AFTERWORD
In theory, an exhaustive forensic examination of a Linux system would include understanding the origin, purpose, and contents of every file and directory on the entire system. This is typically hundreds of thousands of files. Clearly not all of these files are of forensic interest. Documenting every possible file and directory from a forensics perspective is infeasible. There are too many fringe use cases, and each distro and system administrator introduces their own files and applications. In addition, the free and open source landscape is in a state of perpetual change. New files are introduced and legacy files are deprecated.
In ...