Forensic Guide to Linux

Published by: agtpkustoms13 on May 08, 2010
The Law Enforcement and
Forensic Examiner
Introduction to Linux

A Beginner's Guide

Barry J. Grundy
Special Agent
NASA Office of Inspector General
Computer Crimes Division
Code 190 Greenbelt Rd.
Greenbelt, MD 20771
(301) 286-3358
bgrundy@imx.hq.nasa.gov

VER 2.0.5
January 2004

LEGALITIES ..... 3
FOREWORD ..... 4
A WORD ABOUT THE "GNU" IN GNU/LINUX ..... 5
WHY LEARN LINUX? ..... 5

I. INSTALLATION ..... 6
DISTRIBUTIONS ..... 7
INSTALLATION METHODS ..... 9
INSTALLATION OVERVIEW ..... 10
THE NEW 2.6 LINUX KERNEL ..... 12

II. LINUX DISKS, PARTITIONS AND THE FILESYSTEM ..... 13
DISKS ..... 13
PARTITIONS ..... 13
USING MODULES ..... 15
MODULES ON NEWER SYSTEMS ..... 16
THE FILESYSTEM ..... 17

III. THE LINUX BOOT SEQUENCE (SIMPLIFIED) ..... 19
BOOTING THE KERNEL ..... 19
INITIALIZATION ..... 20
RUNLEVEL ..... 21
GLOBAL STARTUP SCRIPTS ..... 22
BASH ..... 22

IV. DOS / LINUX EQUIVALENT COMMANDS ..... 24
"DOS COMMAND" = LINUX EQUIVALENT ..... 24
ADDITIONAL USEFUL COMMANDS ..... 27
FILE PERMISSIONS ..... 29
METACHARACTERS ..... 31
COMMAND HINTS ..... 32
PIPES AND REDIRECTION ..... 32
THE SUPERUSER ..... 33

V. EDITING WITH VI ..... 35
USING VI ..... 35
VI COMMAND SUMMARY ..... 36

VI. MOUNTING FILE SYSTEMS ON DISKS ..... 37
THE MOUNT COMMAND ..... 37
THE FILE SYSTEM TABLE (/ETC/FSTAB) ..... 39

VII. LINUX AND FORENSICS ..... 41
INCLUDED FORENSIC TOOLS ..... 41
ANALYSIS ORGANIZATION ..... 42
DETERMINING THE STRUCTURE OF THE DISK ..... 43
CREATING A FORENSIC IMAGE OF THE SUSPECT DISK ..... 44
MOUNTING A RESTORED IMAGE ..... 45
FILE HASH ..... 46
THE ANALYSIS ..... 47
MAKING A LIST OF ALL FILES ..... 48
MAKING A LIST OF FILE TYPES ..... 49
VIEWING FILES ..... 49
SEARCHING UNALLOCATED AND SLACK SPACE FOR TEXT ..... 51

VIII. COMMON FORENSIC ISSUES ..... 54
HANDLING LARGE DISKS ..... 54
PREPARING A DISK FOR THE SUSPECT IMAGE ..... 56

IX. ADVANCED (BEGINNER) FORENSICS ..... 58
THE COMMAND LINE ON STEROIDS ..... 58
FUN WITH DD ..... 64
SPLITTING FILES AND IMAGES ..... 64
DATA CARVING WITH DD ..... 66
CARVING PARTITIONS WITH DD ..... 69
THE NASA ENHANCED LOOPBACK DRIVER ..... 74
DETERMINING THE SUBJECT DISK FILESYSTEM STRUCTURE ..... 76

X. ADVANCED FORENSIC TOOLS ..... 80
SLEUTHKIT ..... 81
AUTOPSY ..... 88
SMART FOR LINUX ..... 100
OTHER ADVANCED LINUX FORENSIC TOOLS ..... 104

XI. BOOTABLE LINUX DISTRIBUTIONS ..... 105
TOMSRTBT - BOOT FROM A FLOPPY ..... 105
KNOPPIX - FULL LINUX WITHOUT THE INSTALL ..... 105
PENGUIN SLEUTH - KNOPPIX WITH A FORENSIC FLAVOR ..... 105
WHITE GLOVE LINUX - DR. FRED COHEN ..... 106
SMART FOR LINUX - IT'S BOOTABLE! ..... 106
CONCLUSION ..... 107

XII. LINUX SUPPORT ..... 108
WEB SITES TO CHECK FOR SUPPORT ..... 108

Legalities
All trademarks are the property of their respective owners.

© 1998-2004 Barry J. Grundy (bgrundy@imx.hq.nasa.gov): This document
may be redistributed, in its entirety, including the whole of this copyright
notice, without additional consent if the redistributor receives no
remuneration and if the redistributor uses these materials to assist and/or
train members of Law Enforcement or Security / Incident Response
professionals. Otherwise, these materials may not be redistributed without
the express written consent of Barry J. Grundy.
