Forensic Artifacts
SSHD Logs
Collect the log files from
/var/log/secure
SSH Keys
Collect the keys found on the filesystem
grep -ir "BEGIN RSA PRIVATE KEY" /*
grep -ir "BEGIN DSA PRIVATE KEY" /*
Collect the SSH Authorized keys from
~/.ssh/authorized_keys
Collect the Known hosts, SSH config, and bash history files for all users
~/.ssh/known_hosts
~/.bash_history
~/.ssh/config
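The collection steps above combined into one script, added here as an example and not part of the original page. The function name, the ROOT/OUT arguments, the output layout and the manifest file are assumptions of this example; it also goes beyond the page by matching EC and OPENSSH private key headers in addition to RSA and DSA.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). collect_ssh_artifacts ROOT OUT
# ROOT is "/" on a live host or the mount point of an image (assumption).
# OUT should sit outside ROOT, on separate evidence media.
collect_ssh_artifacts() {
    local root="${1%/}" out="$2" user home rel src dest
    mkdir -p "$out/var/log" || return 1

    # SSHD logs: /var/log/secure plus rotated copies; cp -p keeps timestamps.
    for src in "$root"/var/log/secure*; do
        [ -f "$src" ] || continue
        cp -p "$src" "$out/var/log/"
    done

    # Per-user files for every account whose home directory exists.
    while IFS=: read -r user _ _ _ _ home _; do
        [ -n "$home" ] && [ -d "$root$home" ] || continue
        for rel in .ssh/authorized_keys .ssh/known_hosts .ssh/config .bash_history; do
            src="$root$home/$rel"
            [ -f "$src" ] || continue
            dest="$out/users/$user/$rel"
            mkdir -p "$(dirname "$dest")" && cp -p "$src" "$dest"
        done
    done < "$root/etc/passwd"

    # Private keys: record the paths only. /proc and /sys are pruned; the EC
    # and OPENSSH headers are added beyond the two patterns on the page.
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/sys" \) -prune -o \
        -type f -size -64k \
        -exec grep -lIE 'BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY' {} + \
        2>/dev/null > "$out/private_key_paths.txt" || true

    # Hash everything collected so later changes to the copies are detectable.
    (cd "$out" && find . -type f ! -name manifest.sha256 \
        -exec sha256sum {} + > manifest.sha256)
}

# Run only when called with both arguments: script.sh ROOT OUT
if [ "$#" -eq 2 ]; then
    collect_ssh_artifacts "$1" "$2"
fi
```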
Other RAT tools
Look for installed applications and find any RAT tools such as
X Window
VNC
Xrdp