine, you can just copy the directory
/lib/modules/<kernel version> to your machine, and then compile LiME using them:
sync command on the system and pull the plug.
rpm -Va on Linux is designed to verify all packages that were installed using the RedHat Package Manager.
rpm -qa --dbpath=/mntpath/var/lib/rpm command (pointing rpm at the database copied from the mounted evidence rather than at the examiner's own) will list the contents of an RPM database on a subject system.
/etc/modprobe.d directories, and the /etc/modprobe.conf file. These areas should be inspected for items that are related to malware.
grep -iE "session opened for|accepted password|new session|not in sudoers" /var/log/auth.log
last -Faiwx it's possible to get the list of users that have logged in. It's recommended to check whether those logins make sense:
/bin/false so users like lightdm may be able to log in.
mactime feature from Sleuth Kit directly.
/dev are normally special (device) files, so any regular, non-special file found here may be related to malware.
find / -user root -perm -04000 -print
ls -laR --sort=time /bin

You can check the inodes of the files inside a folder using
ls -lai /bin | sort -n
A), Copied (C), Deleted (D), Modified (M), Renamed (R), have their type (i.e. regular file, symlink, submodule, …) changed (T), are Unmerged (U), are Unknown (X), or have had their pairing Broken (B). Any combination of the filter characters (including none) can be used. When * (All-or-none) is added to the combination, all paths are selected if there is any file that matches other criteria in the comparison; if there is no file that matches other criteria, nothing is selected.
--diff-filter=ad excludes added and deleted paths.