Package Manager Logs (dpkg/apt/yum)

Linux, System Configuration, Disk Image

Location

/var/log/dpkg.log, /var/log/apt/history.log (Debian/Ubuntu) or /var/log/yum.log, /var/log/dnf.log (RHEL/CentOS)

Description

Package management system logs recording all software installation, removal, and upgrade operations with timestamps, package names, versions, and the action performed.

Forensic Value

Package manager logs establish a timeline of software changes that may include attacker tool installation. Unexpected package installations (nmap, netcat, tcpdump, proxychains) indicate post-compromise reconnaissance tool deployment. Package removal logs show anti-forensic cleanup attempts. Comparing installation history against authorized change management records identifies unauthorized software deployments.
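One way to make the triage described above repeatable, as an added example that is not part of the original page. It handles only the Debian/Ubuntu `dpkg.log` format; the sample log lines, the function names, and the `authorized` set of (action, package) pairs standing in for change-management records are constructed for illustration.

```python
import re

# Constructed sample of /var/log/dpkg.log lines (not from a real host).
SAMPLE_DPKG_LOG = """\
2024-03-12 02:14:07 startup archives unpack
2024-03-12 02:14:08 install nmap:amd64 <none> 7.80+dfsg1-2
2024-03-12 02:14:09 status installed nmap:amd64 7.80+dfsg1-2
2024-03-12 02:15:40 upgrade openssl:amd64 1.1.1f-1ubuntu2.19 1.1.1f-1ubuntu2.20
2024-03-12 02:16:02 install proxychains:all <none> 3.1-8.1
2024-03-12 03:47:55 remove nmap:amd64 7.80+dfsg1-2 <none>
2024-03-12 03:47:58 purge proxychains:all 3.1-8.1 <none>
"""

# Names from the Forensic Value text; real package names vary (e.g. netcat-openbsd).
WATCHLIST = {"nmap", "netcat", "tcpdump", "proxychains"}

# Action lines: "<date> <time> <action> <pkg>[:<arch>] <old-version> <new-version>"
ACTION_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (install|upgrade|remove|purge) "
    r"([^\s:]+)(?::\S+)? (\S+) (\S+)$"
)

def parse_dpkg_log(text):
    """Return one dict per install/upgrade/remove/purge line, in log order."""
    events = []
    for line in text.splitlines():
        m = ACTION_RE.match(line.strip())
        if m:
            keys = ("time", "action", "package", "old", "new")
            events.append(dict(zip(keys, m.groups())))
    return events

def triage(events, authorized, watchlist=WATCHLIST):
    """Flag unrecorded changes, watchlisted tools, and install-then-remove pairs."""
    findings, installed_at = [], {}
    for e in events:
        pkg, action, reasons = e["package"], e["action"], []
        if (action, pkg) not in authorized:  # authorized: hypothetical change records
            reasons.append("unauthorized")
        if pkg in watchlist:
            reasons.append("watchlist")
        if action == "install":
            installed_at[pkg] = e["time"]
        elif action in ("remove", "purge") and pkg in installed_at:
            reasons.append("removed after install at " + installed_at[pkg])
        if reasons:
            findings.append((e["time"], action, pkg, reasons))
    return findings
```

On a disk image, run the parser over the rotated copies as well (`dpkg.log.1`, and the compressed `dpkg.log.*.gz` files after decompressing them), oldest first, so that install-then-remove pairs spanning a rotation are still matched.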

Tools Required

grep, cat, dpkg --get-selections, rpm -qa, apt list --installed