Linux File System Hunting
Introduction
Linux is one of the most widely used operating systems in servers, cybersecurity environments, cloud infrastructure, embedded systems, and development platforms. One of the most important skills for system administrators, ethical hackers, cybersecurity professionals, and developers is understanding how to navigate and investigate the Linux file system effectively. This process is often referred to as Linux File System Hunting.
File system hunting involves searching, analyzing, identifying, and monitoring files and directories within a Linux operating system. It plays a major role in cybersecurity investigations, digital forensics, malware analysis, system administration, and troubleshooting. By mastering Linux file system hunting, professionals can identify suspicious files, locate sensitive data, analyze permissions, detect unauthorized changes, and improve overall system security.
This blog provides a detailed explanation of Linux file system hunting, including Linux directory structure, important commands, searching techniques, permission analysis, forensic investigation methods, and security best practices.
Understanding the Linux File System
The Linux file system follows a hierarchical structure that starts from the root directory represented by a forward slash /. Unlike Windows, Linux treats everything as a file, including hardware devices, processes, and configurations.
Basic Linux File System Structure
Below are some of the most important directories in Linux:
| Directory | Purpose |
|---|---|
| / | Root directory containing all files and folders |
| /home | Stores user home directories |
| /etc | Configuration files |
| /var | Variable data like logs and cache |
| /bin | Essential binary commands |
| /usr | User-installed software and libraries |
| /tmp | Temporary files |
| /dev | Device files |
| /proc | Process and kernel information |
| /opt | Optional software packages |
| /root | Home directory of the root user |
Understanding these directories is essential because attackers often hide malicious files in locations such as /tmp, /var/tmp, or hidden directories inside /home.
What is File System Hunting?
File system hunting refers to the process of searching through directories and files to gather information, identify anomalies, detect threats, or recover evidence.
It includes tasks such as:
Searching for suspicious files
Finding hidden directories
Detecting unauthorized scripts
Investigating file permissions
Locating malware
Monitoring file modifications
Recovering deleted files
Identifying privilege escalation vectors
Cybersecurity analysts and forensic investigators heavily rely on file system hunting to investigate security incidents.
Essential Linux Commands for File System Hunting
Linux provides powerful commands that help users investigate the system efficiently.
1. pwd Command
The pwd command displays the current working directory.
pwd
Example Output:
/home/kanishka
This helps users identify their current location within the file system.
2. ls Command
The ls command lists files and directories.
ls
Useful variations:
ls -la
Options explanation:
-l → Long listing format
-a → Show hidden files
Example:
drwxr-xr-x 2 user user 4096 May 10 Documents
-rw-r--r-- 1 user user 1200 script.sh
Hidden files begin with a dot (.), which attackers sometimes use to conceal malicious scripts.
3. cd Command
Used to navigate directories.
cd /var/log
Move back one directory:
cd ..
Return to home directory:
cd ~
Efficient navigation is critical during investigations.
4. find Command
The find command is one of the most powerful tools for file system hunting.
Search by File Name
find / -name "password.txt"
Search Hidden Files
find / -name ".*"
Search by File Type
find / -type f
Search Recently Modified Files
find / -mtime -1
This identifies files modified within the last 24 hours.
Search Large Files
find / -size +100M
Attackers may store payloads or exfiltrated data in large hidden files.
5. grep Command
The grep command searches text patterns inside files.
Search for Passwords
grep -r "password" /etc
Search Suspicious Keywords
grep -r "nc" /home
This can help identify reverse shell scripts or malicious commands. The pattern is deliberately broad and also matches ordinary text, so treat the results as a starting point for manual review rather than a verdict.
6. locate Command
The locate command quickly finds files using a database.
locate ssh_config
Update the database:
updatedb
This is faster than find on large systems, but locate only knows about files recorded at the last updatedb run, so files created since then will not appear until the database is refreshed.
7. stat Command
Displays detailed file metadata.
stat file.txt
Output includes:
Access time
Modification time
Change time
Permissions
Ownership
This is useful in forensic investigations.
Hunting Hidden Files and Directories
Linux hides any file or directory whose name begins with a dot (.) from a plain ls listing.
Example:
.hidden_script.sh
To display hidden files:
ls -la
Attackers frequently hide malicious payloads in hidden directories like:
~/.config
~/.cache
/tmp/.hidden
Searching hidden files:
find / -name ".*"
File Permission Hunting
Linux permissions determine who can read, write, or execute files.
Understanding Permissions
Example:
-rwxr-xr--
Breakdown:
| Symbol | Meaning |
|---|---|
| r | Read |
| w | Write |
| x | Execute |
Permission categories:
Owner
Group
Others
Hunting Dangerous Permissions
World-Writable Files
find / -perm -o+w
These files can be modified by any user on the system; a world-writable script, configuration file, or binary that a privileged process later reads or executes is a direct path to privilege escalation.
SUID Files
SUID (set-user-ID) causes a program to run with the privileges of the file's owner, usually root, instead of those of the user who launched it.
Search SUID files:
find / -perm -4000
Examples include:
/usr/bin/passwd
Attackers may exploit vulnerable SUID binaries for privilege escalation.
SGID Files
Search SGID files:
find / -perm -2000
An SGID executable runs with the privileges of the file's group rather than the caller's group; on a directory, the bit makes newly created files inherit the directory's group.
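The find-based hunts from the find and permission sections above, wrapped into functions and run against a constructed sample tree, as an added example that is not part of the original post; the sample paths, file names and the 60-minute window are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the find-based hunts above
# wrapped as functions and run against a constructed sample tree.
# The tree layout and file names are assumptions made for the demo.
set -e

# Build a small constructed tree containing one of each finding.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/home/user/.config" "$root/tmp/.hidden" "$root/usr/bin"
    printf '#!/bin/sh\necho ok\n' > "$root/tmp/.hidden/update.sh"
    printf 'shared notes\n'       > "$root/home/user/shared.txt"
    printf 'ELF stand-in\n'       > "$root/usr/bin/helper"
    chmod 0777 "$root/home/user/shared.txt"   # world-writable regular file
    chmod 4755 "$root/usr/bin/helper"         # SUID bit: runs as file owner
    chmod 2755 "$root/tmp/.hidden/update.sh"  # SGID bit: runs as file group
}

# Each hunt prints matching paths, one per line, sorted for stable output.
# -type f limits results to regular files; world-writable directories such
# as a sticky-bit /tmp are expected and would only add noise here.
hunt_world_writable() { find "$1" -type f -perm -o+w | sort; }
hunt_suid()           { find "$1" -type f -perm -4000 | sort; }
hunt_sgid()           { find "$1" -type f -perm -2000 | sort; }
hunt_hidden()         { find "$1" ! -path "$1" -name '.*' | sort; }
# Files changed within the last N minutes; the post's -mtime -1 is the
# 24-hour version of the same idea.
hunt_recent()         { find "$1" -type f -mmin "-$2" | sort; }

# Print a labelled report of every hunt over one root directory.
hunt_report() {
    root="$1"
    for hunt in world_writable suid sgid hidden; do
        echo "== $hunt =="
        "hunt_$hunt" "$root"
    done
    echo "== modified in last 60 minutes =="
    hunt_recent "$root" 60
}

# Stand-alone demo on a throwaway directory.
ROOT=$(mktemp -d)
make_sample_tree "$ROOT"
hunt_report "$ROOT"
rm -rf "$ROOT"
```

On a real host, pass / (or a narrower directory such as /tmp or /home) to hunt_report and redirect stderr to discard permission-denied noise.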
Hunting Log Files
Logs are essential for identifying suspicious activity.
Important Log Locations
| Log File | Purpose |
|---|---|
| /var/log/auth.log | Authentication logs |
| /var/log/syslog | System logs |
| /var/log/kern.log | Kernel logs |
| /var/log/apache2/ | Web server logs |
Investigating Failed Login Attempts
grep "Failed password" /var/log/auth.log
This helps detect brute-force attacks.
Checking User Login History
last
Display active users:
who
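The failed-login grep above extended into a per-source count with a brute-force threshold and a list of targeted accounts, as an added example that is not part of the original post; the log lines are constructed, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges rather than real hosts.

```shell
#!/bin/sh
# Added example, not from the original post: count "Failed password" lines
# per source address and flag likely brute force. The sample log is
# constructed; its addresses come from the RFC 5737 documentation ranges.
set -e

# Write a constructed auth.log excerpt to the path given as $1.
write_sample_log() {
    cat > "$1" <<'EOF'
May 10 09:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
May 10 09:12:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
May 10 09:12:05 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51124 ssh2
May 10 09:12:09 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51130 ssh2
May 10 09:15:44 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
May 10 09:16:02 web1 sshd[2210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
May 10 09:20:17 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2
EOF
}

# Failures per source address as "count ip", highest first. The address is
# the field that follows the word "from" on a "Failed password" line.
failed_logins_by_source() {
    awk '/Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") count[$(i + 1)]++
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Sources whose failure count reaches the threshold given as $2.
brute_force_sources() {
    failed_logins_by_source "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Accounts that were guessed, so the defender knows what was targeted.
# sshd writes "for invalid user NAME" for unknown accounts and "for NAME"
# for existing ones.
targeted_accounts() {
    awk '/Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "for") {
                 if ($(i + 1) == "invalid") print $(i + 3); else print $(i + 1)
             }
         }' "$1" | sort | uniq -c | sort -rn
}

LOG=$(mktemp)
write_sample_log "$LOG"
echo "Failed logins per source:";               failed_logins_by_source "$LOG"
echo "Brute-force candidates (>= 3 failures):"; brute_force_sources "$LOG" 3
echo "Targeted accounts:";                      targeted_accounts "$LOG"
rm -f "$LOG"
```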
Searching for Malware and Suspicious Scripts
Attackers often use scripts for persistence and remote access.
Hunt Shell Scripts
find / -name "*.sh"
Hunt Python Scripts
find / -name "*.py"
Hunt Suspicious Executables
find / -executable -type f
Investigators should inspect unusual executable files. Since this command matches every legitimate binary on the system, narrow it to locations where executables do not belong, such as /tmp, /var/tmp, or user home directories.
File Integrity Investigation
File integrity checking helps detect unauthorized modifications.
Using md5sum
Generate file hash:
md5sum file.txt
Using sha256sum
sha256sum file.txt
Security teams compare hashes against known malware databases and against a baseline taken from a known-good system. Prefer sha256sum for new baselines: MD5 is fast but collision-prone, so two different files can be made to share an MD5 hash.
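A minimal file-integrity check built on sha256sum, recording a baseline and reporting modified, missing and new files, as an added example that is not part of the original post; the monitored directory and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal file-integrity check
# built on sha256sum. Paths are recorded relative to the monitored directory
# so a baseline taken on a clean host can be compared on a suspect one.
# Directory and file names are constructed for the demo.
set -e

# Write "hash  path" lines for every regular file under $1 into $2.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort ) > "$2"
}

# Compare a fresh manifest of $1 with baseline $2 and report every
# difference as MODIFIED, MISSING or NEW, one path per line, sorted.
# sha256sum prints 64 hex digits, two spaces, then the path, so the path
# starts at column 67 (this also copes with spaces in file names).
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[substr($0, 67)] = substr($0, 1, 64); next }
         { cur[substr($0, 67)] = substr($0, 1, 64) }
         END {
             for (p in base)
                 if (!(p in cur))            print "MISSING " p
                 else if (base[p] != cur[p]) print "MODIFIED " p
             for (p in cur) if (!(p in base)) print "NEW " p
         }' "$2" "$current" | sort
    rm -f "$current"
}

# Stand-alone demo: baseline a constructed tree, tamper with it, re-check.
DIR=$(mktemp -d); BASE=$(mktemp)
mkdir -p "$DIR/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DIR/etc/passwd"
printf 'PermitRootLogin no\n'              > "$DIR/etc/sshd_config"
make_baseline "$DIR" "$BASE"
printf 'PermitRootLogin yes\n' > "$DIR/etc/sshd_config"   # modified
rm -f "$DIR/etc/passwd"                                    # missing
printf '#!/bin/sh\n' > "$DIR/etc/rc.local"                 # new
check_baseline "$DIR" "$BASE"
rm -rf "$DIR" "$BASE"
```

Store the baseline off the monitored host; an attacker who can alter the files can just as easily rewrite a baseline kept next to them.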
Hunting Running Processes
Malicious files may run as active processes.
List Running Processes
ps aux
Monitor Processes in Real Time
top
or
htop
Investigators should monitor:
Unknown processes
High CPU usage
Reverse shells
Suspicious network connections
Hunting Network-Related Files
Attackers may establish persistence through network services.
Check Open Ports
netstat -tulnp
or, on modern distributions where the deprecated netstat is no longer installed by default,
ss -tulnp
Search SSH Keys
find / -name "authorized_keys"
Unauthorized SSH keys may indicate compromised access.
Linux File System Forensics
Digital forensics involves collecting and analyzing evidence.
Timeline Analysis
Investigators analyze timestamps:
Access Time (atime)
Modification Time (mtime)
Change Time (ctime)
Command:
stat suspicious_file
Recovering Deleted Files
Tools:
extundelete
testdisk
photorec
Example:
sudo extundelete /dev/sda1 --restore-all
Run recovery tools only against an unmounted filesystem or a forensic image copy, since continued writes to the live device can overwrite the very blocks being recovered.
Hunting Persistence Mechanisms
Attackers often create persistence methods.
Check Cron Jobs
crontab -l
This shows only the invoking user's jobs; repeat it for other accounts with crontab -l -u <user>.
System-wide cron jobs:
ls /etc/cron*
Suspicious scheduled tasks should be investigated.
Check Startup Services
systemctl list-units --type=service
This lists services currently loaded; systemctl list-unit-files shows which ones are enabled to start at boot, which is where persistence usually hides.
Attackers may create malicious services for persistence.
Detecting Suspicious User Accounts
Investigate user accounts:
cat /etc/passwd
Look for:
Unauthorized users
Users with root privileges
Service accounts with login shells
Check sudo access (reading the file requires root, and drop-in files under /etc/sudoers.d/ grant access as well):
cat /etc/sudoers
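The three account checks listed above applied to a constructed copy of /etc/passwd, as an added example that is not part of the original post; the account names and UIDs are made up, and the UID 1000 boundary between service and human accounts is an assumption that matches Debian-style layouts.

```shell
#!/bin/sh
# Added example, not from the original post: review a passwd file for extra
# UID 0 accounts, service accounts with login shells, and login-capable
# users missing from an approved list. The sample data is constructed.
set -e

# Write a constructed /etc/passwd excerpt to the path given as $1.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0::/home/sysadm:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
}

# Accounts other than root with UID 0: each one is effectively root.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Service accounts (UID below 1000, an assumption matching Debian-style
# layouts) whose shell permits interactive login.
service_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Human accounts (UID 1000 up to, but excluding, nobody at 65534) that are
# not listed in the approved-user file $2 (one name per line).
unauthorised_users() {
    awk -F: -v list="$2" 'BEGIN { while ((getline n < list) > 0) ok[n] = 1 }
         $3 >= 1000 && $3 < 65534 && !($1 in ok) { print $1 }' "$1"
}

PW=$(mktemp); ALLOWED=$(mktemp)
write_sample_passwd "$PW"
printf 'alice\n' > "$ALLOWED"
echo "Extra UID 0 accounts:";                      extra_uid0_accounts "$PW"
echo "Service accounts with a login shell:";       service_accounts_with_shell "$PW"
echo "Login-capable users not on the approved list:"; unauthorised_users "$PW" "$ALLOWED"
rm -f "$PW" "$ALLOWED"
```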
Automation in File System Hunting
Large infrastructures require automated hunting.
Bash Scripting Example
#!/bin/bash
# List regular files under /tmp modified within the last 24 hours.
find /tmp -type f -mtime -1
This script identifies recently modified files in /tmp; scheduling it (for example from cron) and diffing successive runs turns a one-off hunt into continuous monitoring.
Using Auditd
The Linux Audit Framework (auditd) records file and system call activity as it happens, rather than relying on timestamps after the fact.
Install:
sudo apt install auditd
Monitor a file:
auditctl -w /etc/passwd -p wa
This tracks write and attribute changes. Rules added with auditctl last only until reboot; place them in the rules files under /etc/audit/rules.d/ to make them persistent, and query the recorded events with ausearch -f /etc/passwd.
Common Indicators of Compromise (IOCs)
File system hunters look for indicators such as:
Hidden directories
Unusual permissions
Suspicious cron jobs
Unknown binaries
Recently modified system files
Reverse shell scripts
Unauthorized SSH keys
Unexpected startup services
Recognizing these indicators helps detect attacks early.
Best Practices for Linux File System Hunting
1. Principle of Least Privilege
Grant minimum required permissions.
2. Regular Log Monitoring
Continuously monitor logs for anomalies.
3. File Integrity Monitoring
Use tools like:
AIDE
Tripwire
4. Restrict World-Writable Files
Avoid insecure permissions.
5. Use Antivirus and EDR Tools
Examples:
ClamAV
Wazuh
CrowdStrike
6. Maintain Backups
Frequent backups reduce ransomware impact.
Real-World Cybersecurity Applications
Linux file system hunting is widely used in:
| Field | Application |
|---|---|
| Cybersecurity | Threat hunting |
| Digital Forensics | Evidence collection |
| System Administration | Troubleshooting |
| Malware Analysis | Payload investigation |
| Cloud Security | Container monitoring |
| SOC Operations | Incident response |
Organizations depend on these techniques to secure critical infrastructure.
Conclusion
Linux File System Hunting is a critical skill for cybersecurity professionals, system administrators, ethical hackers, and forensic investigators. Since Linux powers servers, cloud platforms, enterprise systems, and security infrastructure worldwide, understanding how to investigate its file system is essential for detecting threats and maintaining security.
By mastering commands such as find, grep, stat, ps, and netstat, professionals can efficiently locate suspicious files, monitor system activity, analyze permissions, and investigate potential compromises. File system hunting also strengthens incident response and digital forensic capabilities by enabling investigators to identify malicious persistence mechanisms, unauthorized modifications, and hidden malware.
As cyber threats continue to evolve, proactive file system hunting becomes increasingly important. Combining manual investigation techniques with automation, auditing tools, and integrity monitoring solutions helps organizations build a stronger defense against attacks.
Learning Linux file system hunting not only improves technical expertise but also provides a strong foundation for advanced cybersecurity domains such as penetration testing, malware analysis, cloud security, and threat intelligence.