# Linux Forensics

Accounting entries:

* utmp
  * Info about currently logged in users
* wtmp
  * Data about past user logins
* btmp
  * Bad login entries for failed login attempts
* lastlog
  * Shows login name, port, and last login time for each user