Recovering Digital Evidence from Linux Systems

  • Philip Craiger
Conference paper

DOI: 10.1007/0-387-31163-7_19

Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 194)
Cite this paper as:
Craiger P. (2006) Recovering Digital Evidence from Linux Systems. In: Pollitt M., Shenoi S. (eds) Advances in Digital Forensics. DigitalForensics 2005. IFIP — The International Federation for Information Processing, vol 194. Springer, Boston, MA


As Linux-kernel-based operating systems proliferate there will be an inevitable increase in Linux systems that law enforcement agents must process in criminal investigations. The skills and expertise required to recover evidence from Microsoft-Windows-based systems do not necessarily translate to Linux systems. This paper discusses digital forensic procedures for recovering evidence from Linux systems. In particular, it presents methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions. All the procedures are accomplished using Linux command line utilities and require no special or commercial tools.


Digital evidence Linux system forensics 

Copyright information

© International Federation for Information Processing 2006

Authors and Affiliations

  • Philip Craiger

There are no affiliations available

Personalised recommendations