±Forensic Focus Partners
New Today: 5
New Yesterday: 9
· A guide to RegRipper and the art of timeline building
· Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions
· FT Cyber Security Summit 2014 – Recap
· Why Offender Profiling is Changing Thanks to Mobile Forensics and Increasingly ‘Social’ Criminal Activity
· Understanding Cyber Bullying – Notes for Digital Forensics Examiners
· Investigating the Dark Web – The Challenges of Online Anonymity for Digital Forensics Examiners
· The Complete Workflow of Forensic Image and Video Analysis
· Browser Anti Forensics
· Coming apart at the SIEMs …
±Follow Forensic Focus
Incident Response toolkit for a linux machine
I am currently doing a project named "Live forensics in a linux machine" and for it I wanted some advice as in what toolkits i should use. I was thinking to use 2 toolkits but i am unable to determine which one.
Also i m a bit newbie in linux so would really appreciate if i could now how to use them if they are in command format.
I have read about few commands like netcat, etc. but i dont how do i use them in the suspects machine and get its output on my pd which has the toolkit.
Thanks in advance.
Really need some help on it.
Linux itself is built with a number of handy tools. Just running netstat can provide a lot of info. Fport (downloaded from www.mcafee.com/us/down...port.aspx) can show executables attached to open ports, etc. What are you looking for? Is it mainly network connections?
For a 'toolkit' there's Helix, or Deft (http://www.deftlinux.net/).
Any reason why you couldn't use a live boot disc like Paladin or any of the other Linux based live distros that are out there and then conduct the examination on the drive?
Much more forensically sound than running CLI strings on a live system.
- Senior Member