Forensic Artifacts

Scheduled Jobs

Collect the crontab files

Analyze each line of these files, and extract the executable file or script it references for further analysis.

# system wide
/etc/crontab
/etc/anacrontab
/var/spool/at/<Jobs>
# user specific
/var/spool/cron/<user_id>
/var/spool/anacron/<user_id>

Collect script files from the following folders

/etc/cron.d
/etc/cron.hourly
/etc/cron.daily
/etc/cron.weekly
/etc/cron.monthly
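
The per-line analysis described above can be scripted once the files are collected. The following is an added example, not part of the original page: it parses crontab-format text and lists the absolute paths each job references, so those files can be collected next. The function name parse_crontab and the sample content are constructed for illustration; anacrontab and at job files use different layouts and are not covered.

```python
import re
import shlex

# Constructed sample in /etc/crontab layout (system-wide files carry a user field).
SAMPLE_SYSTEM = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 *  * * *  root      cd / && run-parts --report /etc/cron.hourly
@reboot      root      /usr/local/bin/example-job.sh --quiet
*/5 * * * *  www-data  MODE=fast /opt/example/sync.py >/dev/null 2>&1
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")    # NAME = value setting
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")     # VAR=val before a command


def parse_crontab(text, has_user_field):
    """Return one dict per job line with schedule, user, command and paths.

    has_user_field: True for /etc/crontab and /etc/cron.d files, False for
    per-user files in /var/spool/cron.
    """
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        n_sched = 1 if line.startswith("@") else 5   # @reboot etc. is one field
        n_lead = n_sched + (1 if has_user_field else 0)
        fields = line.split(None, n_lead)
        if len(fields) <= n_lead:
            # Too few fields: keep the line for manual review.
            jobs.append({"line": lineno, "raw": raw, "error": "short line"})
            continue
        command = fields[-1]
        try:
            words = shlex.split(command)
        except ValueError:  # unbalanced quotes in the command
            words = command.split()
        words = [w for w in words if not ASSIGNMENT.match(w)]
        jobs.append({
            "line": lineno,
            "schedule": " ".join(fields[:n_sched]),
            "user": fields[n_sched] if has_user_field else None,
            "command": command,
            "first_word": words[0] if words else None,
            # Absolute paths named in the command: files to collect next.
            "paths": [w for w in words if w.startswith("/") and len(w) > 1],
        })
    return jobs
```

Jobs whose first word is a shell builtin or a bare name (such as cd or run-parts above) still need the command string reviewed by hand, since the program is resolved through the shell and PATH at run time.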