Linux/Unix Forensics | Difose Digital Forensic Services

Linux Forensic Analysis

Linux Forensics course is intended for experienced forensic investigators and law enforcement agents. By the end of this course, the participants will be able to identify, collect, and analyze Linux artifacts and evidence. They will develop knowledge and skills to perform live analysis, capture volatile data, make images of media, analyze filesystems, analyze network traffic, analyze files, perform memory analysis, and analyze malware on a Linux system.

1. Volatile evidences

2. Collecting volatile evidences

3. System time, working process, logged in users, running files, network state

4. Linux /proc Pseudo file system

4.1. Proc file system
4.2. cpuinfo, meminfo and interrupts
4.3. /proc/cmdline and /proc/uptime
4.4. /proc/version and/proc/acpi
4.5. /Proc processes Folders

5. Linux file systems

5.1. EXT2, EXT3 and EXT4
5.2. Superblock and Group Descriptor Tables
5.3. Block Groups
5.4. Inodes
5.5. Hard links and Soft links
5.6. Alter MAC times
5.7. Indirect block pointers
5.8. Data unit layers

6. Linux Boot and services

7. Users and groups

8. Home folder

9. Linux log analysis

9.1. User activities
9.2. Process Accounting
9.3. Lastcomm
9.4. Syslog analysis
9.5. Logrotate analysis
9.6. Auth.log and Kern.log analysis