Since DigiFirm is planning to carry out a forensic investigation of computers running Linux, I would like to report on three Web sites that offer valuable information about Linux forensic investigations and the appropriate tools. The first Web site that should be consulted is Symantec.connect, particularly the article located there called Forensic Analysis of a Live Linux System, Pt. 1.
This article describes the four key stages of a forensic investigation – “fitting to the environment, preparing the forensic toolkit media, data collecting from a live system…, initial data analysis, and keywords searching” – and explains which aspects should be considered while completing these stages on computers running Linux (Burdach, 2004, par. 7). Studying this source will help one form a clear idea of how to approach the investigation.
The second Web site I would recommend is infosecinstitute.com, particularly the section called Linux and Disk Forensics. This site provides a detailed description of the tools appropriate for forensic investigation of computers running Linux, classifying them into four groups: “image acquiring tools, data recovery tools, forensic analysis tools, and forensic suites” (Linux and Disk Forensics, 2013, par. 3). For each group there is a concise description and specific examples of the tools belonging to that group.
The third Web site is linoxide.com, particularly the article called 10 Best Known Forensics Tools That Works on Linux. This article describes ten forensic tools that are especially effective for investigating Linux systems. These include both well-known tools such as SIFT or Kali and tools that may be unfamiliar to the general public, such as Sleuth Kit or Santoku (10 Best Known Forensics Tools That Works on Linux, 2016). This source can help in selecting free tools and thereby minimizing the cost of the investigation.