Linux • Updated Feb 15, 2026
Linux Triage Commands
Practical commands for fast on-host triage during IR.
Tags: linux, dfir, triage
Process and persistence

```shell
ps auxf
systemctl list-units --type=service --state=running
crontab -l
ls -la /etc/cron.*
```

`crontab -l` shows only the invoking user's crontab. For every user's entries also look at /etc/crontab and the spool directory (/var/spool/cron/crontabs on Debian-based hosts, /var/spool/cron on RHEL-based ones), and remember that systemd timers are a persistence path these four commands do not list.

Info: Prefer capturing command output to a timestamped file rather than copy/paste, so the capture can be hashed and attached to the case record.
Network

```shell
ss -tulpen
ip a
ip r
lsof -i -n -P | head
```

`ss` and `lsof` report the owning process (`-p`) only when run as root. `-l` restricts `ss` to listening sockets; drop it to see established connections as well, which is where an outbound beacon would show up. The `| head` keeps the listing short on screen and should be removed when the output goes to a file.

Auth and logs

```shell
last -a | head
journalctl -S "-2h" --no-pager | tail -200
grep -R "Accepted" /var/log/auth.log | tail -50
```

/var/log/auth.log is the Debian/Ubuntu location; on RHEL-family hosts the same sshd messages land in /var/log/secure, or only in the journal if rsyslog is not installed. `-R` is harmless but does nothing useful against a single file. "Accepted" matches successful logins only; search the same window for "Failed password" to see brute-force attempts. `last -a` reads /var/log/wtmp, which is rotated, so widen the window with the rotated copies if the incident is older than the current file.
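The following POSIX shell script is an added example, not code from the original page: it runs the commands above as the Info note recommends, writing each command's output to its own file in a timestamped, per-host directory and recording a SHA-256 of every capture in a manifest that can be re-verified later. The function names, the directory layout and the extra cron spool listing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): capture each triage command's output to a
# timestamped file and hash it, instead of copy/pasting from the terminal.
# POSIX sh; function names and file layout are assumptions of this example.

triage_init() {
  # One output directory per host and run; base directory defaults to /tmp.
  base="${1:-/tmp}"
  host="$(hostname 2>/dev/null || uname -n)"
  TRIAGE_DIR="$base/triage-$host-$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$TRIAGE_DIR"
  : > "$TRIAGE_DIR/manifest.txt"
  printf '%s\n' "$TRIAGE_DIR"
}

triage_run() {
  # Usage: triage_run <label> <command> [args...]
  # Writes $TRIAGE_DIR/<label>.txt: a header (UTC start time, command line), the
  # command's stdout+stderr, and its exit code. Then appends "<sha256>  <label>.txt" to
  # manifest.txt (relative path, so the directory can be moved off the host intact).
  # A failing or missing command is recorded with its exit code, never fatal.
  label="$1"; shift
  out="$TRIAGE_DIR/$label.txt"
  rc=0
  {
    printf '# started: %s\n# command: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
    "$@" 2>&1 || rc=$?
    printf '# exit: %s\n' "$rc"
  } > "$out"
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$TRIAGE_DIR" && sha256sum "$label.txt" >> manifest.txt)
  else
    (cd "$TRIAGE_DIR" && shasum -a 256 "$label.txt" >> manifest.txt)
  fi
}

triage_collect() {
  # The page's commands in order. The screen-only "| head" and "| tail" filters are
  # dropped because full output goes to a file. The cron spool listing is an addition.
  triage_run proc_tree    ps auxf
  triage_run services     systemctl list-units --type=service --state=running
  triage_run cron_user    crontab -l
  triage_run cron_system  ls -la /etc/cron.*
  triage_run cron_spool   ls -la /var/spool/cron /var/spool/cron/crontabs
  triage_run net_sockets  ss -tulpen
  triage_run net_addr     ip a
  triage_run net_routes   ip r
  triage_run net_lsof     lsof -i -n -P
  triage_run logins       last -a
  triage_run journal_2h   journalctl -S "-2h" --no-pager
  triage_run ssh_accepted grep "Accepted" /var/log/auth.log
}

triage_verify() {
  # Re-check every capture against the manifest; non-zero exit if anything changed.
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$TRIAGE_DIR" && sha256sum -c manifest.txt >/dev/null 2>&1)
  else
    (cd "$TRIAGE_DIR" && shasum -a 256 -c manifest.txt >/dev/null 2>&1)
  fi
}

# Stand-alone use: sh triage.sh collect [base_dir]
case "${1:-}" in
  collect) triage_init "${2:-/tmp}" && triage_collect && triage_verify ;;
esac
```

Run it as root so `ss -p` and `lsof` can attribute sockets to processes, then copy the whole directory off the host and run `triage_verify` against the copy before analysis; a manifest mismatch means the capture was altered in transit and should not be relied on.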