Notable reference site: Linux LEO, The Law Enforcement and Forensic Examiner’s Introduction to Linux. Please note, the guide has just received its first update in over a year. Updates should be coming more regularly, according to the guide’s author. Stay tuned for more to come!
Test data is available: GPT Partition Image (gptimage.raw.gz), FAT File System Image (fat_fs.raw), “Able2” Ext2 Disk Image (able2.tar.gz), “Able3” Ext4 Disk Image (able_3.tar.gz), Practice Log Archive (logs.v3.tar.gz), Carve Image (image_carve_2017.raw), and NTFS Image (ntfs_Pract_2017_E01.tar.gz).
For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table.
Artifact or Process | Resource | Description |
---|---|---|
Artifact Collection | Unix Collector | A shell script for basic forensic collection of various artifacts from UNIX systems. |
Discord | Finding Discord chats in Linux - #DFIR review | |
Forensic Analysis | A Linux Forensics Starter Case Study | |
Image Mounting | Mounting E01 Forensic Images in Linux - Eric Capuano | Mounting an E01 Image using ewf-tools on Linux |
Linux Forensics | Performing Linux Forensic Analysis and Why You Should Care! | |
Linux Forensics | Detecting and Investigating OpenSSL Backdoors on Linux | |
Linux Forensics | Linux Web Server Forensics: Dr. Ali Hadi's Web Server Case | Walk-through of Dr. Ali Hadi's Web Server Case CTF |
lLeapp | lLeapp | Linux Logs Events Application Program Parser |
Memory Acquisition | AArch64 Memory Acquisition for Linux | Use of DumpIt-Linux on Arm64 systems |
Memory Analysis | AVML – Memory Forensics For Linux | |
Memory Analysis | Acquiring Linux Memory using AVML and Using it with Volatility | |
Memory Analysis | Linux Forensics Series Chapter 1 — Memory Forensics | |
Memory Analysis | Microsoft's Project Freta | Project Freta is a free, cloud-based offering from the New Security Ventures (NSV) team at Microsoft Research that provides automated full-system volatile memory inspection of Linux systems. |
Memory Analysis | Intro to Linux memory forensics | |
Memory Analysis | Linux Forensics: Memory Capture and Analysis | |
Memory Analysis | How to extract forensic artifacts from Linux swap | |
Timestamps | Linux History File Timestamps - Thomas Millar | Walk-through setting up a Linux VM and then reviewing timestamp and artifact information. |
Universal Serial Bus (USB) | 13Cubed - Linux Forensics! First Look at usbrip | |
Universal Serial Bus (USB) | USB Forensics | |
Universal Serial Bus (USB) | USB 101 | |
Velociraptor | Velociraptor - Dig Deeper | Hands-on lab detailing a new open-source (AGPL) platform to perform surgical forensic evidence collection and incident response across a distributed computer network |