
Practical Linux Forensics: A Guide for Digital Investigators [Paperback]

  • Format: Paperback / softback, 400 pages, height x width: 232x178 mm
  • Publication date: 21-Dec-2021
  • Publisher: No Starch Press, US
  • ISBN-10: 171850196X
  • ISBN-13: 9781718501966
Practical Linux Forensics dives into the technical details of analyzing postmortem forensic images of Linux systems that have been misused, abused, or the target of malicious attacks. It helps forensic investigators locate and analyze digital evidence found on Linux desktops, servers, and IoT devices. You'll learn how to identify digital artifacts that may be of interest to an investigation, draw logical conclusions, and reconstruct past activity from incidents, as well as how Linux works from a digital forensics and investigation perspective and how to interpret evidence from Linux environments.

Reviews

"Practical Linux Forensics is an excellent resource suitable for those new to Linux, as well as for experienced users. Whether you are an investigator, administrator, developer, or curious student, you will gain imperative knowledge that can easily be applied to your own field and endeavors." Techtyte, Cybersecurity Researcher and Advanced Reviewer

"Thorough . . . Even if this is your first foray into computer forensics, there is a lot to be gained from Nikkel's book." Lee Teschler, Microcontroller Tips

"A comprehensive and informative guide . . . The author provides a wealth of information and practical tips that can be used in real-world scenarios, making it a valuable resource for both professionals and students. It is a must-read for anyone looking to gain a deeper understanding of forensic analysis on Linux systems." The Security Noob

"After Practical Forensic Imaging, Bruce Nikkel has produced another fantastic learning resource and reference in Practical Linux Forensics. Made both for professionals more familiar with Windows or macOS forensics as well as adept Linux users looking to learn forensics, it does not need to be read linearly. Each chapter provides focused knowledge on different aspects of Linux systems in a distribution-agnostic manner. Definitely grab a copy to demystify this area of computer forensics." Daniyal S., Advanced Reviewer

"Bruce Nikkel shares some [insight on] really uncommon and least understood areas of the Linux network stack, which will be very valuable for practitioners . . . [Practical Linux Forensics] touches on areas ignored by other resources on the subject." Arvind, Advanced Reviewer

Contents

Introduction xvii
Why I Wrote This Book xviii
How This Book Is Unique xviii
Linux Forensic Analysis Scenarios xix
Target Audience and Prerequisites xxi
Who Should Read This Book? xxi
Prerequisite Knowledge xxii
Forensic Tools and Platforms Needed xxii
Scope and Organization xxiii
Content Scope xxiii
Book Organization and Structure xxiv
Overview of Chapters xxvi
Conventions and Format xxviii
Formatting and Presentation xxix
Data Flow Diagrams xxx
1 Digital Forensics Overview 1(10)
Digital Forensics History 1(1)
Pre-Y2K 2(1)
2000-2010 2(1)
2010-2020 3(1)
2020 and Beyond 4(1)
Forensic Analysis Trends and Challenges 5(1)
Shift in Size, Location, and Complexity of Evidence 5(1)
Multi-Jurisdictional Aspects 6(1)
Industry, Academia, and Law Enforcement Collaboration 6(1)
Principles of Postmortem Computer Forensic Analysis 7(1)
Digital Forensic Standards 7(1)
Peer-Reviewed Research 7(1)
Industry Regulation and Best Practice 8(1)
Special Topics in Forensics 9(1)
Forensic Readiness 9(1)
Anti-Forensics 9(2)
2 Linux Overview 11(20)
History of Linux 12(1)
Unix Roots 12(2)
Early Linux Systems 14(1)
Early Desktop Environments 15(1)
Modern Linux Systems 16(1)
Hardware 17(1)
The Kernel 18(1)
Devices 19(1)
Systemd 20(1)
The Command Line 21(1)
Modern Desktop Environments 22(1)
Linux Distributions 23(1)
The Evolution of Linux Distributions 24(1)
Debian-Based Distributions 25(1)
SUSE-Based Distributions 26(1)
Red Hat-Based Distributions 27(1)
Arch-Based Distributions 27(1)
Other Distributions 28(1)
Forensic Analysis of Linux Systems 28(3)
3 Evidence From Storage Devices And Filesystems 31(52)
Analysis of Storage Layout and Volume Management 33(1)
Analysis of Partition Tables 33(4)
Logical Volume Manager 37(4)
Linux Software RAID 41(3)
Filesystem Forensic Analysis 44(1)
Linux Filesystem Concepts 44(2)
Forensic Artifacts in Linux Filesystems 46(2)
List and Extract Data 48(2)
An Analysis of ext4 50(1)
Filesystem Metadata: Superblock 51(2)
File Metadata: Inodes 53(2)
List and Extract Files 55(1)
An Analysis of btrfs 56(1)
Filesystem Metadata: Superblock 57(1)
File Metadata: Inodes 58(3)
Multiple Devices and Subvolumes 61(3)
List and Extract Files 64(1)
An Analysis of xfs 65(1)
Filesystem Metadata: Superblock 65(2)
File Metadata: Inodes 67(1)
List and Extract Files 68(1)
Linux Swap Analysis 69(1)
Identifying and Analyzing Swap 69(2)
Hibernation 71(1)
Analyzing Filesystem Encryption 72(2)
LUKS Full-Disk Encryption 74(3)
eCryptfs Encrypted Directories 77(3)
Fscrypt and Ext4 Directory Encryption 80(1)
Summary 81(2)
4 Directory Layout And Forensic Analysis Of Linux Files 83(32)
Linux Directory Layout 83(1)
Filesystem Hierarchy 84(4)
User Home Directory 88(5)
Hashsets and NSRL for Linux 93(2)
Linux File Types and Identification 95(1)
POSIX File Types 95(2)
Magic Strings and File Extensions 97(1)
Hidden Files 98(1)
Linux File Analysis 99(1)
Application Metadata 99(1)
Content Analysis 100(1)
Executable Files 101(3)
Crash and Core Dumps 104(1)
Process Core Dumps 104(3)
Application and Distro-Specific Crash Data 107(2)
Kernel Crashes 109(5)
Summary 114(1)
5 Investigating Evidence From Linux Logs 115(30)
Traditional Syslog 116(1)
Syslog Facility, Severity, and Priority 116(2)
Syslog Configuration 118(1)
Analyzing Syslog Messages 119(2)
Systemd Journal 121(1)
Systemd Journal Features and Components 121(1)
Systemd Journal Configuration 122(3)
Analysis of Journal File Contents 125(4)
Other Application and Daemon Logs 129(1)
Custom Logging to Syslog or Systemd Journal 129(2)
Independent Server Application Logs 131(2)
Independent User Application Logs 133(1)
Plymouth Splash Startup Logs 134(1)
Kernel and Audit Logs 135(1)
The Kernel Ring Buffer 136(3)
The Linux Auditing System 139(4)
Summary 143(2)
6 Reconstructing System Boot And Initialization 145(38)
Analysis of Bootloaders 145(2)
BIOS/MBR GRUB Booting 147(1)
UEFI GRUB Booting 148(2)
GRUB Configuration 150(2)
Other Bootloaders 152(1)
Analysis of Kernel Initialization 153(1)
Kernel Command Line and Runtime Parameters 154(1)
Kernel Modules 155(2)
Kernel Parameters 157(1)
Analyzing initrd and initramfs 158(3)
Analysis of Systemd 161(1)
Systemd Unit Files 161(3)
Systemd Initialization Process 164(2)
Systemd Services and Daemons 166(2)
Activation and On-Demand Services 168(4)
Scheduled Commands and Timers 172(3)
Power and Physical Environment Analysis 175(1)
Sleep, Shutdown, and Reboot Evidence 176(3)
Human Proximity Indicators 179(3)
Summary 182(1)
7 Examination Of Installed Software Packages 183(42)
System Identification 184(1)
Distro Release Information 185(1)
Unique Machine ID 186(1)
System Hostname 186(1)
Distro Installer Analysis 187(1)
Debian Installer 188(2)
Raspberry Pi Raspbian 190(1)
Fedora Anaconda 190(1)
SUSE YaST 191(1)
Arch Linux 192(1)
Package File Format Analysis 193(1)
Debian Binary Package Format 194(4)
Red Hat Package Manager 198(2)
Arch Pacman Packages 200(2)
Package Management System Analysis 202(1)
Debian apt 203(3)
Fedora dnf 206(2)
SUSE zypper 208(2)
Arch pacman 210(2)
Universal Software Package Analysis 212(1)
AppImage 213(2)
Flatpak 215(3)
Snap 218(1)
Software Centers and GUI Frontends 219(2)
Other Software Installation Analysis 221(1)
Manually Compiled and Installed Software 221(1)
Programming Language Packages 222(1)
Application Plug-ins 223(1)
Summary 223(2)
8 Identifying Network Configuration Artifacts 225(30)
Network Configuration Analysis 226(1)
Linux Interfaces and Addressing 226(3)
Network Managers and Distro-Specific Configuration 229(2)
DNS Resolution 231(3)
Network Services 234(3)
Wireless Network Analysis 237(1)
Wi-Fi Artifacts 237(5)
Bluetooth Artifacts 242(2)
WWAN Artifacts 244(2)
Network Security Artifacts 246(1)
WireGuard, IPsec, and OpenVPN 246(3)
Linux Firewalls and IP Access Control 249(3)
Proxy Settings 252(1)
Summary 253(2)
9 Forensic Analysis of Time And Location 255(18)
Linux Time Configuration Analysis 255(1)
Time Formats 256(1)
Time Zones 257(2)
Daylight Saving and Leap Time 259(1)
Time Synchronization 260(2)
Timestamps and Forensic Timelines 262(2)
Internationalization 264(1)
Locale and Language Settings 264(2)
Physical Keyboard Layout 266(2)
Linux and Geographic Location 268(1)
Geographic Location History 269(2)
GeoClue Geolocation Service 271(1)
Summary 272(1)
10 Reconstructing User Desktops And Login Activity 273(52)
Linux Login and Session Analysis 273(2)
Seats and Sessions 275(3)
Shell Login 278(3)
X11 and Wayland 281(3)
Desktop Login 284(4)
Authentication and Authorization 288(1)
User, Group, and Password Files 288(5)
Elevated Privileges 293(3)
GNOME Keyring 296(2)
KDE Wallet Manager 298(2)
Biometric Fingerprint Authentication 300(1)
GnuPG 301(2)
Linux Desktop Artifacts 303(1)
Desktop Settings and Configuration 303(4)
Desktop Clipboard Data 307(1)
Desktop Trash Cans 308(2)
Desktop Bookmarks and Recent Files 310(1)
Desktop Thumbnail Images 311(2)
Well-Integrated Desktop Applications 313(2)
Other Desktop Forensic Artifacts 315(2)
User Network Access 317(1)
Secure Shell Access 317(3)
Remote Desktop Access 320(1)
Network Shares and Cloud Services 321(3)
Summary 324(1)
11 Forensic Traces of Attached Peripheral Devices 325(14)
Linux Peripheral Devices 326(1)
Linux Device Management 326(1)
Identify Attached USB Devices 327(2)
Identify PCI and Thunderbolt Devices 329(1)
Printers and Scanners 330(1)
Analysis of Printers and Printing History 331(2)
Analysis of Scanning Devices and History 333(1)
External Attached Storage 334(1)
Storage Hardware Identification 335(1)
Evidence of Mounted Storage 336(1)
Summary 337(2)
Afterword 339(4)
Appendix: File/Directory List For Digital Investigators 343(18)
Index 361
About the Author

Bruce Nikkel is a professor at the Bern University of Applied Sciences in Switzerland, specializing in digital forensics and cybercrime. He is co-head of the university's research institute for cybersecurity and engineering, and director of the Master's program in Digital Forensics and Cyber Investigation. In addition to his academic work, he has worked in risk and security departments at a global financial institution since 1997. He headed the bank's Cybercrime Intelligence & Forensic Investigation team for more than 15 years and currently works as an advisor. Bruce holds a PhD in network forensics, is the author of Practical Forensic Imaging (No Starch Press, 2016), and is an editor with Forensic Science International's Digital Investigation journal. He has been a Unix and Linux enthusiast since the 1990s.