Linux forensics project

10 Posts
6 Users
0 Reactions
974 Views
(@bmaree)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

I have recently enrolled for my degree project and chose the topic to be "Linux Forensics". I'm not particularly very technical but would like to make use of this chance to develop my knowledge of Linux and forensics at the same time. I wasn't able to focus my topic any further and therefore I would appreciate it if someone on this forum could help me with this issue. This work needs to have all components of a research project such as an intro, problem statement, scope, methodology, development/experimentation, results and a conclusion. I have about 2 months to finish it. Thanks in advance for any guidance.


   
Quote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

How much knowledge of Linux and forensics do you have? If the answer is "not much", I'd strongly suggest you acquire at least a basic knowledge of both Linux and forensics. This will allow you to refine your scope on your own, ask better questions, and evaluate the information you're getting more effectively.

Get Helix, Farmer's Boot CD, and any other Linux based forensics tools. Simply making a list of the various forensic/pentest Linux tools would be educational. Figure out what they do, how they do it, and what they don't do.

Read all the threads on here about Linux, forensics methodology, tools, etc. Listen to podcasts and watch any related webinar you can find.

If you educate yourself a fair bit, you'll find something that interests you, or see an unanswered question, or read someone's suggestion for a project that's already been suggested, and then you'll be better equipped to take on your project.

-David


   
ReplyQuote
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

First step would be to define your topic (more distinctly than "Linux Forensics" - such as a particular area of Linux and forensics or a general overview, ETC.).

Second step would be to familiarize yourself with Linux and the operating system environment.

Third step would be to focus on the area(s) defined by your more distinctly defined topic.

Two months time - no chance to "learn it all". I'd recommend narrowing your focus under the Linux Forensics umbrella.

Cheers!

farmerdude

www.onlineforensictraining.com

www.forensicbootcd.com


   
ReplyQuote
(@bmaree)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

Thank you both for taking the time to answer. Actually my Forensics knowledge is very basic and even my programming skills aren't that sharp either. The purpose of this project is to give a practical exposure to this field. This project also needs to include a contribution to this science although a very small one would be sufficient. This could be in the form of adding a user interface to a function that lacks one or visualizing a certain process in order to simplify that task for a forensic practitioner, etc.
The good news is that I have available help with any programming issues I might face but the problem here is to pinpoint that topic. Any help would be greatly appreciated.


   
ReplyQuote
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

Project suggestion

"Linux and Imaging Evidence"

Provides a narrower scope, allows you to research various Linux-based tools and methods, and is one of the first things you need to learn in computer forensics.


   
ReplyQuote
(@bmaree)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

"Linux and Imaging Evidence" sounds good especially if, as you say, it's the starting point of learning forensics. I did give 'Linux RAM forensics' an attempt but it turned out to be quite a complicated topic and will definitely require more time to digest. I do hope imaging will be easier to tackle.
For a start, do you recommend any readings on this topic? guides, academic papers…?


   
ReplyQuote
(@seawolf)
Active Member
Joined: 16 years ago
Posts: 5
 

Project suggestion "Linux and Imaging Evidence"
Provides a narrower scope, allows you to research various Linux-based tools and methods, and is one of the first things you need to learn in computer forensics.

This is exactly where I have started with a small project ( yeah, it's another bloomin' Live CD -P ) and I really the essence of all that follows; don't touch anything, get the data as quickly, smoothly & effectively as possible for examination etc.

"Linux and Imaging Evidence" sounds good especially if, as you say, it's the starting point of learning forensics. I did give 'Linux RAM forensics' an attempt but it turned out to be quite a complicated topic and will definitely require more time to digest. I do hope imaging will be easier to tackle.

Yeah, until you can get the environment down to using – and therefore overwriting – as little memory as possible, I too am sticking with something lighter!

For a start, do you recommend any readings on this topic? guides, academic papers…?

There is another thread about standards etc. but I think I'll start a tag on delicious for beginners-forensics or something similar. Have a look for the thread for starters )

Ben
(1st post, whoo!)


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

"Evaluating non-volatile memory under various embedded Linux systems"

Now that would be a cool research.

A more reasonable research (less technical) that might not fit class requirements

"Use of Linux in Forensic Investigation - Perceived trust and reliability of Linux solutions by Forensic Investigating Professionals"


   
ReplyQuote
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
 

Quality books to read (Listed alphabetically)

Digital Evidence and Computer Crime by Eoghan Casey

File System Forensic Analysis by Brian Carrier

Windows Forensic Analysis by Harlan Carvey


   
ReplyQuote
(@bmaree)
Active Member
Joined: 16 years ago
Posts: 11
Topic starter  

Quality books to read (Listed alphabetically)

Digital Evidence and Computer Crime by Eoghan Casey

File System Forensic Analysis by Brian Carrier

Windows Forensic Analysis by Harlan Carvey

Thank you for this valuable list. I'm working on this project now and the topic will be a guideline for forensic handling of a hard disk of an Ubuntu computer. Of course this generally would apply to any Linux but through the course of this work I will try to identify any configuration peculiarities of Ubuntu that need attention by a forensic practitioner and maybe deal with some ext4 issues (since this is the default currently). I plan to support this work with a list of experiments on analysing Ubuntu images, most likely using TSK.
I will likely be returning to this forum for further discussions and more insight.
Thanks again
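To make the planned Ubuntu image experiments concrete, here is an added Python example (not code from any poster in this thread, nor from TSK) that reads the primary ext4 superblock out of a raw partition image and reports the fields a handling guideline would record before anything is mounted: filesystem variant, block size, last mount point and times, and whether the journal still needs replay (which a read-write mount would perform, altering the evidence). The image and all its values are constructed for the example.

```python
import struct
from datetime import datetime, timezone

SB_OFFSET = 1024             # primary superblock starts 1024 bytes into the partition
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_RECOVER = 0x0004    # journal holds unreplayed transactions (unclean unmount)
INCOMPAT_EXTENTS = 0x0040
INCOMPAT_64BIT = 0x0080
INCOMPAT_FLEX_BG = 0x0200
EXT4_ONLY = INCOMPAT_EXTENTS | INCOMPAT_64BIT | INCOMPAT_FLEX_BG

def parse_ext_superblock(image: bytes, part_offset: int = 0) -> dict:
    """Parse the ext2/3/4 superblock of the partition starting at part_offset."""
    sb = image[part_offset + SB_OFFSET : part_offset + SB_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too short to contain a superblock")
    magic, = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"no ext superblock at offset {part_offset} (magic 0x{magic:04x})")
    inodes, blocks_lo = struct.unpack_from("<II", sb, 0x00)
    log_block_size, = struct.unpack_from("<I", sb, 0x18)
    mtime, wtime, mnt_count = struct.unpack_from("<IIH", sb, 0x2C)
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)
    def cstr(b): return b.split(b"\0", 1)[0].decode("utf-8", "replace")
    def ts(t): return datetime.fromtimestamp(t, timezone.utc).isoformat() if t else None
    return {
        "variant": "ext4" if incompat & EXT4_ONLY else
                   ("ext3" if compat & COMPAT_HAS_JOURNAL else "ext2"),
        "block_size": 1024 << log_block_size,
        "inode_count": inodes,
        "block_count": blocks_lo,        # low 32 bits only; enough for volumes < 2^32 blocks
        "mount_count": mnt_count,
        "last_mount_time": ts(mtime),
        "last_write_time": ts(wtime),
        "volume_name": cstr(sb[0x78:0x88]),
        "last_mounted_at": cstr(sb[0x88:0xC8]),
        # True means a normal mount would replay the journal and write to the disk;
        # examine such an image read-only with journal loading disabled (-o ro,noload).
        "needs_journal_replay": bool(incompat & INCOMPAT_RECOVER),
    }

def constructed_ubuntu_image() -> bytes:
    """Constructed 8 KiB stand-in for an Ubuntu root partition: only the superblock
    fields this parser reads are filled in. Not a real disk dump."""
    img, sb = bytearray(8192), SB_OFFSET
    struct.pack_into("<II", img, sb + 0x00, 655360, 2621440)          # inodes, blocks
    struct.pack_into("<I", img, sb + 0x18, 2)                         # 1024 << 2 = 4096
    struct.pack_into("<IIH", img, sb + 0x2C, 1700000000, 1700003600, 17)
    struct.pack_into("<H", img, sb + 0x38, EXT_MAGIC)
    struct.pack_into("<II", img, sb + 0x5C, COMPAT_HAS_JOURNAL,
                     INCOMPAT_RECOVER | INCOMPAT_EXTENTS | INCOMPAT_64BIT | INCOMPAT_FLEX_BG)
    img[sb + 0x78 : sb + 0x78 + 11] = b"ubuntu-root"
    img[sb + 0x88 : sb + 0x88 + 1] = b"/"
    return bytes(img)
```

On a real image, pass the partition's byte offset (for example from the TSK `mmls` output) as part_offset and read the image with the file opened read-only.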


   
ReplyQuote
Share: