Linux

Notable reference site: Linux LEO, The Law Enforcement and Forensic Examiner’s Introduction to Linux. Please note, the guide has just received its first update in over a year. Updates should be coming more regularly, according to the guide’s author. Stay tuned for more to come! 

Test data is available GPT Partition Image (gptimage.raw.gz), Fat File System Image (fat_fs.raw), “Able2” Ext2 Disk Image , able2.tar.gz), “Able3” Ext4 Disk Image (able_3.tar.gz), Practice Log Archive (logs.v3.tar.gz), Carve Image (image_carve_2017.raw), and NTFS Image (ntfs_Pract_2017_E01.tar.gz).

For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table. 

Artifact or Process	Resource	Description
Discord	Finding Discord chats in Linux - #DFIR review
Forensic Analysis	A Linux Forensics Starter Case Study
Linux Forensics	Performing Linux Forensic Analysis and Why You Should Care!
Linux Forensics	Detecting and Investigating OpenSSL Backdoors on Linux
Memory Analysis	AVML – Memory Forensics For Linux
Memory Analysis	Acquiring Linux Memory using AVML and Using it with Volatility
Memory Analysis	Linux Forensics Series Chapter 1 — Memory Forensics
Memory Analysis	Microsoft's Project Freta	Project Freta is a free, cloud-based offering from the New Security Ventures (NSV) team at Microsoft Research that provides automated full-system volatile memory inspection of Linux systems.
Memory Analysis	Intro to Linux memory forensics
Memory Analysis	Linux Forensics: Memory Capture and Analysis
Memory Analysis	How to extract forensic artifacts from Linux swap
Universal Serial Bus (USB)	13Cubed - Linux Forensics! First Look at usbrip
Universal Serial Bus (USB)	USB Forensics
Universal Serial Bus (USB)	USB 101
Velociraptor	Velociraptor - Dig Deeper	Hands-on lab detailing a new open-source (AGPL) platform to perform surgical forensic evidence collection and incident response across a distributed computer network