AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Notable reference site: Linux LEO, The Law Enforcement and Forensic Examiner’s Introduction to Linux. Please note, the guide has just received its first update in over a year. Updates should be coming more regularly, according to the guide’s author. Stay tuned for more to come! 

Test data is available GPT Partition Image (gptimage.raw.gz), Fat File System Image (fat_fs.raw), “Able2” Ext2 Disk Image , able2.tar.gz), “Able3” Ext4 Disk Image (able_3.tar.gz), Practice Log Archive (logs.v3.tar.gz), Carve Image (image_carve_2017.raw), and NTFS Image (ntfs_Pract_2017_E01.tar.gz).

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table

See below for a list of Linux Tools.

ToolDescription
lLeappLinux Logs Events Application Program Parser
UACUAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
Unix CollectorA shell script for basic forensic collection of various artifacts from UNIX systems.

See below for a list of Linux Artifacts.

Artifact or ProcessResource
AtopParsing Atop log files with Dissect
DiscordFinding Discord chats in Linux - #DFIR review
Image MountingMounting E01 Forensic Images in Linux - Eric Capuano
Ivanti Evidence AcquisitionOverview: Evidence Collection of Ivanti Connected Secure Appliances
Ivanti Log AnalysisIvanti Connect Secure Auth Bypass and Remote Code Authentication CVE-2024-21887
Linux ForensicsA Linux Forensics Starter Case Study
Linux ForensicsPerforming Linux Forensic Analysis and Why You Should Care!
Linux ForensicsDetecting and Investigating OpenSSL Backdoors on Linux
Linux ForensicsLinux Web Server Forensics: Dr. Ali Hadi's Web Server Case
Linux ForensicsLinux Forensics In Depth
Linux ForensicsInvestigating a Compromised Web Server
Linux ForensicsLinux Incident Response - using lsof to check network connections
Linux ForensicsLinux Live Incident Response - the ps command
Linux ForensicsLinux incident response - understanding endianess
Linux ForensicsLinux Incident Response - getting the EXT4 file creation time
Linux ForensicsLinux Forensic Artifacts
Linux ForensicsUsing the Unix-like Artifacts Collector and Cado Community Edition to Investigate a Compromised Linux System
Linux ForensicsUnderstanding nohup
Linux ForensicsLinux Copy on Write for Incident Responders
Linux ForensicsOrphan Processes in Linux
Memory AcquisitionAArch64 Memory Acquisition for Linux
Memory ForensicsAVML – Memory Forensics For Linux
Memory ForensicsAcquiring Linux Memory using AVML and Using it with Volatility
Memory ForensicsLinux Forensics Series Chapter 1 — Memory Forensics
Memory ForensicsMicrosoft's Project Freta
Memory ForensicsIntro to Linux memory forensics
Memory ForensicsLinux Forensics: Memory Capture and Analysis
Memory ForensicsHow to extract forensic artifacts from Linux swap
TestDiskTestDisk in Linux and recover deleted files
TimestampsLinux History File Timestamps - Thomas Millar
Universal Serial Bus (USB)13Cubed - Linux Forensics! First Look at usbrip
Universal Serial Bus (USB)USB Forensics
Universal Serial Bus (USB)USB 101
VelociraptorVelociraptor - Dig Deeper