You are previewing UNIX and Linux Forensic Analysis DVD Toolkit.
O'Reilly logo
UNIX and Linux Forensic Analysis DVD Toolkit

Book Description

This book addresses topics in the area of forensic analysis of systems running on variants of the UNIX operating system, which is the choice of hackers for their attack platforms. According to a 2007 IDC report, UNIX servers account for the second-largest segment of spending (behind Windows) in the worldwide server market with $4.2 billion in 2Q07, representing 31.7% of corporate server spending. UNIX systems have not been analyzed to any significant depth largely due to a lack of understanding on the part of the investigator, an understanding and knowledge base that has been achieved by the attacker.

The book begins with a chapter to describe why and how the book was written, and for whom, and then immediately begins addressing the issues of live response (volatile) data collection and analysis. The book continues by addressing issues of collecting and analyzing the contents of physical memory (i.e., RAM). The following chapters address /proc analysis, revealing the wealth of significant evidence, and analysis of files created by or on UNIX systems. Then the book addresses the underground world of UNIX hacking and reveals methods and techniques used by hackers, malware coders, and anti-forensic developers. The book then illustrates to the investigator how to analyze these files and extract the information they need to perform a comprehensive forensic analysis. The final chapter includes a detailed discussion of loadable kernel Modules and malware.

Throughout the book the author provides a wealth of unique information, providing tools, techniques and information that won't be found anywhere else.



  • This book contains information about UNIX forensic analysis that is not available anywhere else. Much of the information is a result of the author's own unique research and work.
  • The authors have the combined experience of law enforcement, military, and corporate forensics. This unique perspective makes this book attractive to all forensic investigators.

Table of Contents

  1. Copyright
  2. Disclaimer
  3. Brief Table of Contents
  4. Table of Contents
  5. List of Figures
  6. List of Tables
  7. Co-Authors
  8. Appendix Contributor
  9. Chapter 1. Introduction
    1. History
    2. Target Audience
    3. What is Covered
    4. What is Not Covered
  10. Chapter 2. Understanding Unix
    1. Introduction
    2. Unix, UNIX, Linux, and *nix
    3. Highlights of The Linux Security Model
    4. The *nix File system Structure
    5. File Systems
    6. Summary
  11. Chapter 3. Live Response
    1. Introduction
    2. Prepare the Target Media
    3. Format the Drive
    4. Gather Volatile Information
    5. Acquiring the Image
    6. Summary
  12. Chapter 4. Initial Triage and Live Response
    1. Introduction
    2. Initial Triage
    3. Tricks of the Trade
    4. User Activity
    5. Network Connections
    6. Running Processes
    7. Open File Handlers
    8. Summary
  13. Chapter 5. The Hacking Top 10
    1. Introduction
    2. The Hacking Top Ten
    3. Reconnaissance Tools
    4. Summary
  14. Chapter 6. The /Proc File System
    1. Introduction
    2. cmdline
    3. cpuinfo
    4. diskstats
    5. driver/rtc
    6. filesystems
    7. kallsyms (ksyms)
    8. kcore
    9. modules
    10. mounts
    11. partitions
    12. sys/
    13. uptime
    14. version
    15. Process IDs
    16. Putting It All Together
    17. sysfs
  15. Chapter 7. File Analysis
    1. The Linux Boot Process
    2. System and Security Configuration Files
    3. Log Files
    4. Identifying Other Files of Interest
  16. Chapter 8. Malware
    1. Introduction
    2. Viruses
    3. Storms on the Horizon
    4. Do it Yourself with Panda and Clam
    5. Scanning the Target Directory
  17. Appendix A. Implementing Cybercrime Detection Techniques on Windows and *nix
    1. Introduction
    2. Security Auditing and Log Files
    3. Firewall Logs, Reports, Alarms, and Alerts
    4. Commercial Intrusion Detection Systems
    5. IP Spoofing and Other Antidetection Tactics
    6. Honeypots, Honeynets, and Other “Cyberstings”
    7. Summary
    8. Frequently Asked Questions
  18. Index
    1. SYMBOL
    2. A
    3. B
    4. C
    5. D
    6. E
    7. F
    8. G
    9. H
    10. I
    11. K
    12. L
    13. M
    14. N
    15. O
    16. P
    17. R
    18. S
    19. T
    20. U
    21. V
    22. W
    23. X