Linux Forensics

Using Linux utmpdump for Forensics and Detecting Log File Tampering

August 01, 2019

Computer Forensics, Linux Forensics

In this post we’re going to show you how to use utmpdump for investigating Linux audit logs for signs of compromise. Seemingly unknown by…

Getting an Attacker IP Address from a Malicious Linux At Job

July 26, 2019

Computer Forensics, Linux Forensics

Attackers on Linux often try to establish so they can maintain access to a host. The most common way to do this is with a cron job that…

Detecting and De-Cloaking HiddenWasp Linux Stealth Malware

June 04, 2019

Linux Forensics, Malware

A new Linux stealth malware was . The malware, named HiddenWasp, is a remote access tool that has two modes of infection depending on…

How To Recover A Deleted Binary From Active Linux Malware

June 03, 2019

Computer Forensics, Linux Forensics

Often, Linux malware will delete itself after it starts so that file scanners and integrity checks won’t see the binary present. It also can…

Using Command Line Tools to Find Process Masquerading Linux Malware

February 28, 2019

Incident Response, Linux Forensics, Videos

In this video Sandfly founder Craig Rowland goes over the basics behind using command line tools on Linux to look into a suspicious process…

Hunting for Linux Intrusion Tactics is Better than Searching for Exploit Signatures

February 14, 2019

Intrusion Detection, Linux Forensics, Videos

When the NSA and a couple years back, Sandfly founder Craig Rowland ignored the zero day attacks they had and studied their tactics in the…