book

Practical Linux Forensics

by Bruce Nikkel

October 2021

Beginner to intermediate

400 pages

11h 15m

English

No Starch Press

Read now

Unlock full access

Why I Wrote This BookTarget Audience and PrerequisitesScope and OrganizationConventions and Format
Digital Forensics HistoryForensic Analysis Trends and ChallengesPrinciples of Postmortem Computer Forensic AnalysisSpecial Topics in Forensics

History of LinuxModern Linux SystemsLinux DistributionsForensic Analysis of Linux Systems
Analysis of Storage Layout and Volume ManagementFilesystem Forensic AnalysisAn Analysis of ext4An Analysis of btrfsAn Analysis of xfsLinux Swap AnalysisAnalyzing Filesystem EncryptionSummary
Linux Directory LayoutLinux File Types and IdentificationLinux File AnalysisCrash and Core DumpsSummary
Traditional SyslogSystemd JournalOther Application and Daemon LogsKernel and Audit LogsSummary
Analysis of BootloadersAnalysis of Kernel InitializationAnalysis of SystemdPower and Physical Environment AnalysisSummary
System IdentificationDistro Installer AnalysisPackage File Format AnalysisPackage Management System AnalysisUniversal Software Package AnalysisOther Software Installation AnalysisSummary
Network Configuration AnalysisWireless Network AnalysisNetwork Security ArtifactsSummary
Linux Time Configuration AnalysisInternationalizationLinux and Geographic LocationSummary
Linux Login and Session AnalysisAuthentication and AuthorizationLinux Desktop ArtifactsUser Network AccessSummary
Linux Peripheral DevicesPrinters and ScannersExternal Attached StorageSummary

Content preview from Practical Linux Forensics

6RECONSTRUCTING SYSTEM BOOT AND INITIALIZATION

This chapter covers the forensic analysis of the Linux system boot and initialization process. We’ll examine the early boot stages where the BIOS or UEFI firmware pass control to the bootloader, the loading and executing of the kernel, and systemd initialization of a running system. Also included here is analysis of power management activities like sleep and hibernation, and the final shutdown process of the system.

Analysis of Bootloaders

Traditional PCs used a BIOS (basic input/output system) chip to run code from the first sector of a disk to boot the computer. This first sector is called the ...