How to Document Script Execution in Linux Systems

Linux commands used to pull command history:

      • cat /home/<user>/.bash_history
      • history

Other commands used in this demo:

      • script
      • md5sum

The analyst must record all the commands required to carry out the analysis while working on Linux systems.

Using the built-in Linux tool “typescript” is one method of producing this documentation.

This command records all keystrokes made in the terminal along with their output.

To start it, simply enter “script” in the terminal.

If typescript is installed, a file named “typescript.txt” is created on your desktop.

From this point on, it captures every command run inside the terminal session.

Enter “exit” in the terminal to stop the logging session and save this file.

The typescript command is comparable to Linux’s “Bash History” file and “history” command, which keep track of the commands that have been run within the terminal.

Bash history can be found at: /home/<user>/.bash_history

For demonstration, we can run the commands below inside the script session.

>>script: cat /home/linux-analyst/.bash_history

>>script: history

Next, we can open our “typescript.txt” file.

The commands logged there match those in our bash_history file.

When producing the report, the analyst must record the files used during the work and protect their integrity.

One of the investigator’s guiding principles is to record everything, and one way to achieve this is to use the built-in Linux tool “md5sum” to hash the saved “typescript.txt” file.

>>script: md5sum typescript.txt
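As an added example that is not part of the original article, the shell functions below seal a session transcript with md5sum, store the digest in a sidecar file, and later verify that the transcript is unchanged; the transcript contents and the “.md5” sidecar naming are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example: seal a `script` transcript with md5sum and verify it later,
# so any edit to the evidence file after the fact is detected.
set -eu

# record_hash FILE: store "digest  FILE" in FILE.md5 and print the hex digest
record_hash() {
  md5sum "$1" > "$1.md5"
  cut -d' ' -f1 "$1.md5"
}

# verify_hash FILE: exit 0 if FILE still matches FILE.md5, non-zero otherwise
verify_hash() {
  md5sum -c --status "$1.md5"
}

# make_sample_transcript DIR: constructed stand-in for the file `script` writes
make_sample_transcript() {
  printf 'Script started on Mon Jan  1 09:00:00 2024\n' > "$1/typescript.txt"
  printf '$ cat /home/linux-analyst/.bash_history\nls -la /evidence\n$ exit\n' >> "$1/typescript.txt"
  printf 'Script done on Mon Jan  1 09:05:00 2024\n' >> "$1/typescript.txt"
  echo "$1/typescript.txt"
}

# seal_and_check DIR: seal a fresh transcript, tamper with it, report the result
# prints "modified" when the tampering is caught, "intact" if it was missed
seal_and_check() {
  f=$(make_sample_transcript "$1")
  record_hash "$f" > "$1/digest.txt"
  verify_hash "$f" || { echo "unexpected"; return 1; }
  echo "tampered" >> "$f"          # simulate a post-hoc edit of the evidence
  if verify_hash "$f"; then echo "intact"; else echo "modified"; fi
}

# Stand-alone run: seal_and_check "$(mktemp -d)"
```

Keep the digest file (and ideally a copy of it) with the report so the transcript can be re-verified at any later stage of the investigation.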