Notable reference site: Linux LEO, The Law Enforcement and Forensic Examiner’s Introduction to Linux. Please note, the guide has just received its first update in over a year. Updates should be coming more regularly, according to the guide’s author. Stay tuned for more to come!
Test data is available GPT Partition Image (gptimage.raw.gz), Fat File System Image (fat_fs.raw), “Able2” Ext2 Disk Image , able2.tar.gz), “Able3” Ext4 Disk Image (able_3.tar.gz), Practice Log Archive (logs.v3.tar.gz), Carve Image (image_carve_2017.raw), and NTFS Image (ntfs_Pract_2017_E01.tar.gz).
For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table.
| Artifact or Process | Resource | Description |
|---|---|---|
| Artifact Collection | Unix Collector | A shell script for basic forensic collection of various artifacts from UNIX systems. |
| Discord | Finding Discord chats in Linux - #DFIR review | |
| Forensic Analysis | A Linux Forensics Starter Case Study | |
| Linux Forensics | Performing Linux Forensic Analysis and Why You Should Care! | |
| Linux Forensics | Detecting and Investigating OpenSSL Backdoors on Linux | |
| lLeapp | lLeapp | Linux Logs Events Application Program Parser |
| Memory Analysis | AVML – Memory Forensics For Linux | |
| Memory Analysis | Acquiring Linux Memory using AVML and Using it with Volatility | |
| Memory Analysis | Linux Forensics Series Chapter 1 — Memory Forensics | |
| Memory Analysis | Microsoft's Project Freta | Project Freta is a free, cloud-based offering from the New Security Ventures (NSV) team at Microsoft Research that provides automated full-system volatile memory inspection of Linux systems. |
| Memory Analysis | Intro to Linux memory forensics | |
| Memory Analysis | Linux Forensics: Memory Capture and Analysis | |
| Memory Analysis | How to extract forensic artifacts from Linux swap | |
| Timestamps | Linux History File Timestamps - Thomas Millar | Walk-through setting up a Linux VM and then reviewing timestamp and artifact information. |
| Universal Serial Bus (USB) | 13Cubed - Linux Forensics! First Look at usbrip | |
| Universal Serial Bus (USB) | USB Forensics | |
| Universal Serial Bus (USB) | USB 101 | |
| Velociraptor | Velociraptor - Dig Deeper | Hands-on lab detailing a new open-source (AGPL) platform to perform surgical forensic evidence collection and incident response across a distributed computer network |