Investigation

Disks

Convert disk to RAW image

Bash

# From VMWare
qemu-img convert -f vmdk -O raw disk.vmdk disk.img
# From Virtualbox
qemu-img convert -f ova -O raw disk.vmdk disk.img

Unpack LVM

Bash

kpartx -a -v $DUMP.lvm2

Docker containers

Bash

docker exec -it $CONTAINERNAME /bin/bash

Tracks

Other

Get hostname

Bash

/etc/hostname

Get timezone

Bash

/etc/timezone

Network

List interfaces

Bash

cat /etc/network/interfaces

List actives connections

Bash

netstat -natp

List hardcoded dns

Bash

cat /etc/hosts

Get DNS settings

Bash

cat /etc/resolv.conf

User/Groups/Rights

List users from passwd

Bash

cat /etc/passwd | column -t -s :

List sudoers

Bash

sudo cat /etc/sudoers

List groups

Bash

cat /etc/group
# Find users from a group
cat /etc/group | grep '$GROUPNAME'

Persistant

Startup

Bash

ls /etc/init.d
ls /etc/profile.d
cat ~/.bashrc

Cron

List cron tasks

Bash

crontab -l
# Root
less /etc/crontab
# From a user
sudo crontab -u $USERNAME -l
# Hourly
ls -la /etc/cron.hourly/
# Daily
ls -la /etc/cron.daily/
# Weekly
ls -la /etc/cron.weekly/
# Montly
ls -la /etc/cron.montly/

Logs

Manipulate logs

Bash

less -r $LOGFILE
tail -n $LINES $LOGFILE

Auth

Last login

Bash

sudo last -f /var/log/wtmp

Auth

Bash

cat /var/log/auth.log | less -r

Bash history

Bash

cat /home/$USER/.bash_history | less -r

SSH Key

Bash

cat /home/$USER/.ssh/authorized_keys | less -r

Proccessus

Bash

# Netcat detection
ps -aux | grep 'nc '

Sources

Phoenixnap home contact support blog Glossary How to List, Display, & View all Current Cron Jobs in Linux