Computer Forensics

forensic3e_ppt_ch09.pptx

System Forensics, Investigation, and Response

Lesson 9

Linux Forensics

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Summarize various types of digital forensics.


Key Concepts

Linux file systems

What to look for in Linux system logs

Forensically interesting Linux directories

Important Linux shell commands

How to undelete files from Linux


History of Linux


1969: UNIX created at Bell Laboratories

1972: UNIX operating system released

1983: Richard Stallman creates GNU (GNU’s Not UNIX)

7/3/2017


History of Linux (Cont.)


1987: Andrew S. Tanenbaum creates Minix, another UNIX variant

1991: Linus Torvalds begins creating Linux

2017: Hundreds of Linux distributions are available


Linux Shells


Many Linux administrators work entirely in the shell without ever using a graphical user interface (GUI). Linux offers many different shells, such as:

Bourne shell (sh)—This was the original default shell for UNIX. It was first released in 1977.

Bourne-again shell (Bash)—This is the most commonly used shell in Linux. It was released in 1989.

C shell (csh)—This shell derives its name from the fact that it uses very C-like syntax. Linux users who are familiar with C will like this shell. It was first released for UNIX in 1978.

Korn shell (ksh)—This is a popular shell developed by David Korn in the 1980s. The Korn shell is meant to be compatible with the Bourne shell, but to also incorporate true programming language capabilities.


Common Linux Shell Commands


Common Linux Shell Commands (Cont.)


Common Linux Shell Commands (Cont.)


GNU Network Object Model Environment (GNOME)


Most Linux distributions include GNOME

Is built on GTK+, a cross-platform toolkit for creating graphical user interfaces

Includes hundreds of free applications, including Inkscape (drawing program), Gimp (paint program), and Banshee (music and video player)

One of the two most popular GUIs for Linux


K Desktop Environment (KDE)/Plasma


Most Linux distributions ship with either KDE or GNOME, or both.

Is built on the Qt framework, a multiplatform GUI framework written in C++.

The name KDE was intended as a word play on the Common Desktop Environment (CDE) available for UNIX systems. Today the K no longer stands for anything; the project uses the name KDE for the community and calls the desktop itself Plasma.

Like GNOME, KDE includes hundreds of free applications, such as Karbon (scalable graphics program, formerly Karbon14), KolourPaint (paint program), and KPlayer (multimedia player)


Other Linux GUIs

Common Desktop Environment (CDE)

Originally developed in 1994 for UNIX systems

Based on HP’s Visual User Environment (VUE)

Enlightenment

Relatively new

Designed for graphics developers


Linux Boot Process


Step 1

Linux is often used on embedded systems, even smartphones. In such cases, when the system is first powered on, the first step is to load the bootstrap environment. On a PC with legacy firmware, booting Linux begins in the BIOS (basic input/output system): the CPU starts executing at the reset vector, physical address 0xFFFF0.

Just as with Windows, the first sector of a disk is called the boot sector. It contains executable code that is used in the boot process, and a valid boot sector ends with the signature 0xAA55 in its final two bytes (stored little-endian, so the bytes on disk read 55 AA). Also, as in Windows, after the BIOS has loaded and the power-on self-test (POST) has completed, the BIOS locates the master boot record (MBR) and passes control to it. On a UEFI system this step differs: the firmware does not execute the MBR but loads an EFI executable (the boot loader, or a signed shim when Secure Boot is enabled) from the EFI System Partition.

Step 2

The MBR then loads a boot loader program, such as LILO (Linux Loader) or GRUB (Grand Unified Bootloader). Boot loaders are larger than a single sector, so they are loaded in stages. When a bootable device is found, the first-stage boot loader is loaded into random access memory (RAM) and executed.

In Linux, the boot loader therefore has two stages.

The first stage is less than 512 bytes in length (a single sector), and its job is to load the second-stage boot loader.

The second stage is responsible for loading the Linux kernel.

Step 3

When the second-stage boot loader is running, a splash screen or boot menu is commonly displayed. At this point the kernel image (and, on most systems, an initial RAM disk, the initramfs) is loaded into RAM. The second-stage boot loader then passes control to the kernel image, and the kernel decompresses and initializes itself.

Note that the boot loader itself does not enumerate hardware or mount anything. Once control has been handed over, it is the kernel that probes the system hardware and attached peripherals, loads the necessary kernel modules (typically from the initramfs), and mounts the root device.

Step 4

This is called the kernel stage of the boot process. The kernel must initialize every device the system has; even devices that were initialized by the BIOS are reinitialized. The system switches the CPU from real mode to protected mode (and, on 64-bit systems, on to long mode). The compressed kernel calls the decompress_kernel() function, and it is at this point that you may see the “Uncompressing Linux...” message displayed on the screen. Then the start_kernel() function is called, and the uncompressed kernel displays a large number of messages as it initializes the various hardware items and core subsystems such as the scheduler. These are the messages the dmesg command shows you later.

 


Linux Boot Process (Cont.)


Step 5

Once the kernel is initialized, the first user-space process starts. On traditional PC-based Linux systems that process is init, which runs with process ID 1; the kernel creates it with the kernel_thread() function and then executes the init binary. The kernel’s own boot thread becomes the idle thread with process ID 0. The init process performs high-level system initialization. Note that embedded systems often use a simpler first user process than a full init.

 

Step 6

With a System V-style init, the boot process then reads /etc/inittab to determine the appropriate run level. Based on the run level, init executes the matching start-up scripts, which are located in subdirectories of /etc/rc.d: scripts for run levels 0 to 6 live in /etc/rc.d/rc0.d through /etc/rc.d/rc6.d, respectively (on Debian-derived systems, /etc/rc0.d through /etc/rc6.d). The default run level is set in /etc/inittab by the initdefault entry. At this point the boot process is over, and Linux is up and running.

Most current distributions have replaced System V init with systemd. There /etc/inittab is absent, PID 1 is systemd, run levels are replaced by targets (for example multi-user.target and graphical.target), and start-up behavior is defined by unit files under /etc/systemd/system and /usr/lib/systemd/system. Forensically, those unit files (and per-user units under ~/.config/systemd/user) deserve the same scrutiny as inittab and the rc.d scripts, because all of them are persistence points for an intruder.


Run Levels


Logical Volume Manager

An abstraction layer that provides volume management for the Linux kernel: physical volumes (disks or partitions) are pooled into volume groups, which are divided into logical volumes that hold the file systems

On a single system (like a single desktop or server), primary role is to allow:

The resizing of partitions

The creation of backups by taking snapshots of the logical volumes

Forensic note: a raw image of an LVM-based system contains physical volumes, not directly mountable file systems. Attach the image read-only (losetup -r) and run vgscan and vgchange -ay to activate the volume group; the logical volumes then appear under /dev/mapper and can be mounted read-only or examined with file system tools


Linux Distributions

Open source operating system

Popular distributions:

Ubuntu

Red Hat Enterprise Linux (RHEL)

OpenSUSE

Debian

Slackware


Linux is open source, so a number of different distributions are available. They all share the Linux kernel and the same shells, but they differ in package management, default file system choices, and where things live. For an investigator the most important differences are log locations (for example /var/log/auth.log and /var/log/syslog on Debian-derived systems versus /var/log/secure and /var/log/messages on Red Hat-derived ones) and the init system, which determines where persistence mechanisms are found.

Ubuntu—Very popular with beginners

Red Hat Enterprise Linux (RHEL)—Often used with large-scale servers

openSUSE—A popular, general-purpose Linux distribution

Debian—Another popular, general-purpose Linux distribution

Slackware—Becoming more popular


Linux File Systems

Extended File System (ext)

Current version is 4

ext4 supports volumes up to 1 exabyte and single files up to 16 terabytes

ext3 and ext4 support three journaling modes (the “secure” ranking below refers to resistance to data corruption after a crash, not to access control):

journal (safest)

ordered (the default)

writeback (least safe)


Journaling modes:

The safest mode is journal. With the journal mode, both metadata and file contents are written to the journal before being written to the main file system. Forensically this is the most interesting mode, because the journal area can still hold copies of recently written file contents.

The next mode is ordered, the default for ext3 and ext4. Only metadata is written to the journal, but the data blocks are forced to disk before the corresponding metadata is committed to the journal, so a file’s metadata never points at blocks that have not yet been written.

The least safe mode is writeback. Only metadata is written to the journal, and data blocks may be written before or after the metadata commit. After a crash, a recently written file can therefore contain stale blocks from whatever previously occupied that space. ext4 added checksums on journal transactions so that corrupted journal entries are detected during replay rather than applied.
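Many of these version and journaling details are recorded in the ext superblock, 1 KiB into the partition. The following Python script is an added example (not code from the book) that reads the fields an examiner usually wants from a raw partition image: ext version, block size, volume name, the directory it was last mounted on, last mount and write times, clean/dirty state, and the default journaling mode. The offsets and flag values follow the ext4 on-disk layout; the superblock it parses is constructed in memory, so it runs without a disk image. To use it for real, pass the first 2 KiB of a partition (for example from a dd image) to parse_superblock().

```python
"""Parse the primary ext2/ext3/ext4 superblock from a raw partition image.

Added example for this chapter, not code from the book. Offsets and flag values follow
the ext4 on-disk layout; the sample superblock is constructed in memory.
"""
import struct
from datetime import datetime, timezone

EXT_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024       # the primary superblock sits 1 KiB into the partition
COMPAT_HAS_JOURNAL = 0x0004    # s_feature_compat bit: ext3/ext4 journal present
INCOMPAT_EXTENTS = 0x0040      # s_feature_incompat bit: ext4 extent-mapped files
DEFM_JMODE_MASK = 0x0060       # s_default_mount_opts bits selecting the data journaling mode
JMODES = {0x0020: "journal", 0x0040: "ordered", 0x0060: "writeback"}
STATES = {0x0001: "cleanly unmounted", 0x0002: "errors detected"}


def _utc(secs):
    """Superblock timestamps are seconds since the epoch; 0 means never set."""
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat() if secs else None


def parse_superblock(image):
    """Return a dict of forensically useful superblock fields, or None if the ext magic is absent."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return None
    inodes, blocks = struct.unpack_from("<II", sb, 0x00)
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    mtime, wtime = struct.unpack_from("<II", sb, 0x2C)
    mnt_count, _max_mnt, _magic, state = struct.unpack_from("<HHHH", sb, 0x34)
    compat, incompat, _ro_compat = struct.unpack_from("<III", sb, 0x5C)
    volume_name = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")
    last_mounted = sb[0x88:0xC8].split(b"\0", 1)[0].decode("ascii", "replace")
    default_opts = struct.unpack_from("<I", sb, 0x100)[0]

    if compat & COMPAT_HAS_JOURNAL:
        version = "ext4" if incompat & INCOMPAT_EXTENTS else "ext3"
    else:
        version = "ext2"   # no journal at all
    return {
        "version": version,
        "block_size": 1024 << log_block_size,
        "inodes": inodes,
        "blocks": blocks,
        "volume_name": volume_name,
        "last_mounted_at": last_mounted,
        "last_mount_time": _utc(mtime),
        "last_write_time": _utc(wtime),
        "mount_count": mnt_count,
        "state": STATES.get(state, hex(state)),
        "uuid": sb[0x68:0x78].hex(),
        "journal_mode": JMODES.get(default_opts & DEFM_JMODE_MASK, "not recorded"),
    }


def build_sample_image():
    """Constructed test data: a 2 KiB image whose second KiB is an ext4-style superblock."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0x00, 65536, 262144)               # inode and block counts
    struct.pack_into("<I", sb, 0x18, 2)                             # 1024 << 2 = 4096-byte blocks
    struct.pack_into("<II", sb, 0x2C, 1499040000, 1499126400)       # mtime 2017-07-03, wtime 2017-07-04
    struct.pack_into("<HHHH", sb, 0x34, 7, 0xFFFF, EXT_MAGIC, 0x0001)
    struct.pack_into("<III", sb, 0x5C, COMPAT_HAS_JOURNAL, INCOMPAT_EXTENTS, 0x0002)
    sb[0x68:0x78] = bytes(range(16))
    sb[0x78:0x80] = b"evidence"
    sb[0x88:0x8D] = b"/home"
    struct.pack_into("<I", sb, 0x100, 0x0040 | 0x0008)              # data=ordered, acl
    return bytes(1024) + bytes(sb)                                  # boot block, then superblock


if __name__ == "__main__":
    for field, value in parse_superblock(build_sample_image()).items():
        print(f"{field:>16}: {value}")
```

The last mount time, the last-mounted directory and the mount count are the fields that most often matter in a timeline: they tell you when the file system was last attached and where, independently of anything in the logs.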

 


Linux File Systems (Cont.)

Reiser File System

Supports journaling

Performs well when hard disk has large number of smaller files

Berkeley Fast File System

Also known as the UNIX File System (UFS)

Developed at UC Berkeley for BSD UNIX; Linux can read it but does not use it natively

Uses a bitmap to track free blocks, indicating availability


The Reiser File System (ReiserFS) was first introduced as part of Linux kernel version 2.4.1. ReiserFS has always supported journaling. ReiserFS performs very well when the hard drive has a large number of smaller files; when you are dealing with files under 4 KB in size, ReiserFS outperforms ext2 and ext3. It is rarely chosen today and has been deprecated in recent kernels, so expect to meet it mainly on older systems.

 

The Berkeley Fast File System (FFS) is also known as the UNIX File System (UFS). It was developed at the University of California, Berkeley in the early 1980s for BSD UNIX, and it remains the native file system of the BSD family (FreeBSD, OpenBSD, NetBSD) and of Solaris. Linux has a UFS driver, but it is read-only by default, so an investigator will usually encounter UFS on a non-Linux disk. Like ext, FFS uses bitmaps to track which blocks are free and which are in use.


Linux Logs

Log                   Contents
/var/log/faillog      Failed user logins
/var/log/kern.log     Messages from the operating system’s kernel
/var/log/lpr.log      Items that have been printed
/var/log/mail.*       Email activity
/var/log/mysql.*      MySQL database server activity


/var/log/faillog

This log file records failed user logins, which can be very important when tracking attempts to break into the system. Numerous failed login attempts, or even frequent failed login attempts that occur at diverse times, can be an indicator of someone trying to compromise access to the system. It is also worth noting the times of failed login attempts. If an employee normally works from 8:00 a.m. to 5:00 p.m. and there are failed login attempts at 11:00 p.m., that may be a warning sign. Two practical points: /var/log/faillog is a binary per-user counter database, so read it with the faillog command (faillog -a) rather than a text editor, and it holds only a count and the time of the last failure. The detailed text record of each attempt, with username and source address, is in the authentication log: /var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat-derived systems, plus the binary /var/log/btmp read with lastb; on systemd-based systems, journalctl _COMM=sshd shows the same events.
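The following Python script is an added example (not from the book) of the triage a responder runs over that text authentication log, using constructed /var/log/auth.log lines in OpenSSH’s format: failures per source address, usernames that do not exist on the box (a sign of a password-guessing wordlist), failures outside the 8:00 to 5:00 working day the paragraph describes, and the most important signal of all, a successful login from an address that had been failing. Syslog timestamps carry no year, so it is supplied as a parameter; the working-hours window is an assumption.

```python
"""Summarize failed SSH logins from syslog-style auth.log lines.

Added example, not from the book. The log lines are constructed to look like OpenSSH
messages in a Debian-style /var/log/auth.log; the business-hours window is an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample; a real file has thousands of such lines.
SAMPLE_AUTH_LOG = """\
Jul  3 09:12:01 host sshd[2011]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Jul  3 23:01:10 host sshd[2190]: Failed password for alice from 203.0.113.9 port 41022 ssh2
Jul  3 23:01:14 host sshd[2190]: Failed password for alice from 203.0.113.9 port 41022 ssh2
Jul  3 23:01:19 host sshd[2194]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Jul  3 23:01:23 host sshd[2197]: Failed password for invalid user oracle from 203.0.113.9 port 41036 ssh2
Jul  3 23:02:40 host sshd[2201]: Accepted password for alice from 203.0.113.9 port 41051 ssh2
Jul  4 14:20:05 host sshd[2411]: Failed password for bob from 10.0.0.7 port 50210 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
WORK_HOURS = range(8, 17)   # assumption: 08:00 to 16:59 is normal working time


def analyze_failed_logins(text, year=2017):
    """Return per-source failure counts, guessed usernames, off-hours failures,
    and successes from sources that had previously been failing."""
    per_ip = Counter()
    invalid_users = defaultdict(set)
    off_hours = []
    failed_ips = set()
    success_after_failure = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ip = m["ip"]
            per_ip[ip] += 1
            failed_ips.add(ip)
            if m["invalid"]:
                invalid_users[ip].add(m["user"])       # account does not exist: wordlist in use
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            if ts.hour not in WORK_HOURS:
                off_hours.append((ts.isoformat(), m["user"], ip))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["ip"] in failed_ips:
            # A success from a source that had been failing is the classic brute-force win.
            success_after_failure.append((m["user"], m["ip"]))
    return {
        "failures_per_ip": dict(per_ip),
        "invalid_users": {ip: sorted(users) for ip, users in invalid_users.items()},
        "off_hours_failures": off_hours,
        "success_after_failure": success_after_failure,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_failed_logins(SAMPLE_AUTH_LOG), indent=2))
```

Feed it the real file with analyze_failed_logins(open("/var/log/auth.log").read(), year) and check the success_after_failure list first; an entry there means a guessed password worked and the account is compromised.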

 

/var/log/kern.log

This log file is used for messages from the operating system’s kernel. This log is less interesting forensically. It is more likely to show systemwide problems. However, it is possible for someone to mistake system issues for some intrusion or malware. If you have odd behavior on a target system and find related messages in the kern.log, it may allow you to rule out malware.

 

/var/log/lpr.log

This is the printer log. It can give you a record of any items that have been printed from this machine. That can be useful in many cases. For example, corporate espionage cases often involve the criminal printing out sensitive documents.

 

/var/log/mail.*

This is the mail server log. It can be very useful in any computer crime investigation. Email can also be useful in criminal investigations (such as cyberstalking cases) as well as in civil litigation cases.

 

/var/log/mysql.*

This log records activities related to the MySQL database server. These are of most interest in crimes involving database attacks. For example, SQL injection attacks might leave a record in the database log.

 


Linux Logs (Cont.)

Log                              Contents
/var/log/apache2/*               Apache web server activity
/var/log/lighttpd/*              Lighttpd web server activity
/var/log/apport.log              Application crashes
Intrusion detection system logs  Suspicious traffic


/var/log/apache2/*

If the machine is running the Apache web server, then these logs show related activity: access.log records every request (client address, time, request line, status code, user agent) and error.log records server-side failures. This can be very useful in tracking attempts to hack into the web server. You can examine the logs to see attempts at SQL injection, directory traversal, buffer overflow attacks, denial of service attacks, and a variety of other attacks. Note that request payloads appear URL-encoded in the log, so decode them before searching. On Red Hat-derived systems the same logs live under /var/log/httpd/.
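Web server logs are where the attacks just listed leave their traces, but the payloads arrive URL-encoded and buried among legitimate traffic. The following Python script is an added example (not from the book) that decodes the request path of each Apache combined-format line, matches it against a few illustrative signatures (SQL injection, directory traversal, known scanner user agents, and overlong requests of the kind a buffer overflow or fuzzing probe produces), and counts error responses per client. The log lines and the signature list are constructed for illustration; a real triage would use a much fuller ruleset.

```python
"""Triage an Apache combined-format access log for attack signatures.

Added example, not from the book. Sample lines are constructed; the signatures are
illustrative, not a complete ruleset.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache "combined" format; 203.0.113.77 plays the attacker.
LONG_PROBE = "/cgi-bin/test.cgi?x=" + "A" * 300
SAMPLE_ACCESS_LOG = "\n".join([
    '198.51.100.23 - - [03/Jul/2017:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [03/Jul/2017:10:15:09 +0000] "GET /products.php?id=7 HTTP/1.1" 200 2201 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [03/Jul/2017:22:40:11 +0000] "GET /products.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "sqlmap/1.1"',
    '203.0.113.77 - - [03/Jul/2017:22:40:15 +0000] "GET /../../../../etc/passwd HTTP/1.1" 404 209 "-" "curl/7.52.1"',
    f'203.0.113.77 - - [03/Jul/2017:22:41:02 +0000] "GET {LONG_PROBE} HTTP/1.1" 500 0 "-" "-"',
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Illustrative signatures only; a production ruleset is far larger.
SIGNATURES = [
    ("sql-injection", re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+|union\s+select|'\s*--")),
    ("path-traversal", re.compile(r"\.\./")),
    ("scanner-user-agent", re.compile(r"(?i)sqlmap|nikto|nmap|masscan")),
]
MAX_SANE_PATH = 256   # assumption: longer request paths are treated as overflow/fuzzing probes


def triage_access_log(text):
    """Return flagged requests plus a per-client count of 4xx/5xx responses."""
    findings = []
    errors_per_ip = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not combined format; skip rather than guess
        path = unquote(m["path"])         # %27 -> ', %20 -> space: signatures see the real payload
        hits = [name for name, rx in SIGNATURES if rx.search(path) or rx.search(m["ua"])]
        if len(path) > MAX_SANE_PATH:
            hits.append("overlong-request")
        if m["status"][0] in "45":
            errors_per_ip[m["ip"]] += 1
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "path": path[:80], "signatures": hits})
    return {"findings": findings, "errors_per_ip": dict(errors_per_ip)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_access_log(SAMPLE_ACCESS_LOG), indent=2))
```

A client that racks up many 4xx/5xx responses in a short window is worth a look even when no signature fires; scanners generate errors long before they find anything.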

 

/var/log/lighttpd/*

If the machine is running the Lighttpd web server, then this log shows related activity. This can be very useful in tracking attempts to hack into the web server.

 

/var/log/apport.log

This log records application crashes. Sometimes these can reveal attempts to compromise the system or the presence of malware. Of course, it can also simply reveal a buggy application.

 

Other logs

Any other applications running on the Linux computer that store logs can be useful in your forensic examination. For example, if you are using an intrusion detection system (IDS) such as Snort, it keeps logs of all suspicious traffic. That can be very useful in your investigation.


Viewing Logs

Text editor in GUI

Any of these commands work from the shell:

dmesg | less

# tail -f /var/log/lpr.log

# less /var/log/lpr.log

# more /var/log/lpr.log

On a systemd-based distribution most system logging goes to the binary journal instead of, or as well as, text files under /var/log. Read it with journalctl (for example journalctl -u sshd, journalctl -k for kernel messages, or journalctl --since "2017-07-03"), and remember that the journal is volatile (kept under /run) unless /var/log/journal exists.


Linux Directories

Key directories are important to the functioning of every operating system

Directories are also important places to seek out evidence in an investigation


/root

Home directory for the root user

Contains data for the administrator, including root’s shell history (/root/.bash_history), SSH keys and known hosts (/root/.ssh), and anything an intruder who obtained root dropped there

Linux root user is equivalent to Windows Administrator


The /bin Directory


Holds binary or compiled files used by ordinary users (on many current distributions /bin is a symbolic link to /usr/bin)

Can include malware: an intruder may replace standard tools such as ls, ps, or netstat with versions that hide files and processes, so verify binaries against package-manager checksums (rpm -Va on Red Hat-style systems, debsums on Debian-style systems) rather than trusting their output


/sbin

Similar to /bin

Contains binary files not intended for the average computer user


For example, the mke2fs command, a file system utility that is usually utilized by administrators, is in this directory.


/etc

Contains configuration files, such as for web servers, boot loaders, security software, and many other applications


The /etc folder contains configuration files. Most applications require some configuration when they start up. The web servers, boot loaders (LILO and GRUB), and many other applications have configuration files. Obviously, an intruder into a system may want to change how a given application behaves, so web server, boot loader, and security software configuration files are attractive targets for any hacker. Also check the account files /etc/passwd, /etc/shadow, /etc/group, and /etc/sudoers for added users or privileges, and the scheduled-task files /etc/crontab and /etc/cron.*, a common persistence location.


/etc/inittab File

Sets boot-up process and operation

Example: init level for the system on start-up


Each inittab line has the form label:run_levels:action:process, with these fields:

• label—A unique identification label of up to four characters.

• run_levels—The run levels at which the entry is executed (a string of digits; empty means every run level).

• action—A keyword indicating the action that init is to take on the process.

• process—The command init executes upon entering the specified run level.

Common action keywords:

• boot—Starts the process and continues to the next entry without waiting for the process to complete. When the process dies, init does not restart it.

• bootwait—Starts the process once and waits for it to terminate before going on to the next inittab entry.

• initdefault—Determines which run level to enter initially, using the highest number in the run_levels field. If there is no initdefault entry in inittab, init asks for an initial run level on the console at boot time.

• sysinit—Starts the process the first time init reads the table and waits for it to terminate before going on to the next inittab entry.

• respawn—Starts the process and restarts it whenever it terminates. Forensically this is the entry type to check most carefully: a respawn line pointing at an unusual path keeps an intruder’s program running across reboots.
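The fields above are easiest to understand with a small parser. The following Python script is an added example (not code from the book) that parses a constructed Red Hat-style /etc/inittab, finds the initdefault run level, lists which entries init acts on when entering a given run level, and performs the check an investigator cares about most: respawn entries pointing at programs outside the normal system directories, which is how an intruder turns inittab into a persistence mechanism. The trusted-directory list and the sample table are assumptions for illustration.

```python
"""Parse a System V /etc/inittab and flag suspicious respawn entries.

Added example, not code from the book. The sample table is constructed in the
Red Hat-style layout; the trusted-directory list is an assumption.
"""
from dataclasses import dataclass

# Constructed sample; not taken from a real machine.
SAMPLE_INITTAB = """\
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
# constructed: the kind of line an intruder adds so the program survives reboots
bd:2345:respawn:/tmp/.x/updater -l 4444
"""

# Actions that run at boot time regardless of the run_levels field.
BOOT_ONLY_ACTIONS = {"sysinit", "boot", "bootwait", "initdefault", "ctrlaltdel"}
# Assumption: legitimate respawned programs live in these directories.
TRUSTED_PREFIXES = ("/sbin/", "/bin/", "/usr/sbin/", "/usr/bin/", "/etc/")


@dataclass
class InittabEntry:
    label: str
    run_levels: set
    action: str
    process: str
    lineno: int


def parse_inittab(text):
    """Parse label:run_levels:action:process lines; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)            # maxsplit keeps colons inside the process field
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected label:run_levels:action:process")
        label, levels, action, process = parts
        if not 1 <= len(label) <= 4:
            raise ValueError(f"line {lineno}: label {label!r} must be 1-4 characters")
        entries.append(InittabEntry(label, set(levels), action, process.strip(), lineno))
    return entries


def default_run_level(entries):
    """The initdefault entry selects the boot run level (highest digit listed), or None."""
    for e in entries:
        if e.action == "initdefault" and e.run_levels:
            return max(int(d) for d in e.run_levels if d.isdigit())
    return None


def entries_for_run_level(entries, level):
    """Entries init acts on when entering `level`; an empty run_levels field means all levels."""
    return [e for e in entries
            if e.action not in BOOT_ONLY_ACTIONS and (not e.run_levels or str(level) in e.run_levels)]


def suspicious_respawns(entries):
    """respawn entries whose program lives outside the usual system directories."""
    return [e for e in entries
            if e.action == "respawn" and not e.process.split()[0].startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    table = parse_inittab(SAMPLE_INITTAB)
    level = default_run_level(table)
    print(f"default run level: {level}")
    for e in entries_for_run_level(table, level):
        print(f"  [{e.label}] {e.action}: {e.process}")
    for e in suspicious_respawns(table):
        print(f"SUSPICIOUS line {e.lineno}: {e.process}")
```

The same idea applies to the rc.d scripts and, on systemd systems, to unit files with Restart=always: anything the init system will dutifully restart forever is worth reading.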


/dev

Contains device files

Interfaces to devices

All devices should have a device file in /dev

Device naming conventions:

sd = SCSI, SATA, or USB disk (for example /dev/sda); nvme = NVMe disk (for example /dev/nvme0n1)

hd = legacy IDE hard drive on older kernels (for example /dev/hda)

fd = floppy drive (for example /dev/fd0)

sr = optical drive (for example /dev/sr0, usually with a /dev/cdrom symbolic link)

Partitions append a number: the first partition of the first SATA disk is /dev/sda1

Example: Main hard drive is typically /dev/sda today, or /dev/hda on an old IDE system


/mnt

Removable media are traditionally mounted under /mnt (modern desktop distributions auto-mount under /media or /run/media/<user>)

A file system must be mounted before its files are accessible

What is currently mounted is recorded by the kernel: check with the mount command, findmnt, or /proc/mounts rather than by listing /mnt


Removable devices such as USB drives and CD-ROMs are traditionally mounted under the /mnt directory, and modern distributions auto-mount them under /media or /run/media/<user>. Any file system must be mounted before its contents can be used. Mounting does not load the drive into memory; it attaches the file system on that device to a directory in the single Linux directory tree, after which reads and writes under that directory go to the device. From a forensic perspective, an empty /mnt proves nothing. The authoritative list of what is mounted, and with which options (for example ro or noexec), comes from the mount or findmnt commands or from /proc/mounts, and /etc/fstab shows what is configured to mount at boot.


/boot

Contains files critical for booting

Boot loader (LILO or GRUB) looks in this directory

Kernel images commonly located in /boot


The boot directory contains those files critical for booting. Your boot loader (whether it is LILO or GRUB) looks in this directory. It is a common practice to keep kernel images in this directory.

 


/usr

Contains user-space programs and shared read-only data, not user home directories


Despite the name, /usr does not hold individual users’ files; it holds the bulk of the installed software: /usr/bin and /usr/sbin (programs), /usr/lib (libraries), /usr/share (documentation and data), and /usr/local (software installed outside the package manager, a common place to find attacker tooling). The subdirectories for individual users, which in cases of suspected corporate espionage might contain valuable evidence, are the home directories under /home (and /root for the root user).


/var and /var/spool

/var

Contains data that is changed during system operation

/var/spool

Contains queues awaiting processing, including the print queue, mail queues, and user crontabs


The /var directory contains data that changes during normal system operation: logs (/var/log), mail and print spools (/var/spool), caches (/var/cache), and application state (/var/lib). Most of it is persistent and survives a reboot, so it is valuable on a disk image as well as on a live system. The exception is the run-time state in /var/run and /var/lock, which on modern distributions are symbolic links into /run, a RAM-backed file system that is cleared at every boot; anything you need from there (PID files, lock files, sockets) must be collected while the system is live.

The /var/spool directory contains queues awaiting processing, including the print queue, so it can be very important if something is currently waiting to be printed. It also holds mail queues and, under /var/spool/cron, the crontabs of individual users, a common persistence location that should be checked in any intrusion case.


The /proc Directory


Not stored on hard disk

Is created in memory and keeps information about currently running processes

Contains subdirectories that can be used to recover files and evidence

Assume that an intruder has downloaded a password cracker and is attempting to crack system passwords. The tool is working through a list of passwords in a text file called pass. The intruder subsequently deletes both the executable and the text file, but the process is still running in memory. You can use ps or pstree to find the running process and get its process ID. Assume the process ID is 3201. In the /proc directory you will find /proc/3201. The entry /proc/3201/exe is a link to the executable that is running; readlink shows it with a “ (deleted)” suffix, and copying it (cp /proc/3201/exe /evidence/cracker) recovers the deleted binary, because the kernel keeps the inode allocated while the program is mapped. The deleted text file can be recovered the same way if the process still has it open, through the links in /proc/3201/fd/. Of course, this works only on a live system, prior to shutting it down.
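The recovery just described, as an added example (not code from the book) in Python that must be run on a live Linux system: it stages the scenario with a copy of the sleep binary standing in for the password cracker and a constructed wordlist standing in for the file pass, deletes both while the process is running, and then pulls both back through /proc/<pid>/exe and /proc/<pid>/fd/. The helpers deleted_exe() and deleted_open_files() are the reusable part; point them at a real PID from ps or pstree. On a platform without /proc, or where a child process cannot be started, demo() returns None.

```python
"""Recover a deleted executable and a deleted open file through /proc on a live Linux system.

Added example for this chapter, not code from the book. A copy of sleep stands in for
the intruder's tool and a constructed byte string for the wordlist "pass". Linux only.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

WORDLIST = b"password\n123456\nletmein\n"   # constructed stand-in for the intruder's file "pass"


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def deleted_exe(pid):
    """Target of /proc/<pid>/exe if the binary was unlinked after it started, else None."""
    try:
        target = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None
    return target if target.endswith(" (deleted)") else None


def deleted_open_files(pid):
    """[(fd, original path)] for descriptors whose backing file has been unlinked."""
    fd_dir = f"/proc/{pid}/fd"
    found = []
    try:
        for fd in os.listdir(fd_dir):
            target = os.readlink(os.path.join(fd_dir, fd))
            if target.endswith(" (deleted)"):
                found.append((int(fd), target[:-len(" (deleted)")]))
    except OSError:
        pass
    return sorted(found)


def copy_out(proc_path, dest):
    """Opening the /proc magic link hands back the still-allocated inode, deleted or not."""
    with open(proc_path, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return dest


def demo():
    """Stage the scenario; return (exe_seen_deleted, exe_hash_matches, recovered_wordlist)."""
    sleep_bin = shutil.which("sleep")
    if not os.path.isdir("/proc") or sleep_bin is None:
        return None
    workdir = tempfile.mkdtemp()
    tool = os.path.join(workdir, "cracker")
    wordlist = os.path.join(workdir, "pass")
    proc = None
    try:
        shutil.copy2(sleep_bin, tool)
        with open(wordlist, "wb") as f:
            f.write(WORDLIST)
        with open(wordlist, "rb") as stdin:
            proc = subprocess.Popen([tool, "30"], stdin=stdin)   # child keeps fd 0 on "pass"
        original = sha256_file(tool)
        os.unlink(tool)          # intruder removes the tool ...
        os.unlink(wordlist)      # ... and the wordlist; the process is still running
        if proc.poll() is not None:
            return None          # stand-in binary would not run here; nothing to demonstrate
        exe = deleted_exe(proc.pid)
        recovered_exe = copy_out(f"/proc/{proc.pid}/exe", os.path.join(workdir, "cracker.bin"))
        fd, _path = deleted_open_files(proc.pid)[0]
        recovered_list = copy_out(f"/proc/{proc.pid}/fd/{fd}", os.path.join(workdir, "pass.bin"))
        with open(recovered_list, "rb") as f:
            words = f.read()
        return (exe is not None, sha256_file(recovered_exe) == original, words)
    except (OSError, IndexError):
        return None              # environment cannot stage the demo (noexec tmp, no fork, ...)
    finally:
        if proc is not None:
            proc.kill()
            proc.wait()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Hash what you recover immediately, as the demo does, and copy it to your own media; the moment the process exits, the kernel frees the inode and these links disappear.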


Shell Commands for Forensics

Linux has hundreds of shell commands

Some can be very useful in forensic investigations


The dmesg Command


When your system boots up, you see a lot of information telling you what processes are starting, what processes failed, what hardware is being initialized, and more. This can be invaluable information to a forensic investigation. You can use the dmesg command to view all the messages that were displayed during the boot process.

 

The dmesg command prints the messages for you, but they fill several screens. Page through them with dmesg | less, or redirect the output to a file (for example dmesg > /mnt/evidence/dmesg.txt) and search that file. On a live suspect system, write the file to your own collection media, not to the suspect’s disk, so you do not overwrite unallocated space you may later want to carve. Note that dmesg reads the kernel’s ring buffer, which has a fixed size; on a system that has been up for a long time the boot-time messages may already have been overwritten, in which case /var/log/kern.log or journalctl -k holds the older copy.


The pstree Command


The pstree command is similar to the ps command, except it shows all the processes in the form of a tree structure.

The tree format gives more information particular to a given forensic investigation.

Not only will you know what processes are running, but also which process initiated those processes.


The file Command


The file command can tell you exactly what a file is regardless of whether or not it has been renamed or had its extension changed. This can be very important in a forensic investigation. The file command will help you in situations where the criminal has changed the file extension to make the file appear to be something other than what it is.
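The file command decides by content, not by name: it compares the first bytes of the file with a table of known signatures. The following Python script is an added example (not code from the book) of that idea, with a small signature table and constructed sample files, including a renamed ELF binary posing as a photograph and a ZIP archive posing as an image; it reports the real type and flags each extension mismatch. The table covers only a handful of formats, where the real file command knows thousands.

```python
"""Identify file types from leading bytes, the way file(1) does, and flag extension mismatches.

Added example, not code from the book. The signature table is a small illustrative subset
and the sample files are hand-built byte strings.
"""
import os

# (leading bytes, type), checked in order; a few common formats, not file(1)'s full magic database.
SIGNATURES = [
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "pe"),
    (b"#!", "script"),
]
# What a file with this extension ought to be; extensions not listed are left unjudged.
EXPECTED_BY_EXT = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "jar": "zip",
    "gz": "gzip", "tgz": "gzip", "exe": "pe", "dll": "pe", "so": "elf",
    "txt": "text", "log": "text", "csv": "text", "sh": "script", "py": "script",
}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def identify(data):
    """Classify bytes by leading signature, falling back to a printable-text heuristic."""
    if not data:
        return "empty"
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if all(b in PRINTABLE for b in data[:512]):
        return "text"
    return "data"


def check_file(name, data):
    """Return (detected type, mismatch flag) for a file name and its content."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    actual = identify(data)
    expected = EXPECTED_BY_EXT.get(ext)
    if expected is None or expected == actual:
        return actual, False
    if expected == "script" and actual == "text":
        return actual, False          # a shell script without a shebang is still plain text
    return actual, True


# Constructed sample files; the bytes are hand-built, not real documents.
SAMPLE_FILES = [
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),
    ("vacation.jpg", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24),   # ELF binary renamed to .jpg
    ("notes.txt", b"meeting moved to thursday\n"),
    ("quarterly.docx", b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 8),
    ("holiday.png", b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 8),   # ZIP archive renamed to .png
    ("run.sh", b"#!/bin/sh\necho hello\n"),
    ("cache.bin", b"\x00\x01\x02\x03\x04\x05\xff\xfe"),
]


def triage(files):
    """[(name, detected type, mismatch)] for each (name, bytes) pair."""
    return [(name, *check_file(name, data)) for name, data in files]


if __name__ == "__main__":
    for name, kind, bad in triage(SAMPLE_FILES):
        print(f"{'MISMATCH' if bad else 'ok      '} {name:16} {kind}")
```

Run identify() over the first 512 bytes of each file in a directory tree and sort by mismatch; the .jpg that is really an ELF, or the .png that is really an archive, is the file a suspect was hiding.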


Undeleting Linux Files: Manually


When you refer to a file by name, the operating system looks up the directory entry for that name, which stores the corresponding inode number. The inode holds everything the system needs to know about the file (owner, permissions, timestamps, and the addresses of its data blocks) except the name.

 

From the operating system’s perspective, a filename is just an entry in a directory table that maps the name to an inode number; the name is merely a human-readable way of locating the inode. A directory entry is therefore a link to the inode, and the inode keeps a count of how many links refer to it. Deleting a file removes one link. When the link count reaches zero and no process still has the file open, the inode and its data blocks are marked free. They are not wiped, only marked available for reuse, which is why deleted files can sometimes be recovered until that space is overwritten.

 

There are many methods for recovering deleted files in Linux. One manual method is to:

1. Move the system to single-user mode so that nothing else writes to the disk. The init command can be used for this purpose (init 1; on a systemd system, systemctl rescue). Better still, image the disk first and run the following against the image file rather than the live device, because every write to the original risks overwriting the blocks you are trying to recover.

2. Once the system is quiescent, there are several methods you might use. The following is a rather traditional UNIX/Linux method using the grep command, which treats the raw partition as one large file. Use the following grep syntax:

grep -b 'search-text' /dev/partition > file.txt

or

grep -a -B[size before] -A[size after] 'text' /dev/[your_partition] > file.txt

The flags used are defined as follows:

-a—Process a binary file as if it were text.

-b—Print the byte offset of each match within the device, which tells you where on the disk the data lives (useful with dd to carve the surrounding blocks).

-i—Ignore case distinctions in both the pattern and the input; that is, match both uppercase and lowercase characters.

-B N—Print N lines of leading context before each matching line.

-A N—Print N lines of trailing context after each matching line.

For example, to recover a text file containing “criminalevidence” on /dev/sda1, you can try the following command (root privileges are required to read the raw device):

# grep -i -a -B10 -A100 'criminalevidence' /dev/sda1 > /mnt/evidence/file.txt

Send the output to a different file system than the one you are searching; writing file.txt onto /dev/sda1 itself could overwrite the very blocks you want.

3. Use a command-line text editor to view the file contents, such as file.txt. You can then save that file.
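The grep step above is really a byte-level search with context, and doing it in Python makes the mechanics visible and lets you work from an image file instead of the live device. The following script is an added example (not code from the book) that scans a constructed partition image for a keyword, case-insensitively as with grep -i, and carves the surrounding text, trimming the context at the NUL runs that separate file contents from empty space so the result is the orphaned document rather than a block of filler. It also returns the byte offset of each hit, which is what grep -b reports and what you would feed to dd to extract the surrounding blocks.

```python
"""Carve text around a keyword out of a raw partition image (the grep -a -B/-A idea).

Added example, not code from the book. The image is constructed in memory: zeroed
blocks with a deleted document's content left behind in unallocated space.
"""
import re

BLOCK = 4096   # assumption: 4 KiB file system blocks, the ext4 default


def build_sample_image():
    """Constructed 8-block partition image; block 5 holds text left behind by a deleted file."""
    img = bytearray(BLOCK * 8)
    doc = (b"MEMO\nTo: finance\nSubject: criminalevidence\n"
           b"Wire the funds to account 4444 before the audit.\n")
    img[BLOCK * 5 + 100:BLOCK * 5 + 100 + len(doc)] = doc
    img[BLOCK * 2:BLOCK * 2 + 16] = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8   # unrelated binary data
    return bytes(img)


def carve(image, needle, before=64, after=256, ignore_case=True):
    """Find every occurrence of `needle` in raw bytes and carve the text around it.

    Returns [(byte offset of the carved chunk, chunk)]. `before`/`after` bound the context
    like grep -B/-A; the window is then trimmed at NUL bytes so the chunk stops at the edge
    of the orphaned file instead of running into zeroed or unrelated space.
    """
    if isinstance(needle, str):
        needle = needle.encode()
    flags = re.IGNORECASE if ignore_case else 0
    hits = []
    for m in re.finditer(re.escape(needle), image, flags):
        start = max(0, m.start() - before)
        end = min(len(image), m.end() + after)
        rel = m.start() - start                       # position of the hit inside the window
        window = image[start:end]
        lead = window[:rel].rsplit(b"\x00", 1)[-1]    # text after the last NUL before the hit
        tail = window[rel:].split(b"\x00", 1)[0]      # text up to the first NUL after the hit
        hits.append((m.start() - len(lead), lead + tail))
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    for offset, chunk in carve(image, "CriminalEvidence"):
        print(f"hit at byte {offset} (block {offset // BLOCK}):")
        print(chunk.decode("ascii", "replace"))
```

With a real image, open it in binary mode and pass the bytes (or a memory-mapped view for large images). The offset reported for a hit is the same number dd needs: dd if=image.dd bs=1 skip=<offset> count=<length> extracts exactly the carved bytes, and offset // block_size tells you which block to look at with a file system tool.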


Let’s Play: Identify the Shell Command


(c) ITT Educational Services, Inc.


Command 1

Displays the commands that have previously been entered

Answer choices:

dmesg

grep

history

ls


Answer 1

history


The history command shows the commands that have previously been entered in the current shell; by default bash keeps the last 500 (many distributions raise this to 1000) and writes them to ~/.bash_history only when the shell exits. This command can be very useful on a live system. When you first locate a suspect Linux machine, this is one of the commands you might want to run and record the results of before powering down, since the in-memory history of any open shell is lost at shutdown. Two caveats: history covers only the shell you run it in, so also collect every user’s ~/.bash_history (and ~/.zsh_history or the equivalent for other shells) from disk; and an intruder can suppress the record with unset HISTFILE or HISTSIZE=0, so an empty history on an account that is clearly in use is itself a finding.


Command 2

Shows all the processes in the form of a tree structure

Answer choices:

ps

pstree

ls

top


Answer 2

pstree


The pstree command is very similar to the ps command, except it shows all the processes in the form of a tree structure. The tree format gives more information particular to a given forensic investigation. Not only will you know what processes are running, but also which process initiated those processes.


Command 3

Takes the name you provide and returns the ID for that process; can work with partial names

Answer choices:

pgrep

dd

grep

file


Answer 3

pgrep


The pgrep command takes the name you provide it and returns the ID for that process. It can even work with partial names. This is useful as many other commands require the process ID, so pgrep can help you retrieve that if you know the name of a process.


Command 4

Lists the processes in the order of how much CPU time the process is utilizing

Answer choices:

ps

ls

su

top


Answer 4

top


The top command is similar to the ps command, except it lists the processes in the order of how much CPU time each is using and refreshes the display continuously. When examining a live system for the presence of malware, this can be a useful command: a virus, worm, or cryptocurrency miner may be using up an excessive amount of CPU time, slowing down the infected machine. Bear in mind that a rootkit can hide processes from top and ps alike, so an unexplained load with no process to account for it is itself suspicious.


Command 5

A criminal changes a file extension. This command can identify the file.

Answer choices:

history

ls

file

mount


Answer 5

file

The file command identifies a file from its content, not its name: it compares the leading bytes against a database of known signatures (magic numbers), so renaming a file or changing its extension does not fool it. This matters in a forensic investigation where a suspect has renamed a file to make it appear to be something other than what it is, for example an executable or archive stored with a .txt or .jpg extension. The result is a signature match, not proof: a file crafted to carry a misleading header can still be mislabelled, so corroborate anything important by opening it with the parser for the type file reports.
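To make this concrete, here is an added example, not part of the deck, that applies the check across a whole directory: it asks file(1) for each file's content type and flags any file whose extension does not belong to that type. It assumes a POSIX shell on Linux; where file(1) is not installed it falls back to a small built-in signature table (PDF, JPEG, PNG, shell script) so the mechanism, comparing leading bytes against known magic numbers, stays visible. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the deck): flag files whose content type disagrees
# with their extension. Uses file(1) when installed; otherwise a tiny
# built-in magic table stands in for it.

# Content type of a file, decided from its leading bytes, never its name.
magic_type() {
    f="$1"
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type "$f"
        return
    fi
    # Fallback: first 8 bytes as hex, matched against well-known signatures.
    sig=$(dd if="$f" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        255044462d*)        echo application/pdf ;;     # "%PDF-"
        2321*)              echo text/x-shellscript ;;  # "#!" (any interpreter)
        ffd8ff*)            echo image/jpeg ;;          # JPEG SOI marker
        89504e470d0a1a0a*)  echo image/png ;;
        *)  if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
                echo application/octet-stream           # non-printable bytes
            else
                echo text/plain
            fi ;;
    esac
}

# Extensions under which a given content type is legitimately stored.
expected_ext() {
    case "$1" in
        application/pdf)     echo "pdf" ;;
        image/jpeg)          echo "jpg jpeg" ;;
        image/png)           echo "png" ;;
        text/x-shellscript)  echo "sh" ;;
        text/plain)          echo "txt md log csv" ;;
        *)                   echo "" ;;   # unknown type: do not judge
    esac
}

# Print "MISMATCH <path> <ext> <type>" and return 1 when the extension is
# not one the detected type is expected to carry; return 0 otherwise.
check_file() {
    f="$1"
    base=${f##*/}
    case "$base" in
        *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
        *)   ext="" ;;
    esac
    type=$(magic_type "$f")
    allowed=$(expected_ext "$type")
    [ -z "$allowed" ] && return 0
    for a in $allowed; do
        [ "$a" = "$ext" ] && return 0
    done
    printf 'MISMATCH %s %s %s\n' "$f" "${ext:-(none)}" "$type"
    return 1
}

# Walk a directory tree and print one line per mismatch.
scan_dir() {
    find "$1" -type f | while IFS= read -r f; do
        check_file "$f" || true
    done
}

# Constructed samples: three disguised files and one honest one.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    printf '%%PDF-1.4\n' > "$dir/report.txt"                       # PDF as text
    printf '#!/bin/sh\necho hi\n' > "$dir/holiday.jpg"             # script as photo
    printf '\377\330\377\340\000\020JFIF\000' > "$dir/invoice.pdf" # JPEG as PDF
    printf 'meeting at noon\n' > "$dir/readme.txt"                 # really text
}
```

Run make_samples on a scratch directory and scan_dir on it to see the three disguised files reported and the honest one pass; on a case, point scan_dir at a read-only mount of the image. Treat each MISMATCH line as a lead to examine, not a finding in itself.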

Command 6

Sends a signal to a running process, by default one that terminates it, based on the process ID (PID) you provide

Answer choices:

kill

dmesg

ps

finger

Answer 6

kill

The kill command is perhaps the simplest command of all. You type the word kill followed by the process ID (PID). For example:

kill 1045

Strictly, kill does not halt the process itself; it sends a signal, SIGTERM by default, which the process may catch, handle or ignore. kill -9 sends SIGKILL, which cannot be caught and ends the process immediately. Bear in mind during live response that terminating a process destroys its volatile state (memory contents, open files and network connections), so capture whatever you need from it before you kill it.
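The three process commands covered in the questions above, pgrep, top and kill, fit together in one live-response routine. The following is an added example, not from the deck, that lists the top CPU consumers non-interactively, shows which PIDs a pattern matches before anything is done to them, and terminates them with SIGTERM first and SIGKILL only for survivors. It assumes a Linux host with procps-style pgrep and ps.

```shell
#!/bin/sh
# Added example (not from the deck): live-response process triage with
# pgrep, ps/top and kill. Assumes Linux with procps-style pgrep and ps.

# Non-interactive equivalent of top's first screen: processes sorted by
# current CPU usage, highest first, so the listing can go into case notes.
top_cpu() {
    n="${1:-5}"
    ps -eo pid,ppid,user,pcpu,etimes,comm --sort=-pcpu | head -n "$((n + 1))"
}

# PIDs whose full command line matches the pattern. -a prints the command
# line next to each PID so the match can be confirmed before acting on it;
# pgrep treats the pattern as a regular expression, so "sleep" also
# matches "sleepd" unless the pattern is anchored.
find_proc() {
    pgrep -af "$1"
}

# Terminate everything matching the pattern. kill only sends a signal:
# SIGTERM (the default) can be caught or ignored, SIGKILL (-9) cannot.
# Returns 0 when nothing matching is left running, 1 otherwise.
stop_proc() {
    pattern="$1"
    pids=$(pgrep -f "$pattern") || return 0          # nothing matched
    kill $pids 2>/dev/null || true                   # SIGTERM: polite request
    sleep 1
    survivors=$(pgrep -f "$pattern") || return 0     # all gone
    kill -9 $survivors 2>/dev/null || true           # SIGKILL: forced
    sleep 1
    ! pgrep -f "$pattern" >/dev/null
}
```

Typical use on a live host: top_cpu 10 to record what is busiest, find_proc 'suspicious' to see exactly which processes a name matches, and only then stop_proc 'suspicious'. The pattern is a regular expression, so anchor it (for example '^/tmp/') when a substring would be too broad.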

 

Command 7

Switches the current shell session to the superuser (root) account

Answer choices:

who

grep

finger

su

Answer 7

su

At times you may be at a Linux machine where someone is already logged in, and you need to perform a task that requires the privileges of the root user. Logging out and back in as root would be tedious, and you do not have to: typing su at the shell asks for the root password, and if you supply it correctly the shell you get has root privileges (su - also loads root's login environment). Every su attempt, successful or not, is recorded through PAM in the system authentication log (/var/log/auth.log on Debian-derived systems, /var/log/secure on Red Hat-derived ones), which tells an examiner who obtained root and when; on systems that use sudo instead, the same log records each sudo command.

Command 8

Provides information about a specific user

Answer choices:

finger

who

su

grep

Answer 8

finger

The finger command returns information about a specific user: the login name, real name, home directory and shell from the account's /etc/passwd entry, recent login time and terminal, and the contents of any .plan or .project file in the home directory. This is often useful to a system administrator. For example, if top shows that one user is spawning several processes that are consuming resources on your server, you may want to find out who that user is. It pairs well with the who command: after you know who is on the system, you can look up the details of each user. Note that finger is not installed by default on many current distributions; id, getent passwd, last and lastlog give the same information from the same sources.

Kali Linux

Ships with a number of forensics tools

Can be used as a quality-control tool to cross-check results from commercial suites such as OSForensics, FTK or EnCase

Includes Autopsy, a graphical front end for The Sleuth Kit's command-line tools (the version packaged with Kali is the web-based Autopsy Forensic Browser, used through a browser on the local machine)

Autopsy

Summary

Linux file systems

What to look for in Linux system logs

Forensically interesting Linux directories

Important Linux shell commands

How to undelete files from Linux
