A resource to help forensic investigators locate, analyze, and understand digital evidence found on modern Linux systems after a crime, security incident or cyber attack.
Practical Linux Forensics dives into the technical details of analyzing postmortem forensic images of Linux systems which have been misused, abused, or the target of malicious attacks. It helps forensic investigators locate and analyze digital evidence found on Linux desktops, servers, and IoT devices. Throughout the book, you learn how to identify digital artifacts which may be of interest to an investigation, draw logical conclusions, and reconstruct past activity from incidents. You’ll learn how Linux works from a digital forensics and investigation perspective, and how to interpret evidence from Linux environments. The techniques shown are intended to be independent of the forensic analysis platforms and tools used.
Learn how to:
- Extract evidence from storage devices and analyze partition tables, volume managers, popular Linux filesystems (Ext4, Btrfs, and Xfs), and encryption
- Investigate evidence from Linux logs, including traditional syslog, the systemd journal, kernel and audit logs, and logs from daemons and applications
- Reconstruct the Linux startup process, from boot loaders (UEFI and Grub) and kernel initialization, to systemd unit files and targets leading up to a graphical login
- Perform analysis of power, temperature, and the physical environment of a Linux machine, and find evidence of sleep, hibernation, shutdowns, reboots, and crashes
- Examine installed software, including distro installers, package formats, and package management systems from Debian, Fedora, SUSE, Arch, and other distros
- Perform analysis of time and Locale settings, internationalization including language and keyboard settings, and geolocation on a Linux system
- Reconstruct user login sessions (shell, X11 and Wayland), desktops (Gnome, KDE, and others) and analyze keyrings, wallets, trash cans, clipboards, thumbnails, recent files and other desktop artifacts
- Analyze network configuration, including interfaces, addresses, network managers, DNS, wireless artifacts (Wi-Fi, Bluetooth, WWAN), VPNs (including WireGuard), firewalls, and proxy settings
- Identify traces of attached peripheral devices (PCI, USB, Thunderbolt, Bluetooth) including external storage, cameras, and mobiles, and reconstruct printing and scanning activity
Cover Page Title Page Copyright Page Dedication About the Author About the Technical Reviewer BRIEF CONTENTS CONTENTS IN DETAIL INTRODUCTION Why I Wrote This Book Target Audience and Prerequisites Scope and Organization Conventions and Format 1 DIGITAL FORENSICS OVERVIEW Digital Forensics History Forensic Analysis Trends and Challenges Principles of Postmortem Computer Forensic Analysis Special Topics in Forensics 2 LINUX OVERVIEW History of Linux Modern Linux Systems Linux Distributions Forensic Analysis of Linux Systems 3 EVIDENCE FROM STORAGE DEVICES AND FILESYSTEMS Analysis of Storage Layout and Volume Management Filesystem Forensic Analysis An Analysis of ext4 An Analysis of btrfs An Analysis of xfs Linux Swap Analysis Analyzing Filesystem Encryption Summary 4 DIRECTORY LAYOUT AND FORENSIC ANALYSIS OF LINUX FILES Linux Directory Layout Linux File Types and Identification Linux File Analysis Crash and Core Dumps Summary 5 INVESTIGATING EVIDENCE FROM LINUX LOGS Traditional Syslog Systemd Journal Other Application and Daemon Logs Kernel and Audit Logs Summary 6 RECONSTRUCTING SYSTEM BOOT AND INITIALIZATION Analysis of Bootloaders Analysis of Kernel Initialization Analysis of Systemd Power and Physical Environment Analysis Summary 7 EXAMINATION OF INSTALLED SOFTWARE PACKAGES System Identification Distro Installer Analysis Package File Format Analysis Package Management System Analysis Universal Software Package Analysis Other Software Installation Analysis Summary 8 IDENTIFYING NETWORK CONFIGURATION ARTIFACTS Network Configuration Analysis Wireless Network Analysis Network Security Artifacts Summary 9 FORENSIC ANALYSIS OF TIME AND LOCATION Linux Time Configuration Analysis Internationalization Linux and Geographic Location Summary 10 RECONSTRUCTING USER DESKTOPS AND LOGIN ACTIVITY Linux Login and Session Analysis Authentication and Authorization Linux Desktop Artifacts User Network Access Summary 11 FORENSIC TRACES OF ATTACHED PERIPHERAL DEVICES Linux Peripheral Devices Printers and Scanners External Attached Storage Summary AFTERWORD APPENDIX: FILE/DIRECTORY LIST FOR DIGITAL INVESTIGATORS INDEX
How to download source code?
1. Go to:
2. Search the book title:
Practical Linux Forensics: A Guide for Digital Investigators, sometime you may not get the results, please search the main title
3. Click the book title in the search results
3. Download the Source Code.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.