Top 3 Forensic Examination Tools for Linux
The Sleuth Kit & Autopsy
The Sleuth Kit is a free, open source suite of forensic utilities with a GUI called Autopsy. The suite has strong support for Linux file systems and can be used to examine the full details of inodes and other on-disk data structures. The Sleuth Kit also has a plugin framework that supports automated processing. The Autopsy GUI for The Sleuth Kit is shown below with a Linux file system:
DFF (Digital Forensics Framework)
DFF is a free and open source computer forensics software built on top of a dedicated Application Programming Interface (API). Its main capabilities are:
Preserve the digital chain of custody: software write blocker, cryptographic hash calculation
Access local and remote devices: disk drives, removable devices, remote file systems
Read standard digital forensics file formats: Raw, EnCase EWF, AFF 3
Virtual machine disk reconstruction: VMware (VMDK) compatible
Windows and Linux OS forensics: Registry, mailboxes, NTFS, ext2/3/4, FAT 12/16/32 file systems
Quickly triage and search (meta-)data: regular expressions, dictionaries, content search, tags, timeline
Recover hidden and deleted artifacts: deleted files and folders, unallocated space, carving
Volatile memory forensics: processes, local files, binary extraction, network connections
SMART
SMART is a software utility designed and optimized to support digital forensic practitioners and information security personnel in pursuit of their respective duties and goals.
SMART is more than a stand-alone forensic program. Its features allow it to be used in many scenarios, including:
“Knock-and-talk” inquiries and investigations
On-site or remote preview of a target system
Post-mortem analysis of a dead system
Testing and verification of other forensic programs
Conversion of proprietary “evidence file” formats
Baselining of a system
No matter which tool or set of tools you use, the approach is what matters most. Your methodology, your process, the chain of custody, and the integrity of the data are crucial; without them you will have nothing in your hands that counts as evidence. Training is therefore essential: build your own profile of skills and work alongside an experienced practitioner until you become one yourself.
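The chain-of-custody point made above (and the "cryptographic hash calculation" feature listed for DFF) comes down to one habit: hash the evidence image at acquisition, log that hash, and re-verify before every examination. The following shell functions are an added example, not part of the page or of any of the tools it describes; `record_hash`, `verify_hash`, the custody log format and the sample image are all constructed here for illustration.

```shell
#!/bin/sh
# Added example: keep a simple custody log of SHA-256 hashes for evidence images
# and detect any change to an image between acquisition and examination.
# Assumes coreutils (sha256sum, date) and image paths without whitespace.

# Hash an image and append "<UTC timestamp>  <sha256>  <image path>" to the log.
# Prints the hash so the caller can record it elsewhere (e.g. on the evidence form).
record_hash() {
    image="$1"; log="$2"
    sum=$(sha256sum "$image" | cut -d' ' -f1)
    printf '%s  %s  %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sum" "$image" >> "$log"
    printf '%s\n' "$sum"
}

# Compare the image's current hash with the most recent hash logged for it.
# Returns 0 if they match, 1 if the image changed or was never recorded.
verify_hash() {
    image="$1"; log="$2"
    [ -r "$log" ] || return 1
    recorded=$(awk -v img="$image" '$3 == img { h = $2 } END { print h }' "$log")
    [ -n "$recorded" ] || return 1
    current=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$current" = "$recorded" ]
}

# Self-contained demonstration on a constructed "image": record, verify,
# tamper with one byte, verify again. Returns 0 only if the tampering is detected.
demo_tamper_detection() {
    work=$(mktemp -d)
    printf 'constructed evidence image, not a real disk' > "$work/disk.dd"
    record_hash "$work/disk.dd" "$work/custody.log" > /dev/null
    verify_hash "$work/disk.dd" "$work/custody.log" || { rm -rf "$work"; return 1; }
    printf 'x' >> "$work/disk.dd"          # simulate an unintended write
    if verify_hash "$work/disk.dd" "$work/custody.log"; then
        rm -rf "$work"; return 1           # change went unnoticed: bad
    fi
    rm -rf "$work"; return 0               # change detected: good
}
```

In practice the log lives on separate, write-once media and the hash is also written on the physical evidence form, so a mismatch can be traced to a specific hand-off.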