Linux IR

Forensic Methodology for Security Engineers and IR Practitioners in Linux, Cloud, and Container Environments

Aligned to NIST SP 800-61 Rev 2, ISO/IEC 27037, MITRE ATT&CK, and Mandiant tradecraft

Incident Response: Linux Systems

Investigate compromised Linux systems from first login to full containment.

Investigate Linux incidents using the artifacts that matter — auth logs, process trees, persistence mechanisms, container escapes, and network connections. Trace SSH compromises, detect rootkits, analyze cron-based persistence, investigate container breakouts, and reconstruct attacker timelines from system logs. Whether your Linux systems are on-prem servers, cloud VMs, or container hosts, the investigation methodology finds the evidence.

What you'll deploy
Full Linux forensic investigation toolkit for RHEL and Ubuntu
8-mechanism persistence enumeration methodology with verification
Container and cloud VM forensic investigation procedures
Production DFIR collection script with evidence integrity verification
LINUX IR — INVESTIGATION TIMELINE

T+0:00 Alert: SSH brute force — successful auth from foreign IP. Source: auth.log → failed/success pattern → auditd correlation
T+0:03 SSH authorized_keys modified — attacker deploys persistence. Source: filesystem timestamps → inode analysis → ctime vs mtime
T+0:08 Privilege escalation — SUID binary exploited to gain root. Source: auditd execve logs → SUID file access → process tree
T+0:22 Container escape — Docker socket mounted, host access gained. Source: container logs → docker inspect → overlay2 filesystem
T+1:45 Cloud pivot — instance metadata SSRF, IAM credential theft. Source: cloud audit logs → API call timeline → cross-env correlation

Full program: 10 scenarios · Free tools · 40-50 hours · 40 CPE credits

What you'll be able to do

Investigate SSH compromises, rootkits, and cron-based persistence
Analyze Linux auth logs, process trees, and filesystem timestamps
Investigate container breakouts and cloud VM compromises
Reconstruct attacker timelines from system and audit logs
Deploy Linux-specific detection rules from investigation findings
Premium tier | 17 modules | 36–40 hours at your own pace | 40 CPE credits | 2 free modules — no account needed | 10 investigation scenarios | Updated May 2026

Who this course is for

“A Linux server was compromised and I don't know where to start.” You investigate Windows incidents confidently but Linux is unfamiliar territory. Different log locations, different filesystem layout, different persistence mechanisms. This course teaches the structured methodology so Linux investigations feel as natural as Windows.

“I manage Linux servers but I've never investigated one.” Sysadmins and DevOps engineers who need to respond when their systems are compromised. You already know Linux — this course adds the forensic methodology: what to collect, how to preserve evidence, and where attackers hide.

“Our containers keep getting compromised and we can't figure out how.” Container forensics: Docker socket mounts, namespace escapes, overlay2 filesystem analysis, Kubernetes pod investigation. The evidence sources are different from traditional Linux — this course covers both.

“An attacker is using 8 persistence mechanisms and I only found 2.” cron, systemd services, systemd timers, authorized_keys, .bashrc, LD_PRELOAD, rc.local, PAM backdoors. The CHAIN-FACTORY lab scenario plants all 8 — you find them using the methodology or the verification script tells you what you missed.

“The cloud VM was compromised via SSRF and I need to trace the pivot.” Cloud VM investigation: instance metadata exploitation, IAM credential theft from metadata service, cross-environment lateral movement. The investigation starts at the Linux VM and follows the attacker into the cloud provider.

“I need to investigate an SSH brute force but auth.log has 3,500 lines.” The lab pack generates realistic-volume evidence: 847 brute force attempts buried in thousands of lines of legitimate CRON, systemd, and SSH noise. Finding the indicators requires the same filtering and analysis skills you need in production.

Whatever your background — if the subject interests you and you're willing to put in the work, this course is for you.

Before and after this course

Before

A Linux server gets compromised and you escalate to a senior analyst or an external DFIR firm because you don't have the skills to investigate it yourself.

You check /var/log/auth.log and crontab -l. The attacker used systemd timers, LD_PRELOAD, and PAM backdoors. You found 2 of 8 persistence mechanisms and declared the system clean.

The container was compromised. You can see the Docker logs but you can't trace the escape — how the attacker went from container to host, and from host to the rest of the network.

You rebuild the server instead of investigating it. The attacker's persistence in two other systems goes undiscovered because you never traced the lateral movement.

After

You investigate the Linux compromise yourself: evidence collection, log analysis, persistence enumeration, timeline reconstruction. The forensic report is in your CISO's inbox before the external firm answers the phone.

You check all 8 persistence locations systematically: cron, systemd services, systemd timers, authorized_keys, shell profiles, LD_PRELOAD, init scripts, PAM modules. The methodology finds what ad-hoc checking misses.

You trace the container escape: docker.sock mount, namespace breakout, host filesystem access. The overlay2 analysis shows what the attacker modified on the host after escaping the container.

You investigate first, then rebuild. The lateral movement trail leads to 2 additional compromised systems. You contain all three before reimaging. The attacker doesn't survive your investigation.

How the course works

Linux investigation from evidence collection through advanced scenarios:

Phase 1
Foundations

Linux evidence landscape, filesystem layout, log sources, evidence collection methodology, and the DFIR collection script.

Phase 2
Artifact Analysis

Filesystem forensics, process trees, network connections, log analysis, persistence enumeration, memory forensics with Volatility 3.

Phase 3
Advanced Scenarios

Container forensics, Docker and Kubernetes investigation, cloud VM compromise, rootkit detection, web shell analysis.

Phase 4
Investigation

10 Northgate Engineering scenarios, timeline reconstruction, forensic reporting, cross-platform investigation with Windows IR course.

What the content looks like

This is a real analysis from the persistence enumeration module. The attacker installed 8 persistence mechanisms — here's how you find the systemd timer that runs every 5 minutes disguised as a system service.

CLI Output — From Module 6: Persistence Enumeration
# List all non-vendor systemd timers
$ systemctl list-timers --all | grep -v canonical | grep -v systemd
NEXT                         UNIT               ACTIVATES
Sat 2026-03-22 14:10:00 UTC  system-update.timer  system-update.service
# Inspect the suspicious timer
$ cat /etc/systemd/system/system-update.timer
[Timer]
OnBootSec=60
OnUnitActiveSec=300    <-- every 5 minutes
# Inspect what it runs
$ cat /etc/systemd/system/system-update.service
[Service]
ExecStart=/usr/local/bin/.update-check   <-- hidden dotfile
Type=oneshot

The timer is named system-update to blend in. The service runs a hidden dotfile. The module teaches the systematic check: list non-vendor timers, inspect each unit file, verify the binary it runs, and check who created it (stat the file, check timestamps against the attack timeline). This is persistence mechanism 3 of 8.
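The systematic check described above, as an added example that is not the course's own script: it enumerates every timer in a unit directory, resolves the service each one activates, and flags a hidden-dotfile ExecStart, a sub-10-minute OnUnitActiveSec interval, or a unit file whose ctime postdates the attack start. The demo unit files are constructed here to mirror the module's system-update timer; the ctime check assumes GNU stat (-c %Z), and on a live host the directory to pass is /etc/systemd/system.

```shell
# audit_timers DIR ATTACK_EPOCH
# Prints "FLAG <unit> <reasons>" for each suspicious timer found in DIR.
audit_timers() {
  dir=$1; attack_epoch=$2
  for timer in "$dir"/*.timer; do
    [ -f "$timer" ] || continue
    unit=$(basename "$timer" .timer)
    svc="$dir/$unit.service"
    reasons=""
    # Interval: accept N, Ns, Nmin, Nh; anything else is left unflagged
    raw=$(sed -n 's/^OnUnitActiveSec=//p' "$timer" | head -n1)
    case "$raw" in
      *min) secs=$(( ${raw%min} * 60 )) ;;
      *h)   secs=$(( ${raw%h} * 3600 )) ;;
      *s)   secs=${raw%s} ;;
      *)    secs=$raw ;;
    esac
    case "$secs" in ''|*[!0-9]*) secs=0 ;; esac
    [ "$secs" -gt 0 ] && [ "$secs" -lt 600 ] && reasons="$reasons short-interval"
    if [ -f "$svc" ]; then
      # First token of ExecStart is the binary; a dot-prefixed basename is hidden
      exe=$(sed -n 's/^ExecStart=//p' "$svc" | head -n1 | awk '{print $1}')
      case "$(basename "$exe")" in .*) reasons="$reasons hidden-dotfile" ;; esac
    else
      reasons="$reasons missing-service"
    fi
    # ctime (inode change) cannot be backdated with touch, unlike mtime
    for f in "$timer" "$svc"; do
      [ -f "$f" ] && [ "$(stat -c %Z "$f")" -gt "$attack_epoch" ] &&
        { reasons="$reasons changed-after-attack-start"; break; }
    done
    [ -n "$reasons" ] && echo "FLAG $unit$reasons"
  done
  return 0
}

# Constructed demo: the module's attacker timer plus a benign nightly backup timer.
# Writes the unit files to a temp directory and prints its path.
make_demo_units() {
  d=$(mktemp -d)
  printf '[Timer]\nOnBootSec=60\nOnUnitActiveSec=300\n' > "$d/system-update.timer"
  printf '[Service]\nExecStart=/usr/local/bin/.update-check\nType=oneshot\n' > "$d/system-update.service"
  printf '[Timer]\nOnCalendar=daily\n' > "$d/backup.timer"
  printf '[Service]\nExecStart=/usr/local/bin/backup.sh --full\n' > "$d/backup.service"
  echo "$d"
}
```

Passing an attack-start epoch in the future disables the ctime test, which is useful when the timeline is not yet established.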

Lab Pack — CHAIN-FACTORY Investigation

Attack scenario: SSH brute force (847 attempts) → web shell → privilege escalation → 8 persistence mechanisms → cryptominer → credential harvesting → lateral movement → container escape. All planted on your Ubuntu VM.

Included: Attack artifact generator, 30 structured labs, 4 HTML walkthroughs, 4 verification scripts, production DFIR collection script (148 lines, 12 phases).

Linux IR Lab Pack v1
30 labs · ~45 artifacts · 8 persistence mechanisms · realistic-volume evidence

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may not redistribute course content or share account credentials.

Investigation techniques: Apply only to systems you are authorized to investigate. Unauthorized access is criminal in most jurisdictions.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 2.0  |  Last updated: April 2026

v2.0 (April 2026): Lab pack rebuilt. CHAIN-FACTORY with realistic-volume evidence. 30 labs, 8 persistence mechanisms, production DFIR collection script.

v1.0 (2026): Course launch. 17 modules (LX0–LX16). 176 content subs.

This course is actively maintained as Linux and container threat patterns evolve.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40 minutes · 3 phases · 100 points · 2 scenarios

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.