Linux IR

Forensic Methodology for Security Engineers and IR Practitioners in Linux, Cloud, and Container Environments

Aligned to NIST SP 800-61 Rev 2 · ISO/IEC 27037 · MITRE ATT&CK · Mandiant tradecraft

Incident Response: Linux Systems

Investigate compromised Linux systems from first login to full containment.

Investigate Linux incidents using the artifacts that matter — auth logs, process trees, persistence mechanisms, container escapes, and network connections. Trace SSH compromises, detect rootkits, analyze cron-based persistence, investigate container breakouts, and reconstruct attacker timelines from system logs. Whether your Linux systems are on-prem servers, cloud VMs, or container hosts, the investigation methodology finds the evidence.

Text-based · Persistent labs on your own hardware · 2 free modules available now · 36 CPE credits · Content last updated: May 2026

What you'll deploy
Full Linux forensic investigation toolkit for RHEL and Ubuntu
Log2Timeline + Volatility 3 analysis pipeline on your own hardware
Filesystem forensics: ext4 journal, inode analysis, deleted file recovery
Systemd journal, auditd, and syslog investigation methodology
Container forensics: Docker and Kubernetes incident response
Linux-specific collection scripts with evidence integrity verification
LINUX IR — INVESTIGATION TIMELINE

T+0:00 Alert: SSH brute force — successful auth from foreign IP
Source: auth.log → failed/success pattern → auditd correlation

T+0:03 SSH authorized_keys modified — attacker deploys persistence
Source: filesystem timestamps → inode analysis → ctime vs mtime

T+0:08 Privilege escalation — SUID binary exploited to gain root
Source: auditd execve logs → SUID file access → process tree

T+0:22 Container escape — Docker socket mounted, host access gained
Source: container logs → docker inspect → overlay2 filesystem

T+1:45 Cloud pivot — instance metadata SSRF, IAM credential theft
Source: cloud audit logs → API call timeline → cross-env correlation

Full program · 10 scenarios · Free tools · 40-50 hours
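The first step of the timeline, correlating a run of failed SSH logins with the success that follows from the same source address, as an added example (not code from the course or its lab pack). The auth.log excerpt is constructed for the example and uses RFC 5737 documentation addresses; the threshold of three failures is an assumption, not a course setting.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not lab-pack output); IPs are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 web01 CRON[1180]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 02:14:03 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 02:14:05 web01 sshd[1203]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 10 02:14:07 web01 sshd[1205]: Failed password for deploy from 203.0.113.45 port 51238 ssh2
Mar 10 02:14:09 web01 sshd[1209]: Accepted password for deploy from 203.0.113.45 port 51240 ssh2
Mar 10 02:20:11 web01 sshd[1250]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 02:20:15 web01 sshd[1252]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 02:31:00 web01 sshd[1301]: Accepted publickey for ops from 192.0.2.10 port 42010 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines;
# CRON, systemd and other noise lines do not match and are skipped.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_events(text):
    """Return the sshd authentication events in the log, in file order."""
    return [m.groupdict() for line in text.splitlines() if (m := SSHD_RE.match(line))]


def find_brute_force_successes(text, min_failures=3):
    """Flag each accepted login that was preceded by >= min_failures failures from the same IP.

    Failure counts are kept per source IP and reset after a flagged success, so one
    brute-force run produces one finding rather than one per later login.
    """
    failures = defaultdict(int)
    hits = []
    for ev in parse_sshd_events(text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            hits.append({"time": ev["ts"], "ip": ip, "user": ev["user"],
                         "method": ev["method"], "failures_before": failures[ip]})
            failures[ip] = 0
    return hits


if __name__ == "__main__":
    for hit in find_brute_force_successes(SAMPLE_AUTH_LOG):
        print(f"{hit['time']} {hit['ip']} -> {hit['user']} via {hit['method']} "
              f"after {hit['failures_before']} failures")
```

The flagged IP, user and timestamp are the pivot for the next timeline step: the same address and session should be looked for in auditd and in the ctime of that user's authorized_keys.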

What you'll be able to do

Investigate SSH compromises, rootkits, and cron-based persistence
Analyze Linux auth logs, process trees, and filesystem timestamps
Investigate container breakouts and cloud VM compromises
Reconstruct attacker timelines from system and audit logs
Deploy Linux-specific detection rules from investigation findings

Course Agenda

Course at a glance

You start treating Linux incidents as something you escalate — because the investigation tools are unfamiliar, the filesystem layout is different, and the log sources aren't where you expect them. You finish investigating Linux compromises end-to-end: from initial access through persistence, privilege escalation, and lateral movement, using the same structured methodology you'd apply to a Windows investigation.

What you'll build: Linux investigation skills using free, open-source tools on systems you control. The ability to trace an attacker through auth logs, process trees, cron persistence, container escapes, and web shell activity — producing the forensic timeline that proves what happened and when.

17 modules · 40 CPE credits · Self-paced at ~5 hrs/week

Typical pace: ~5-10 weeks at 5 hrs/week

Hands-on labs: 11 interactive + 30 structured

MITRE ATT&CK coverage: 83 techniques mapped

Built by Ridgeline Cyber

Ridgeline Cyber Defence builds security operations training grounded in practical and operational experience. The team behind this course runs CSOC operations across on-prem, Splunk, and Microsoft 365 security stacks, Cisco and Palo Alto networks, and managed SOC partnerships.

Experience spans detection engineering, incident response, and DFIR investigation across on-prem, M365, and Linux environments — including leading cyber incident response engagements, deploying security controls and managing Governance, Risk and Compliance operations.

The investigation scenarios in this course are grounded in that operational work. The techniques, decision points, and mistakes are drawn from real investigations, sanitized and adapted for training.

The outcome

You start avoiding Linux investigations. You finish owning them.

Linux forensic methodology — filesystem artifacts, process analysis, log investigation, container forensics.

Evidence acquisition on Linux — live collection, memory capture, log preservation without altering evidence.

Cross-platform investigation — trace attackers that move between Windows and Linux systems.

Lab Pack — Hands-On Investigation Practice

This course includes a production-grade lab pack that generates realistic-volume attack evidence on your Ubuntu VM. The CHAIN-FACTORY attack simulation creates ~45 artifacts buried in thousands of lines of legitimate system noise — auth.log with 3,500+ lines of CRON, systemd, and SSH noise alongside 847 brute force attempts, a process listing with 150+ entries hiding 4 suspicious processes, network connections with C2 buried among legitimate traffic, and a filesystem timeline with 500+ entries. Finding the indicators requires the same skills needed in production investigations.

What's included: Attack artifact generator (bash script, ~45 files, 8 persistence mechanisms), 4 HTML walkthrough guides, 30 structured labs (27 core + 3 bonus), 4 verification scripts, a production-ready DFIR collection script (148 lines, 12 collection phases), and cleanup script.

Lab environment (free): VMware Workstation Pro + Ubuntu 24.04 LTS Desktop VM. One-time setup, used across all modules. See the Lab Setup Guide for the complete build.

Attack scenario: CHAIN-FACTORY — SSH brute force (847 attempts over 6 hours) → deploy account compromise → web shell deployment (PHP with Base64 command execution) → privilege escalation to root → 8 persistence mechanisms (cron, systemd service, systemd timer, authorized_keys, .bashrc, LD_PRELOAD, rc.local, PAM backdoor) → cryptominer (masquerading as kworker) → credential harvesting (/etc/shadow, SSH keys, DB passwords, AWS credentials) → data staging (/dev/shm/.work/) → lateral movement (SSH to manufacturing and database servers) → container escape (docker.sock mount).

Evidence analysis: Open CSV files in Timeline Explorer by Eric Zimmerman — purpose-built for DFIR evidence analysis with column filtering, sorting, and color-coding. All evidence files work natively.

Practical Linux IR Lab Pack v1
30 labs · ~45 artifacts · 8 persistence · 3,500+ line auth.log · 150+ process listing
Download Lab Pack (.zip)

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may use scripts, commands, detection rules, and templates from this course in your professional work. You may not redistribute course content, share account credentials, or republish course materials.

Investigation techniques: All techniques in this course are intended for authorized investigation and defense. Apply them only to systems you are authorized to investigate — your own lab, systems under your organization's control, or systems where you have written authorization. Unauthorized access to computer systems is a criminal offense in most jurisdictions.

Fictional environment: All investigation scenarios use the fictional Northgate Engineering environment. Any resemblance to real organizations, incidents, or individuals is coincidental. IP addresses use RFC 5737 documentation ranges.

No legal advice: The regulatory notification guidance in LX14 and LX16 is educational, not legal advice. Consult qualified legal counsel for notification obligations in your jurisdiction.

Version and changelog

Current version: 2.0  |  Last updated: April 2026

April 2026 — v2.0: Lab pack rebuilt from scratch. CHAIN-FACTORY attack simulation with realistic-volume evidence (~3,500 line auth.log, 150+ process listing, 500+ filesystem timeline entries). 30 labs with HTML walkthroughs. 8 persistence mechanisms. Production DFIR collection script included. Inclusive audience statement added. Prerequisites updated for advanced positioning.

2026 — v1.0: Complete course launch. All 17 modules (LX0–LX16) active. Full content standard audit completed — all 176 content subs pass 8-element standard.

This course is actively maintained. Detection rules, tool references, and investigation techniques are updated as the Linux security landscape evolves.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 2 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.