I'm looking for a book or articles/papers covering Linux system log analysis and Linux artifact analysis such as internet artifacts, application artifacts etc. I have read Chris Pogue's UNIX and Linux Forensic Analysis book, but it didn't quite get into the detail I was looking for, for the mentioned topics above. I've been searching on Google and all I seem to end up with is tools to do the jobs, but no actual how, why, details or they seem to deal with logs for intrusion analysis.
Kind of hoping to find something that goes into similar detail to the EnCE Official Study Guide by Bunting, but for Linux and doesn't have to be tool specific.
Anybody have any ideas?
Try the
Essential reading if you want to learn from the bottom up is Barry Grundy's excellent
I had the good fortune to attend an 'Introduction to Linux Forensics' course run by Barry. Having never encountered Linux/Unix before, I'm now developing applications for it (albeit modest ones)…
A lot of the information is about locating and recovering files; thereafter it doesn't really matter what OS you are using for analysis because it's the same file whether viewed in Linux, Solaris, OSX or Windows. I reckon it's just a case of finding the best tool for the job (and the wallet).
Paul
I suspect you will not find it. The book you mention is the only one I am aware of.
From a bog-standard provincial LE perspective in the UK we deal predominantly with Windows machines from a home setting. Out of about 500 computers a year we will see less than a handful of Linux systems. So there is little justification for putting the resources into producing the material you seek.
I would guess any work like this would be on an ad hoc basis depending upon specific case-by-case needs.
H
There tends to be more in the corporate/business environment, but from a server perspective, rather than an end user device. Looking at hacked Apache/Sendmail/MySQL logs might be a better place to focus rather than Internet Artifacts.
Thank you for your responses everybody. I'll check out your suggestions.
harryparsonage, I was afraid of that response. Everything seems to be geared towards intrusions, hacking etc etc.
Greetings,
In a prior life, I spent an enormous amount of time looking at Unix, Solaris, and Linux log files. I don't have any formal documentation on the analysis of them, but if you have specific questions, perhaps I can help.
-David
Thanks David. I'll send you a PM if I have any questions.
If there is a lack of material available, would you mind asking it on the forum? That way David's answers could build the available material.
Just a thought.
The Linux Cookbook, not forensic but a good resource for anyone interested in how Linux works. It is available in print and online here http//
There are a number of white papers and links to other Linux-related forensic web sites available at the 'linuxleo' web site at http//