Chapter 1: Digital Forensics Overview
Chapter 2: Linux Overview
Chapter 3: Evidence from Storage Devices and Filesystems
Chapter 4: Directory Layout and Forensic Analysis of Linux Files
Chapter 5: Investigating Evidence from Linux Logs
Chapter 6: Reconstructing System Boot and Initialization
Chapter 7: Examination of Installed Software Packages
Chapter 8: Identifying Network Configuration Artifacts
Chapter 9: Forensic Analysis of Time and Location
Chapter 10: Reconstructing User Desktops and Login Activity
Chapter 11: Forensic Traces of Attached Peripheral Devices
Appendix A: File and Directory List for Digital Investigators
Practical Linux Forensics
Practical Linux Forensics dives into the technical details of analyzing postmortem forensic images of Linux systems that have been misused, abused, or the target of malicious attacks. This essential practitioner’s guide will show you how to locate and interpret digital evidence found on Linux desktops, servers, and IoT devices, draw logical conclusions, and reconstruct timelines of past activity after a crime or security incident. It's a book written for investigators with varying levels of Linux experience, and the techniques shown are independent of the forensic analysis platform and tools used.
Early chapters provide an overview of digital forensics as well as an introduction to the Linux operating system and popular distributions. From there, the book describes the analysis of storage, filesystems, files and directories, installed software packages, and logs. Special focus is given to examining human user activity such as logins, desktop environments and artifacts, home directories, regional settings, and peripheral devices used.
You’ll learn how to:
- Analyze partition tables, volume management, Linux filesystems, and directory layout
- Reconstruct the Linux startup process, from system boot and kernel initialization, to systemd unit files leading up to a graphical login
- Perform historical analysis of power, temperature, and physical environment, and find evidence of sleep, hibernation, shutdowns, reboots, and crashes
- Analyze network configuration, including interfaces, addresses, network managers, DNS, wireless artifacts, VPNs, firewalls, and proxy settings
- Perform analysis of time and locale settings, internationalization (language and keyboard settings), and Linux geolocation services
- Reconstruct user login sessions, analyze desktop artifacts, and identify traces of attached peripheral devices, including disks, printers, and mobile devices
“Practical Linux Forensics is an excellent resource suitable for those new to Linux, as well as for experienced users. Whether you are an investigator, administrator, developer, or curious student, you will gain imperative knowledge that can easily be applied to your own field and endeavors.”
—Techtyte, Cybersecurity Researcher and Advanced Reviewer
"Thorough . . . Even if this is your first foray into computer forensics, there is a lot to be gained from Nikkel’s book."
—Lee Teschler, Microcontroller Tips
"After Practical Forensic Imaging, Bruce Nikkel has produced another fantastic learning resource and reference in Practical Linux Forensics. Made both for professionals more familiar with Windows or macOS forensics as well as adept Linux users looking to learn forensics, it does not need to be read linearly. Each chapter provides focused knowledge on different aspects of Linux systems in a distribution-agnostic manner. Definitely grab a copy to demystify this area of computer forensics."
—Daniyal S., Advanced Reviewer
"Bruce Nikkel shares some [insight on] really uncommon and least understood areas of the Linux network stack, which will be very valuable for practitioners . . . [Practical Linux Forensics] touches on areas ignored by other resources on the subject."
—Arvind, Advanced Reviewer
View the latest errata.