Authors: Ali H. Hadi, Ph.D., Champlain College



Time: 4 Hours

Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question “are these tools and systems, always going to be used for ethical purposes?” The answer is definitely not!

Another reason to consider learning Linux forensics is that not everyone uses Windows. You may arrive at a crime scene only to find that your suspect’s computer is a Linux operating system! If you don’t have the proper skillset, you will end up shocked and questioning your own knowledge and abilities. What should I do? Do I have the skills required to collect data from this system? Where should I look for artifacts? What do these artifacts even look like? How can we identify and track user activity? etc.

The goal of this workshop is to help DFIR analysts build the most important knowledge and skills that will give them confidence when encountering computers running a Linux OS. Topics covered are:

  1. Understanding Linux FHS, Kernel, Boot Process, and System and Service Managers (init and systemd)
  2. Search, Identify and Collect important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
  3. Understanding EXT4 file system and learning how to analyze it using TSK
  4. Perform log analysis on different system and activity logs.

Back to the USA 2020 Conference Page