Linux Forensics


OS forensics is the art of extracting evidence and important artifacts from a digital crime scene that help the investigator reconstruct the chain of events. During this course, students will learn the basics of computer hardware and the Linux filesystem. Students will learn to collect and analyze forensic evidence and write official reports.

Duration: 40 Hours

Target Audience

  • Law enforcement officers & intelligence corps
  • Incident responders
  • Computer investigators
  • IT/network administrators

Prerequisites

  • ThinkCyber Level-1 Courses

Course Objectives

  • Accessing concealed files on the system and extracting relevant information
  • Mastering the steps of incident response
  • Analyzing relevant case studies


Module 1: Computer Hardware
The first module covers the main components of computer hardware. Students will learn the main components of storage disks and the structure of the Linux OS.

  • Drives and Disks
    o The Anatomy of a Drive
    o Data Sizes
      ▪ Data Representation
      ▪ Hexadecimal
      ▪ Binary
    o Volumes & Partitions
    o Disk Partitioning and the Disk Management Tool
      ▪ MBR vs. GPT
      ▪ Understanding UEFI
      ▪ The HPA
    o Solid State Drive (SSD) Features
  • Understanding Linux-OS Structure
    o Linux Directory Structure
      ▪ /bin
      ▪ /dev
      ▪ /etc
      ▪ /usr
      ▪ /proc
    o Services and systemd
    o Users and Groups
    o Understanding Shells


Module 2: Forensic Fundamentals
This module exposes students to the internal components of the Linux OS. Students will learn about the tools that support the forensic investigation process.

  • Understanding Hashes and Encodings
    o Hash as a Digital Signature
    o The Use of Hashes in Forensics
    o Base Encodings
  • Linux-OS Artifacts
    o User Activity Files
      ▪ Profile and Bashrc
      ▪ Shell History
      ▪ Analyzing Opened Files
    o Physically Accessing Running Processes
    o Service Logging Using journalctl
    o Logfile Analysis
      ▪ auth.log
      ▪ daemon.log
      ▪ syslog or messages
    o Cracking the Shadow and Passwd Files
    o Files in /dev
    o SUID/SGID Files
  • Data and File Structure
    o Hexadecimal Editing Tools
      ▪ bvi
      ▪ xxd
      ▪ hexedit
      ▪ hexyl
    o File Structure
      ▪ Headers and Trailers
      ▪ Magic Numbers
    o Embedded Metadata
      ▪ ExifTool
      ▪ Exiv2
    o Working with Clusters
      ▪ Slack Space
      ▪ Allocated and Unallocated Space


Module 3: Collecting Evidence
During this module, students will master techniques for collecting evidence and for accessing and retrieving volatile and non-volatile information.

  • Forensic Data Carving
    o Using bvi for Forensic Carving
      ▪ Carving Files from an Existing File
    o Automatic File Carving Tools
      ▪ Foremost
      ▪ Scalpel
      ▪ bulk_extractor
    o Files with Basic System Info and Suspicious User Info
  • Collecting Information
    o Identifying Evidence of Program Execution
    o Detecting Hidden Files and Directories
    o Collecting Network Information
      ▪ Network Routing
      ▪ Using bmon and tcptrack
      ▪ Collecting netstat Information
    o Investigating Server Logs
      ▪ Analyzing Webserver Logs
      ▪ Analyzing MySQL Logs
      ▪ Analyzing FTP and SSH Logs
    o Mounted Filesystems
    o Loaded Kernel Modules
  • Drive Data Acquisition
    o Introduction to the FTK Imager CLI
      ▪ Exploring System Files
      ▪ Creating an Image
      ▪ dd and dcfldd as Alternative Image Capture Tools
    o Capturing Volatile Memory Using LiME vs. fmem
      ▪ Introduction to Memory Acquisition Basics
      ▪ Compiling LiME
      ▪ Dumping a Memory File
      ▪ Understanding /proc/kcore


Module 4: Analyzing Forensic Findings
In this module, students will understand how to uncover hidden information, detect tampered files, work with memory, and analyze the RAM.

  • Analyzing Captured Images
    o Features of the FTK CLI
      ▪ Extracting Protected Files
      ▪ Mounting an Image as a Drive
      ▪ Volatile Memory Capturing
    o Analyzing Inode Numbering
    o Building Timelines as a CSV
    o Extracting and Examining System Logs
  • Advanced Linux-OS Analysis
    o strace and ltrace
    o Understanding Obfuscation
    o Working with Binaries
      ▪ Introduction to ELF Files
      ▪ Headers, Sections, and Strings
      ▪ Program Headers and Program Loading
    o Introduction to GDB
  • Working with Volatile Memory
    o Extracting Data from RAM
    o Identifying Network Connections
    o Dumping Processes from Memory


Module 5: Data Labelling and Report Writing
Participants will study forensic reports prepared by investigators following past incidents and learn how to write a professional summary, including which points to consider when documenting the findings of an event.

  • Introduction to Report Writing
    o Device Identification
    o Preservation of Data
    o Collecting Evidence
    o Examination and Analysis
    o Documentation
    o Evidence Presentation
    o Final Guidelines
  • Tools for Correct Reporting
    o Autopsy
    o Dradis