| Command | Purpose |
|---|---|
| who -a | Check active sessions and logins |
| netstat -tulnp | List listening TCP/UDP sockets with owning processes |
| ps aux --sort=-%cpu | Identify high CPU processes |
| df -h | Check disk usage |
| uptime | Review system load and uptime |

| Tool | Purpose |
|---|---|
| Autopsy | GUI-based digital forensics platform |
| Volatility | Analyze memory dumps for artifacts |
| FTK Imager | Create forensic disk images |
| Wireshark | Capture and analyze network traffic |
| chkrootkit | Scan for rootkits on Unix systems |

| Step | Action |
|---|---|
| 1. Contain | Isolate affected systems from network |
| 2. Preserve | Capture logs, memory, and disk images |
| 3. Analyze | Use forensic tools to identify root cause |
| 4. Report | Document findings and notify stakeholders |
| 5. Recover | Restore systems and monitor for recurrence |