Forensic Analysis of UNIX Systems

Dario V. Forte, University of Milan, Crema Italy


Some Basics of UNIX Forensics

UNIX File Systems: An Overview

Details on File System Structure

Tools and Techniques for Forensic Investigations

Preservation Phase: Imaging Disk under UNIX

Survey and Search Phase: Seeking Evidence under UNIX

UNIX and Network Forensics

Logs: Characteristics and Requisites

Log File Analysis

Experimentation: Using GPL Tools for Investigation and Correlation

Applying UNIX Forensics in a Coordinated Incident Response Procedure: A Case History

Conducting International Forensic Operations in Incident Response: Some Observations


Cross References


Further Reading


The spreading use of distributed systems is forcing the development of increasingly varied investigative procedures in digital forensics regarding both the target and the analysis platforms. A “target platform” is one that has been attacked or used to perpetrate some policy or criminal violation, whereas an “analysis platform” is the one that supports the forensic workstation. In this chapter I discuss UNIX-based platforms and the various “dialects” such as Solaris, AIX, xBSD, and, of course, Linux.

Some Basics of UNIX Forensics

The principles in forensic operations are essentially platform independent, though some file systems are not. In keeping with the rules of due diligence contained in the IACIS (International Association of Computer Investigative Specialists, ...

Get Handbook of Information Security: Information Warfare, Social, Legal, and International Issues and Security Foundations, Volume 2 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.