Systemd Service Files

linuxPersistence MechanismsDisk Image

Location

/etc/systemd/system/, /usr/lib/systemd/system/, ~/.config/systemd/user/

Description

Systemd unit files defining services, their ExecStart commands, restart policies, dependencies, and user contexts. Custom units can be placed in /etc/systemd/system/ to override or extend defaults.

Forensic Value

Malicious systemd services provide robust persistence that survives reboots and automatic restarts on failure. The ExecStart directive reveals the exact binary and arguments executed. Services set to Restart=always will respawn even if killed. Checking for recently created .service files in /etc/systemd/system/ with unusual ExecStart paths (e.g., /tmp, /dev/shm, or hidden directories) identifies attacker persistence.

Tools Required

systemctl list-unitsfindcatjournalctl -u

Acquisition Methods

dd / dc3dd Raw Disk Image

linux — physical

dcfldd Forensic Disk Image

linux — physical

ewfacquire E01 Disk Image

linux — physical

Guymager Full Disk Image

linux — physical

tar Logical Collection

linux — logical