Forensic Analysis of Linux System

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
Forensic Analysis of Linux System

Posted: Thu Jan 03, 2013 7:23 am

Hi everyone!

First of all best wishes for this new year.

Second, I'm looking for an "advanced" training about Forensic Analysis of Linux Systems ... I searched a lot on the web with my friend Google, but did not find any relevant training, do you know a good training?

Thx  

Geeko_forensic
Newbie

Re: Forensic Analysis of Linux System

Posted: Wed Jan 09, 2013 2:40 pm

I'm also interested in Linux forensics, especially everything concerning rootkits.  

chrisPA
Newbie

Re: Forensic Analysis of Linux System

Posted: Thu Jan 10, 2013 1:42 am

Geeko_forensic wrote:
Second, I'm looking for an "advanced" training about Forensic Analysis of Linux Systems ... I searched a lot on the web with my friend Google, but did not find any relevant training, do you know a good training?


Um ... I wonder if you're asking the right question.

What kind of Linux? Ubuntu? Debian? Red Hat? There are even people who refer to various *BSD as 'Linux', but that's going too far, I think. You'll find Linux distributions with both Berkeley and AT&T flavours, and you can even find 'Linuxes' (like Debian) built on non-Linux platforms (Debian / FreeBSD), which thus aren't really Linux.

To my mind you'll need to start from a really solid grounding in the actual operating system in all the aspects you'd be called on to investigate. That's something you probably won't find as 'forensic' training, but more probably as system administrator training at various levels ... for Red Hat or Debian or whatever ... but not necessarily for 'Linux'. And depending on the actual distribution, you might need to do that for both client and server versions.

Just from a very quick look at the Red Hat training material, I'd suggest at least all the System Administration courses (I, II and III), the Linux Troubleshooting, the Deployment, and the Security courses and perhaps also the SELinux Policy Administration. (You need to wear your forensic hat, and ask questions from that perspective during classes.) The RHCSS could be a subgoal here. If I had to prioritize, the troubleshooting and security courses would be early, along with sysadm I and II. (Note: I'm assuming basic Linux/Unix knowledge here. If you don't know what 'xargs' does, and can't figure it out on your own, you need additional training.)

Then, on top of that, you add any additional forensic details -- actual forensic tools and toolkits, and finer details of file systems, partitioning, patching, installation, RAID, etc. I would not call that 'advanced', I'd only call it 'forensic training', as it presupposes an already existing expertise in the OS platform.

But that last part is really *training* -- you already know what tools you are going to use, and need the know-how to use them appropriately and safely.

But this is my take of the subject matter, and as you see 'advanced' doesn't even enter it. (If it did, it would be in very deep kernel or file system details, and so be more a question of Linux kernel development and such.)

I have no good way of knowing what 'advanced' means to you, but perhaps you'll get some ideas of where to look for it.  

athulin
Senior Member

Re: Forensic Analysis of Linux System

Posted: Thu Jan 10, 2013 4:35 am

Good post, although I think it is interesting to delineate what someone is specifically looking for with regards to "Linux Forensics".

If you are wondering how common file systems used in Linux distros function (Ext2/3/4, Reiser) then I don't necessarily think you need SysAdmin-level knowledge of specific Linux/Unix flavours.

On the other hand, if you're looking for OS artefacts then that knowledge is obviously useful! But still not crucial IMO. Off the top of my head, Skype and Firefox maintain very similar (maybe identical) data structures to those found on Windows OSes, so providing the relevant files are still live you shouldn't have too many problems.

By the way, Geeko - these guys offer a few online Linux Forensic courses (link taken from the forensics wiki) - although I'm not sure if anyone can attest to how good they are...?  

Chris_Ed
Senior Member

Re: Forensic Analysis of Linux System

Posted: Tue Mar 12, 2013 5:08 am

You could always start here: Linux Leo  

Ian90
Newbie