Recovering Digital Evidence from Linux Systems
- Cite this paper as:
- Craiger P. (2006) Recovering Digital Evidence from Linux Systems. In: Pollitt M., Shenoi S. (eds) Advances in Digital Forensics. DigitalForensics 2005. IFIP — The International Federation for Information Processing, vol 194. Springer, Boston, MA
As Linux-kernel-based operating systems proliferate there will be an inevitable increase in Linux systems that law enforcement agents must process in criminal investigations. The skills and expertise required to recover evidence from Microsoft-Windows-based systems do not necessarily translate to Linux systems. This paper discusses digital forensic procedures for recovering evidence from Linux systems. In particular, it presents methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions. All the procedures are accomplished using Linux command line utilities and require no special or commercial tools.