Practical Linux Forensics dives into the details of analyzing postmortem images of Linux systems that were misused, abused, or attacked. You'll learn how to locate and interpret digital evidence on Linux desktops, servers, and IoT devices, and reconstruct a timeline of events after a crime or security incident. Following an overview of the Linux operating system, you'll learn how to analyze storage, filesystems, and installed software, as well as package management systems from a range of distributions.
You'll investigate syslog, the systemd journal, kernel and audit logs, and daemon and application logs. In addition, you'll inspect network configurations including interfaces, addresses, network managers, DNS, wireless artifacts, VPNs, firewalls, and proxy settings. You'll also learn how to:

- Examine settings for time, locale, language, and keyboard, as well as timelines and geolocation
- Reconstruct the Linux startup process, from system boot and kernel initialization to the login screen
- Analyze partition tables, volume management, filesystems, directory layout, installed software, and network configuration
- Perform historical analysis of power, temperature, and physical environment, as well as shutdowns, reboots, and crashes
- Investigate user login sessions and identify traces of attached peripherals including disks, printers, and other external devices
This comprehensive guide is platform- and tool-agnostic and written for investigators with varying Linux skill levels. Begin your digital forensics journey here.