Investigation Commands
Summary
This note is a quick reference for commands that often support basic investigation and triage work, especially on Linux and in lab environments.
When to use this note
- when you already have an alert, symptom, or suspicious event to investigate
- when you need fast host, log, or network checks before deeper analysis
- when you want quick recall without opening a full workflow note
Logs and evidence
| Command | Purpose |
|---|---|
| `journalctl -xe` | inspect recent system and service events |
| `tail -f <logfile>` | watch a log in real time |
| `grep <pattern> <logfile>` | search for a value in a log file |
Process and host checks
| Command | Purpose |
|---|---|
| `ps aux` | inspect running processes |
| `top` | inspect active processes and resource use |
| `whoami` | confirm current user context |
Network checks
| Command | Purpose |
|---|---|
| `ip addr` | inspect interface and IP state |
| `ip route` | inspect route table |
| `ping <host>` | test basic reachability |
| `nslookup <name>` | test name resolution |
Example sequence
```sh
whoami
ps aux
journalctl -xe
ip addr
nslookup suspicious.example
```
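A scripted form of the sequence above, added here as an example and not part of the original note: it runs each command in order, keeps the output of every step in an evidence directory, and records timestamp, exit status and a SHA-256 of each capture in a manifest so the triage output can be reviewed later without re-running anything on the host. The function name `collect_triage`, the file layout, and the use of `timeout` and `sha256sum` are assumptions; a command that is missing on the host is noted in the manifest rather than aborting the run.

```sh
#!/bin/sh
# Added example, not part of the original note. Collects the note's triage
# sequence into an evidence directory with a manifest. Assumed names:
# collect_triage, run_step, TRIAGE_DIR, TRIAGE_MANIFEST.

# run_step <label> <command> [args...]
# Captures stdout+stderr of one command to $TRIAGE_DIR/<label>.txt and appends
# a manifest line: UTC time, label, exit status, sha256 of the capture, command.
run_step() {
  label="$1"; shift
  out="$TRIAGE_DIR/$label.txt"
  status=0
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "command not available: $1" > "$out"; status=127
  elif command -v timeout >/dev/null 2>&1; then
    # bound each step so a stalled resolver or pager cannot hang the collection
    timeout 10 "$@" > "$out" 2>&1 || status=$?
  else
    "$@" > "$out" 2>&1 || status=$?
  fi
  # hash the capture so later edits to the evidence file are detectable
  sum=$(sha256sum "$out" 2>/dev/null | cut -d' ' -f1)
  printf '%s\t%s\tstatus=%s\tsha256=%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$label" "$status" "${sum:-unavailable}" "$*" \
    >> "$TRIAGE_MANIFEST"
}

# collect_triage <outdir> [name-to-resolve]
# Runs the note's sequence in order and prints the manifest path on success.
collect_triage() {
  TRIAGE_DIR="$1"
  name="${2:-suspicious.example}"   # placeholder name from the note's example
  mkdir -p "$TRIAGE_DIR" || return 1
  TRIAGE_MANIFEST="$TRIAGE_DIR/manifest.txt"
  : > "$TRIAGE_MANIFEST"
  run_step 01-whoami   whoami
  run_step 02-ps       ps aux
  run_step 03-journal  journalctl -xe
  run_step 04-ipaddr   ip addr
  run_step 05-iproute  ip route
  run_step 06-nslookup nslookup "$name"
  echo "$TRIAGE_MANIFEST"
}

# usage: collect_triage ./evidence-$(date -u +%Y%m%dT%H%M%SZ) suspicious.example
```

Keep the evidence directory on a separate, write-once location where possible; the manifest hashes only show tampering if the manifest itself is preserved.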
Notes
- these are support commands, not a full investigation methodology
- the same command becomes more useful when you know what question you are trying to answer
- this command reference should stay lighter than the investigation guide itself
Common mistakes
- running commands without a clear question in mind
- treating one command result as proof without checking context
- jumping into tooling before narrowing user, host, time, or service scope