Incident Response - Linux Bash History

Attack404
119 views - 2 months ago
When performing an incident response on a Linux system or server, the bash history is vital for a number of reasons: it not only tells the story, but it can also show what a user was doing at the time of an event or incident.

In this example we explore where the .bash_history file(s) can be found and how to view them, both directly in the terminal and with the history command.

LINUX COMMANDS:
history (shows the bash history)
history | grep -i "foobar" (case-insensitive search of the history for "foobar")
history | egrep -i "foo|bar|blah" (same search as above, but matches any of foo, bar or blah, case-insensitively)

cat ~/.bash_history (shows the currently logged-in user's bash history)
cat /home/USER/.bash_history (shows another user's bash history)

NOTE: you can only see other users' bash history if you are running as root or under a privileged account.

WARNING: from a system-hardening point of view, bash history can in some cases lead to privilege escalation, because users may have typed passwords in clear text, for example: mysql -u root -pP@SSword! This can in turn lead to other issues not covered here.
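As an added example (not from the video or its channel), the POSIX shell script below applies the commands above across a whole system from a responder's side: it lists each interactive user's .bash_history path from /etc/passwd, searches a history file case-insensitively for several terms at once (the egrep pattern style shown above), and counts history lines that pass a database password on the command line, which is the hardening concern from the warning. The function names and the sample passwd/history data are constructed for this example; the readability check reflects the note that other users' histories need root.

```shell
#!/bin/sh
# Added example (not from the video): triage helper that enumerates every
# interactive user's ~/.bash_history, searches a history file case-insensitively
# for terms of interest (like `history | egrep -i "foo|bar|blah"`), and counts
# lines that pass a database password on the command line.
# All function names and the sample data below are constructed.

# Print the .bash_history path for root and every regular (uid >= 1000) user.
# Takes a passwd-format file (default /etc/passwd) so it can run on a sample.
list_history_files() {
    awk -F: '($3 == 0 || $3 >= 1000) && $6 != "" { print $6 "/.bash_history" }' \
        "${1:-/etc/passwd}"
}

# Search one history file for an extended-regex pattern, case-insensitively,
# printing file:line:command. Returns status 2 when the file is not readable
# (other users' histories need root, as the description notes).
search_history() {
    file="$1"; pattern="$2"
    if [ ! -r "$file" ]; then
        echo "cannot read $file (are you root?)" >&2
        return 2
    fi
    grep -i -E -n -H -- "$pattern" "$file"
}

# Count history lines that appear to carry a clear-text DB password
# (mysql/mariadb with -p<password> or --password=<password>).
count_cleartext_creds() {
    grep -c -i -E -- '(mysql|mariadb)[^|]* (-p[^ ]|--password=[^ ])' "$1" || true
}

# Constructed sample passwd file, written to a temp file; prints its path.
make_sample_passwd() {
    p=$(mktemp)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' > "$p"
    echo "$p"
}

# Constructed sample .bash_history, written to a temp file; prints its path.
make_sample_history() {
    h=$(mktemp)
    printf '%s\n' \
        'cd /var/www' \
        'ls -la' \
        'cat /tmp/FooBar.txt' \
        'mysql -u root -pP@SSword! shop' \
        'sudo apt-get update' \
        'echo blah' > "$h"
    echo "$h"
}

# Demo run against the constructed data. On a real system, call
# list_history_files with no argument and loop over its output instead.
sample_passwd=$(make_sample_passwd)
sample_history=$(make_sample_history)
echo "history files to collect:"
list_history_files "$sample_passwd"
echo "matches for foo|bar|blah:"
search_history "$sample_history" 'foo|bar|blah'
echo "lines with clear-text DB passwords: $(count_cleartext_creds "$sample_history")"
rm -f "$sample_passwd" "$sample_history"
```

The demo only touches the temp files it creates. When run for real, the list step needs no privileges (it reads /etc/passwd), but search_history will fail with status 2 on any history file the current account cannot read, so run the collection as root to get every user's file rather than only your own.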

#incidentresponse #socanalyst #cybersecurity #dfir #forensics #terminal
Published 2 months ago, on 1403/03/09.