Module 0: The Linux IR Landscape
The alert fires at 03:17 on a Thursday. Your monitoring system reports a CPU spike on WEBSRV-NGE01 — a production web server running Ubuntu 22.04 behind an Nginx reverse proxy. CPU utilization has jumped from its normal 12% to 98%. The spike has been sustained for 40 minutes.
You SSH into the server. You run top and see a process called [kworker/2:1+] consuming 94% of CPU across all cores. The process name looks like a kernel thread — the square brackets are the naming convention for kernel workers. But kernel threads do not consume 94% of CPU for 40 continuous minutes.
You run ps auxf and the process appears in the tree under a PHP-FPM worker — not under the kernel. A kernel thread spawned by a PHP process is not a kernel thread. It is a cryptominer that has been named to look like one. Someone compromised the web application, deployed a miner, and disguised it.
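The parent-tree check described above, turned into a repeatable scan (added example written for this module, not code from the original text): it flags any process that presents as a kernel thread (bracketed or kernel-style name, or an emptied command line) while the kernel's own bookkeeping says otherwise, i.e. it lacks the PF_KTHREAD bit in field 9 of /proc/<pid>/stat and is not a child of kthreadd (PID 2). The sample /proc records are constructed to mirror the scenario, and the list of borrowed kernel names is an assumed heuristic.

```python
import os
import re

# PF_KTHREAD (include/linux/sched.h) marks real kernel threads; it shows up in
# field 9 (flags) of /proc/<pid>/stat. Real kernel threads also hang off kthreadd (PID 2).
PF_KTHREAD = 0x00200000
KTHREADD_PID = 2
# Assumed heuristic: names a user process might borrow to blend in with kernel threads.
KERNEL_NAME_RE = re.compile(r"^\[?(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd)")

def parse_stat(line):
    """Return (pid, comm, ppid, flags); comm may hold spaces, so split on the last ')'."""
    head, _, rest = line.strip().rpartition(")")
    pid, _, comm = head.partition("(")
    fields = rest.split()  # state, ppid, pgrp, session, tty, tpgid, flags, ...
    return int(pid), comm, int(fields[1]), int(fields[6])

def is_masquerading(pid, comm, ppid, flags, cmdline):
    """Presents as a kernel thread (bracketed/kernel-style name or emptied argv)
    but lacks PF_KTHREAD and is not parented by kthreadd."""
    presents = (cmdline == b"" or comm.startswith("[")
                or KERNEL_NAME_RE.match(comm) is not None)
    really = bool(flags & PF_KTHREAD) and ppid in (0, KTHREADD_PID)
    return presents and not really

def find_masqueraders(records):
    """records: iterable of (stat_line, cmdline_bytes) -> [(pid, comm, ppid), ...]"""
    hits = []
    for stat_line, cmdline in records:
        pid, comm, ppid, flags = parse_stat(stat_line)
        if is_masquerading(pid, comm, ppid, flags, cmdline):
            hits.append((pid, comm, ppid))
    return hits

def read_proc(proc="/proc"):
    """Live collector for find_masqueraders; skips processes that exit mid-scan."""
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{name}/stat") as s, open(f"{proc}/{name}/cmdline", "rb") as c:
                yield s.read(), c.read()
        except OSError:
            continue

# Constructed sample mirroring the scenario (PIDs, flags and field values are made up).
SAMPLE = [
    ("2 (kthreadd) S 0 0 0 0 -1 2129984 0 0 0 0 0 0 0 0 20 0 1 0 2 0 0", b""),
    ("31 (kworker/2:1+events) I 2 0 0 0 -1 69238880 0 0 0 0 0 0 0 0 20 0 1 0 6 0 0", b""),
    ("4470 (php-fpm) S 1 4470 4470 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 9000 0 0", b"php-fpm: pool www\0"),
    ("4471 ([kworker/2:1+) S 4470 4470 4470 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 9100 0 0", b"[kworker/2:1+]\0"),
]
```

On a live Linux host call `find_masqueraders(read_proc())`; on the constructed data `find_masqueraders(SAMPLE)` returns only the fake kworker, PID 4471 under php-fpm 4470.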
Now the investigation begins. How did the attacker get in? What vulnerability did they exploit? How long have they been present? What else did they do before deploying the miner? Did they establish persistence mechanisms that will survive a reboot? Did they move laterally to other servers? Did they access the database? Did they exfiltrate data?
The answers to every one of these questions exist somewhere on this server — in the filesystem, in the logs, in memory, in the network connections. But they exist in different places than you are used to looking. There is no Windows Event Log. There is no registry. There is no Prefetch. There is no NTFS MFT. The evidence model is fundamentally different from Windows, and if you apply Windows investigation instincts to a Linux server, you will miss artifacts, misinterpret timestamps, and draw incorrect conclusions.
This module maps the Linux evidence landscape — where artifacts live, why they are different from Windows, what makes Linux investigation uniquely challenging, and what makes it uniquely rewarding. By the end of this module, you will understand the evidence model well enough to know where to look for any artifact, on any Linux system, in any deployment environment.