Forensic Analysis of Linux System

(@geeko_forensic)
Posts: 2
New Member
Topic starter

Hi everyone !

First of all best wishes for this new year.

Second, I'm looking for an "advanced" training about Forensic Analysis of Linux Systems … I searched a lot on the web with my friend Google, but did not find any relevant training, do you know a good training?

Thx

Posted : 03/01/2013 6:23 pm
(@chrispa)
Posts: 5
Active Member

I'm also interested in Linux forensics, especially everything concerning rootkits.

Posted : 10/01/2013 1:40 am
(@athulin)
Posts: 1156
Noble Member

Second, I'm looking for an "advanced" training about Forensic Analysis of Linux Systems … I searched a lot on the web with my friend Google, but did not find any relevant training, do you know a good training?

Um … I wonder if you're asking the right question.

What kind of Linux? Ubuntu? Debian? Red Hat? There are even people who refer to various *BSD as 'Linux', but that's going too far, I think. You'll find Linux distributions with both Berkeley and AT&T flavours, and you can even find 'Linuxes' (like Debian) built on non-Linux platforms (Debian / FreeBSD), which thus aren't really Linux.

To my mind you'll need to start from a really solid grounding in the actual operating system in all the aspects you'd be called on to investigate. That's something you probably won't find as 'forensic' training, but more probably as system administrator training at various levels … for Red Hat or Debian or whatever … but not necessarily for 'Linux'. And depending on the actual distribution, you might need to do that for both the client and the server versions.

Just from a very quick look at the Red Hat training material, I'd suggest at least all the System Administration courses (I, II and III), the Linux Troubleshooting, the Deployment, and the Security courses and perhaps also the SELinux Policy Administration. (You need to wear your forensic hat, and ask questions from that perspective during classes.) The RHCSS could be a subgoal here. If I had to prioritize, the troubleshooting and security courses would be early, along with sysadm I and II. (Note I'm assuming basic Linux/Unix knowledge here. If you don't know what 'xargs' does, and can't figure it out on your own, you need additional training.)

Then, on top of that, you add any additional forensic details – actual forensic tools and toolkits, and finer details of file systems, partitioning, patching, installation, RAID, etc. I would not call that 'advanced', I'd only call it 'forensic training', as it presupposes an already existing expertise in the OS platform.

But that last part is really *training* – you already know what tools you are going to use, and need the know-how to use them appropriately and safely.

But this is my take on the subject matter, and as you see 'advanced' doesn't even enter it. (If it did, it would be in very deep kernel or file system details, and so be more a question of Linux kernel development and such.)

I have no good way of knowing what 'advanced' means to you, but perhaps you'll get some ideas of where to look for it.

Posted : 10/01/2013 12:42 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member

Good post, although I think it is interesting to delineate what someone is specifically looking for with regards to "Linux Forensics".

If you are wondering how common file systems used in Linux distros function (Ext2/3/4, Reiser) then I don't necessarily think you need SysAdmin-level knowledge of specific Linux/Unix flavours.

On the other hand, if you're looking for OS artefacts then that knowledge is obviously useful! But still not crucial IMO. Off the top of my head, Skype and Firefox maintain very similar (maybe identical) data structures to those found on Windows OSes, so providing the relevant files are still live you shouldn't have too many problems.

By the way, Geeko - these guys offer a few online Linux Forensic courses (link taken from the forensics wiki) - although I'm not sure if anyone can attest to how good they are…?

Posted : 10/01/2013 3:35 pm
(@ian90)
Posts: 2
New Member

You could always start here: Linux Leo

Posted : 12/03/2013 3:08 pm