Performing Linux Forensic Analysis & Why You Should Care

Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question “are these tools and systems always going to be used for ethical purposes?” The answer is definitely, NO! Another reason to consider learning Linux forensics is that not everyone uses Windows. You may arrive at a crime scene only to find that your suspect’s computer is a Linux operating system! If you don’t have the proper skillset, you will be shocked and start to question your knowledge and abilities. What should I do? Do I have the skills required to collect data from this system? Where should I look for artifacts? What do these artifacts even look like? How can we identify and track user activity? etc. The goal of this workshop is to help DFIR analysts build the most important knowledge and skills that will give them confidence when encountering computers running a Linux OS, whether used as a desktop or server.

Topics covered are:

1. Understanding Linux FHS, Kernel, Boot Process, and System and Service Managers (init and systemd)
2. Search, Identify and Collect important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
3. Understanding EXT4 file system and learning how to analyze it using TSK
4. Perform log analysis on different system and activity logs.