Memory, disk, and the dozens of operating-system artifacts that record what ran, when, and at whose hand.
Host forensics is about extracting the story from a single machine. Memory captures running state; disk images capture persistence; the operating system leaves dozens of artifacts — logs, caches, registry hives, file system metadata — that together reconstruct who ran what when. Most of the work in a real intrusion analysis is artifact triage — knowing which file holds which evidence and how to read it.
Memory acquisition
RAM contains running processes, decrypted documents, encryption keys, network connections, and (often) malware that never touched disk. Acquire RAM before powering off, per the order of volatility, and analyze with Volatility 3 (Rekall is no longer maintained). Two practical caveats: the LiME module has to be built against the exact kernel running on the target, and Volatility 3 needs a symbol table for that kernel (an ISF JSON file, generated with dwarf2json from the kernel's debug symbols) before any linux.* plugin will run, so collect the kernel version and, if possible, the debug package at the same time as the image.
# Linux: LiME (Linux Memory Extractor) — build against the target kernel, load the module, dump to external media
$ sudo insmod lime.ko "path=/mnt/evidence/mem.lime format=lime"

# Windows: Magnet RAM Capture, FTK Imager, WinPmem, or DumpIt
# Each writes a raw memory image to external media.

# Analyze with Volatility 3 (needs an ISF symbol table for this kernel) — list processes from the memory image
$ vol -f mem.lime linux.pslist.PsList

# Show sockets and network connections at capture time
# (there is no linux.netstat plugin in Volatility 3; the Linux equivalent is linux.sockstat)
$ vol -f mem.lime linux.sockstat.Sockstat

# Find injected/hidden code
$ vol -f mem.lime linux.malfind.Malfind
Disk imaging
Take a full bit-for-bit image of the storage device, write-blocked, with hashes recorded. The image is what you analyze — never the original drive. See the Evidence Handling page for the procedural details.
$ dcfldd if=/dev/sdb of=image.dd hash=sha256 hashlog=image.log conv=noerror,sync

# List the partitions and their starting sectors; sector 2048 is only the common case
$ mmls image.dd

# Mount the first partition read-only for inspection (for ext3/ext4 add noload so the journal is not replayed into the image)
$ sudo mount -o ro,loop,offset=$((512*2048)) image.dd /mnt/case

# Or load into a full forensics platform: Autopsy, X-Ways, Magnet AXIOM
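The offset in the mount command above is usually computed by hand from an mmls listing. The following is an added example, not code from the original page or from any of the tools it names: it reads the MBR at the start of a raw image, derives the byte offset for each partition slot, refuses to guess on a protective MBR (the partitions then live in the GPT), and checks the image against the SHA-256 the imaging tool logged. The MBR bytes and the hash values are constructed test data; the image name is an assumption.

```python
# Added example (not from the original page): read the MBR of a raw image to
# compute mount offsets instead of assuming offset=$((512*2048)), and check the
# image against the SHA-256 the imaging tool logged. The MBR bytes below are
# constructed test data; "image.dd" and the hash log format are assumptions.
import hashlib
import struct

SECTOR_SIZE = 512            # assumed logical sector size of the imaged device
GPT_PROTECTIVE = 0xEE        # partition type of the single entry in a protective MBR


def parse_mbr(mbr: bytes):
    """Return (slot, type, start_lba, sector_count) for each used MBR slot."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 55AA boot signature: not an MBR (or not sector 0)")
    used = []
    for slot in range(4):
        # 16-byte entry: status, CHS start, type, CHS end, LBA start, LBA count
        ptype, start, count = struct.unpack_from("<4xB3xII", mbr, 446 + 16 * slot)
        if ptype and count:
            used.append((slot + 1, ptype, start, count))
    return used


def is_gpt_protective(mbr: bytes) -> bool:
    """True when the MBR is only a placeholder in front of a GPT."""
    return any(p[1] == GPT_PROTECTIVE for p in parse_mbr(mbr))


def mount_offsets(mbr: bytes, sector=SECTOR_SIZE):
    """slot -> byte offset for mount -o offset=...; refuses GPT disks."""
    if is_gpt_protective(mbr):
        raise ValueError("protective MBR: partitions live in the GPT, use mmls")
    return {slot: start * sector for slot, _, start, _ in parse_mbr(mbr)}


def verify_image(image: bytes, logged_sha256: str) -> bool:
    """True if the image still matches the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == logged_sha256.strip().lower()


def build_sample_mbr(gpt: bool = False) -> bytes:
    """Constructed MBR: NTFS (0x07) at LBA 2048 and Linux (0x83) at LBA 206848,
    or a single protective 0xEE entry when gpt=True."""
    mbr = bytearray(512)
    entries = [(0xEE, 1, 0xFFFFFFFF)] if gpt else [(0x07, 2048, 204800), (0x83, 206848, 409600)]
    for slot, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * slot,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    for slot, off in mount_offsets(build_sample_mbr()).items():
        print(f"partition {slot}: mount -o ro,loop,offset={off} image.dd /mnt/case")
    print("protective MBR present:", is_gpt_protective(build_sample_mbr(gpt=True)))
```

On a real image, feed `open("image.dd", "rb").read(512)` to `mount_offsets` and the whole file to `verify_image` with the digest from image.log; a mismatch means the copy you are about to analyze is not the copy that was acquired.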
Windows and Linux artifacts
Each operating system maintains its own set of metadata that records execution and access. These are the ones every host forensics analyst learns to read first:
Windows artifacts
MFT · $MFT
Master File Table. One entry per file on an NTFS volume. Records file name, size, parent directory, and two sets of timestamps (modified, accessed, MFT-entry changed, born/created): one in the $STANDARD_INFORMATION attribute, which user-mode tools can rewrite, and one in $FILE_NAME, which only the kernel updates. Disagreement between the two sets is the classic sign of timestomping. Even deleted files leave entries until the record is reused.
Prefetch · C:\Windows\Prefetch\
Windows creates a .pf file when an executable runs, recording its run count, its last run time (the last eight run times on Windows 8 and later), and the files and directories it touched during its first seconds. Enabled by default on workstation SKUs and disabled by default on Server SKUs; the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters tells you which state a given host was in.
Shimcache · SYSTEM hive
Application Compatibility cache (the AppCompatCache value in the SYSTEM hive). Records executable paths and their last-modified times whether they ran or not: on Windows 7 and later just being browsed in Explorer is enough, so an entry proves presence, not execution. The cache is only flushed to the hive at shutdown or reboot, so on a live system the newest entries exist in memory only; acquire RAM or reboot through a controlled shutdown before pulling the hive.
Amcache · Amcache.hve
Inventory of executables seen by Windows' application-compatibility scanning: full path, file size, version info, and a SHA-1 hash computed over the first 31 MB of the binary (so large files will not match a full-file hash). Entries are created by installs and background scans as well as by execution, so read it as "this binary was on the box", not as proof that it ran, and corroborate with Prefetch or event logs. It is still the fastest way to turn a suspicious path into a hash you can look up.
Event logs · C:\Windows\System32\winevt\Logs\
Security.evtx (logons, auth failures), System.evtx (services, drivers), Application.evtx, plus Microsoft-Windows-Sysmon%4Operational.evtx if Sysmon is installed. The closest thing to an authoritative timeline, and the first thing attackers clear: Security event ID 1102 ("the audit log was cleared") is itself a finding.
USN journal · $UsnJrnl
File system change log, stored in the $J data stream of $Extend\$UsnJrnl. Records create/modify/delete/rename events with the file's MFT reference, so it dates deletions and renames that the MFT alone cannot. It is a ring buffer and persists for hours-to-days depending on volume size and activity.
LNK files · Recent\
Shortcut files in each user's Recent items folder (AppData\Roaming\Microsoft\Windows\Recent). Each records the target's full path, size, creation/access/write timestamps and the serial number of the volume it lived on, as of when the shortcut was last updated, so they survive deletion of the target and are a reliable record of which files a user opened.
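What a LNK actually preserves is easiest to see by reading one. The following is an added example, not code from the original page or from any shortcut-parsing tool: a minimal parser for the fixed header and LinkInfo block of a .lnk file, which is where the target timestamps, size, local path and volume serial live. The sample shortcut is constructed inline from the documented on-disk layout; its path, serial number and timestamps are invented test values.

```python
# Added example (not from the original page): a minimal parser for a Windows
# shortcut (.lnk) that pulls out what a Recent\ LNK preserves about its target.
# The LNK bytes are constructed below from the [MS-SHLLINK] layout; the path,
# volume serial and timestamps in it are invented test values.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# CLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_lnk(data: bytes) -> dict:
    """Return target timestamps, size, local path and volume serial from a .lnk."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    ctime, atime, wtime, size = struct.unpack_from("<QQQI", data, 28)
    out = {
        "target_created": filetime_to_dt(ctime),
        "target_accessed": filetime_to_dt(atime),
        "target_written": filetime_to_dt(wtime),
        "target_size": size,
        "target_path": None,
        "volume_serial": None,
    }
    pos = hdr_size
    if flags & HAS_LINK_TARGET_ID_LIST:        # shell item ID list: size-prefixed, skipped here
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr_size, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vol_size, _drive_type, serial = struct.unpack_from("<III", data, pos + vol_off)
            out["volume_serial"] = f"{serial:08X}"
            start = pos + base_off                   # null-terminated ANSI LocalBasePath
            out["target_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += li_size
    return out


def build_sample_lnk() -> bytes:
    """Constructed LNK for C:\\Users\\alice\\Documents\\plan.docx on volume serial 1A2B3C4D."""
    path = b"C:\\Users\\alice\\Documents\\plan.docx\x00"
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1A2B3C4D, 16) + label   # 3 = DRIVE_FIXED
    body = volume_id + path + b"\x00"                                               # + empty CommonPathSuffix
    vol_off, base_off = 28, 28 + len(volume_id)
    suffix_off = base_off + len(path)
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + body
    utc = timezone.utc
    header = struct.pack(
        "<I16sIIQQQIIIH2xII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
        dt_to_filetime(datetime(2026, 6, 1, 8, 0, tzinfo=utc)),        # target created
        dt_to_filetime(datetime(2026, 6, 5, 9, 14, 22, tzinfo=utc)),   # target accessed
        dt_to_filetime(datetime(2026, 6, 4, 17, 30, tzinfo=utc)),      # target written
        4096, 0, 1, 0, 0, 0)                                            # size, icon, SW_SHOWNORMAL, hotkey, reserved
    return header + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

Real shortcuts usually also carry a shell item ID list (skipped above) and a tracker block with the machine name and a MAC-derived GUID; full parsers such as LECmd read all of those. The point of the minimal version is the one the artifact list makes: the path, serial and timestamps of a file a user opened are sitting in a 200-byte file in their profile long after the document itself is gone.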
Linux artifacts
/var/log/auth.log (or secure)
SSH logins, sudo invocations, PAM auth events. The first place to look for "who logged in when and from where."
/var/log/syslog and journalctl
General system messages. journalctl --since "2026-06-05 09:00" filters by time range. Includes systemd-managed service activity.
~/.bash_history
Per-user command history, written only when the shell exits, so an active session's commands are not on disk yet (they are in the bash process's memory). Often disabled or edited by attackers: unset HISTFILE, HISTSIZE=0, or ~/.bash_history symlinked to /dev/null are themselves findings. Without HISTTIMEFORMAT set the file has no timestamps at all, only order; with it, each command is preceded by an epoch-seconds line.
/var/log/audit/audit.log
auditd events. Detailed system-call and file-access auditing when enabled. Verbose but invaluable.
cron and systemd timers
/etc/cron.*, per-user crontabs, and systemctl list-timers. Common persistence mechanism for attackers.
~/.ssh/authorized_keys
SSH keys authorized to log in as that user. New entries are a classic persistence pattern.
/etc/passwd, /etc/shadow, /etc/sudoers
Account list, hashed passwords, sudo privileges. New accounts or unexpected sudo entries are leading indicators of compromise.
File system timestamps
atime/mtime/ctime via stat. ext4 also stores a creation time (crtime): stat shows it as "Birth" on kernels from 4.11 with coreutils 8.31 or later (via statx), and debugfs -R "stat <inode>" reads it on older systems. Note that mtime and atime can be set by any user with touch, while ctime and crtime can only be changed by the kernel (or by editing the raw inode), which makes them the ones to trust when the timestamps on a file disagree.
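The account and privilege files in this list are most useful when compared against a known-good copy. The following is an added example, not code from the original page or from any triage tool: it diffs /etc/passwd, /etc/shadow and /etc/sudoers contents against a baseline (a golden image or the last backup) and flags the changes an intruder typically makes, namely new accounts, a second UID-0 account, a locked system account that now has a password, and NOPASSWD sudo rules. Every file body below is constructed sample data with fake hashes.

```python
# Added example (not from the original page): triage the account and privilege
# files listed above by diffing them against a known-good baseline (a golden
# image or the last backup). Every file body below is constructed sample data.


def parse_passwd(text):
    """name -> (uid, gid, home, shell) from /etc/passwd lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, shell = line.split(":")
            users[name] = (int(uid), int(gid), home, shell)
    return users


def parse_shadow(text):
    """name -> password field. '!' or '*' prefix = locked, '' = no password needed."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines() if line}


def sudoers_rules(text):
    """Effective rule lines of sudoers (and sudoers.d), ignoring comments and Defaults."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(("#", "Defaults"))}


def triage(passwd, shadow, sudoers, base_passwd, base_shadow, base_sudoers):
    """Return human-readable findings for everything that differs from the baseline."""
    findings = []
    cur, base = parse_passwd(passwd), parse_passwd(base_passwd)
    for name, rec in cur.items():
        uid, _gid, _home, shell = rec
        if name not in base:
            findings.append(f"new account: {name} uid={uid} shell={shell}")
        elif base[name] != rec:
            findings.append(f"changed account: {name} {base[name]} -> {rec}")
        if uid == 0 and name != "root":
            findings.append(f"uid 0 alias: {name}")
    sh_cur, sh_base = parse_shadow(shadow), parse_shadow(base_shadow)
    for name, field in sh_cur.items():
        old = sh_base.get(name)
        if field == "":
            findings.append(f"empty password: {name}")
        elif old is not None and old != field:
            if old[:1] in ("!", "*") and field[:1] not in ("!", "*"):
                findings.append(f"locked account unlocked: {name}")
            else:
                findings.append(f"password changed: {name}")
    for rule in sorted(sudoers_rules(sudoers) - sudoers_rules(base_sudoers)):
        kind = "NOPASSWD sudo rule" if "NOPASSWD" in rule else "new sudo rule"
        findings.append(f"{kind}: {rule}")
    return findings


# Constructed sample data: the baseline and the same host after a compromise.
BASE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CUR_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/root:/bin/bash
"""
BASE_SHADOW = """root:$6$r00t$Kq1fakehash:20600:0:99999:7:::
daemon:*:20600:0:99999:7:::
alice:$6$al1ce$Zz2fakehash:20600:0:99999:7:::
"""
CUR_SHADOW = """root:$6$r00t$Kq1fakehash:20600:0:99999:7:::
daemon:$6$d43m0n$N3wfakehash:20610:0:99999:7:::
alice:$6$al1ce$Zz2fakehash:20600:0:99999:7:::
support:$6$supp$Y3tfakehash:20610:0:99999:7:::
"""
BASE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
"""
CUR_SUDOERS = BASE_SUDOERS + "support ALL=(ALL) NOPASSWD: ALL\n"


def run_sample():
    return triage(CUR_PASSWD, CUR_SHADOW, CUR_SUDOERS, BASE_PASSWD, BASE_SHADOW, BASE_SUDOERS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a mounted image, read the three files from /mnt/case/etc and the baseline from the golden image or configuration management; the same diff approach extends to ~/.ssh/authorized_keys and the cron directories, where any line not in the baseline deserves a look.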
Building a timeline
A forensic timeline merges every dated event from every source into a single chronological list. plaso is the framework: log2timeline.py is its extractor, which reads dozens of artifact formats from an image or a triage collection into a storage file, and psort.py filters, sorts and exports that storage as CSV or straight into Timesketch. Two pitfalls: plaso normalizes everything to UTC, so artifacts that store local time without a zone (syslog, some registry data) need the host's time zone passed with -z or they land hours off; and a timestamp only tells you when the artifact says something happened, which is why independent sources that agree on a time are worth more than any single one.
# Extract every dated event from a disk image into a plaso storage file
$ log2timeline.py --storage-file case.plaso image.dd

# Filter to a time window and produce a CSV
$ psort.py -o l2tcsv -w timeline.csv case.plaso "date > '2026-06-05 09:00:00' AND date < '2026-06-05 18:00:00'"

# Open timeline.csv in Excel / Timesketch and start asking questions
The forensic analyst's actual job, hour-to-hour, is asking questions of this timeline. What ran 30 seconds before the suspicious network connection? Which user was logged in at the moment of the file write? What was the last thing that happened before the host went offline? Timelines reframe the artifacts as a story.
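The mechanics behind those questions are worth seeing once without plaso in the way. The following is an added example, not code from the original page or from the plaso project: a miniature timeline builder that takes three artifacts which encode time differently (auth.log in local time with no year or zone, journalctl's short-iso output with an offset, and find's epoch-seconds mtimes), normalizes them to UTC, merges them, and answers "what happened in the 30 seconds before the suspicious connection?". All log lines are constructed; the host time zone (CEST, UTC+2) and the log year are assumptions, which is exactly the information syslog lines do not carry.

```python
# Added example (not from the original page): a miniature of what plaso does,
# merging three artifacts that encode time differently into one UTC timeline
# and answering "what happened in the 30 s before the suspicious connection?".
# All log lines are constructed; the host time zone (CEST, UTC+2) and the log
# year are assumptions, exactly the two things syslog lines do not record.
import re
from datetime import datetime, timedelta, timezone

HOST_TZ = timezone(timedelta(hours=2))   # assumption: host clock ran in CEST
LOG_YEAR = 2026                           # assumption: classic syslog stamps carry no year

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
ISO_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def parse_auth_log(text):
    """auth.log: 'Jun  5 09:14:22 web01 sshd[2213]: ...', local time, no year or zone."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            stamp, _host, prog, msg = m.groups()
            local = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=HOST_TZ)
            events.append((local.astimezone(timezone.utc), "auth.log", f"{prog}: {msg.strip()}"))
    return events


def parse_journal(text):
    """journalctl -o short-iso: '2026-06-05T09:14:58+0200 web01 systemd[1]: ...', zone included."""
    events = []
    for line in text.splitlines():
        m = ISO_RE.match(line)
        if m:
            stamp, _host, unit, msg = m.groups()
            ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
            events.append((ts.astimezone(timezone.utc), "journal", f"{unit}: {msg}"))
    return events


def parse_find_mtimes(text):
    """Output of find / -printf '%T@ %p\\n': epoch seconds (already UTC) and a path."""
    events = []
    for line in text.splitlines():
        epoch, path = line.split(maxsplit=1)
        ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
        events.append((ts, "find", f"mtime {path}"))
    return events


def build_timeline(*sources):
    """Merge event lists into one list of (utc_time, source, text) sorted by time."""
    return sorted(ev for src in sources for ev in src)


def events_before(timeline, needle, seconds):
    """Events in the window ending at the first event whose text contains needle."""
    idx = next(i for i, ev in enumerate(timeline) if needle in ev[2])
    t0 = timeline[idx][0]
    return [ev for ev in timeline[:idx] if t0 - ev[0] <= timedelta(seconds=seconds)]


# Constructed sample artifacts from one host (documentation IP ranges, fake paths).
AUTH_LOG = """Jun  5 09:14:22 web01 sshd[2213]: Accepted publickey for deploy from 203.0.113.7 port 50122 ssh2
Jun  5 09:14:31 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
"""
JOURNAL = """2026-06-05T09:14:58+0200 web01 systemd[1]: Started kworker.service.
2026-06-05T09:15:03+0200 web01 kworker[4411]: connected to 198.51.100.9:4444
"""
FIND_OUT = "1780643690.0000000000 /tmp/.x/kworker\n"   # 2026-06-05 07:14:50 UTC


def run_sample():
    return build_timeline(parse_auth_log(AUTH_LOG), parse_journal(JOURNAL), parse_find_mtimes(FIND_OUT))


if __name__ == "__main__":
    tl = run_sample()
    for ts, src, text in tl:
        print(ts.isoformat(), src, text)
    print("-- within 30 s before the connection:")
    for ts, src, text in events_before(tl, "198.51.100.9", 30):
        print(ts.isoformat(), src, text)
```

Change HOST_TZ to UTC and the two auth.log events jump two hours later and drop out of the window, which is the whole argument for pinning the host's time zone before building a timeline rather than after.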
Triage vs deep dive. Modern IR programs run a triage collector first — KAPE for Windows, UAC for Linux — that pulls the high-value artifacts above in minutes, then timeline that collection with log2timeline (or list the file system of an image with Sleuth Kit's fls) rather than acquiring full disk images that take hours. Triage is enough to answer most "is this compromised?" questions; full imaging is reserved for the cases that need it.
The point
Host forensics is artifact triage at speed. You won't memorize every file path on this page in one sitting; you will memorize them after using them a few times. The discipline is knowing which artifact answers which question, and reaching for it without hesitation.
Build a list. When you see "Amcache" in a DFIR write-up, you should think "Windows execution history." When you see "auth.log," think "Linux logon timeline." That mental map — not the deep internals — is what makes the next investigation faster than the last one.