Craig Rowland presented last October at the Christchurch HackCon on the topic of using basic command line tools for Linux forensic investigation. His talk focused on using built-in command line tools and careful observation to detect compromised Linux hosts without any special tricks.
These slides present basic techniques any Linux administrator can use today to quickly assess a system for common signs of compromise. This includes Linux rootkits, malware, and worms.
We’d like to thank the hosts of ChCon for the opportunity to speak and for the great job they did organizing the event.