Practical Linux Forensics: A Guide for Digital Investigators
- 6h 46m
- Bruce Nikkel
- No Starch Press
- 2021
Practical Linux Forensics dives into the technical details of analyzing postmortem forensic images of Linux systems that have been misused, abused, or the target of malicious attacks. This essential practitioner’s guide will show you how to locate and interpret digital evidence found on Linux desktops, servers, and IoT devices, draw logical conclusions, and reconstruct timelines of past activity after a crime or security incident. It's a book written for investigators with varying levels of Linux experience, and the techniques shown are independent of the forensic analysis platform and tools used.
Early chapters provide an overview of digital forensics as well as an introduction to the Linux operating system and popular distributions. From there, the book describes the analysis of storage, filesystems, files and directories, installed software packages, and logs. Special focus is given to examining human user activity such as logins, desktop environments and artifacts, home directories, regional settings, and peripheral devices used.
You’ll learn how to:
- Analyze partition tables, volume management, Linux filesystems, and directory layout
- Reconstruct the Linux startup process, from system boot and kernel initialization, to systemd unit files leading up to a graphical login
- Perform historical analysis of power, temperature, and physical environment, and find evidence of sleep, hibernation, shutdowns, reboots, and crashes
- Analyze network configuration, including interfaces, addresses, network managers, DNS, wireless artifacts, VPNs, firewalls, and proxy settings
- Perform analysis of time and locale settings, internationalization (language and keyboard settings), and Linux geolocation services
- Reconstruct user login sessions, analyze desktop artifacts, and identify traces of attached peripheral devices, including disks, printers, and mobile devices
About the Author
Bruce Nikkel is a professor at the Bern University of Applied Sciences in Switzerland, specializing in digital forensics and cybercrime. He is co-head of the university’s research institute for cybersecurity and engineering, and director of the Masters program in Digital Forensics and Cyber Investigation.In addition to his academic work, he has worked in risk and security departments at a global financial institution since 1997. He headed the bank's Cybercrime Intelligence & Forensic Investigation team for more than 15 years and currently works as an advisor. Bruce holds a PhD in network forensics, is the author of Practical Forensic Imaging (No Starch Press, 2016), and is an editor with Forensic Science International’s Digital Investigation journal. He has been a Unix and Linux enthusiast since the 1990s.
In this Book
-
Digital Forensics Overview
-
Linux Overview
-
Evidence from Storage Devices and Filesystems
-
Directory Layout and Forensic Analysis of Linux Files
-
Investigating Evidence from Linux Logs
-
Reconstructing System Boot and Initialization
-
Examination of Installed Software Packages
-
Identifying Network Configuration Artifacts
-
Forensic Analysis of Time and Location
-
Reconstructing User Desktops and Login Activity
-
Forensic Traces of Attached Peripheral Devices
-
Afterword
-
Footnotes