Linux Forensics

Date

27/09/2025

Read Time

4 min read

Author

Tom Page

Tags

TryHackMe, Linux Forensics, Accounts, Configuration, Persistence, Logs

After completing both Windows Forensics rooms, I've taken my first steps into Linux Forensics. I was inexperienced with Linux going into this, so I expected a bit of a struggle, but what surprised me was how much of what I'd already learned in Windows applied here too: every action leaves a trace, you just need to know where to look.

Linux Forensics vs Windows Forensics

Coming from Windows, the most significant difference I noticed was how open Linux is. In Windows, forensic data often hides deep inside the registry or specialised system files. In Linux, so much of it is exposed in simple text files. At first, this made things feel almost easy, but as I spent more time in this module, I found the real challenge is knowing what matters in that sea of information.

Accounts and Identity

One of my first lessons was just how much you can learn about user accounts from files like /etc/passwd and /etc/group. It reminded me of the SAM hive in Windows: different structure, same purpose. Seeing how UIDs and groups tie activity back to specific users made me realise that identity is a universal starting point in forensics, no matter the operating system.

System Configuration as Evidence

Looking at hostnames, timezones, and active processes showed me that configuration details aren't just background; they can be key forensic context. For example, discovering a service listening on 127.0.0.1:5901 wasn't just a technical answer, it was a clue about how the system was being accessed. Just like registry keys in Windows, these details help explain the bigger picture of system behaviour.

Persistence and Execution

Another valuable lesson was how Linux shows persistence and execution. Where Windows uses registry run keys or scheduled tasks, Linux often relies on configuration files like .bashrc or simple logs. Tracing package installations through auth.log felt very similar to reconstructing program execution with AmCache and ShimCache in Windows. The artefacts differ, but they serve the same end goal: to build a timeline of what was done, by whom, and when.
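To make the Accounts and Persistence sections concrete, here is a small added example (my own illustration, not part of the TryHackMe room) that resolves identities from /etc/passwd and /etc/group and then attributes package-install commands in auth.log sudo entries to those identities. All file and log content below is constructed sample data, including the "tryhackme" hostname in the earlier entries, which mirrors the old hostname mentioned later in the post.

```python
# Added example: map UIDs/groups to users, then build a package-install timeline
# from auth.log sudo entries. PASSWD, GROUP and AUTH_LOG are constructed samples.
import re

PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
backup2:x:0:0:backup:/root:/bin/sh
"""
GROUP = """root:x:0:
sudo:x:27:ubuntu
ubuntu:x:1000:
"""
AUTH_LOG = """Sep 27 10:14:02 tryhackme sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/apt install net-tools
Sep 27 10:15:40 tryhackme sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/id
Sep 27 11:02:11 forensics sudo:   ubuntu : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/dpkg -i tightvncserver.deb
"""

# Syslog-style sudo line: timestamp, hostname, invoking user, and the COMMAND field.
SUDO_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sudo:\s+(\S+) : .*COMMAND=(.*)$")
INSTALL_CMDS = ("apt", "apt-get", "dpkg", "snap", "yum", "dnf")

def parse_passwd(text):
    """Map username -> (uid, gid, shell). The UID is what anchors activity to a person."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _, uid, gid, _, _, shell = line.split(":")
        users[name] = (int(uid), int(gid), shell)
    return users

def duplicate_root_accounts(users):
    """Accounts other than root that also carry UID 0 deserve a closer look."""
    return sorted(n for n, (uid, _, _) in users.items() if uid == 0 and n != "root")

def parse_group(text):
    """Map username -> set of supplementary groups (e.g. membership of sudo)."""
    groups = {}
    for line in filter(None, text.splitlines()):
        gname, _, _, members = line.split(":")
        for member in filter(None, members.split(",")):
            groups.setdefault(member, set()).add(gname)
    return groups

def install_timeline(log, users):
    """Return (timestamp, hostname, user, uid, command) for package-manager sudo entries."""
    events = []
    for line in log.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        ts, host, user, cmd = m.groups()
        if cmd.split()[0].rsplit("/", 1)[-1] in INSTALL_CMDS:
            events.append((ts, host, user, users.get(user, (None,))[0], cmd))
    return events
```

The hostname column of the timeline is worth keeping: a change partway through the log is exactly the kind of system history that the current configuration alone would never reveal.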

Logs Tell the System's Story

The log files were where Linux really clicked for me. Finding out that the virtual machine once had a different hostname (tryhackme) made me realise how logs preserve the history of a system far beyond its current state. Compared to Windows event logs, Linux logs felt simpler to parse, which further showed me that logs don't just capture activity; they capture identity, change, and intent.

What I Took Away

  • Artefacts: Linux artefacts are often easier to access than Windows, but context matters more than the raw data.
  • Users and Groups: User and group files serve the same purpose as the Windows hives: they anchor activity to identities.
  • System Configuration: System configuration can be just as important as user actions when reconstructing events.
  • Executions: Execution evidence is everywhere if you know where to look, from package installs to shell history.
  • Logs: Logs preserve not just actions but the evolution of a system over time.

Final Thoughts

This room felt easier than the Windows ones, but that in itself was a lesson. Forensics isn't about how hard the artefacts are to find, it's about piecing them together into a story. Linux may present its evidence more openly than Windows, but interpretation is still the skill that matters most.