Login Records (wtmp / btmp / lastlog)
linux, Authentication & Access, Disk Image
Location
/var/log/wtmp, /var/log/btmp, /var/log/lastlog
Description
Binary login record files tracking successful logins and logouts (wtmp), failed login attempts (btmp), and the most recent login per user (lastlog). All three use a structured, fixed-size binary record format that is parsed by the last, lastb, and lastlog commands.
Forensic Value
Binary login records survive text log rotation and deletion because they are written in a structured binary format that cannot be edited with an ordinary text editor. wtmp records include the login source IP, terminal, session duration, and boot/shutdown events. btmp captures failed authentication attempts with source addresses, which supports brute-force detection. Structural analysis of these files can detect tampering through inconsistent record sizes or timestamps.
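The structural checks described above (record size and timestamp consistency), as an added example that is not part of the original page: a small parser for the utmp record layout that flags a file whose length is not a whole number of records and records whose timestamps run backwards. It assumes the glibc x86-64 layout (384-byte records, little-endian); the sample records are constructed, not taken from a real system.

```python
import struct
import sys

# Assumption: glibc struct utmp on x86-64 Linux (384 bytes, little-endian).
# Other architectures or libcs differ, so compare UTMP_SIZE against the file.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {1: "RUN_LVL", 2: "BOOT_TIME", 5: "INIT_PROCESS",
            6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}

def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data):
    """Return one dict per complete record (ut_tv.tv_sec kept as epoch seconds)."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": UT_TYPES.get(f[0], f"UNKNOWN({f[0]})"),
                        "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
                        "host": _cstr(f[5]), "time": f[9]})
    return records

def check_integrity(data):
    """Structural tamper checks for a wtmp/btmp file; returns a list of findings."""
    findings = []
    if len(data) % UTMP_SIZE:
        findings.append(f"size {len(data)} is not a multiple of {UTMP_SIZE}: "
                        "truncated or partially overwritten file")
    prev = None
    for i, r in enumerate(parse_utmp(data)):
        if r["type"].startswith("UNKNOWN"):
            findings.append(f"record {i}: unknown ut_type {r['type']}")
        if prev is not None and r["time"] < prev:
            findings.append(f"record {i}: time {r['time']} earlier than previous "
                            f"{prev} (file is append-only, times should not go back)")
        prev = r["time"]
    return findings

def make_record(ut_type, pid, line, user, host, ts):
    """Build one constructed record for testing; field order follows UTMP_FMT."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    # Usage: python3 this_script.py /var/log/wtmp
    with open(sys.argv[1], "rb") as fh:
        print("\n".join(check_integrity(fh.read())) or "no structural anomalies")
```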
Tools Required
last, lastb, lastlog, utmpdump, who