Abstract
As Linux-kernel-based operating systems proliferate, there will be an inevitable increase in the number of Linux systems that law enforcement agents must process in criminal investigations. The skills and expertise required to recover evidence from Microsoft-Windows-based systems do not necessarily translate to Linux systems. This paper discusses digital forensic procedures for recovering evidence from Linux systems. In particular, it presents methods for identifying and recovering deleted files from disk and volatile memory, identifying notable and Trojan files, finding hidden files, and finding files with renamed extensions. All the procedures are accomplished using Linux command line utilities and require no special or commercial tools.
Copyright information
© 2006 International Federation for Information Processing
About this paper
Cite this paper
Craiger, P. (2006). Recovering Digital Evidence from Linux Systems. In: Pollitt, M., Shenoi, S. (eds) Advances in Digital Forensics. DigitalForensics 2005. IFIP — The International Federation for Information Processing, vol 194. Springer, Boston, MA. https://doi.org/10.1007/0-387-31163-7_19
DOI: https://doi.org/10.1007/0-387-31163-7_19
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-30012-2
Online ISBN: 978-0-387-31163-0
eBook Packages: Computer Science (R0)