
E-book: Practical Linux Forensics: A Guide for Digital Investigators (English)

Tags: Computers, Operating Systems, Digital Evidence | Size: 2.16M | Pages: 357 | Listed: 2022-04-04 | Language: English

E-book: Practical Linux Forensics: A Guide for Digital Investigators (English).pdf


Type: E-book

Uploader: 二一

Publication date: 2022-04-04

Abstract:

A resource to help forensic investigators locate, analyze, and understand digital evidence found on modern Linux systems after a crime, security incident or cyber attack.

Practical Linux Forensics dives into the technical details of analyzing postmortem forensic images of Linux systems which have been misused, abused, or the target of malicious attacks. It helps forensic investigators locate and analyze digital evidence found on Linux desktops, servers, and IoT devices. Throughout the book, you learn how to identify digital artifacts which may be of interest to an investigation, draw logical conclusions, and reconstruct past activity from incidents. You'll learn how Linux works from a digital forensics and investigation perspective, and how to interpret evidence from Linux environments. The techniques shown are intended to be independent of the forensic analysis platforms and tools used.

Learn how to:

- Extract evidence from storage devices and analyze partition tables, volume managers, popular Linux filesystems (Ext4, Btrfs, and Xfs), and encryption
- Investigate evidence from Linux logs, including traditional syslog, the systemd journal, kernel and audit logs, and logs from daemons and applications
- Reconstruct the Linux startup process, from boot loaders (UEFI and Grub) and kernel initialization, to systemd unit files and targets leading up to a graphical login
- Perform analysis of power, temperature, and the physical environment of a Linux machine, and find evidence of sleep, hibernation, shutdowns, reboots, and crashes
- Examine installed software, including distro installers, package formats, and package management systems from Debian, Fedora, SUSE, Arch, and other distros
- Perform analysis of time and locale settings, internationalization including language and keyboard settings, and geolocation on a Linux system
- Reconstruct user login sessions (shell, X11 and Wayland), desktops (Gnome, KDE, and others) and analyze keyrings, wallets, trash cans, clipboards, thumbnails, recent files and other desktop artifacts
- Analyze network configuration, including interfaces, addresses, network managers, DNS, wireless artifacts (Wi-Fi, Bluetooth, WWAN), VPNs (including WireGuard), firewalls, and proxy settings
- Identify traces of attached peripheral devices (PCI, USB, Thunderbolt, Bluetooth) including external storage, cameras, and mobiles, and reconstruct printing and scanning activity

