Init Scripts & RC Local

linuxPersistence MechanismsDisk Image

Location

/etc/rc.local, /etc/init.d/*, /etc/rc*.d/*, /etc/local.d/ (Alpine)

Description

Legacy System V init scripts and the rc.local file that execute commands at system boot. While systemd has largely replaced SysVinit, rc.local compatibility is maintained on many distributions and init.d scripts remain functional.

Forensic Value

rc.local executes as root at boot and is a straightforward persistence mechanism that attackers use because it requires only appending a line to an existing file. Init.d scripts in /etc/init.d/ with symlinks in /etc/rc*.d/ define service start/stop behavior at different runlevels. Newly created or recently modified init scripts indicate persistence installation. File modification timestamps and comparison with package-managed originals identify unauthorized changes.

Tools Required

catfindls -lastatdiffdebsums

Acquisition Methods

dd / dc3dd Raw Disk Image

linux — physical

dcfldd Forensic Disk Image

linux — physical

ewfacquire E01 Disk Image

linux — physical

Guymager Full Disk Image

linux — physical

tar Logical Collection

linux — logical