Package Manager Logs (dpkg/apt/yum)

Linux, System Configuration, Disk Image

Location

/var/log/dpkg.log, /var/log/apt/history.log (Debian/Ubuntu) or /var/log/yum.log, /var/log/dnf.log (RHEL/CentOS)

Description

Package management system logs recording all software installation, removal, and upgrade operations with timestamps, package names, versions, and the action performed.

Forensic Value

Package manager logs establish a timeline of software changes that may include attacker tool installation. Unexpected package installations (nmap, netcat, tcpdump, proxychains) indicate post-compromise reconnaissance tool deployment. Package removal logs show anti-forensic cleanup attempts. Comparing installation history against authorized change management records identifies unauthorized software deployments.
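As an added example (not part of this entry), a small Python triage script that parses the action lines of dpkg.log, flags installs of the reconnaissance packages named above, and lists packages that were installed and later removed or purged within the same log window. The log lines and the watch list are constructed for illustration; the watch list should be tuned to the environment's change-management baseline.

```python
import re
from collections import namedtuple

# Constructed sample of /var/log/dpkg.log lines (not taken from a real host).
SAMPLE_DPKG_LOG = """\
2024-03-02 01:12:03 startup archives unpack
2024-03-02 01:12:04 install nmap:amd64 <none> 7.93+dfsg1-1
2024-03-02 01:12:05 status half-installed nmap:amd64 7.93+dfsg1-1
2024-03-02 01:12:06 status installed nmap:amd64 7.93+dfsg1-1
2024-03-02 01:12:10 upgrade curl:amd64 7.88.1-10 7.88.1-10+deb12u5
2024-03-02 01:13:41 install netcat-openbsd:amd64 <none> 1.219-1
2024-03-02 02:05:17 remove nmap:amd64 7.93+dfsg1-1 <none>
2024-03-02 02:05:18 purge nmap:amd64 7.93+dfsg1-1 <none>
2024-03-02 02:05:20 trigproc man-db:amd64 2.11.2-2 <none>
"""

# Packages this entry names as post-compromise reconnaissance tooling (constructed list).
WATCHLIST = {"nmap", "netcat-openbsd", "netcat-traditional", "tcpdump",
             "proxychains", "proxychains4"}

# dpkg.log action lines: "<date> <time> <action> <pkg>[:<arch>] <old-version> <new-version>".
# "status", "startup", "configure" and "trigproc" lines are skipped; they add no timeline value here.
ACTION_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>install|upgrade|remove|purge) "
    r"(?P<pkg>[^: ]+)(?::(?P<arch>\S+))? (?P<old>\S+) (?P<new>\S+)$"
)

Event = namedtuple("Event", "ts action pkg old new")

def parse_dpkg_log(text):
    """Return the install/upgrade/remove/purge events in log order."""
    events = []
    for line in text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            events.append(Event(f"{m['date']} {m['time']}", m["action"],
                                m["pkg"], m["old"], m["new"]))
    return events

def triage(events):
    """Return (watch-list installs, packages installed then removed/purged)."""
    hits = [e for e in events if e.action == "install" and e.pkg in WATCHLIST]
    installed = {e.pkg for e in events if e.action == "install"}
    cleaned = sorted({e.pkg for e in events
                      if e.action in ("remove", "purge") and e.pkg in installed})
    return hits, cleaned
```

Run it against the collected dpkg_installs.log or the full dpkg.log; an install-then-remove pair for a watch-listed package is the pattern the Forensic Value section describes as cleanup.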

Tools Required

grep, cat, dpkg --get-selections, rpm -qa, apt list --installed

Collection Commands

tar

tar czf /forensics/output/pkg_logs.tar.gz /var/log/dpkg.log* /var/log/apt/ /var/log/yum.log* /var/log/dnf.log*

grep

grep " install " /var/log/dpkg.log > /forensics/output/dpkg_installs.log

cat

cat /var/log/apt/history.log > /forensics/output/apt_history.log

dpkg

dpkg --get-selections > /forensics/output/installed_packages.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1072, T1059.004, T1105