Tuesday, October 1, 2019

Linux Forensics Tools :: Linux Forensics Software

This report aims to provide an overview of different Linux forensics software. 2 Motivation Nowadays, most of the web, email, database and fileservers are Linux servers. Linux is a UNIX system which implies that it has solid compatibility, stability and security features. Linux is used for the mentioned environments because these services require high security. Further, an increase of attacks on these servers can be observed. Additionally, the methods to prevent intrusions on Linux machines are insufficient. Further, the analysis of incidents on Linux systems are not considered appropriately (Choi, Savoldi, Gubian, Lee, & Lee, 2008). It can also be observed that a lot of investigators do not have experience with Linux forensics (Altheide, 2004). Because of these reasons it is necessary to provide a set of tools that support investigators during their investigations. 3 Linux Forensics Software There is a wide range of Linux forensic software available. There are single tools like file carvers, or there are comprehensive collections of tools. In the following, some of the most popular Linux forensic tools are described. The focus is put on The Sleuth Kit because it is organized according to the different filesystem layers. This provides an interesting insight on how forensics is done on filesystems. 3.1 The Sleuth Kit The Sleuth Kit (TSK) is a collection of filesystem tools which was originally developed by Brian Carrier. TSK is an improved and extended development of The Coroner’s Toolkit (TCT). TCT had severe limitations, so TSK was developed to overcome these shortcomings (Altheide & Carvey, 2011). TSK includes 21 command line utilities. In order to ease the orientation for TSK users the utilities are named in a manner that helps users who are familiar with UNIX and the Linux command line. The name of the tools consists of two parts. There is a prefix that indicates the level of the filesystem at which the tool operates. The suffix provides information on the output that can be expected. Further, there are two layers that do not exactly match the filesystem model (Altheide & Carvey, 2011): j-: Operates against filesystem journals img-: Operates against image files The following table summarizes the meanings of the suffixes. Suffix Description -stat Displays general information about the queried item -ls Lists the contents of the queried layer -cat Extracts the content of the queried layer Table 3‑1: TSK suffixes (Altheide & Carvey, 2011, p. 43) TSK does not include tools that operate on the disk layer. The reason is that TSK is a filesystem forensic analysis framework.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.