Linux forensics begins with a clear understanding of how Linux organizes files, directories, and system data. The Linux file system layout follows a standardized structure defined by the Filesystem Hierarchy Standard (FHS). This structure helps investigators know exactly where to look for logs, configurations, user files, binaries, and system artifacts.
Unlike Windows, Linux does not rely on drive letters. Everything begins from a single root directory /, and all other directories branch out from it.
This chapter explains the Linux file system layout and the forensic value of each major directory.
The Linux File System Structure (FHS Overview)
The Linux file system is hierarchical, starting from the root directory /.
All system files, user data, devices, and configuration files exist in subdirectories under /.
Key top-level directories include:
-
/bin -
/sbin -
/etc -
/var -
/home -
/root -
/lib -
/proc -
/sys -
/dev -
/tmp -
/usr -
/boot
Each directory serves a specific purpose in system operations and forensic investigation.
/ (Root Directory)
The top of the directory tree.
All other directories branch from here.
Forensic value:
Provides structure for locating every other artifact.
/bin (Essential User Binaries)
Contains essential command-line utilities required for basic operations.
Examples:
-
ls -
cp -
mv -
cat -
bash
Forensics relevance:
-
Check for tampered binaries (rootkits often replace them).
-
Compare hashes with known good versions.
/sbin (System Binaries)
Contains binaries used for system administration.
Examples:
-
mount -
fsck -
iptables -
systemctl -
init
Forensics relevance:
-
Detect unauthorized modifications to system binaries.
-
Identify unusual admin-level commands executed.
/etc (Configuration Files)
One of the most important directories for Linux forensics.
Stores system-wide configuration files.
Examples:
-
/etc/passwd– user accounts -
/etc/shadow– password hashes -
/etc/group– group information -
/etc/ssh/sshd_config– SSH settings -
/etc/sudoers– sudo permissions -
/etc/fstab– filesystem mount info
Forensics relevance:
-
Identify new users created by attackers
-
Check SSH configuration for backdoors
-
Examine cron jobs for persistence
-
Review password or group manipulation
-
Detect altered services
/home (User Home Directories)
Each normal user has a folder under /home.
Example: /home/alice/
Contains:
-
Documents
-
Downloads
-
Bash history (
.bash_history) -
SSH keys (
.ssh/) -
User-specific configurations
-
Hidden files (
.*)
Forensics relevance:
-
Primary location of user activity
-
Contains browser data, personal files, and logs
-
.bash_historyoften reveals executed commands
/root (Root User Home Directory)
Home directory for the system administrator (root user).
Location: /root
Forensics relevance:
-
Contains admin-level activity
-
Bash history can reveal privileged operations
-
Check for malicious scripts uploaded by attackers
/var (Variable Files)
Contains files that change frequently.
Key subdirectories:
-
/var/log– system and application logs -
/var/mail– user mailboxes -
/var/spool– scheduled jobs -
/var/www– web server files -
/var/lib– service data (databases, containers)
Forensics relevance:
-
Logs are essential for timeline reconstruction
-
Web server compromise signs often found in
/var/www -
Cron jobs and spool queues may contain malicious tasks
/var/log (Critical Logging Directory)
One of the most forensic-rich folders.
Common logs:
-
auth.log– authentication attempts -
syslog– general system events -
dmesg– kernel logs -
secure– security-related logs -
boot.log– boot events -
apache2/ornginx/– web server logs
Forensics relevance:
-
Track logins and failed attempts
-
Identify brute-force attacks
-
Detect privilege escalation
-
Observe malware behavior
-
Reconstruct events for timeline analysis
/usr (User Applications & Libraries)
Contains installed applications and system-wide resources.
Key subdirectories:
-
/usr/bin– non-essential binaries -
/usr/sbin– admin binaries -
/usr/lib– libraries -
/usr/share– shared data
Forensics relevance:
-
Identify newly installed or tampered binaries
-
Check for malicious programs dropped by attackers
/lib and /lib64 (Shared Libraries)
Store essential libraries used by binaries.
Forensics relevance:
-
Check for replaced libraries (common rootkit technique)
/dev (Device Files)
Contains pseudo-files representing devices.
Examples:
-
/dev/sda1– disk partition -
/dev/null– data sink -
/dev/tty– terminals
Forensics relevance:
-
Important when imaging disk partitions
-
Device manipulation may indicate rootkits
/proc (Process Information)
A virtual filesystem that stores real-time process and system information.
Contains:
-
Running process data (
/proc/<PID>/) -
Kernel modules (
/proc/modules) -
CPU info
-
Memory info
Forensics relevance:
-
Inspect running processes
-
Check loaded modules for rootkits
-
Analyze memory maps
/sys (System Information)
Another virtual filesystem containing kernel and hardware data.
Forensics relevance:
-
Review kernel status
-
Detect hardware manipulation
-
Check for malicious kernel modules
/boot (Boot Loader Files)
Contains:
-
Kernel image (
vmlinuz) -
Initrd/initramfs
-
GRUB bootloader configuration
Forensics relevance:
-
Check for boot-level persistence
-
Detect tampered kernel or GRUB configs
/tmp (Temporary Files)
Temporary storage accessible to all users.
Forensics relevance:
-
Malware often hides or executes here
-
Web shells sometimes stored in
/tmp -
Temporary download files may reveal attacker activity
Summary
The Linux file system layout is structured according to FHS, with each directory serving a specific purpose. Understanding the roles of /etc, /var/log, /home, /root, /proc, /boot, and /tmp is essential for forensic investigations. These directories contain logs, user activity, system configuration, malware traces, and artifacts that help investigators reconstruct actions taken on a Linux system.
This foundational knowledge prepares investigators for deeper Linux forensic techniques in later chapters.