/tmp and /dev/shm Suspicious Files

Linux / Filesystem & Timeline / Disk Image

Location

/tmp/, /var/tmp/, /dev/shm/

Description

World-writable temporary directories commonly used by attackers to stage tools, write exploit payloads, and store exfiltration archives. /dev/shm is a RAM-backed tmpfs that does not persist across reboots.

Forensic Value

Attackers default to /tmp and /dev/shm because these directories are world-writable and often excluded from file integrity monitoring. Finding ELF binaries, shell scripts, encoded payloads, or archive files (tar.gz, zip) in these locations is a strong compromise indicator. Files in /dev/shm are stored in RAM and will be lost on reboot, making live collection critical. Modification timestamps and file ownership link artifacts to specific accounts and timeframes.

Tools Required

find, ls -la, file, strings, stat, lsof

Collection Commands

find

find /tmp /var/tmp /dev/shm -type f -exec file {} \; > /forensics/output/tmp_file_types.txt

tar

tar czf /forensics/output/tmp_contents.tar.gz /tmp/ /var/tmp/ /dev/shm/

find

find /tmp /var/tmp /dev/shm -type f -executable -ls > /forensics/output/tmp_executables.txt

stat

find /tmp /var/tmp /dev/shm -type f -exec stat --format="%n %U %G %y %s" {} \; > /forensics/output/tmp_metadata.txt
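As an added example that is not part of the original card, the POSIX shell script below reproduces the triage the four commands above perform in one pass: walk the temp directories, classify each regular file, and record owner, mtime and size for every hit. It classifies by magic bytes rather than by name or extension, which is the same reason the card runs `file` rather than `ls`: a staged binary renamed to look like a kernel thread in a hidden subdirectory is still reported as ELF. The lab tree, its file names and contents are constructed samples, and every function name (`classify_file`, `file_meta`, `triage_dirs`, `build_lab`) is the example's own. It uses only `find`, `dd`, `od`, `stat` and `printf`, so it runs from a minimal rescue shell.

```shell
#!/bin/sh
# Added example, not from the original page. Triage temp directories for the
# indicators the card lists (ELF binaries, shell scripts, gzip/zip archives)
# and record owner, mtime and size for each hit. The lab tree built at the
# bottom is constructed sample data standing in for /tmp contents.

# classify_file PATH -> prints elf | script | gzip | zip | other
# Decides by the first four bytes, not by name or extension, because staged
# tools are routinely renamed (for example to ".kworker").
classify_file() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;     # \x7fELF
        2321*)    echo script ;;  # "#!" shebang
        1f8b*)    echo gzip ;;    # gzip header, covers .tar.gz
        504b0304) echo zip ;;     # PK\003\004
        *)        echo other ;;
    esac
}

# file_meta PATH -> "owner|mtime|size"; tries GNU stat, falls back to BSD stat
file_meta() {
    stat --format='%U|%y|%s' "$1" 2>/dev/null || stat -f '%Su|%Sm|%z' "$1"
}

# triage_dirs DIR... -> one sorted line per suspicious regular file:
#   class|owner|mtime|size|path     (files classed "other" are omitted)
# Hidden files and subdirectories are covered because find walks them all.
triage_dirs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        cls=$(classify_file "$f")
        if [ "$cls" != other ]; then
            printf '%s|%s|%s\n' "$cls" "$(file_meta "$f")" "$f"
        fi
    done | sort
}

# build_lab DIR -> constructed samples: a renamed file carrying only an ELF
# header, a shell script, a file carrying only a gzip header, and a text note
build_lab() {
    mkdir -p "$1/.hidden"
    printf '\177ELF\002\001\001' > "$1/.hidden/.kworker"   # constructed ELF magic
    printf '#!/bin/sh\necho hi\n' > "$1/x.sh"
    printf '\037\213\010' > "$1/data.tar.gz"               # constructed gzip magic
    printf 'just notes\n' > "$1/notes.txt"
}

# Stand-alone run: build a lab tree, triage it, print the report, clean up
lab=$(mktemp -d)
build_lab "$lab"
triage_dirs "$lab"
rm -rf "$lab"
```

On a real host, replace the lab directory with `/tmp /var/tmp /dev/shm` and redirect the report into the same `/forensics/output/` location the card uses; run it before any reboot, since the /dev/shm entries it reports will not survive one.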

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1059.004, T1105, T1036, T1074.001