Название: Practical Linux Forensics: A Guide for Digital Investigators (Final)
Автор: Bruce Nikkel
Издательство: No Starch Press, Inc.
Год: 2022
Страниц: 420
Язык: английский
Формат: epub
Размер: 10.2 MB

Practical Linux Forensics dives into the technical details of analyzing postmortem forensic images of Linux systems that have been misused, abused, or the target of malicious attacks. This essential practitioner’s guide will show you how to locate and interpret digital evidence found on Linux desktops, servers, and IoT devices, draw logical conclusions, and reconstruct timelines of past activity after a crime or security incident. It's a book written for investigators with varying levels of Linux experience, and the techniques shown are independent of the forensic analysis platform and tools used.

Early chapters provide an overview of digital forensics as well as an introduction to the Linux operating system and popular distributions. From there, the book describes the analysis of storage, filesystems, files and directories, installed software packages, and logs. Special focus is given to examining human user activity such as logins, desktop environments and artifacts, home directories, regional settings, and peripheral devices used.

You’ll learn how to:

Analyze partition tables, volume management, Linux filesystems, and directory layout
Reconstruct the Linux startup process, from system boot and kernel initialization, to systemd unit files leading up to a graphical login
Perform historical analysis of power, temperature, and physical environment, and find evidence of sleep, hibernation, shutdowns, reboots, and crashes
Analyze network configuration, including interfaces, addresses, network managers, DNS, wireless artifacts, VPNs, firewalls, and proxy settings
Perform analysis of time and locale settings, internationalization (language and keyboard settings), and Linux geolocation services
Reconstruct user login sessions, analyze desktop artifacts, and identify traces of attached peripheral devices, including disks, printers, and mobile devices

Target Audience and Prerequisites:
I wrote this book with a specific audience in mind. It is primarily aimed at digital forensics practitioners who are experienced at performing Windows, Mac, and mobile forensics and want more knowledge in the area of Linux. Forensic examiners need to know basic Linux concepts, where to find forensic artifacts, and how to interpret evidence collected. This does not mean examiners must know how to use Linux (though it can help); they need to know only what to look for and how to draw conclusions from the evidence found.

Who Should Read This Book?
This book will directly benefit people working in private- and public-sector digital forensics labs who are responsible for conducting forensic examinations of computer systems, including Linux. The book specifically targets the growing number of forensic practitioners from incident response teams; computer forensic investigators within large organizations; forensic and e-discovery technicians from legal, audit, and consulting firms; and traditional forensic practitioners from law enforcement agencies. Although this book is intended primarily for experienced digital forensic investigators wanting to advance their Linux knowledge, it will benefit other groups of people, as well.

Experienced Unix and Linux administrators who want to learn digital forensic analysis and investigative techniques will also benefit from this book. This could be system administrators wanting to transition into the field of digital forensics or to leverage digital forensic methods to improve their troubleshooting skills.
Security professionals will also find this book useful. Information security risks associated with a default Linux installation may need to be assessed, resulting in security-driven changes. This may include reducing the amount of information stored on a system for confidentiality reasons. Conversely, forensic readiness requirements may result in increasing the amount of information logged or saved on a system.

BRIEF CONTENTS
Introduction
Chapter 1: Digital Forensics Overview
Chapter 2: Linux Overview
Chapter 3: Evidence from Storage Devices and Filesystems
Chapter 4: Directory Layout and Forensic Analysis of Linux Files
Chapter 5: Investigating Evidence from Linux Logs
Chapter 6: Reconstructing System Boot and Initialization
Chapter 7: Examination of Installed Software Packages
Chapter 8: Identifying Network Configuration Artifacts
Chapter 9: Forensic Analysis of Time and Location
Chapter 10: Reconstructing User Desktops and Login Activity
Chapter 11: Forensic Traces of Attached Peripheral Devices
Afterword
Appendix: File/Directory List for Digital Investigators
Index