Systemd Journal (Persistent Binary Logs)

Linux, System Configuration, Disk Image

Location

/var/log/journal/<machine-id>/*.journal

Description

Systemd binary journal files aggregating log output from all systemd services, kernel messages, and stdout/stderr of managed processes. Supports structured fields, forward-secure sealing (FSS), and indexed querying via journalctl.

Forensic Value

The systemd journal aggregates logs from all sources into a single queryable binary format that may contain entries not present in traditional text log files. Forward-secure sealing (FSS) cryptographically protects log integrity, making tamper detection possible. Journal entries include structured metadata fields (unit name, PID, UID) that enable precise filtering. Persistent journals in /var/log/journal survive reboots and may retain longer history than rotated text logs.
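As an added example that is not part of this reference entry, the Python helper below consumes `journalctl -o json` output (exported from an offline copy of /var/log/journal with `journalctl --directory`) and uses the structured fields to type, filter and group entries per boot. The sample records, the function names and the example paths are constructed here; the journal field names are the real ones.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in the one-object-per-line shape of `journalctl -o json`;
# field names are real journal fields, the values are made up.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"__REALTIME_TIMESTAMP": "1700000000000000", "_BOOT_ID": "b1", "_SYSTEMD_UNIT": "ssh.service",
     "_PID": "812", "_UID": "0", "PRIORITY": "6", "MESSAGE": "Accepted publickey for root from 203.0.113.5"},
    {"__REALTIME_TIMESTAMP": "1700000001000000", "_BOOT_ID": "b1", "_SYSTEMD_UNIT": "cron.service",
     "_PID": "900", "_UID": "0", "PRIORITY": "6", "MESSAGE": [72, 105, 255]},  # non-UTF-8 bytes
    {"__REALTIME_TIMESTAMP": "1700003600000000", "_BOOT_ID": "b2", "_SYSTEMD_UNIT": "ssh.service",
     "_PID": "610", "_UID": "0", "PRIORITY": "4", "MESSAGE": "Failed password for invalid user admin from 198.51.100.7"},
])

def _text(value):
    """journalctl -o json emits non-UTF-8 field values as arrays of byte values."""
    return bytes(value).decode("utf-8", errors="replace") if isinstance(value, list) else value

def parse_journal_json(text):
    """Parse `journalctl -o json` output into entries with typed structured fields."""
    entries = []
    for line in filter(None, text.splitlines()):
        rec = json.loads(line)
        entries.append({
            "time": datetime.fromtimestamp(int(rec["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc),
            "boot_id": rec.get("_BOOT_ID"),
            "unit": rec.get("_SYSTEMD_UNIT"),
            "pid": int(rec["_PID"]) if "_PID" in rec else None,
            "uid": int(rec["_UID"]) if "_UID" in rec else None,
            "priority": int(rec.get("PRIORITY", 6)),  # syslog level: 0=emerg .. 7=debug
            "message": _text(rec.get("MESSAGE", "")),
        })
    return entries

def filter_entries(entries, unit=None, uid=None, max_priority=None):
    """Select by unit name, UID or syslog priority (lower number = more severe)."""
    return [e for e in entries
            if (unit is None or e["unit"] == unit)
            and (uid is None or e["uid"] == uid)
            and (max_priority is None or e["priority"] <= max_priority)]

def entries_per_boot(entries):
    """Count entries per unit within each boot; _BOOT_ID separates boot sessions."""
    out = defaultdict(Counter)
    for e in entries:
        out[e["boot_id"]][e["unit"]] += 1
    return dict(out)

def journalctl_export_cmd(journal_dir):
    """argv that exports an offline copy of /var/log/journal taken from an image."""
    return ["journalctl", "--directory", journal_dir, "-o", "json", "--no-pager"]
```

Run `journalctl --verify --directory <dir>` on the same copy first when FSS is in use, so entries are only trusted after the sealing check passes.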

Tools Required

journalctl, systemd-journal-remote, journal-brief, SIEM (Splunk, Elastic)