±Forensic Focus Partners
New Today: 3
New Yesterday: 7
· Standard Processes in Windows 10
· NAS Forensics Explained
· Project Spartan Forensics
· FT Cyber Security Summit Europe – London 22nd September
· The Future of Mobile Forensics
· TSFIC 2015 – Recap
· Evidence Acquisition and Analysis from Live Exchange
· TDFCon 2015 – Recap
· Acquiring Windows PCs
Forensic Analysis of Linux System
First of all best wishes for this new year.
Second, I'm looking for an "advanced" training about Forensic Analysis of Linux Systems ... I searched a lot on the web with my friend Google, but did not find any relevant training, do you know a good training?
- Geeko_forensicSecond, I'm looking for an "advanced" training about Forensic Analysis of Linux Systems ... I searched a lot on the web with my friend Google, but did not find any relevant training, do you know a good training?
Um ... I wonder if you're asking the right question.
What kind of Linux? Ubuntu? Debian? Red Hat? There are even people who refer to various *BSD as 'Linux', but that's going to far, I think. You'll find Linux distributions with both Berkeley and AT&T flavours, and you can even find 'Linuxes' (like Debian) built on non-Linux platforms (Debian / FreeBSD), which thus aren't really Linux.
To my mind you'll need to start from a really solid grounding in the actual operating system in all the aspects you'd be called on to investigate. That's something you probably won't find as 'forensic' training, but more probably as system administrator training at various levels ... for Red Hat or Debian or whatever ... but not necessarily for 'Linux'. And depending on the actual distribution, you might need to do that for both a client and a server versions.
Just from a very quick look at the Red Hat training material, I'd suggest at least all the System Administration courses (I, II and III), the Linux Troubleshooting, the Deployment, and the Security courses and perhaps also the SELinux Policy Administration. (You need to wear your forensic hat, and ask questions from that perspective during classes.) The RHCSS could be a subgoal here. If I had to prioritize, the troubleshooting and security courses would be early, along with sysadm I and II. (Note: I'm assuming basic Linux/Unix knowledge here. If you don't know what 'xargs' does, and can't figure it out on your own, you need additional training.)
Then, on top of that, you add any additional forensic details --actual forensic tools and toolkits, and finer details of file systems, partitioning, patching, installation, RAID, etc. I would not call that 'advanced', I'd only call it 'forensic training', as it presupposes an already existing expertise in the OS platform.
But that last part is really *training* -- you already know what tools you are going to use, and need the know-how to use the appropriately and safely.
But this is my take of the subject matter, and as you see 'advanced' doesn't even enter it. (If it did, it would be in very deep kernel or file system details, and so be more a question of Linux kernel development and such.)
I have no good way of knowing what 'advanced' means to you, but perhaps you'll get some ideas of where to look for it.
- Senior Member
If you are wondering how common file systems used in Linux distros function (Ext2/3/4, Reiser) then I don't neccessarily think you need SysAdmin-level knowledge of specific Linux/Unix flavours.
On the other hand, if you're looking for OS artefacts then that knowledge is obviously useful! But still not crucial IMO. Off the top of my head, Skype and Firefox maintain very similar (maybe identical) data structures to those found on Windows OSes, so providing the relevant files are still live you shouldn't have too many problems.
By the way, Geeko - these guys offer a few online Linux Forensic courses (link taken from the forensics wiki) - although I'm not sure if anyone can attest to how good they are...?
- Senior Member