Linux/Unix Forensics | Difose Digital Forensic Services

Linux Forensic Analysis

1. Volatile evidences

2. Collecting volatile evidences

3. System time, working process, logged in users, running files, network state

4. Linux /proc Pseudo file system

4.1. Proc file system
4.2. cpuinfo, meminfo and interrupts
4.3. /proc/cmdline and /proc/uptime
4.4. /proc/version and/proc/acpi
4.5. /Proc processes Folders

5. Linux file systems

5.1. EXT2, EXT3 and EXT4
5.2. Superblock and Group Descriptor Tables
5.3. Block Groups
5.4. Inodes
5.5. Hard links and Soft links
5.6. Alter MAC times
5.7. Indirect block pointers
5.8. Data unit layers

6. Linux Boot and services

7. Users and groups

8. Home folder

9. Linux log analysis

9.1. User activities
9.2. Process Accounting
9.3. Lastcomm
9.4. Syslog analysis
9.5. Logrotate analysis
9.6. Auth.log and Kern.log analysis