/tmp and /dev/shm Suspicious Files

Linux | Filesystem & Timeline | Disk Image

Location

/tmp/, /var/tmp/, /dev/shm/

Description

World-writable temporary directories commonly used by attackers to stage tools, write exploit payloads, and store exfiltration archives. /dev/shm is a RAM-backed tmpfs whose contents do not persist across reboots.

Forensic Value

Attackers default to /tmp and /dev/shm because these directories are world-writable and often excluded from file integrity monitoring. Finding ELF binaries, shell scripts, encoded payloads, or archive files (tar.gz, zip) in these locations is a strong compromise indicator. Files in /dev/shm are stored in RAM and will be lost on reboot, making live collection critical. Modification timestamps and file ownership link artifacts to specific accounts and timeframes.

Tools Required

find, ls -la, file, strings, stat, lsof
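A triage script, added here as an example and not part of the original entry, that applies the indicators from Forensic Value to the three locations using find, stat and od: it classifies files by their leading bytes rather than their names, so a renamed ELF binary or archive is still reported, and prints owner, permissions and modification time for the timeline. It assumes GNU or busybox coreutils for stat -c; passing directory arguments runs it against a test tree instead of the live paths.

```sh
#!/bin/sh
# Added example, not part of the original entry: triage the world-writable temp
# directories for staged tooling by content, not filename. Attackers rename
# payloads freely, so the first bytes of each file decide its class.
# Assumes GNU or busybox coreutils for `stat -c`; `find` and `od` are POSIX.

# Classify one file by its magic bytes: elf, script, archive or other.
classify_file() {
    magic=$(od -An -tx1 -N4 < "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        7f454c46)                         echo elf ;;      # \x7fELF header
        2321*)                            echo script ;;   # "#!" shebang
        1f8b*|504b0304|425a68*|fd377a58)  echo archive ;;  # gzip, zip, bzip2, xz
        *)                                echo other ;;
    esac
}

# Walk the given directories (default: the three named in Location) and print
# one line per hit as class|owner|perms|mtime|path, ready for sort or a timeline.
triage_tmp() {
    [ $# -eq 0 ] && set -- /tmp /var/tmp /dev/shm
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -xdev keeps the walk on one filesystem so a mount cannot drag it away
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            class=$(classify_file "$f")
            if [ "$class" = other ]; then
                continue
            fi
            owner=$(stat -c '%U' "$f" 2>/dev/null || echo '?')
            perms=$(stat -c '%a' "$f" 2>/dev/null || echo '?')
            mtime=$(stat -c '%y' "$f" 2>/dev/null | cut -d. -f1)
            printf '%s|%s|%s|%s|%s\n' "$class" "$owner" "$perms" "$mtime" "$f"
        done
    done
}

# Number of hits, so a live-collection script can decide whether to preserve
# the tree before a reboot empties /dev/shm.
count_hits() {
    triage_tmp "$@" | grep -c . || true
}
```

Run with no arguments on a live host to cover /tmp, /var/tmp and /dev/shm; the output sorts by the mtime field to line hits up against other timeline sources.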