SSH auth.log
Look at the auth log with `cat /var/log/auth.log`, which shows the SSH logins to the server. If you use public/private keys, the log also tells you which key (and so who) logged into a "shared" account (like root).
![Screenshot of SSH infos](/blueteam/forensics/forensic-ssh-pubkey.png?h=8d032a0a29075a766d073242b90a95a6)
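An added example (not part of the original page): it matches the key fingerprint in each `Accepted publickey` line of auth.log against the entries of an authorized_keys file to name the key owner. The log lines, key blobs and IP addresses are constructed sample data, and the function names are this example's own.

```python
import base64
import hashlib
import re

def fingerprint(b64_blob):
    """SHA256 fingerprint as sshd logs it: unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Key type, base64 blob, optional comment; leading options (from=..., command=...) are skipped.
KEY_RE = re.compile(r"\b((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def load_keys(authorized_keys_text):
    """Map fingerprint -> comment (usually user@host) for each authorized_keys entry."""
    keys = {}
    for line in authorized_keys_text.splitlines():
        m = KEY_RE.search(line.strip())
        if m and not line.lstrip().startswith("#"):
            keys[fingerprint(m.group(2))] = m.group(3) or "(no comment)"
    return keys

LOGIN_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def attribute_logins(auth_log_text, keys):
    """Return (account, source_ip, key_owner) for every public-key login in the log."""
    return [(m.group(1), m.group(2), keys.get(m.group(3), "UNKNOWN KEY"))
            for m in LOGIN_RE.finditer(auth_log_text)]

# Constructed sample data: placeholder key blobs and documentation IP addresses.
def sample_blob(name):
    return base64.b64encode(name.encode()).decode()

AUTHORIZED_KEYS = (f"ssh-ed25519 {sample_blob('alice-key')} alice@laptop\n"
                   f'from="10.0.0.0/8" ssh-rsa {sample_blob("bob-key")} bob@workstation\n')
AUTH_LOG = "\n".join(
    f"Mar  3 09:1{i}:22 srv sshd[12{i}4]: Accepted publickey for root from {ip} "
    f"port 5123{i} ssh2: {alg} {fingerprint(sample_blob(name))}"
    for i, (ip, alg, name) in enumerate([("192.0.2.10", "ED25519", "alice-key"),
                                         ("198.51.100.7", "RSA", "bob-key"),
                                         ("203.0.113.5", "ED25519", "removed-key")]))

if __name__ == "__main__":
    for account, ip, owner in attribute_logins(AUTH_LOG, load_keys(AUTHORIZED_KEYS)):
        print(f"{account:<6} {ip:<14} {owner}")
```

A login reported as `UNKNOWN KEY` means the fingerprint is not in the file you loaded: the key may have been removed since, or it may be authorized through a different file.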
Data sources
- Microsoft Teams user generated content (`C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Teams` IndexedDB)