A Guide For Digital Investigators
Linux Forensic Analysis Scenarios
The motivation for performing forensic analysis on target systems is wide-ranging. We can divide the forensic analysis of computer systems into two broad categories: victims and perpetrators. In the case of victims, the analysis typically involves cyber attacks, intrusions, and online social engineering incidents. These systems are owned by the victims and are usually provided to forensic investigators voluntarily.
- Servers that have been hacked or compromised by technical exploitation of vulnerabilities or misconfiguration
- Unauthorized access to servers using stolen credentials
- Client desktops that have been compromised by malware, usually from users clicking malicious links or downloading malicious executables and scripts
- Victims of social engineering who have been tricked into performing actions they wouldn’t otherwise do
- Users who are being coerced or blackmailed into performing actions they wouldn’t otherwise do
- Computer systems that need to be analyzed as part of a larger investigation in a victimized organization
In all of these scenarios, digital traces can be found that help reconstruct past events or provide evidence of wrongdoing. In the case of perpetrators, analysis typically involves computer systems seized by authorities or corporate investigation and incident response teams.
These systems may be owned, managed, or operated by a perpetrator suspected of malicious or criminal activity. For example:
- Servers set up to host phishing sites or distribute malware
- Command and control servers used to manage botnets
- Users who have abused their access to commit malicious activity or violate organizational policy
- Desktop systems used to conduct illegal activity such as possessing or distributing illicit material, criminal hacking, or operating illegal underground forums
- Computer systems that need to be analyzed as part of a larger criminal investigation (organized crime, drugs, terrorism, and so on)
- Computer systems that need to be analyzed as part of a larger civil investigation (litigation or e-discovery, for example)
In all of these scenarios, digital traces can be found that help reconstruct past events or provide evidence of wrongdoing.
When Linux systems are lawfully seized by authorities, seized by organizations who own the systems, or voluntarily provided by victims, they can be forensically imaged and then analyzed by digital forensic investigators. Linux is already a common platform for server systems and Internet of Things (IoT) and other embedded devices, and the use of Linux on the desktop is growing. As Linux usage increases, the number of both victim and perpetrator systems needing forensic analysis will increase.
In some cases, especially where people have been falsely accused or are innocent and under suspicion, forensic analysis activity may also provide evidence of innocence.