This lab is the forensic sequel to a container-escape intrusion. The story it tells is one that defenders meet often but rarely enjoy: an attacker who did not just break in, but who took the time to stay. After pivoting from a compromised container onto the underlying Ubuntu host, the adversary killed the running packet-capture process, dropped malicious files, loaded a kernel-level rootkit, and then deliberately wiped the installation artifacts before logging off. Days later the host began behaving strangely - processes that could not be explained, outbound connections to an address no administrator recognized, and intermittent instability - and a live-response collection was finally taken with UAC (Unix-like Artifacts Collector).
What makes this investigation worth your full attention is the class of threat involved. A loadable kernel module (LKM) rootkit runs in ring 0, the same privilege level as the operating system itself. From there it can hook syscalls, hide files, hide processes, and lie to every userspace tool you would normally trust. The single most important habit this lab will build in you is never trusting one source of truth on a compromised box. lsmod, ps, and netstat all ask the kernel politely for information, and a rootkit sitting between them and the kernel can simply edit the answer. The technique that cracks this case is cross-referencing independent artifacts - comparing what userspace tools report against what the kernel filesystem (/sys/module/), the kernel ring buffer (dmesg), and the on-disk persistence files actually contain. When those sources disagree, the disagreement itself is your evidence.
A second theme runs throughout: time reconstruction. Kernel log timestamps are not wall-clock times - they are seconds elapsed since b