Chapter 12. Forensics

 

“Only strong characters can resist the temptation of superficial analysis.”

--Albert Einstein

Sometimes logging isn’t enough; it can fail, or it can be incomplete, or it can be compromised. Sometimes it is simply too late by the time someone reads the log. And other times bad things just happen. That is where forensics comes in, giving users the capability to take snapshots of the forest before the tree falls, as well as allowing them to search the underbrush for fallen trees.

In this chapter we give you an overview of forensics, show how some open source tools can be used to monitor filesystem integrity, and describe the options available for analyzing hard disk data in a postmortem situation.

An Overview of Computer Forensics
