Question

Subject: Computer forensics

Q) Summarize where data of interest to a forensic investigator would reside in Linux systems. Discuss a tool that would be used to extract that data during an investigation.

Answer #1

The data of interest to a forensic investigator resides on the hard disk, in running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more of a Linux system.

Linux is an open source operating system that is installed on personal computers, supercomputers, servers, etc. Linux has many file systems, such as ext2, ext3, and ext4. The file system provides an operating system with a way to store data on the hard disk. The file system also identifies how the hard drive and device store forensic data. The data of interest to a forensic investigator resides in these file systems on the hard disk of Linux systems. Data and file recovery techniques for these file systems include data carving, slack space, and data hiding. The important feature of OS forensics is memory forensics, which incorporates virtual memory, Linux memory, memory extraction, and swapping. Forensic investigators should analyze the following folders and directories.

/etc [%SystemRoot%/System32/config]

This is the system configuration directory, which holds separate configuration files for each application.

/var/log

This directory contains application logs and security logs.

/home/$USER

This directory holds user data and configuration information.

/etc/passwd

This directory has user account information.

Digital forensic investigation requires tools to extract the desired data from the devices.

The following are the tools used for digital forensic investigation:

1. Forensic Toolkit for Linux:

Forensic investigators use a forensic toolkit to collect evidence data from a Linux operating system. The forensic toolkit contains many tools, such as Dmesg, Hunter.O, DateCat, Insmod, NetstatArproute and NC.

2. Helix:

Helix is the distributor of the Knoppix Live Linux CD. It provides access to a Linux kernel, hardware detection, and many other applications.

3. Volatility:

Memory analysis is the most important part of digital investigations. Volatility is a memory forensics framework for incident response and malware analysis which allows investigators to extract digital artifacts from volatile memory dumps such as RAM. Volatility can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.

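The answer above names /etc/passwd and /var/log as two of the on-disk locations an investigator looks at. The following is an added example (not part of the answer above and not code from any of the tools it names) showing how those two artifacts are typically pulled apart and cross-checked during triage: parse passwd(5) records to find accounts that can log in and any non-root account with UID 0, parse sshd and sudo entries from an auth log, and flag a successful login that came from a source which had just produced failed attempts. The /etc/passwd content and the auth.log lines are constructed samples embedded inline; on a real case the same functions would be fed files read from a mounted evidence image (a path such as /mnt/evidence/etc/passwd is a hypothetical placeholder).

```python
import re
from collections import Counter

# Constructed sample of an /etc/passwd file (not taken from any real system).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
svc:x:1001:1001::/home/svc:/bin/false
"""

# Constructed sample of /var/log/auth.log lines in traditional syslog format.
SAMPLE_AUTH_LOG = """Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:20 host sshd[1204]: Failed password for alice from 198.51.100.7 port 51041 ssh2
Mar  3 10:02:02 host sshd[1210]: Accepted password for alice from 203.0.113.5 port 40110 ssh2
Mar  3 10:05:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/syslog
Mar  3 10:06:01 host sshd[1222]: Accepted publickey for backup2 from 198.51.100.7 port 51100 ssh2
"""

# Shells that deny interactive login; any other shell is treated as interactive.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse passwd(5) records (7 colon-separated fields) into dicts."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record: skip it rather than abort the whole parse
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def review_accounts(accounts):
    """Triage findings from passwd: non-root UID 0 accounts and accounts with a login shell."""
    extra_uid0 = [a["name"] for a in accounts if a["uid"] == 0 and a["name"] != "root"]
    interactive = [a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS]
    return {"extra_uid0": extra_uid0, "interactive": interactive}


# Patterns for the OpenSSH and sudo log lines used in the sample above.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def parse_auth_log(text):
    """Extract failed logins per source address, accepted logins, and sudo commands."""
    failed_by_ip = Counter()
    accepted = []
    sudo_cmds = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_by_ip[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append({"method": m.group(1), "user": m.group(2), "src": m.group(3)})
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_cmds.append({"user": m.group(1), "as": m.group(2), "command": m.group(3)})
    return {"failed_by_ip": failed_by_ip, "accepted": accepted, "sudo": sudo_cmds}


def correlate(auth, accounts):
    """Cross-check the two artifacts: a successful login from a source that also
    failed earlier, or a successful login to a non-root UID 0 account, is flagged."""
    extra_uid0 = set(review_accounts(accounts)["extra_uid0"])
    flags = []
    for ev in auth["accepted"]:
        failures = auth["failed_by_ip"][ev["src"]]  # Counter returns 0 for unseen sources
        if failures > 0:
            flags.append(f"login for {ev['user']} from {ev['src']} after {failures} failed attempts")
        if ev["user"] in extra_uid0:
            flags.append(f"login to non-root UID 0 account {ev['user']} from {ev['src']}")
    return flags


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    auth = parse_auth_log(SAMPLE_AUTH_LOG)
    print("account review:", review_accounts(accounts))
    print("failed logins by source:", dict(auth["failed_by_ip"]))
    print("sudo activity:", auth["sudo"])
    for flag in correlate(auth, accounts):
        print("FLAG:", flag)
```

Against the constructed samples the script reports one extra UID 0 account (backup2), three failed attempts from 198.51.100.7, and two flags for the backup2 login, which is exactly the kind of lead that sends an investigator from the disk artifacts on to the memory image the answer discusses under Volatility.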