Performing Linux Forensic Analysis and Why You Should Care

Ali Hadi
Champlain College

Brendan Brown
Champlain College


Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question “are these tools and systems, always gonna be used for ethical purposes?”. The answer is definitely, NO! Another reason to consider Linux forensics, is you arrive to the crime scene and you find out that your suspect’s desktop is a Linux operating system! If you don’t have the proper skillset, you will be shocked and start to question your knowledge, ability, and skillset. What should I do? Do I have the skills required to collect data from this system? Where should I look for data and artifacts? What do these artifacts even look like? How can we identify and track user activity? etc.

The goal of this workshop is helping DFIR analysts build the most important knowledge and skills that will give them the confidence when encountering computers running a Linux OS, whether used as desktop or server. Topics covered are:

  1. 1. Understanding Linux FHS, Kernel, Boot Process, and System and Service Managers (init and systemd)
  2. 2. Search, Identify and Collect important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
  3. 3. Understanding EXT4 file system and learn how to analyze them using TSK
  4. 4. Perform log analysis on different system and activity logs.

System Requirements

Hardware: a laptop with the following minimum specifications:

  • 8GB RAM
  • 100GB Free disk space

Software: a Linux/Windows system with:

  • VMWare or VirtualBox
  • Tsurugi Linux running in a Virtual Machine (download from here: If you can’t install Tsurugi, a pre-configured VM can be provided.
About Ali Hadi

Dr. Ali Hadi, is a Senior Information and Cybersecurity Specialist with 14+ years of industrial experience in Information Technology, currently working as a full time professor and researcher for both the Computer and Digital Forensics and Cybersecurity Departments at Champlain College, Vermont, USA. He holds a bachelor in computer science and a masters and PhD both in Computer Information Systems. Dr. Hadi provides consulting in several areas of security including digital forensics and incident response, cyber threat hunting, penetration testing, and vulnerability assessments. Dr. Hadi is also an author, speaker, and freelance instructor where he delivered technical training to law enforcement agencies, banks, telecoms, private companies, and other institutes. Dr. Hadi's research interests include digital forensics, incident response, and cyber threat hunting. More details could be found here.

About Brendan Brown

Brendan Brown is a senior at Champlain College pursuing his bachelors degree in Computer and Digital Forensics and a minor in Cybersecurity. Having always been interested in technology, he quickly found himself working a summer job in IT at 14 and hasn't stopped working in the field since. Recent employment involved a year working part time at MIT's Lincoln Laboratory as a member of their Forensics Analysis team and four years at Champlain College's Digital Investigation Laboratory; most recently as their supervisor of Security Operations.