Systemd Journal (Persistent Binary Logs)
Location
/var/log/journal/<machine-id>/*.journal
Description
Systemd binary journal files aggregating log output from all systemd services, kernel messages, and stdout/stderr of managed processes. Supports structured fields, forward-secure sealing (FSS), and indexed querying via journalctl.
Forensic Value
The systemd journal aggregates logs from all sources into a single queryable binary format that may contain entries not present in traditional text log files. Forward-secure sealing (FSS), where it has been set up, cryptographically seals entries so that later tampering is detectable; without a sealing key, journalctl --verify checks only the internal consistency of the files, not their authenticity. Journal entries include structured metadata fields (unit name, PID, UID) that enable precise filtering. Persistent journals in /var/log/journal survive reboots and may retain longer history than rotated text logs.
Tools Required
Collection Commands
tar
tar czf /forensics/output/systemd_journal.tar.gz /var/log/journal/
journalctl
journalctl --since "2024-01-01" --output json > /forensics/output/journal_export.json
journalctl
journalctl --verify > /forensics/output/journal_integrity.txt 2>&1
journalctl
journalctl -p err --since "7 days ago" > /forensics/output/journal_errors.txt
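The JSON export produced by the journalctl command above is normally analysed offline. The following Python is an added example, not part of this artifact entry, showing how to parse that export line by line and filter on the structured fields mentioned under Forensic Value (unit, UID, priority, timestamp). The sample entries, host, units, PIDs and timestamps are constructed; the field names and value encodings (microsecond timestamps as strings, non-UTF-8 messages as arrays of byte values) follow journalctl's JSON output conventions.

```python
"""Parse a `journalctl --output json` export and filter by structured fields.

Added example; the sample export below is constructed, not a real capture.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export: one JSON object per line, as journalctl emits it.
# Leading-underscore fields are trusted fields set by journald itself.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"__REALTIME_TIMESTAMP": "1704110400000000", "PRIORITY": "6", "_PID": "1201",
     "_UID": "0", "_SYSTEMD_UNIT": "sshd.service", "_COMM": "sshd",
     "MESSAGE": "Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2"},
    {"__REALTIME_TIMESTAMP": "1704110460000000", "PRIORITY": "3", "_PID": "1201",
     "_UID": "0", "_SYSTEMD_UNIT": "sshd.service", "_COMM": "sshd",
     "MESSAGE": "error: maximum authentication attempts exceeded for root from 203.0.113.7"},
    {"__REALTIME_TIMESTAMP": "1704110520000000", "PRIORITY": "6", "_PID": "2200",
     "_UID": "1000", "_SYSTEMD_UNIT": "user@1000.service", "_COMM": "bash",
     "MESSAGE": "session opened for user deploy"},
    {"__REALTIME_TIMESTAMP": "1704110580000000", "PRIORITY": "4", "_PID": "2310",
     "_UID": "1000", "_SYSTEMD_UNIT": "cron.service", "_COMM": "cron",
     # Non-UTF-8 payloads are serialised as arrays of byte values, not strings.
     "MESSAGE": [72, 105, 32, 255, 32, 116, 104, 101, 114, 101]},
    # Kernel messages carry _TRANSPORT=kernel and no _SYSTEMD_UNIT.
    {"__REALTIME_TIMESTAMP": "1704110640000000", "PRIORITY": "2", "_TRANSPORT": "kernel",
     "SYSLOG_IDENTIFIER": "kernel",
     "MESSAGE": "Out of memory: Killed process 2377 (python3) total-vm:8123456kB"},
])


def decode_field(value):
    """Normalise journalctl's JSON value encodings.

    Non-UTF-8 values arrive as arrays of byte values; multi-valued fields
    arrive as arrays of strings; oversized fields arrive as null.
    """
    if isinstance(value, list):
        if value and all(isinstance(v, int) for v in value):
            return bytes(value).decode("utf-8", errors="replace")
        return [decode_field(v) for v in value]
    return value


def parse_export(text):
    """Return a list of entry dicts; a malformed line raises ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            raw = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed journal entry: {exc}") from None
        entries.append({k: decode_field(v) for k, v in raw.items()})
    return entries


def entry_time(entry):
    """__REALTIME_TIMESTAMP is microseconds since the epoch, as a string."""
    micros = int(entry["__REALTIME_TIMESTAMP"])
    return datetime.fromtimestamp(micros / 1_000_000, tz=timezone.utc)


def filter_entries(entries, unit=None, uid=None, max_priority=None, since=None):
    """Filter on trusted metadata fields (lower PRIORITY number = more severe)."""
    out = []
    for e in entries:
        if unit is not None and e.get("_SYSTEMD_UNIT") != unit:
            continue
        if uid is not None and e.get("_UID") != str(uid):
            continue
        if max_priority is not None and int(e.get("PRIORITY", 7)) > max_priority:
            continue
        if since is not None and entry_time(e) < since:
            continue
        out.append(e)
    return out


def count_by_unit(entries):
    """Entry counts keyed by unit, falling back to transport for kernel lines."""
    return Counter(e.get("_SYSTEMD_UNIT") or e.get("_TRANSPORT", "unknown") for e in entries)


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for e in filter_entries(entries, max_priority=3):
        print(entry_time(e).isoformat(), e.get("_SYSTEMD_UNIT", "kernel"), e["MESSAGE"])
    print(dict(count_by_unit(entries)))
```

Running the script prints the error-and-worse entries with UTC timestamps and a per-unit count. Filtering on `_UID` and `_SYSTEMD_UNIT` rather than on message text is what makes the structured export more reliable than grepping rotated syslog files, since those fields are set by journald and not by the logging process.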
Collection Constraints
- Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
MITRE ATT&CK Techniques
References
Used in Procedures
Rebuild Compromised Systems from Known-Good Images
recover
Phased Service Restoration with Enhanced Monitoring
recover
Generate Comprehensive Incident Report
post-incident
Review Web Application Root Cause and Exposure Window
post-incident
Scope a Supply-Chain Compromise
triage
Roll Back and Block the Compromised Release
contain
Detect and Characterize Unauthorized Mining
triage
Contain the Mining Workload and Entry Vector
contain
Related Blockers
Compromised Vendor Artifact Provenance Lost
The compromised software was distributed through a legitimate channel (update server, package registry) but the vendor cannot or will not produce the exact pre-compromise build artifacts, build manifests, or signing-chain evidence needed to validate provenance. Without that baseline, it is difficult to definitively identify what was malicious versus legitimate in the distributed artifact.
Attack Delivered via Legitimately Signed Update
The malicious artifact carries a valid signature from the vendor's real signing key, so traditional allow-by-signature controls (Authenticode policy, Cosign verification, macOS notarization) do not flag it. Detection must pivot to behavioral indicators, reputation, and anomaly-based signals.
Mining Incident Treated as Low Priority by Stakeholders
Stakeholders frame unauthorized mining as "just a resource cost" and push for immediate process-kill and closure rather than a full investigation. This under-scoping routinely leaves the entry vector open and misses secondary compromise (webshells, backdoors, credential theft) the attacker installed alongside the miner.