SSH known_hosts & Client Config

linux | User Activity | Disk Image

Location

/home/<username>/.ssh/known_hosts, /home/<username>/.ssh/config, /etc/ssh/ssh_config

Description

SSH client-side artifacts including known_hosts (recording host keys of every SSH server the user connected to), client config files (defining connection aliases, proxy commands, and identity files), and potentially SSH agent socket paths.

Forensic Value

The known_hosts file maps every SSH server a user has connected to, revealing lateral movement targets and external infrastructure. Hashed entries can be tested against known hosts using ssh-keygen -F. The SSH config file may reveal attacker-configured proxy jumps, tunnels, or custom identity key paths used for pivoting. Combined with auth.log entries on destination systems, known_hosts reconstructs the complete SSH lateral movement graph.
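The hashed-entry test mentioned above can also be run offline against a disk image. The following is an added example, not part of the original page: a hashed entry has the form `|1|<salt>|<hash>`, where the hash is HMAC-SHA1 of the host string keyed with the per-entry salt. The function names, the candidate list (for instance, hosts taken from an asset inventory), and the sample data are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """HashKnownHosts token: base64(HMAC-SHA1(key=salt, msg=host string))."""
    return base64.b64encode(hmac.new(salt, host.encode(), hashlib.sha1).digest()).decode()

def parse_known_hosts(text, candidates):
    """Return one dict per entry; hashed hosts are resolved only via candidates."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Optional marker: @cert-authority or @revoked
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed or truncated entry
        hosts_field, keytype, blob = fields[:3]
        hashed = hosts_field.startswith("|1|")
        try:
            if hashed:
                _, _, salt_b64, digest = hosts_field.split("|")
                salt = base64.b64decode(salt_b64)
                hosts = [c for c in candidates if hmac.compare_digest(hash_host(c, salt), digest)]
            else:
                hosts = hosts_field.split(",")
            # Same fingerprint form that ssh-keygen -l prints (unpadded base64 SHA-256)
            fp = "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(blob)).digest()).decode().rstrip("=")
        except ValueError:
            continue  # bad base64 or wrong field count
        rows.append({"line": lineno, "marker": marker, "hashed": hashed,
                     "hosts": hosts, "keytype": keytype, "fingerprint": fp})
    return rows

def build_sample():
    """Constructed known_hosts text; salts and key blobs are dummy bytes, not real keys."""
    blob = base64.b64encode(b"constructed-key-bytes").decode()
    def hashed(host, salt):
        return "|1|%s|%s" % (base64.b64encode(salt).decode(), hash_host(host, salt))
    return "\n".join([
        "# constructed sample",
        "jump.example.internal,192.0.2.10 ssh-ed25519 " + blob,
        hashed("198.51.100.7", b"constructed-salt-001") + " ssh-ed25519 " + blob,
        hashed("203.0.113.9", b"constructed-salt-002") + " ssh-rsa " + blob,
        "@cert-authority *.example.internal ssh-ed25519 " + blob,
    ])

if __name__ == "__main__":
    for row in parse_known_hosts(build_sample(), ["198.51.100.7", "db01.example.internal"]):
        print(row)
```

A hashed entry whose `hosts` list comes back empty still proves a connection to some host outside the candidate list. Servers on non-default ports are stored as `[host]:port`, so candidates for those must be supplied in that form.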

Tools Required

cat, ssh-keygen -lF, grep, find