3 EVIDENCE FROM STORAGE DEVICES AND FILESYSTEMS


This chapter focuses on the forensic analysis of Linux storage, including partition tables, volume management and RAID, filesystems, swap partitions and hibernation, and drive encryption. Each of these areas has Linux-specific artifacts that we can analyze. You may be able to use commercial forensic tools to perform most of the activities shown here, but for illustrative purposes, the examples in this chapter use Linux tools.

When performing a forensic analysis of a computer system’s storage, the first step is to identify precisely what is on the drive. We must understand the layout, formats, versions, ...
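The first step described above, identifying the layout of a drive before touching any filesystem on it, can be illustrated with a small partition-table parser. The following is an added example written for this page and is not code from the book or its author: it decodes the four primary entries of an MBR partition table from the first 512-byte sector, flags a GPT protective entry, and lists the sector ranges that no partition claims, which is where an examiner would look for hidden or leftover data. The sample sector is constructed inline (it is not a real disk image), and the function names `parse_mbr`, `unallocated_ranges` and `build_sample_mbr` are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of sector 0
PART_TABLE_OFFSET = 446          # four 16-byte entries start here
PART_ENTRY_SIZE = 16
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sector-count(4 LE)
ENTRY_FMT = "<B3xB3xII"

# Common partition type ids seen on Linux systems (subset; others report as unknown).
PART_TYPES = {
    0x00: "empty", 0x05: "extended", 0x0F: "extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0x8E: "Linux LVM",
    0xFD: "Linux RAID autodetect", 0xEE: "GPT protective",
}


@dataclass
class PartitionEntry:
    index: int          # 1-based slot in the table
    bootable: bool      # status byte 0x80
    type_id: int
    start_lba: int
    sector_count: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.sector_count - 1

    @property
    def type_name(self) -> str:
        return PART_TYPES.get(self.type_id, "unknown (0x%02x)" % self.type_id)


def parse_mbr(sector0: bytes) -> List[PartitionEntry]:
    """Decode the primary partition entries of sector 0; empty slots are skipped."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one full 512-byte sector")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature (0x55AA) at offset 510")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, type_id, start, count = struct.unpack_from(ENTRY_FMT, sector0, off)
        if type_id == 0x00:
            continue                       # unused slot
        entries.append(PartitionEntry(i + 1, status == 0x80, type_id, start, count))
    return entries


def is_gpt_protective(entries: List[PartitionEntry]) -> bool:
    """A single 0xEE entry means the real layout is in a GPT header at LBA 1."""
    return any(e.type_id == 0xEE for e in entries)


def unallocated_ranges(entries: List[PartitionEntry], total_sectors: int) -> List[Tuple[int, int]]:
    """Inclusive LBA ranges claimed by no partition (gaps before, between and after)."""
    gaps = []
    cursor = 0
    for e in sorted(entries, key=lambda e: e.start_lba):
        if e.start_lba > cursor:
            gaps.append((cursor, e.start_lba - 1))
        cursor = max(cursor, e.end_lba + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sample sector: Linux boot partition, swap, LVM, with a 2048-sector hole."""
    sector = bytearray(SECTOR)

    def put(slot, status, type_id, start, count):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE,
                         status, type_id, start, count)

    put(0, 0x80, 0x83, 2048, 1048576)        # ends at LBA 1050623
    put(1, 0x00, 0x82, 1050624, 4194304)     # ends at LBA 5244927
    put(2, 0x00, 0x8E, 5246976, 16777216)    # leaves 5244928-5246975 unclaimed
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print("%d %s boot=%s LBA %d-%d" % (p.index, p.type_name, p.bootable, p.start_lba, p.end_lba))
    print("GPT protective:", is_gpt_protective(parts))
    print("unallocated:", unallocated_ranges(parts, 41943040))   # 20 GiB device, constructed size
```

On a real acquisition the same sector is simply the first 512 bytes of the image file, and the unclaimed ranges the script reports are the areas to carve or hash separately, since nothing in the partition table accounts for them.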

Get Practical Linux Forensics now with the O’Reilly learning platform.
