Linux File Use & Knowledge Artifacts

This week I talk about Linux forensics and break down some useful artifacts that may generate leads for investigations.

Show Notes

Linux forensics is often IR driven, but sometimes a Linux system comes up in a File Use & Knowledge investigation. An examiner is far more likely to be dealing with a Windows or Mac system, but when a Linux box eventually rolls in it is good to know some basic triage artifacts so the investigation does not stall completely.

Below are the Linux artifacts I talk about during the podcast. Consider these entry-level artifacts that a “non-Linux” examiner can interpret, with a little validation testing.

Computer System Profile Information

ID Suspicious Accounts

Profile User Account Activity

Profile User Login History

Web Browsing Evidence
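The script below is an added example, not code from the podcast, the SANS cheat sheet or Hal Pomeranz's talk. It runs a first-pass triage over a mounted Linux image for each of the five artifact groups above: hostname and OS release from /etc, suspect entries in /etc/passwd and /etc/shadow, per-user .bash_history, logins decoded from /var/log/wtmp (the file `last` reads), and URLs from a Firefox places.sqlite. It assumes the evidence is mounted read-only at a root path (here a constructed temp tree, with made-up accounts, logins and a minimal stand-in for the moz_places table, so it runs offline), that wtmp uses the glibc x86_64 utmp record layout, and that Firefox is the browser in use; none of those names or values come from the original page.

```python
"""Triage a mounted Linux image for the artifact groups above. Added example, not
the podcast's own code; assumes a glibc x86_64 wtmp layout and Firefox history."""
import sqlite3
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# glibc x86_64 struct utmp (384 bytes): ut_type, pad, ut_pid, ut_line, ut_id, ut_user,
# ut_host, ut_exit, ut_session, ut_tv, ut_addr_v6, unused. Other arches/libcs differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7  # ut_type of a normal user login

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def system_profile(root):
    """Hostname and OS release: the first things to record about the box."""
    root = Path(root)
    info = {"hostname": (root / "etc/hostname").read_text().strip()}
    for line in (root / "etc/os-release").read_text().splitlines():
        if line.startswith("PRETTY_NAME="):
            info["os"] = line.split("=", 1)[1].strip('"')
    return info

def suspicious_accounts(root):
    """Extra UID-0 accounts, system accounts with a login shell, empty shadow passwords."""
    root, flags = Path(root), []
    for line in (root / "etc/passwd").read_text().splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        if uid == "0" and name != "root":
            flags.append((name, "uid 0"))
        elif 0 < int(uid) < 1000 and shell.endswith("sh"):  # *sh = interactive shell
            flags.append((name, "system account with login shell"))
    for line in (root / "etc/shadow").read_text().splitlines():
        name, pw = line.split(":")[:2]
        if pw == "":
            flags.append((name, "empty password"))
    return flags

def shell_history(root):
    """Per-user lines from $HOME/.bash_history (no timestamps unless HISTTIMEFORMAT was set)."""
    return {h.name: (h / ".bash_history").read_text().splitlines()
            for h in sorted(Path(root, "home").iterdir())
            if (h / ".bash_history").exists()}

def login_history(root):
    """Decode /var/log/wtmp (what `last` reads) into user login records."""
    data, logins = Path(root, "var/log/wtmp").read_bytes(), []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        if rec[0] == USER_PROCESS:  # skip boot/runlevel/dead-process rows
            logins.append({"user": _cstr(rec[4]), "tty": _cstr(rec[2]), "host": _cstr(rec[5]),
                           "time": datetime.fromtimestamp(rec[9], timezone.utc).isoformat()})
    return logins

def firefox_history(root):
    """URLs from each user's Firefox places.sqlite (last_visit_date is microseconds)."""
    home, visits = Path(root, "home"), []
    for db in sorted(home.glob("*/.mozilla/firefox/*/places.sqlite")):
        con = sqlite3.connect(f"file:{db}?mode=ro", uri=True)
        for url, ts in con.execute("SELECT url, last_visit_date FROM moz_places "
                                   "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date"):
            visits.append((db.relative_to(home).parts[0], url,
                           datetime.fromtimestamp(ts / 1e6, timezone.utc).isoformat()))
        con.close()
    return visits

def build_sample_root():
    """Constructed evidence tree (not a real image) so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="linux-triage-"))
    for rel, text in {
        "etc/hostname": "lab-box\n",
        "etc/os-release": 'NAME="Ubuntu"\nPRETTY_NAME="Ubuntu 16.04 LTS"\n',
        "etc/passwd": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin\n"
                      "games:x:5:60::/usr/games:/bin/sh\nbackup:x:0:34::/var/backups:/bin/bash\n"
                      "alice:x:1000:1000::/home/alice:/bin/bash\n",
        "etc/shadow": "root:$6$s$h:17000:0:99999:7:::\nbackup::17000:0:99999:7:::\n",
        "home/alice/.bash_history": "wget http://example.com/x.sh\nchmod +x x.sh\n",
    }.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    def rec(t, user, line, host, sec):  # one 384-byte utmp record
        return struct.pack(UTMP_FMT, t, 4242, line.encode(), b"", user.encode(),
                           host.encode(), 0, 0, 0, sec, 0, b"", b"")
    (root / "var/log").mkdir(parents=True)
    (root / "var/log/wtmp").write_bytes(rec(2, "reboot", "~", "", 1489449600)  # BOOT_TIME row
        + rec(USER_PROCESS, "alice", "pts/0", "10.0.0.5", 1489500000)
        + rec(USER_PROCESS, "backup", "tty1", "", 1489503600))
    prof = root / "home/alice/.mozilla/firefox/abcd1234.default"
    prof.mkdir(parents=True)
    con = sqlite3.connect(prof / "places.sqlite")  # minimal stand-in for the real schema
    con.execute("CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, last_visit_date INTEGER)")
    con.execute("INSERT INTO moz_places(url, last_visit_date) VALUES (?, ?)",
                ("http://example.com/x.sh", 1489500000 * 10**6))
    con.commit()
    con.close()
    return root
```

On a real image, point each function at the mount point instead of `build_sample_root()`. The wtmp decoder is the piece that most needs validation testing: compare its output with `last -f /mnt/evidence/var/log/wtmp` on a known file before trusting it, since 32-bit and non-glibc systems use a different record layout. The account checks are deliberately loose heuristics (a shell name ending in `sh`, an empty shadow field) meant to surface leads, not to prove anything on their own.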

Sources & Resources

SANS Forensics Linux Cheat Sheet https://www.sans.org/media/score/checklists/ID-Linux.pdf

Linux Forensics for non Linux users – Hal Pomeranz https://youtu.be/4d326HlQ3V0
