Malware Forensic Field Guides: Tool Box 

Chapter 3     Forensic Examination Tools for Linux Systems

In this chapter we discussed approaches to conducting postmortem digital forensic analysis on Linux systems. There are a number of forensic analysis tools that you should be aware of and familiar with. In this section, we explore these tool alternatives, often demonstrating their functionality. This section can also simply be used as a “tool quick reference” or “cheat sheet,” as there will inevitably be an instance during an investigation where an additional tool suited to a particular function would be beneficial, but while responding in the field you will have little time to research that tool. It is important to perform your own testing and validation of these tools to ensure that they work as expected in your environment and for your specific needs.
Name:  The Sleuthkit & Autopsy
Page Reference: 167
Author/Distributor:  Brian Carrier and Open Source Collaborators
Available From:  http://www.sleuthkit.org
Description:  The Sleuthkit is a free open source suite of forensic utilities that has a GUI called Autopsy. This tool suite has strong support for Linux file systems and can be used to examine the full details of inodes and other data structures. The Sleuthkit has a plugin framework that supports automated processing. The Autopsy GUI for The Sleuthkit is shown here with a Linux file system:

[Figure: Autopsy GUI for The Sleuthkit displaying a Linux file system]

Name:  PTK
Page Reference: 188
Author/Distributor:  DFLAbs
Available From:  http://www.dflabs.com
Description:  The PTK suite builds on The Sleuthkit framework to provide added functionality, including keyword indexing and signature matching. This tool uses a database to provide stability and flexibility, saving processing results between uses.

Additional Options: PTK has options to index a forensic duplicate for keyword searching, create a file system time line, calculate file hashes, and perform signature/header analysis, as shown here in the indexing operations screen for a forensic duplicate.

[Figure: PTK indexing operations screen for a forensic duplicate]
The resulting time line can be filtered by date and displayed in a tabular or graphical form.

[Figure: PTK time line filtered by date, shown in tabular and graphical form]

Name:  SMART
Page Reference: 188
Author/Distributor: ASR Data
Available From: http://www.asrdata.com
Description:  The SMART tool can be used to perform an examination of a Linux file system, including browsing directories and keyword searching of active and unallocated space. This tool does not display names of recoverable deleted files that are still referenced in a Linux file system, but does provide access to unallocated space, which contains the content of deleted files. The SMART GUI is shown below with a Linux file system and several examination options.

[Figure: SMART GUI displaying a Linux file system and examination options]

Name:  Digital Forensics Framework
Page Reference: 3
Author/Distributor: DFF
Available From:  http://www.digital-forensic.org/
Description:  The Digital Forensics Framework is a free open source tool that has strong support for Linux file systems. The DFF has a plugin framework that supports the development and integration of customized features.
The DFF GUI is shown here with a Linux file system:

[Figure: DFF GUI displaying a Linux file system]

Features and Plugins:
DFF has a variety of features, including keyword searching shown below, and uses a plugin approach to adding capabilities.

[Figure: DFF keyword search]

Name:  EnCase
Page Reference: 168, 192
Author/Distributor: Guidance Software
Available From: http://www.guidancesofware.com
Description:  EnCase is a commercial integrated digital forensic examination program that has a wide range of features for examining forensic duplicates of storage media. This tool has limited support for Linux file systems and does not provide access to the full range of file system metadata:

[Figure: EnCase displaying a Linux file system]

Name:  FTK
Page Reference: 168, 192
Author/Distributor: AccessData
Available From:  http://www.accessdata.com
Description: FTK is a commercial integrated digital forensic examination program that has a wide range of features for examining forensic duplicates of storage media. This tool has strong Linux file system support, as shown in the following figure, displaying inode metadata in full detail. In addition to parsing and displaying common file systems, FTK recovers deleted files and performs indexing to facilitate keyword searching.

[Figure: FTK displaying Linux inode metadata in full detail]

Name:  Nuix
Page Reference: 192
Author/Distributor: Nuix
Available From:  http://www.nuix.com
Description:  Nuix is a suite of commercial digital forensic programs for extracting information from forensic duplicates of storage media, categorizing content, and performing correlation. This tool has strong Linux file system support, including EXT and Android devices, as shown in the following figure, displaying detailed inode metadata. Correlation can be performed between activities on a single system, or across multiple systems to create an overall viewpoint of activities in an investigation. In addition to parsing and displaying various file formats, including e-mail and chat communications, Nuix recovers deleted files and performs indexing to facilitate keyword searching. Data extracted using Nuix can be displayed and analyzed visually using temporal information, file type, and other characteristics.

[Figure: Nuix displaying detailed inode metadata]

Name:  Plaso
Page Reference:  183
Author/Distributor:  Kristinn Gudjonsson
Available From:  https://code.google.com/p/plaso/ and http://plaso.kiddaland.net
Description:  The log2timeline and psort tools are part of a free open source suite called plaso that extracts information from a variety of logs and other date-time stamped data sources and consolidates it into a comprehensive time line for review. This tool suite can be used to process individual files or an entire mounted file system, extracting information from supported file formats. For example, the following command processes a forensic duplicate of a Linux system, creating a database named “l2timeline.db” that can then be examined using psort (here, to extract items between August 16–18, 2013) and other tools in the plaso suite:

% log2timeline -i -f linux -z EST5EDT l2timeline.db host1.dd
<cut for length>
% psort -o L2tcsv l2timeline.db host1.dd \
-t 2013-08-16 -T 2013-08-18 -w output.csv
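The date-window slicing the psort command above performs, redone over an l2tcsv export so the window and a per-source tally can be checked in a script; this is an added example, not code from the book or the plaso project. The l2tcsv column layout (dates as MM/DD/YYYY, times as HH:MM:SS) is assumed from plaso's documented output module, and the rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed l2tcsv excerpt for illustration, not real psort output. The
# column layout is assumed from plaso's documented l2tcsv output module:
# dates as MM/DD/YYYY, times as HH:MM:SS, MACB flags as a four-character field.
SAMPLE_L2TCSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
08/19/2013,08:30:00,EST5EDT,.A..,FILE,ext4 file,Last Access Time,-,host1,/bin/ls,/bin/ls,2,/bin/ls,77,-,filestat,-
08/15/2013,23:59:10,EST5EDT,M...,FILE,ext4 file,Content Modification Time,-,host1,/var/log/syslog,/var/log/syslog,2,/var/log/syslog,1041,-,filestat,-
08/17/2013,10:05:01,EST5EDT,M...,LOG,syslog,Content Modification Time,-,host1,cron session opened,cron session opened for user root,2,/var/log/syslog,1041,-,syslog,-
08/16/2013,03:12:44,EST5EDT,...B,FILE,ext4 file,Creation Time,-,host1,/tmp/.x,/tmp/.x,2,/tmp/.x,2290,-,filestat,-
08/18/2013,00:00:00,EST5EDT,MACB,FILE,ext4 file,Metadata Modification Time,-,host1,/etc/rc.local,/etc/rc.local,2,/etc/rc.local,512,-,filestat,-
"""

def parse_l2tcsv(text):
    """Parse l2tcsv rows and attach a parsed datetime under the 'when' key."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        rows.append(row)
    return rows

def slice_timeline(rows, start, end):
    """Return events whose calendar date lies in [start, end] (ISO date strings,
    inclusive), sorted chronologically: the window psort -t/-T selects above."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    hits = [r for r in rows if lo <= r["when"].date() <= hi]
    return sorted(hits, key=lambda r: r["when"])

def count_by_source(rows):
    """Tally events per plaso source column (FILE, LOG, ...) for quick triage."""
    return dict(Counter(r["source"] for r in rows))

def events_for_inode(rows, inode):
    """Collect every event recorded against one inode, so file system MACB rows
    and log rows that share an inode can be read together."""
    return [(r["when"].isoformat(), r["type"], r["source"]) for r in rows if r["inode"] == str(inode)]

if __name__ == "__main__":
    window = slice_timeline(parse_l2tcsv(SAMPLE_L2TCSV), "2013-08-16", "2013-08-18")
    for r in window:
        print(r["when"], r["MACB"], r["source"], r["desc"])
    print(count_by_source(window))
```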