Recovering Digital Evidence from Linux Systems

  • Philip Craiger
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 194)

Abstract

As Linux-kernel-based operating systems proliferate, there will be an inevitable increase in the number of Linux systems that law enforcement agents must process in criminal investigations. The skills and expertise required to recover evidence from Microsoft-Windows-based systems do not necessarily translate to Linux systems. This paper discusses digital forensic procedures for recovering evidence from Linux systems. In particular, it presents methods for identifying and recovering deleted files from disk and from volatile memory, identifying notable and Trojan files, finding hidden files, and finding files whose extensions have been renamed to disguise their content. All the procedures are accomplished using standard Linux command-line utilities and require no special or commercial tools.

Keywords

Digital evidence; Linux; system forensics


Copyright information

© International Federation for Information Processing 2006
