This book is a comprehensive and informative guide for those interested in digital forensics and investigations. The book covers a wide range of topics related to forensic analysis of Linux systems, including data acquisition, evidence preservation, and various forensic techniques.
It is a fantastic read. Even before going deep into it forensically, the digital and Linux overview pages alone were worth picking it up for; it reads so well, and I haven't even got into the actual investigating yet. Really impressed.
Practical Linux Forensics – A Guide for Digital Investigators by Bruce Nikkel
“Bruce Nikkel is a professor at the Bern University of Applied Sciences in Switzerland, specializing in digital forensics and cybercrime. He is co-head of the university’s research institute for cybersecurity and engineering, and director of the Masters program in Digital Forensics and Cyber Investigation. In addition to his academic work, he has worked in risk and security departments at a global financial institution since 1997. He headed the bank’s Cybercrime Intelligence & Forensic Investigation team for more than 15 years and currently works as an advisor. Bruce holds a PhD in network forensics, is the author of Practical Forensic Imaging (No Starch Press, 2016), and is an editor with Forensic Science International’s Digital Investigation journal. He has been a Unix and Linux enthusiast since the 1990s.”
Table of contents
- Introduction
- Chapter 1: Digital Forensics Overview
- Chapter 2: Linux Overview
- Chapter 3: Evidence from Storage Devices and Filesystems
- Chapter 4: Directory Layout and Forensic Analysis of Linux Files
- Chapter 5: Investigating Evidence from Linux Logs
- Chapter 6: Reconstructing System Boot and Initialization
- Chapter 7: Examination of Installed Software Packages
- Chapter 8: Identifying Network Configuration Artifacts
- Chapter 9: Forensic Analysis of Time and Location
- Chapter 10: Reconstructing User Desktops and Login Activity
- Chapter 11: Forensic Traces of Attached Peripheral Devices
- Afterword
- Appendix A: File and Directory List for Digital Investigators
“Practical Linux Forensics dives into the technical details of analyzing postmortem forensic images of Linux systems which have been misused, abused, or the target of malicious attacks. It helps forensic investigators locate and analyze digital evidence found on Linux desktops, servers, and IoT devices. You’ll learn how to identify digital artifacts which may be of interest to an investigation, draw logical conclusions, reconstruct past activity from incidents, how Linux works from a digital forensics and investigation perspective, and how to interpret evidence from Linux environments.”
One of the strengths of this book is its clear and concise writing style. The author does an excellent job of explaining complex concepts in a way that is easy to understand, making it accessible to readers of all levels of experience. The book is also well-organized, with a logical flow that makes it easy to follow along and understand the material.
The author also provides a wealth of practical tips and tricks that can be used in real-world scenarios, making the book a valuable resource for both professionals and students. Using quizzes like the one here (http://whyfund.net/Digital%20Forensics/Test%20%20Digital%20Forensic%20Final%20MULTIPLE%20CHOICE.htm), I have been practicing the knowledge.
Another great feature of this book is the inclusion of practical examples and case studies throughout the book, which help to illustrate the concepts discussed in the text.
Working in DFIR, I found some great chapters, like chapter 5, as I spend a lot of time in logs.
INVESTIGATING EVIDENCE FROM LINUX LOGS
- Traditional Syslog
- Syslog Facility, Severity, and Priority
- Syslog Configuration
- Analyzing Syslog Messages
- Systemd Journal
- Systemd Journal Features and Components
- Systemd Journal Configuration
- Analysis of Journal File Contents
- Other Application and Daemon Logs
- Custom Logging to Syslog or Systemd Journal
- Independent Server Application Logs
- Independent User Application Logs
- Plymouth Splash Startup Logs
- Kernel and Audit Logs
- The Kernel Ring Buffer
- The Linux Auditing System
There is just great content throughout, like chapter 10 going through the Linux desktop artifacts, to name just one of many. Delighted to have this added to my book collection for future reference.
Overall, this is an excellent resource for anyone interested in digital forensics and investigations. The author provides a wealth of information and practical tips that can be used in real-world scenarios, making it a valuable resource for both professionals and students. It is a must-read for anyone looking to gain a deeper understanding of forensic analysis on Linux systems.