book

Practical Linux Forensics

by Bruce Nikkel

October 2021

Beginner to intermediate

400 pages

11h 15m

English

No Starch Press

Read now

Unlock full access

Why I Wrote This BookTarget Audience and PrerequisitesScope and OrganizationConventions and Format
Digital Forensics HistoryForensic Analysis Trends and ChallengesPrinciples of Postmortem Computer Forensic AnalysisSpecial Topics in Forensics

History of LinuxModern Linux SystemsLinux DistributionsForensic Analysis of Linux Systems
Analysis of Storage Layout and Volume ManagementFilesystem Forensic AnalysisAn Analysis of ext4An Analysis of btrfsAn Analysis of xfsLinux Swap AnalysisAnalyzing Filesystem EncryptionSummary
Linux Directory LayoutLinux File Types and IdentificationLinux File AnalysisCrash and Core DumpsSummary
Traditional SyslogSystemd JournalOther Application and Daemon LogsKernel and Audit LogsSummary
Analysis of BootloadersAnalysis of Kernel InitializationAnalysis of SystemdPower and Physical Environment AnalysisSummary
System IdentificationDistro Installer AnalysisPackage File Format AnalysisPackage Management System AnalysisUniversal Software Package AnalysisOther Software Installation AnalysisSummary
Network Configuration AnalysisWireless Network AnalysisNetwork Security ArtifactsSummary
Linux Time Configuration AnalysisInternationalizationLinux and Geographic LocationSummary
Linux Login and Session AnalysisAuthentication and AuthorizationLinux Desktop ArtifactsUser Network AccessSummary
Linux Peripheral DevicesPrinters and ScannersExternal Attached StorageSummary

Content preview from Practical Linux Forensics

3EVIDENCE FROM STORAGE DEVICES AND FILESYSTEMS

This chapter focuses on the forensic analysis of Linux storage, including partition tables, volume management and RAID, filesystems, swap partitions and hibernation, and drive encryption. Each of these areas have Linux-specific artifacts that we can analyze. You may be able to use commercial forensic tools to perform most of the activities shown here, but for illustrative purposes, the examples in this chapter use Linux tools.

When performing a forensic analysis of a computer system’s storage, the first step is to identify precisely what is on the drive. We must understand the layout, formats, versions, ...