This article is the first in a three-part series on tools that are useful during incident response and investigation after a compromise has occurred on an OpenBSD, Linux, or Solaris system. This installment will focus on system tools; the second part will discuss file-system tools, and the concluding article will look at network tools. The information used in these articles is based on OpenBSD 3.2, Debian GNU/Linux 3.0 (woody), RedHat 8.0 (psyche), and Solaris 9 (aka Solaris 2.9 or SunOS 5.9).

This is a pretty good article from SecurityFocus, the first of a 3-part series on Incident Response for Unix.

It walks through various tools you might use for forensics once a system is compromised and explains a little about the syntax and the use of the output for each tool.