Introduction to Linux Forensics - PowerPoint PPT Presentation
Introduction to Linux Forensics

By Chris Marko

June 2005

Linux is Growing in Popularity

  • Each new version becoming more user friendly.

    • Disk installation no longer confusing.

    • Installation interface more intuitive.

    • Graphical environment becoming much more mature.

  • More and more companies are embracing & supporting Linux.

    • IBM has teams of developers working on it.

    • Apple’s OS now has a UNIX-like core.

    • Novell is now in the Linux business.

  • More and more devices are now running Linux

    • Personal Devices: Cell Phones & PDAs.

    • Electronics: Video Recorders, MP3 Players.

Linux Boot Sequence

  • Start your computer that has Linux installed.

Floppy Disk Analysis

  • Insert Floppy

  • Obtain SHA hash

Create Floppy Disk Image

  • Use dd to create forensic image.

  • Compare SHA hash of image against floppy to confirm good image.

Identify File System

  • Use file utility to identify the file system of floppy disk image.

  • file utility can identify more than 30 different file system types & many more standard file types.

Mount the Image for Analysis

  • Create a directory to mount the image against.

  • Use the mount utility to mount the image through a loop device, so the OS treats the image file as if it were a physical disk.

Obtain SHA Hash of Contents

  • Obtain SHA hash of each file on the floppy disk.

  • Check the hash listing to confirm all looks as expected.

Identify File Contents

  • ls to view all the files on the floppy.

  • file utility to identify file header.

    • Tells us that this is actually a Microsoft Office Document.

View File Contents

  • strings utility to extract raw text from a binary file.

Evidential Search Criteria

  • Put together keyword list to use in search applied against evidence.

    • This screenshot shows the use of the vi editor.

Apply Search List

  • Apply the search list against the entire image of the floppy by using the grep utility.

View Search Results

  • Viewing the search results file with cat shows binary data, so we use strings instead to view only the ASCII text from the file. The location of each hit is shown as the number before the colon, e.g. “49189:”.

Search Hit Example

  • xxd utility used to perform a hex dump of data.

  • # xxd -s 49189 /evidence/floppy1.img | less

  • Note the match giving an address for the Boston Crackdlr of 11 Clarendon Apt 6 in Boston’s Back Bay.
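The floppy workflow from the preceding slides (image, verify hash, mount, hash contents, keyword search, hex dump at the hit) carried through as one script. This is an added example, not code from the deck: it assumes GNU coreutils and grep, uses sha1sum for the "SHA hash", substitutes a constructed image file for the physical floppy (/dev/fd0 in a real case), and mounts read-only, which the deck does not specify.

```shell
#!/bin/sh
# Added example: the deck's floppy workflow as shell functions.
# Assumes GNU coreutils/grep; a real case would use /dev/fd0 as the source.

# Constructed stand-in for the floppy: 1440 KiB of zeros with a
# made-up address-book fragment written at byte offset 49189.
make_sample_floppy() {                      # $1 = path
    dd if=/dev/zero of="$1" bs=1024 count=1440 2>/dev/null
    printf '%s' 'Addr: 11 Clarendon Apt 6, Back Bay' |
        dd of="$1" bs=1 seek=49189 conv=notrunc 2>/dev/null
}

# Compare SHA-1 of source media and image; a read error on the media
# shows up here as a mismatch, so the image is trusted only if this passes.
verify_image() {                            # $1 = source, $2 = image
    [ "$(sha1sum "$1" | cut -d' ' -f1)" = "$(sha1sum "$2" | cut -d' ' -f1)" ]
}

# dd the media to an image file and print the image hash on success.
image_device() {                            # $1 = source, $2 = image
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    verify_image "$1" "$2" || { echo "hash mismatch: bad image" >&2; return 1; }
    sha1sum "$2" | cut -d' ' -f1
}

# Loop-mount the image read-only (needs root; ro keeps the evidence unchanged).
mount_image() {                             # $1 = image, $2 = mount point
    mkdir -p "$2" && mount -o ro,loop,noexec,nodev "$1" "$2"
}

# One "hash  path" line per file under the mount point.
hash_contents() {                           # $1 = mount point
    find "$1" -type f -exec sha1sum {} + | sort -k2
}

# grep the raw image for every keyword; -b -o prints the byte offset of
# each hit, the number before the colon on the "View Search Results" slide.
keyword_search() {                          # $1 = image, $2 = keyword file
    grep -a -b -o -i -f "$2" "$1"
}

# Hex dump starting at a hit offset, as the deck does with xxd -s;
# falls back to od when xxd is not installed.
hex_at() {                                  # $1 = image, $2 = offset, $3 = length
    if command -v xxd >/dev/null 2>&1; then xxd -s "$2" -l "${3:-64}" "$1"
    else od -A d -t x1z -j "$2" -N "${3:-64}" "$1"; fi
}
```

Run the search against the image, not the mounted files, so hits in deleted or slack space are not missed.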


  • You have now seen an introduction to analyzing a floppy disk with a few tools.

  • Next, you might further analyze the addressbook file:

    • file utility to identify type

    • strings utility to extract raw text

  • Maybe copy the .d file to a machine with Microsoft Word to view the interpreted content.