First, this walkthrough is going to be quick and will be using the digital forensics tool suite Tsurugi OS, but generally can be applied to many other Linux distros. What is Tsurugi? Per
CSI Linux is another DFIR and cyber investigation Linux distribution in line with CAINE, Tsurugi, and SIFT Workstation. It has been developed over the last few years by the team at Information Warfare Center, who also run the Cyber Secrets YouTube channel.
You have been called to analyze a compromised Linux server. Figure out how the threat actor gained access, what modifications were applied to the system, and what persistent techniques were utilized. (e.g. backdoors, users, sessions, etc).
I am not sure if anyone else has had this problem but lately when the kernel for Arch Linux is updated the DKMS fails to notice the new kernel and tried to install the modules for the old (now removed) kernel.
Configuration Arch Linux + i3wm as a forensics workstation and lab computer. Part 3 of the series.