Module 1: Linux Evidence Collection and Triage
BASTION-NGE01 has been compromised. The SOC confirmed it forty minutes ago — a brute force attack from 203.0.113.55 succeeded after 847 failed attempts over six hours. The attacker is currently logged in. You can see their session in the output of who. They have been active for thirty-eight minutes.
You are the investigator. Your first task is not analysis — it is collection. Every second that passes, evidence is at risk. The attacker may be deleting logs right now. The cron daemon may rotate the authentication logs overnight. The attacker’s process in /proc will vanish the moment they disconnect. The contents of /dev/shm — whatever the attacker staged there — will vanish on reboot.
You need to collect the right evidence, in the right order, without destroying what you are trying to preserve. You need to do it fast enough that the volatile evidence survives, but carefully enough that the evidence is admissible and the chain of custody is documented. And you need to do it on a system that is actively compromised — meaning the commands you run may not produce trustworthy output if the attacker has installed a rootkit.
This module teaches the collection methodology: what to collect, in what order, with which tools, and how to verify the integrity of what you collected. By the end of this module, you will have a documented collection procedure that you can execute on any compromised Linux system — bare-metal, cloud VM, or container.
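The order of volatility the module describes (live sessions, then processes, then /dev/shm, then the rotatable auth logs) turned into a runnable collector with an integrity manifest. This is an added example, not the module's own procedure; the collector list, the file names, and the optional TRUSTED_BIN directory of known-good static binaries are assumptions for illustration.

```shell
#!/bin/sh
# Volatile-first evidence collection with an integrity manifest.
# Added example for this module, not its own script. Assumptions: Linux with
# coreutils (sha256sum), OUTDIR on storage the attacker cannot reach, and an
# optional TRUSTED_BIN directory of known-good static binaries (a rootkit can
# replace who/ps/ls; a kernel-level rootkit can still lie even to trusted ones).
if [ -n "${TRUSTED_BIN:-}" ]; then PATH="$TRUSTED_BIN:$PATH"; fi

# run_collector NAME CMD... : run one collector, keep its output AND its exit
# status. A failing collector never aborts the run; the failure is evidence too.
run_collector() {
    name="$1"; shift
    if "$@" > "$OUTDIR/$name.txt" 2>&1; then rc=0; else rc=$?; fi
    printf '%s\t%s\trc=%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$name" "$rc" "$*" >> "$OUTDIR/collection.log"
}

# collect_volatile OUTDIR : collectors run most-perishable first.
collect_volatile() {
    OUTDIR="$1"
    mkdir -p "$OUTDIR" && : > "$OUTDIR/collection.log"
    run_collector 00_clock date -u                     # anchors every timestamp
    run_collector 01_sessions who -a                   # the live attacker session
    run_collector 02_processes ps -eo pid,ppid,user,lstart,tty,args
    run_collector 03_proc_mounts cat /proc/mounts
    run_collector 04_dev_shm ls -laR /dev/shm          # gone on reboot
    run_collector 05_auth_log cat /var/log/auth.log /var/log/secure
    write_manifest "$OUTDIR"
}

# write_manifest OUTDIR : hash every artifact; this file goes in the custody record.
write_manifest() {
    (cd "$1" && sha256sum ./*.txt collection.log > manifest.sha256)
}

# verify_manifest OUTDIR : returns 0 only if every collected artifact is unchanged.
verify_manifest() {
    (cd "$1" && sha256sum -c --status manifest.sha256)
}
```

Run `collect_volatile /mnt/evidence/BASTION-NGE01` first and hash the manifest itself into the custody log; a later `verify_manifest` that fails tells you which artifact changed after collection.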