Performing Linux Forensic Analysis and Why You Should Care

Ali Hadi
Champlain College

Track 1

Why do we need to learn Linux forensics? Nowadays, when you look at the number of tools available on the different penetration testing distributions running Linux, you should stop and ask yourself a basic question: “are these tools and systems always going to be used for ethical purposes?” The answer is definitely NO! Another reason to consider Linux forensics: you arrive at the crime scene and find out that your suspect’s desktop is running a Linux operating system. If you don’t have the proper skillset, you will be shocked and start to question your knowledge, ability, and skills. What should I do? Do I have the skills required to collect data from this system? Where should I look for data and artifacts? What do these artifacts even look like? How can we identify and track user activity? And so on.

The goal of this presentation is to help DFIR analysts build the most important knowledge and skills that will give them confidence when encountering computers running a Linux OS, whether used as desktop or server. Topics covered are:

  1. Understanding the Linux FHS, kernel, boot process, and system and service managers (init and systemd)
  2. Searching for, identifying, and collecting important data from devices, volumes, shells, default scripts, variables, users, groups, processes, applications, network services, network connections, cron jobs, and procfs
  3. Understanding the EXT4 file system and learning how to analyze it using TSK
  4. Performing log analysis on different system and activity logs

About Ali Hadi

Dr. Ali Hadi is a Senior Information and Cybersecurity Specialist with 14+ years of industry experience in Information Technology, currently working as a full-time professor and researcher for both the Computer and Digital Forensics and Cybersecurity Departments at Champlain College, Vermont, USA. He holds a bachelor's degree in Computer Science and a master's degree and PhD, both in Computer Information Systems. Dr. Hadi provides consulting in several areas of security, including digital forensics and incident response, cyber threat hunting, penetration testing, and vulnerability assessments. Dr. Hadi is also an author, speaker, and freelance instructor who has delivered technical training to law enforcement agencies, banks, telecoms, private companies, and other institutions. Dr. Hadi's research interests include digital forensics, incident response, and cyber threat hunting.