Notable reference site: Linux LEO, The Law Enforcement and Forensic Examiner’s Introduction to Linux. Please note, the guide has just received its first update in over a year. Updates should be coming more regularly, according to the guide’s author. Stay tuned for more to come!
Test data is available GPT Partition Image (gptimage.raw.gz), Fat File System Image (fat_fs.raw), “Able2” Ext2 Disk Image , able2.tar.gz), “Able3” Ext4 Disk Image (able_3.tar.gz), Practice Log Archive (logs.v3.tar.gz), Carve Image (image_carve_2017.raw), and NTFS Image (ntfs_Pract_2017_E01.tar.gz).
For information on file signature analysis (OS agnostic and file-type specific), please check out Gary Kessler’s File Signature Table.
|Artifact or Process||Resource||Description|
|Discord||Finding Discord chats in Linux - #DFIR review|
|Forensic Analysis||A Linux Forensics Starter Case Study|
|Linux Forensics||Performing Linux Forensic Analysis and Why You Should Care!|
|Linux Forensics||Detecting and Investigating OpenSSL Backdoors on Linux|
|Memory Analysis||AVML – Memory Forensics For Linux|
|Memory Analysis||Acquiring Linux Memory using AVML and Using it with Volatility|
|Memory Analysis||Linux Forensics Series Chapter 1 — Memory Forensics|
|Memory Analysis||Microsoft's Project Freta||Project Freta is a free, cloud-based offering from the New Security Ventures (NSV) team at Microsoft Research that provides automated full-system volatile memory inspection of Linux systems.|
|Memory Analysis||Intro to Linux memory forensics|
|Memory Analysis||Linux Forensics: Memory Capture and Analysis|
|Memory Analysis||How to extract forensic artifacts from Linux swap|
|Universal Serial Bus (USB)||13Cubed - Linux Forensics! First Look at usbrip|
|Universal Serial Bus (USB)||USB Forensics|
|Universal Serial Bus (USB)||USB 101|
|Velociraptor||Velociraptor - Dig Deeper||Hands-on lab detailing a new open-source (AGPL) platform to perform surgical forensic evidence collection and incident response across a distributed computer network|