Linux - AboutDFIR - The Definitive Compendium Project

Notable reference site: Linux LEO, The Law Enforcement and Forensic Examiner’s Introduction to Linux. Please note, the guide has just received its first update in over a year. Updates should be coming more regularly, according to the guide’s author. Stay tuned for more to come!

Test data is available GPT Partition Image (gptimage.raw.gz), Fat File System Image (fat_fs.raw), “Able2” Ext2 Disk Image , able2.tar.gz), “Able3” Ext4 Disk Image (able_3.tar.gz), Practice Log Archive (logs.v3.tar.gz), Carve Image (image_carve_2017.raw), and NTFS Image (ntfs_Pract_2017_E01.tar.gz).

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table.

Artifact or Process:

Resource:

Resource Link:

Summary:

wdt_ID	Artifact or Process	Resource	Resource Link	Summary
15	Memory Analysis	AVML – Memory Forensics For Linux	Link
14	Memory Analysis	Acquiring Linux Memory using AVML and Using it with Volatility	Link
13	Discord	Finding Discord chats in Linux - #DFIR review	Link
16	Velociraptor	Velociraptor - Dig Deeper	Link	Hands-on lab detailing a new open-source (AGPL) platform to perform surgical forensic evidence collection and incident response across a distributed computer network
17	Linux Forensics	Performing Linux Forensic Analysis and Why You Should Care!	Link
18	Memory Analysis	Linux Forensics Series Chapter 1 — Memory Forensics	Link
19	Universal Serial Bus (USB)	13Cubed - Linux Forensics! First Look at usbrip	Link
20	Universal Serial Bus (USB)	USB Forensics	Link
21	Universal Serial Bus (USB)	USB 101	Link
22	Memory Analysis	Microsoft's Project Freta	Link	Project Freta is a free, cloud-based offering from the New Security Ventures (NSV) team at Microsoft Research that provides automated full-system volatile memory inspection of Linux systems.
	Artifact or Process	Resource	Resource Link	Summary