This central directory is where most Linux log files, such as boot.log and messages, are stored.
What is /var/log?
This simple command displays the current time, how long the system has been up, and the load average.
What is uptime?
In Microsoft Outlook, local email data for POP accounts is typically stored in this file format.
What is .pst (Personal Storage Table)?
This is the first critical step in an email crime investigation, which requires a search warrant.
What is seizing the computer and email accounts?
This utility is run automatically by the cron daemon to back up log files and delete old backups to save space.
What is logrotate?
This virtual file contains detailed technical information about the CPU, including model name and cache size.
What is /proc/cpuinfo?
This part of an email message holds vital origin information and cannot be easily forged in its "Received" entries.
What is the bottommost Received header?
This scanning tool in the CentralOps.net suite provides MX records and initiates SMTP sessions to check address validity.
What is Email Dossier?
On modern systemd-based distributions, this command is used to view and filter the system journal.
What is journalctl?
A "load average" of 1.0 on a single-core system indicates this specific state of CPU utilization.
What is full load (100% utilization)?
This specific header field acts as the "bounce address" for undeliverable mail; if it differs from the "From" address, it often indicates spoofing.
What is the Return-Path?
This forensic tool is used to recover and collect deleted email messages from Outlook .pst files.
What is Paraben’s Electronic Evidence Examiner?
Email Authentication
This DNS-based process enables organizations to list the specific servers authorized to send emails on behalf of their domains.
What is SPF (Sender Policy Framework)?
To monitor a text-based log file in real-time as new entries are added, you would use this command with the -f flag.
What is tail -f?
This powerful tool provides a cumulative overview of CPU, Memory, and I/O usage, gathering data via cron.
What is sar (System Activity Report)?
This cryptographic signature allows a recipient to verify that an email actually originated from the claimed domain and hasn't been modified.
What is DKIM (DomainKeys Identified Mail)?
If a Message-ID shows this as the FQDN instead of a mail server, it clearly indicates a spoofed email.
What is localhost?
This specific configuration file in /etc/ is used to define global log rotation settings, though it can be superseded by files in a sub-directory.
What is /etc/logrotate.conf?
This tool is used to view or configure Linux kernel parameters at runtime to optimize system performance.
What is sysctl?
If a suspect uses an IMAP account in Outlook, their local mailbox data will be stored in this specific file type.
What is .ost (Offline Storage Table)?
Email messages deleted from this specific Outlook folder can still be recovered if the unallocated space is not overwritten.
What is the Deleted Items folder?