Tuesday, May 28, 2019

Linux Forensics Tools :: Linux Forensics Software

This report aims to provide an overview of different Linux forensics software.

2 Motivation

Nowadays, most web, email, database and file servers are Linux servers. Linux is a UNIX-like system, which implies solid compatibility, stability and security features, and it is used for these environments because the services require high security. At the same time, an increase in attacks on these servers can be observed, the methods to prevent intrusions on Linux machines are insufficient, and incidents on Linux systems are not analysed appropriately (Choi, Savoldi, Gubian, Lee, & Lee, 2008). It can also be observed that many investigators do not have experience with Linux forensics (Altheide, 2004). For these reasons it is necessary to provide a set of tools that supports investigators during their investigations.

3 Linux Forensics Software

There is a wide range of Linux forensic software available, from single tools such as file carvers to comprehensive collections of tools. In the following, some of the most popular Linux forensic tools are described. The focus is on The Sleuth Kit because it is organized according to the different filesystem layers, which gives an interesting insight into how forensics is done on filesystems.

3.1 The Sleuth Kit

The Sleuth Kit (TSK) is a collection of filesystem tools originally developed by Brian Carrier. TSK is an improved and extended development of The Coroner's Toolkit (TCT); TCT had severe limitations, so TSK was developed to overcome these shortcomings (Altheide & Carvey, 2011).

TSK includes 21 command line utilities. To ease orientation, the utilities are named in a manner that helps users who are already familiar with UNIX and the Linux command line. The name of each tool consists of two parts: a prefix that indicates the filesystem layer at which the tool operates, and a suffix that indicates the kind of output to expect. In addition, there are two prefixes for layers that do not exactly match the filesystem model (Altheide & Carvey, 2011):

j-    operates against filesystem journals
img-  operates against image files

The following table summarizes the meanings of the suffixes.

Suffix   Description
-stat    Displays general information about the queried layer
-ls      Lists the contents of the queried layer
-cat     Extracts the content of the queried layer

Table 3.1 TSK suffixes (Altheide & Carvey, 2011, p. 43)

TSK does not include tools that operate on the physical disk layer, because TSK is a filesystem forensic analysis framework and works on acquired images rather than on the hardware itself.
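The layer-per-tool naming described above is easiest to see by walking a raw (dd) image top-down: img_stat on the image, mmls on the volume (partition) layer, then fsstat, fls, istat and icat on the filesystem, file name, metadata and content layers of one partition. The following script is an added example written for this page, not code from the report or from the TSK project. It assumes the sleuthkit package is installed, that the image is a raw disk image with a DOS partition table, and that the -o offsets are given in 512-byte sectors, which is the unit mmls reports by default. The mmls output embedded in the script is constructed to exercise the offset parser offline; it was not captured from a real disk, and the partition sizes in it are arbitrary.

```shell
#!/bin/sh
# Walk a disk image top-down with The Sleuth Kit, one layer per tool:
#   img_stat (image)  ->  mmls (volume)  ->  fsstat (filesystem)
#   ->  fls (file name)  ->  istat / icat (metadata / content)
# Assumes TSK (sleuthkit) is installed and the image is a raw dd image.
# Offsets passed with -o are in 512-byte sectors, the unit mmls prints by default.

# Read mmls output on stdin and print the start sector of the first
# "Linux (0x83)" partition. Partition rows look like:
#   002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
# so $1 is the row index, $3 the start sector; "+ 0" drops the zero padding.
# Prints nothing if no such partition exists.
first_linux_partition_offset() {
    awk '$1 ~ /^[0-9]+:$/ && /Linux \(0x83\)/ { print $3 + 0; exit }'
}

# Constructed mmls output (not from a real disk) used to test the parser offline.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)
003:  000:001   0000204800   0000409599   0000204800   Linux Swap / Solaris x86 (0x82)'

# Offset the parser extracts from the constructed sample (expected: 2048).
sample_offset() {
    printf '%s\n' "$SAMPLE_MMLS" | first_linux_partition_offset
}

# Full walk against a real image. $1 = image path, $2 = inode to inspect
# (defaults to 2, the root directory inode on ext2/3/4).
tsk_walk() {
    image=$1
    inode=${2:-2}
    for tool in img_stat mmls fsstat fls istat icat; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing TSK tool: $tool" >&2; return 1; }
    done

    echo "== img layer ==";    img_stat "$image"
    echo "== volume layer =="; mmls "$image"
    off=$(mmls "$image" | first_linux_partition_offset)
    [ -n "$off" ] || { echo "no Linux (0x83) partition in $image" >&2; return 1; }

    echo "== filesystem layer (sector offset $off) =="
    fsstat -o "$off" "$image" | head -n 20
    echo "== file name layer (recursive, full paths) =="
    fls -o "$off" -r -p "$image" | head -n 20
    echo "== metadata layer (inode $inode) =="
    istat -o "$off" "$image" "$inode"
    echo "== content layer (inode $inode, first 128 bytes) =="
    icat -o "$off" "$image" "$inode" | hexdump -C | head -n 8
}

# Usage: ./tsk_walk.sh disk.dd [inode]
if [ $# -gt 0 ]; then
    tsk_walk "$@"
fi
```

Parsing mmls rather than hard-coding the offset matters in practice: a wrong -o value makes fsstat fail or, worse, makes fls and icat read from the wrong partition without an obvious error. The same -o offset is then reused unchanged by every filesystem-layer tool, which is exactly the consistency the prefix/suffix scheme is meant to give.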
