Open Source Resources for Forensics in the Cloud

EC2 DFIR Workshop

Lab 14: Identify Evidence of Persistence


Examine two common persistence techniques (cron jobs and start-up scripts) for new indicators of compromise.


  1. Investigate cron Jobs
  2. Investigate the Start-up Scripts

Step 1: Investigate cron Jobs

Look for system-wide cron jobs:

cat /mnt/linux_mount/etc/crontab
ls /mnt/linux_mount/etc/cron.*

It is also important to check the cron jobs for all users. To list the users that have cron jobs scheduled on the attached Amazon Linux volume, run:

ls -l /mnt/linux_mount/var/spool/cron/*

To quickly peruse the cron jobs when several user accounts have jobs scheduled, use:

find /mnt/linux_mount/var/spool/cron/* -exec cat {} \; | less

VIDEO: Lab 14 Step 1 - Investigate cron Jobs

Lab 14 – Step 2: Investigate the Start-up Scripts

Use the following command to list the scripts, in reverse chronological order:

ls -als -t /mnt/linux_mount/etc/rc*.d/ --color=always | less -R

Use the baseline comparison technique to identify new and changed start-up scripts:

find /mnt/linux_mount/etc/rc*.d/ -type f -print0 | xargs -0 md5sum \
   | sed 's|\/mnt\/linux_mount||' > /cases/startup-scripts-evidence.log
find /mnt/linux_base/etc/rc*.d/ -type f -print0 | xargs -0 md5sum \
   | sed 's|\/mnt\/linux_base||' > /cases/startup-scripts-baseline.log
diff /cases/startup-scripts-baseline.log /cases/startup-scripts-evidence.log

Examine the suspicious scripts

VIDEO: Lab 14 Step 2 - Investigate the Start-up Scripts