Authors: Ali Hadi and Mariam Khader
DFRWS USA 2022
Abstract
Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question “are these tools and systems always going to be used for ethical purposes?” The answer is definitely not!
Another reason to consider learning Linux forensics is that not everyone uses Windows. You may arrive at a crime scene only to find that your suspect’s computer is a Linux operating system! If you don’t have the proper skillset, you will end up shocked and questioning your own knowledge and abilities. What should I do? Do I have the skills required to collect data from this system? Where should I look for artifacts? What do these artifacts even look like? How can we identify and track user activity? etc. The goal of this workshop is to help DFIR analysts build the most important knowledge and skills that will give them confidence when encountering computers running a Linux OS.
Topics covered are:
- Understanding Linux FHS, Kernel, Boot Process, and System and Service Managers (init and systemd)
- Search, Identify and Collect important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
- Understanding EXT4 file system and learning how to analyze it using TSK
- Perform log analysis on different system and activity logs.
System Requirements
Hardware: a laptop with the following minimum specifications:
- 8GB RAM
- 100GB Free disk space
Software: a Linux/Windows system with:
- VMWare or VirtualBox
- Tsurugi Linux running in a Virtual Machine (download from here:
https://tsurugi-linux.org/downloads.php). If you can’t install Tsurugi, a
pre-configured VM can be provided.
Bio
Ali Hadi
Dr. Ali Hadi, is a Senior Information and Cybersecurity Specialist with 14+ years of industrial experience in Information Technology, currently working as a full time professor and researcher for both the Computer and Digital Forensics and Cybersecurity Departments at Champlain College, Vermont, USA. He holds a bachelor in computer science and a masters and PhD both in Computer Information Systems. Dr. Hadi provides consulting in several areas of security including digital forensics and incident response, cyber threat hunting, penetration testing, and vulnerability assessments. Dr. Hadi is also an author, speaker, and freelance instructor where he delivered technical training to law enforcement agencies, banks, telecoms, private companies, and other institutes. Dr. Hadi’s research interests include digital forensics, incident response, and cyber threat hunting. More details could be found here.
Mariam Khader
Dr. Mariam Khader is an Assistant Professor at Champlain College, USA. She holds a PhD in Computer Science and MSc in IT security and Digital Criminology. She is also a researcher at the Leahy Center focusing on Mobile and Operating System Forensics, and Big Data Forensics.
Materials
Before starting the workshop, we would like to ask you to prepare your workstation so you can follow the instructions and apply them yourself. We prefer learning by doing, so we will assume you have a working workstation or virtual machine ready for the workshop. To help you get prepared, we recommend you do the following:
- Watch the video that explains the Files
- Download the Tsurugi Linux VM
- Download the Workshop Files
- Set up the VM or copy the forensic image into your preferred VM
More detailed instructions are in the README. All the workshop files are available on Dropbox.
Downloads
linux-forensics-README.pdf (Other) |