Login Records (wtmp / btmp / lastlog)

Linux · Authentication & Access · Disk Image

Location

/var/log/wtmp, /var/log/btmp, /var/log/lastlog

Description

Binary login record files tracking successful logins and logouts (wtmp), failed login attempts (btmp), and the most recent login per user (lastlog). Each file is a sequence of fixed-size binary records (struct utmp) parsed by the last, lastb, and lastlog commands.

Forensic Value

Binary login records survive text log rotation and deletion because they are written in a fixed-size binary record format that cannot be edited with ordinary text tools. wtmp records include the login source IP, terminal, session duration (from paired login and logout records), and boot/shutdown events. btmp captures failed authentication attempts with source addresses, which supports brute-force detection. Structural analysis of these files can detect tampering through inconsistent record sizes (a file length that is not a whole number of records) or timestamps that do not increase in file order.
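As an added example, not part of the original page, the parser below decodes wtmp/btmp records using the glibc x86_64 struct utmp layout (384 bytes per record, an assumption to confirm against utmpdump output from the source host), pairs each login with its logout to recover session duration, and flags the two tampering indicators described above: a file length that is not a multiple of the record size and timestamps that run backwards. The sample records and the usernames and addresses in them are constructed test data.

```python
import socket
import struct
from datetime import datetime, timezone

# glibc x86_64 'struct utmp', 384 bytes per record (assumed layout; other ABIs differ)
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _cstr(raw):  # NUL-terminated fixed-width field -> str
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")
def _addr(words):  # ut_addr_v6: an IPv4 source sits in word 0, IPv6 fills all four
    packed = struct.pack("<4i", *words)
    return socket.inet_ntop(socket.AF_INET6, packed) if any(words[1:]) else socket.inet_ntoa(packed[:4])

def parse_wtmp(data):  # -> (records, integrity findings)
    records, findings, prev_sec = [], [], 0
    if len(data) % UTMP_SIZE:
        findings.append(f"length {len(data)} is not a multiple of {UTMP_SIZE}: truncated or edited")
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        rec = {"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
               "sec": f[9], "addr": _addr(f[11:15]), "time": datetime.fromtimestamp(f[9], timezone.utc).isoformat()}
        if rec["sec"] < prev_sec:  # wtmp is append-only, so time should never run backwards
            findings.append(f"record {off // UTMP_SIZE} at {rec['time']} precedes the record before it")
        prev_sec = max(prev_sec, rec["sec"])
        records.append(rec)
    return records, findings

def sessions(records):  # pair each login with the logout on the same line and pid
    open_, out = {}, []
    for r in records:
        key = (r["line"], r["pid"])
        if r["type"] == USER_PROCESS:
            open_[key] = r
        elif r["type"] == DEAD_PROCESS and key in open_:
            login = open_.pop(key)
            out.append((login["user"], login["addr"], login["time"], r["sec"] - login["sec"]))
    out += [(r["user"], r["addr"], r["time"], None) for r in open_.values()]  # no logout recorded
    return out

def make_record(ut_type, pid, line, user, host, sec, ipv4="0.0.0.0"):  # constructed test data
    (a0,) = struct.unpack("<i", socket.inet_aton(ipv4))
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, a0, 0, 0, 0)

SAMPLE_WTMP = b"".join([  # constructed, not captured from a real host
    make_record(BOOT_TIME, 0, "~", "reboot", "6.1.0-generic", 1700000000),
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.5", 1700000600, "203.0.113.5"),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700001500),
    make_record(USER_PROCESS, 5151, "pts/1", "bob", "198.51.100.7", 1700000900, "198.51.100.7"),
]) + b"\x00" * 17  # 17 stray bytes, as a truncated or hand-edited file would carry
```

Running `parse_wtmp` on the sample reports both findings (stray trailing bytes and the out-of-order bob record), and `sessions` yields a 900-second session for alice and an open session for bob; cross-check any real file against `utmpdump`, which prints the same fields in text form.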

Tools Required

last, lastb, lastlog, utmpdump, who

Collection Commands

cp

cp /var/log/wtmp /var/log/btmp /var/log/lastlog /forensics/output/

last

last -f /var/log/wtmp -aiF > /forensics/output/wtmp_parsed.txt

lastb

lastb -f /var/log/btmp -aiF > /forensics/output/btmp_parsed.txt

utmpdump

utmpdump /var/log/wtmp > /forensics/output/wtmp_dump.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1078, T1110, T1070.002