Building a Linux Incident Response Lab and Toolkit

Reference · Module 0

What you need to practice

A practical skill is built by doing, and that needs somewhere safe to do it. This section sets up that somewhere: a Linux virtual machine you can compromise and investigate without risk, and the analysis toolkit you run against the evidence.

None of it is expensive. Most of the tools ship with or install freely onto a standard Linux system, which is the point from Section 0.3: a complete Linux IR lab costs nothing but the hardware you already own.

The lab: a machine you can safely break

The whole course is built to be run, and running it requires a Linux host you can compromise, investigate, and rebuild without consequence. A virtual machine is the answer, because you can snapshot it clean, stage an attack, investigate, and roll back, as many times as you like. You need three things: virtualization software, a Linux VM, and the discipline to keep the lab isolated from anything that matters.

For virtualization, any hypervisor works: the free VirtualBox, or VMware, or the KVM tooling built into Linux itself. For the VM, install a current long-term-support Linux: an Ubuntu LTS release and a Red Hat-family system such as Rocky Linux or AlmaLinux cover the two families this course references, and having one of each lets you see where the authentication log lives in each place (/var/log/auth.log versus /var/log/secure, as Section 0.5 noted). Give the VM a snapshot the moment it is installed and clean, because that snapshot is your reset button.

Where analysts get it wrong
Practicing attack techniques on a VM that shares a network with systems you care about, or on a cloud instance reachable from the internet. A lab where you stage real compromises must be isolated: a host-only or internal network, no bridge to your home or work LAN, and never a publicly reachable address. The techniques you practice are the same ones attackers use, and a lab that can reach production is not a lab, it is an incident waiting to happen.
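The isolation and snapshot steps above, worked through for the KVM/libvirt case, as an added example that is not part of the course material. Everything in it is an assumption for illustration: the network name irlab-isolated, the 10.10.10.0/24 subnet, the bridge name, and the VM names victim and clean-base. The point it demonstrates is the check a practitioner wants before staging a compromise: a libvirt network is isolated only when its definition carries no forward element, so the script refuses to proceed if one is present.

```bash
#!/usr/bin/env bash
# Define an isolated libvirt network for the lab and check that nothing in its
# definition can route traffic out. Added example; the network name, bridge
# name, subnet and VM names are placeholders, not values from the course.
set -euo pipefail

LAB_NET="${LAB_NET:-irlab-isolated}"
LAB_SUBNET="${LAB_SUBNET:-10.10.10}"

# Write a network definition with NO <forward> element. That absence is what
# makes libvirt build an isolated network: VMs on it and the host can reach
# each other, but nothing is NATed or routed to the host's LAN or the internet.
write_isolated_net_xml() {
    local out="$1"
    cat > "$out" <<EOF
<network>
  <name>$LAB_NET</name>
  <bridge name="virbr-irlab" stp="on" delay="0"/>
  <ip address="$LAB_SUBNET.1" netmask="255.255.255.0">
    <dhcp>
      <range start="$LAB_SUBNET.100" end="$LAB_SUBNET.200"/>
    </dhcp>
  </ip>
</network>
EOF
}

# Gate on a definition before defining it: any <forward ...> (mode="nat",
# "route", "bridge", ...) means lab traffic can leave. Returns 0 if isolated.
net_xml_is_isolated() {
    ! grep -q '<forward' "$1"
}

# The same check against a network libvirt already knows, from its live XML.
# Returns 2 if the network does not exist, so a typo cannot read as "isolated".
live_net_is_isolated() {
    local dump
    dump=$(virsh net-dumpxml "$1" 2>/dev/null) || return 2
    ! printf '%s\n' "$dump" | grep -q '<forward'
}

xml=$(mktemp)
write_isolated_net_xml "$xml"
net_xml_is_isolated "$xml" && echo "$LAB_NET definition is isolated"

# Set LAB_APPLY=1 on a KVM host to actually create the network and snapshot.
if [ "${LAB_APPLY:-0}" = 1 ] && command -v virsh >/dev/null 2>&1; then
    virsh net-define "$xml"
    virsh net-start "$LAB_NET"
    virsh net-autostart "$LAB_NET"
    live_net_is_isolated "$LAB_NET" || { echo "refusing: $LAB_NET is not isolated" >&2; exit 1; }
    # Attach both VMs to this network when you create them
    # (virt-install --network network=$LAB_NET ...), then take the reset point
    # the moment the victim is installed and clean, and revert to it after
    # every exercise:
    #   virsh snapshot-create-as victim clean-base --description "fresh install"
    #   virsh snapshot-revert victim clean-base
fi
# VirtualBox equivalent of the isolation and snapshot steps:
#   VBoxManage modifyvm victim --nic1 intnet --intnet1 irlab
#   VBoxManage snapshot victim take clean-base
```

Run it without LAB_APPLY to see the generated definition pass the isolation check; set LAB_APPLY=1 only on the hypervisor host where you want the network created. The same grep applies to any network XML you inherit from a template: the default libvirt network ships with forward mode="nat" and fails the check, which is exactly the configuration the callout warns against.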

The analysis toolkit

Two kinds of tool matter in Linux IR. The first is already on the box: the standard commands from Section 0.4 (ps, ss, lsof, readlink) and the log readers from Section 0.5, which you use for live triage and which need no installation. The second is the dedicated forensic toolset you install on your analysis workstation to examine collected evidence. Four tools cover the large majority of the course.

The core forensic toolkit
The Sleuth Kit: disk and filesystem analysis. mmls for partitions, fls to list files including deleted ones, icat to extract file contents. The foundation of Module 2.
Plaso / log2timeline: super-timeline generation. log2timeline.py extracts timestamps from many artifact types into a .plaso file; psort.py filters and exports it. Central to Module 3.
Volatility: memory forensics. Parses a RAM image to recover processes, network connections, and injected code. The tool of Module 12.
Velociraptor: live response and evidence collection at scale, querying hosts for artifacts through its own query language (VQL). Used in the response and readiness modules.

You do not have to assemble these by hand. The SANS Investigative Forensic Toolkit, SIFT, is a free Ubuntu-based virtual machine that ships with the Sleuth Kit, Plaso, Volatility, and several hundred other forensic tools already installed and configured. For most learners the fastest path is to run SIFT as the analysis workstation alongside the victim VM you compromise: SIFT holds the tools, the victim VM provides the evidence. If you prefer to build your own analysis host, each tool installs from its project's standard packages, and the course notes the install approach where a module first uses one.

A two-VM lab

Put together, the recommended lab is two virtual machines on an isolated network. One is the victim: a clean Linux install you snapshot, then compromise using the techniques each module teaches, so you generate real evidence rather than reading about it. The other is the analysis workstation, SIFT or your own build, where you examine the evidence you collect from the victim. This mirrors real practice, where you never analyze on the compromised host itself, and it reinforces the collect-first discipline: you pull evidence from the victim to the workstation, then work on the copy.
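The collect-first discipline in the paragraph above, as an added example that is not part of the course material: image a device on the victim, hash it there, verify the hash again on the workstation, and only then analyze the copy. Every name in it is an illustrative assumption (victim.dd, the .sha256 sidecar files, /mnt/evidence), and the demo at the bottom images a constructed file rather than a real disk so it runs anywhere. The functions themselves take a block device such as /dev/vda just as well.

```bash
#!/usr/bin/env bash
# Collect-first evidence handling for the two-VM lab: image a device on the
# victim, hash it, move the copy to the workstation, verify the hash, then work
# only on the copy. Added example; file names and paths are illustrative.
set -euo pipefail

# SHA-256 of a file using coreutils sha256sum or, failing that, perl's shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# VICTIM side. Read the source (a block device such as /dev/vda, or here any
# file) without ever writing to it, write the image, and record both hashes.
# Fails if the image does not hash the same as its source. Image a VM disk
# with the guest paused or shut down, or the two hashes will not agree.
acquire_image() {
    local src="$1" img="$2"
    dd if="$src" of="$img" bs=4M 2>/dev/null
    sha256_of "$src" > "$img.source.sha256"
    sha256_of "$img" > "$img.sha256"
    [ "$(cat "$img.source.sha256")" = "$(cat "$img.sha256")" ]
}

# WORKSTATION side. After copying the image and its .sha256 over the lab
# network (for example scp victim:/evidence/victim.dd* ./), recompute and
# compare. Returns 0 when the copy is intact, 1 if it was altered or truncated.
verify_image() {
    local img="$1" recorded actual
    recorded=$(cat "$img.sha256")
    actual=$(sha256_of "$img")
    [ "$recorded" = "$actual" ]
}

# Only then analyze the copy. The Sleuth Kit reads the image file directly
# (mmls victim.dd to find partitions, then fls and icat with the partition
# offset); if you must mount it, mount it read-only:
#   mount -o ro,loop,noexec,nodev victim.dd /mnt/evidence

# Demo on a constructed file standing in for the victim's disk.
work=$(mktemp -d)
printf 'constructed victim data\n' > "$work/victim.bin"
acquire_image "$work/victim.bin" "$work/victim.dd"
verify_image "$work/victim.dd" && echo "victim.dd verified, safe to analyze"
printf 'x' >> "$work/victim.dd"          # simulate a damaged or tampered transfer
verify_image "$work/victim.dd" || echo "victim.dd does not match, re-copy before analysis"
rm -rf "$work"
```

The two hashes do different jobs: the source hash proves the image is what was on the device at acquisition, the image hash proves the copy you are about to analyze is the one you acquired. Keep both sidecar files with the image; they are the start of the chain of custody for everything Module 2 and Module 3 derive from it.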

You do not need this fully built to continue; the early modules will guide you as specific tools come into play. But building the victim VM and taking that first clean snapshot now means you can run every command as you read it, which is the single highest-value habit in the course. With the lab ready and the toolkit understood, the last section of this module puts the orientation to work: an interactive triage of a compromised host, where you make the first investigative decisions yourself.

Next section
Everything so far has been preparation. Now you run the triage sequence yourself against a compromised host, deciding at each step what to look at and what the evidence means, with feedback on every choice.