Cron Jobs

Overview

Evidence: Cron Jobs Description: Collect Cron Jobs Category: System Platform: Linux Short Name: cronjobs Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Linux cron jobs provide information about scheduled tasks and automated processes. This data is essential for understanding system automation, detecting unauthorized scheduled tasks, and investigating persistence mechanisms.

Data Collected

This collector gathers structured data about cron jobs.

Cron Jobs Data

Field
Description
Example

ID

Primary key (auto-increment)

1

Minute

Minute field (0-59)

0

Hour

Hour field (0-23)

2

DayOfMonth

Day of month field (1-31)

*

Month

Month field (1-12)

*

DayOfWeek

Day of week field (0-7)

*

Command

Command to execute

/usr/bin/backup.sh

Path

Cron file path

/etc/crontab

Event

Special event (e.g., @hourly)

Collection Method

This collector parses the necessary data from the cron_jobs table.

This collector collects files from the following locations:

  • /etc/crontab

  • /etc/cron.d/

  • /var/spool/cron/

Usage

This evidence is crucial for forensic investigations as it provides scheduled task information. It helps investigators understand system automation, detect unauthorized scheduled tasks, and investigate persistence-based attacks. The data can reveal scheduled tasks, automation patterns, and potential persistence mechanisms. Analysts can use this information to identify persistence compromises, trace scheduled activities, and assess automation security posture.

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.

Last updated

Was this helpful?