Saturday, March 16, 2019

Linux Forensics Tools :: Linux Forensics Software

This report aims to provide an overview of different Linux forensics software.

2 Motivation

Nowadays, most web, email, database and file servers are Linux servers. Linux is a UNIX-like system, which implies robust compatibility, stability and security features, and it is used for these services because they require a high level of security. At the same time, an increase in attacks on such servers can be observed, the methods used to prevent intrusions on Linux machines are insufficient, and the analysis of incidents on Linux systems is not given appropriate consideration (Choi, Savoldi, Gubian, Lee, & Lee, 2008). It can also be observed that many investigators have no experience with Linux forensics (Altheide, 2004). For these reasons it is necessary to provide a set of tools that supports investigators during their investigations.

3 Linux Forensics software

There is a wide range of Linux forensic software available, from single-purpose tools such as file carvers to comprehensive collections of tools. In the following, some of the most popular Linux forensic tools are described. The focus is put on The Sleuth Kit because it is organized according to the different filesystem layers, which gives an interesting insight into how forensics is done on filesystems.

3.1 The Sleuth Kit

The Sleuth Kit (TSK) is a collection of filesystem tools originally developed by Brian Carrier. TSK is an improved and extended successor of The Coroner's Toolkit (TCT): TCT had significant limitations, and TSK was developed to overcome these shortcomings (Altheide & Carvey, 2011).

TSK includes 21 command line utilities. To ease orientation, the utilities are named in a way that helps users who are already familiar with UNIX and the Linux command line. Each tool name consists of two parts: a prefix that indicates the filesystem layer at which the tool operates, and a suffix that indicates the kind of output to expect. Two further prefixes denote layers that do not exactly match the filesystem model (Altheide & Carvey, 2011):

j-    Operates against filesystem journals
img-  Operates against image files

The following table summarizes the meanings of the suffixes.

Suffix  Description
-stat   Displays general information about the queried item
-ls     Lists the contents of the queried layer
-cat    Extracts the content of the queried layer

Table 3.1: TSK suffixes (Altheide & Carvey, 2011, p. 43)

TSK does not include tools that operate on the disk layer, because TSK is a filesystem forensic analysis framework.
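The layered naming of the TSK tools maps directly onto an investigation workflow: a volume-layer tool (mmls) locates the filesystem inside the image, a file-name-layer tool (fls) lists names together with their inode numbers, and a metadata-layer tool (icat) extracts content by inode. The following Python script is an added example, not part of the original report or of TSK itself. It walks those layers over constructed sample output of mmls and fls (the output formats as printed by TSK 4.x are assumed here; TSK does not need to be installed to run it) and builds the icat commands that would recover deleted files. The partition's start sector is passed as the -o offset, which the TSK filesystem tools take in sectors. The image name disk.img, the partition layout and the listed file names are invented.

```python
"""Walk a disk image through The Sleuth Kit's layers: mmls (volume) ->
fls (file name) -> icat (metadata/content). Parses constructed sample
output, so it runs without TSK installed."""
import re
import shlex

# Constructed sample of `mmls disk.img` output: one Linux partition at sector 2048.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
"""

# Constructed sample of `fls -o 2048 disk.img` output (root directory listing).
# `*` marks a deleted name; `(realloc)` means the inode has since been reused.
FLS_OUTPUT = (
    "d/d 11:\tlost+found\n"
    "r/r 12:\tnotes.txt\n"
    "r/r * 13:\tsecret.key\n"
    "d/d 14:\tetc\n"
    "r/r * 15(realloc):\tpasswd.bak\n"
)

MMLS_ROW = re.compile(r"^(\d{3}):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
FLS_ROW = re.compile(
    r"^(?P<ntype>[-a-z])/(?P<mtype>[-a-z])\s+"   # name type / metadata type
    r"(?P<deleted>\*\s+)?"                        # `* ` on unallocated names
    r"(?P<inode>\d+(?:-\d+-\d+)?)"                # ext inode, or NTFS id-attr-seq
    r"(?P<realloc>\(realloc\))?:\t"
    r"(?P<name>.*)$"
)


def parse_mmls(text):
    """Volume layer: return the filesystem-bearing partitions from mmls output.
    Rows whose slot is 'Meta' or '-------' carry no filesystem."""
    parts = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line)
        if not m:
            continue
        index, slot, start, end, length, desc = m.groups()
        if slot in ("Meta", "-------"):
            continue
        parts.append({"index": int(index), "start": int(start),
                      "end": int(end), "length": int(length), "desc": desc})
    return parts


def parse_fls(text):
    """File name layer: turn fls lines into dicts carrying the inode number."""
    entries = []
    for line in text.splitlines():
        m = FLS_ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised fls line: {line!r}")
        entries.append({
            "name": m.group("name"),
            "inode": m.group("inode"),
            "is_file": m.group("mtype") == "r",
            "deleted": m.group("deleted") is not None,
            "realloc": m.group("realloc") is not None,
        })
    return entries


def recovery_plan(image, offset, entries):
    """Metadata/content layer: build icat commands for deleted regular files.
    Reallocated inodes are skipped: icat would hand back the new owner's data."""
    commands, skipped = [], []
    for e in entries:
        if not (e["deleted"] and e["is_file"]):
            continue
        if e["realloc"]:
            skipped.append(e["name"])
            continue
        cmd = shlex.join(["icat", "-o", str(offset), image, e["inode"]])
        commands.append(f"{cmd} > {shlex.quote(e['name'])}")
    return commands, skipped


if __name__ == "__main__":
    for part in parse_mmls(MMLS_OUTPUT):
        print(f"partition {part['index']}: {part['desc']} at sector {part['start']}")
        cmds, skipped = recovery_plan("disk.img", part["start"], parse_fls(FLS_OUTPUT))
        print("\n".join(cmds))
        print("not recoverable by inode (reallocated):", skipped)
```

The check on `(realloc)` is the one practitioners most often miss: once a deleted name's inode has been handed to a new file, icat on that inode returns the new file's blocks, not the old content, so those names are reported rather than "recovered". Recovering their data means dropping down to the block layer (blkls/blkcat) or carving, which this example leaves out.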
