In this lab, you will take on the role of a Security Operations Center (SOC) analyst tasked with investigating suspicious activities conducted by an employee named Karen. Karen is suspected of engaging in unauthorized and potentially illegal actions within her organization, TAAUSAI. The investigation is based on a forensic disk image of Karen’s Linux-based workstation, which is analyzed to uncover evidence of malicious activity.
The walkthrough demonstrates how to investigate an insider threat by examining system logs, Bash history, downloaded files, and other artifacts with FTK Imager. It highlights practical techniques for checking file integrity, identifying privilege escalation, and uncovering attempted attacks. By the end of this lab, you will have hands-on experience with endpoint forensics and log analysis, and a clearer picture of why monitoring for insider threats matters when securing organizational systems.
To determine which Linux distribution the machine runs, begin by examining the file system captured in the disk image with FTK Imager. After loading the image, navigate the directory tree to locate logs or configuration files that reveal system information. Configuration files such as /etc/os-release state the distribution directly, but a good starting point in a forensic image is the /var/log/ directory, which often contains logs related to system activities and records the distribution name in kernel boot banners and package-manager logs even when the release files have been altered or removed.
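The following script is an added example and not part of the original walkthrough. It automates the check described above against a root directory exported from FTK Imager (or a loop-mounted image): it reads /etc/os-release and the other release files first, and falls back to tallying distribution names found in /var/log (kernel boot banners, dpkg/apt logs). The sample tree it builds with build_sample_root() is constructed test data, not content from the lab image; the function and file names are this example's own.

```python
"""Identify the Linux distribution of a disk-image root exported from FTK Imager
(or loop-mounted). Release files under /etc are checked first; if they are
missing or wiped, /var/log is scanned for distribution names in kernel boot
banners, package-manager logs and installer logs."""
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# KEY=value release files, in priority order (paths relative to the exported root).
RELEASE_FILES = ("etc/os-release", "usr/lib/os-release", "etc/lsb-release")
# Free-text banners that name the distribution.
BANNER_FILES = ("etc/issue", "etc/redhat-release")
# Distribution names searched for in banners and logs; the first pattern matching a line wins.
DISTRO_PATTERNS = (
    (re.compile(r"\bkali\b", re.I), "Kali"),
    (re.compile(r"\bubuntu\b", re.I), "Ubuntu"),
    (re.compile(r"\bdebian\b", re.I), "Debian"),
    (re.compile(r"\b(fedora|centos|rhel|red ?hat|rocky|alma)", re.I), "RHEL family"),
    (re.compile(r"\barch ?linux\b", re.I), "Arch"),
)
SKIP_SUFFIXES = {".gz", ".xz", ".bz2", ".zst", ".journal"}  # compressed rotations, binary journals
MAX_LOG_BYTES = 8 * 1024 * 1024


def parse_release_file(text):
    """Parse os-release / lsb-release KEY=value lines; comments and surrounding quotes are stripped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def match_distro(text):
    """Return the distribution name for the first pattern found in text, or None."""
    for pattern, name in DISTRO_PATTERNS:
        if pattern.search(text):
            return name
    return None


def scan_logs(root):
    """Tally distribution names across readable text files under var/log, keeping each hit as evidence."""
    log_dir = Path(root) / "var" / "log"
    hits = defaultdict(list)
    if not log_dir.is_dir():
        return hits
    for path in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        if path.suffix in SKIP_SUFFIXES or path.stat().st_size > MAX_LOG_BYTES:
            continue
        with path.open("r", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                name = match_distro(line)
                if name:
                    hits[name].append(f"var/log/{path.relative_to(log_dir)}:{lineno}: {line.strip()}")
    return hits


def identify_distro(root):
    """Return {"distro", "version", "source", "evidence"} for the exported root, or None if nothing is found."""
    root = Path(root)
    for rel in RELEASE_FILES:
        path = root / rel
        if path.is_file():
            f = parse_release_file(path.read_text(errors="replace"))
            name = f.get("PRETTY_NAME") or f.get("NAME") or f.get("DISTRIB_DESCRIPTION") or f.get("DISTRIB_ID")
            if name:
                version = f.get("VERSION_ID") or f.get("DISTRIB_RELEASE") or ""
                return {"distro": name, "version": version, "source": rel, "evidence": [name]}
    for rel in BANNER_FILES:
        path = root / rel
        if path.is_file():
            text = path.read_text(errors="replace").strip()
            name = match_distro(text)
            if name:
                return {"distro": name, "version": "", "source": rel, "evidence": [text.splitlines()[0]]}
    hits = scan_logs(root)
    if hits:
        name = Counter({k: len(v) for k, v in hits.items()}).most_common(1)[0][0]
        return {"distro": name, "version": "", "source": "var/log", "evidence": hits[name]}
    return None


def build_sample_root(include_os_release=True):
    """Constructed sample tree standing in for an FTK Imager export (not data from the lab image)."""
    root = Path(tempfile.mkdtemp(prefix="img_root_"))
    (root / "etc").mkdir()
    (root / "var" / "log").mkdir(parents=True)
    if include_os_release:
        (root / "etc" / "os-release").write_text(
            'PRETTY_NAME="Ubuntu 22.04.3 LTS"\nNAME="Ubuntu"\nVERSION_ID="22.04"\nID=ubuntu\nID_LIKE=debian\n')
    # Kernel boot banner as kern.log/syslog record it; the compiler build string names the distro.
    (root / "var" / "log" / "kern.log").write_text(
        "Aug 12 09:01:02 ws01 kernel: [    0.000000] Linux version 5.15.0-78-generic "
        "(buildd@lcy02-amd64-072) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0) #85-Ubuntu SMP\n")
    # dpkg log: distribution-specific package names are a second, independent indicator.
    (root / "var" / "log" / "dpkg.log").write_text(
        "2023-08-12 09:10:45 status installed ubuntu-keyring:all 2021.03.26\n"
        "2023-08-12 09:10:46 status installed libc6:amd64 2.35-0ubuntu3.1\n")
    return root


if __name__ == "__main__":
    print(identify_distro(build_sample_root()))
    print(identify_distro(build_sample_root(include_os_release=False)))
```

When the release file is present the answer comes straight from PRETTY_NAME; with it removed, the same call falls through to the log tally and returns the matching kern.log and dpkg.log lines as evidence, which is what you would cite in the report rather than the bare distribution name.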