3 Linux Command Line Tutorial (1) (2)

Uploaded by

ayaqassas21

Linux for Digital Forensics
Overview
• Introduction to OS and file Systems
• Virtual file system
• File structure
• Path and path variable
• Linux commands
OS and File Systems
Common features of OS
• Process management
• Memory management
• File system
• Device drivers
• Networking
• Security
• I/O

https://en.wikipedia.org/wiki/Operating_system
File Systems
• A file
  • is a collection of correlated information
  • information is recorded on secondary or non-volatile storage like magnetic disks, optical disks, and tapes.
• A file system
  • defines how files are named, stored, and retrieved from a storage device.
http://home.easy-key.info/images/stories/file_structure.gif
File systems used by operating systems
• By Unix and Unix-like operating systems
  • Linux: the extended file system (ext), XFS, JFS, and btrfs
  • Solaris
  • macOS:
    • Hierarchical File System Plus (HFS+): no support for dates beyond February 6, 2040
• By Microsoft Windows
  • FAT: File Allocation Table
  • NTFS: New Technology File System
Manage files vs. manage storage boxes
Assumption: One person rents one or multiple boxes.

Name  | Boxes ID
Frank | 1,2,3
…     | …

                  | Storage                  | File Storage
Unit              | Box                      | Sector
Usage             | Person rents boxes       | File uses sectors
Management system | Rental management system | File management system (e.g., FAT)
Virtual file system (VFS)
[Figure: "Without an interpreter" vs. "With an interpreter"; labels: File Systems, Virtual file system]

Linux uses a VFS
• VFS allows client applications to access different types of concrete file systems in a uniform way
  • provides an abstract layer for upper-layer applications
  • The same techniques can be utilized to investigate different types of devices
• Everything in Linux is a file (everything appears somewhere in the filesystem)
  • file, directory, hard disks, CD/DVD, NIC, USB
  • devices can be represented as file-like objects under the /dev/ filesystem.
• OS recognizes files by
  • inode (index node)

https://developer.ibm.com/technologies/linux/tutorials/l-virtual-filesystem-switch/
Linux for digital forensics: Good and Bad
• Pro
  • wide support for many file systems (virtual file system)
  • advanced and powerful tools available
  • free and open-source
  • compile source code
  • flexibility
• Con
  • learning curve, e.g., no graphical interface
  • trustworthiness of open-source tools
Open a Linux Terminator

same as cmd
ls options:
• -i, --inode print the index number of each file
• -a, --all do not ignore entries starting with .

[Screenshot labels: File, inode, (hidden file)]

Windows equivalent: dir
What is inode?
• inode is an ID of a file/folder
  • unique number
• inode is a data structure of a file
  • You store your information in a file, and the operating system stores the information/metadata about a file (e.g., permission information) in an inode
  • inode points to the content of a file
• How to access a file?
  • file name => inode ID
  • inode ID => block pointers

https://www.slashroot.in/inode-and-its-structure-linux
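The file name => inode ID mapping, as an added example that is not part of the original slides: a copy gets a new inode, while a hard link and a rename keep the original one, and find -inum lists every name that points at an inode. File and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): what copy, hard link and rename do to an inode.
# All file names are constructed; everything happens in a mktemp directory.

# Print the inode number of a path (first column of `ls -i`).
inode_of() {
    ls -id -- "$1" | awk '{print $1}'
}

# Compare inode $2 with the reference inode $1.
same_or_new() {
    if [ "$1" = "$2" ]; then echo same; else echo new; fi
}

inode_demo() (
    dir=$(mktemp -d) || exit 1
    echo "hello" > "$dir/original.txt"
    orig=$(inode_of "$dir/original.txt")

    cp "$dir/original.txt" "$dir/copy.txt"       # new file: gets its own inode
    ln "$dir/original.txt" "$dir/hardlink.txt"   # second name for the same inode
    mv "$dir/original.txt" "$dir/renamed.txt"    # rename: only the name changes

    copy=$(same_or_new "$orig" "$(inode_of "$dir/copy.txt")")
    link=$(same_or_new "$orig" "$(inode_of "$dir/hardlink.txt")")
    moved=$(same_or_new "$orig" "$(inode_of "$dir/renamed.txt")")

    # Forensic lookup: count every file name that points at the original inode.
    names=$(find "$dir" -inum "$orig" | wc -l | tr -d ' ')

    rm -rf "$dir"
    echo "copy=$copy hardlink=$link rename=$moved names=$names"
)

inode_demo
```

For an examiner this means a renamed file can still be tied to its earlier name through the inode number, while a copy cannot.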
Disk free information (df)

• -i, --inodes list inode information

Windows equivalent: wmic logicaldisk get size, freespace, caption

Show human readable format
File Structure
Unix has no direct equivalent of the Windows registry. The same information is scattered through the filesystem, largely in /etc, /proc and /sys.

https://www.linux.com/sites/lcom/files/styles/rendered_file/public/standard-unix-filesystem-hierarchy.png?itok=CVqmyk6P
Show Linux file system from root /
Check where you are (this affects all the commands you enter)

Clear screen

Windows equivalents: cd, cls
Show details of a file/directory
Show Linux file system from root with tree
Remember to use the following command for help:
tree --help
Show current working directory (pwd) with tree
Linux commands are files!
Display ls command under /bin

Why can ls be executed in any folder? => Need to understand path (see next slide)
Path and Path variable
What is path in a file system?
• A path is a hierarchical representation of the location (address) of a file or directory within the file system's directory structure.
• A path describes the route or sequence of directories (folders) you must navigate through to reach a specific file or directory.
• Paths are used to uniquely identify and access files and directories on a computer or storage device.
Example of paths

• Absolute path to file.txt: /home/user-1/folder-1/file.txt


• Relative path to file.txt (Under folder-2): ../folder-1/file.txt
Switch to the parent path using relative path

cd ..
Path variable ($PATH)

• How does the OS execute a command, e.g., ls?
  • search for the command in the current directory
  • if it can't be found, search for the command in each path defined in the path variable
  • if it still can't be found, the OS throws the command not found error message

Windows equivalent: path
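The lookup order above, as an added example that is not part of the original slides: resolve_in_path returns the first match in a PATH-style list, and audit_path flags entries that let a file in the current directory or in a world-writable directory shadow a system command. In Linux shells the current directory is searched only when PATH contains `.` or an empty entry (cmd.exe on Windows checks it first); both function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides): PATH resolution and a PATH audit.
# Function names are hypothetical; both take a PATH-style string as an argument.

# Print the first executable file named $1 in the colon-separated list $2.
resolve_in_path() (
    cmd=$1
    list=$2:                     # trailing ':' so a final empty entry is kept
    IFS=:
    set -f                       # no globbing while the list is split
    for dir in $list; do
        [ -n "$dir" ] || dir=.   # an empty entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            exit 0
        fi
    done
    exit 127                     # status the shell uses for "command not found"
)

# Report PATH entries that let an unexpected file shadow a system command.
audit_path() (
    list=$1:
    IFS=:
    set -f
    for dir in $list; do
        case $dir in
            ''|.) echo "current-directory entry: '$dir'" ;;
            /*)   # absolute entry: flag it if anyone may write to the directory
                  if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
                      echo "world-writable: $dir"
                  fi ;;
            *)    echo "relative entry: $dir" ;;
        esac
    done
)

audit_path "$PATH"
```

An empty report from audit_path means every PATH entry is an absolute directory that is not world-writable.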
Adding a new path (export)

Windows equivalent: setx path "%path%;C:\Program Files\Java\jdk1.8.0_202\bin" -m

Persisting the new path (.zshrc)

We discuss the details later.


Create folders and files

Create folders (mkdir)

[Diagram: home \myfolder \mysubfolder]

mkdir
Delete folders (rmdir)

rmdir
Create a new text file (echo)

[Diagram: \user home \myfolder]
Show the content of the file

my_first_file.txt:
hello
world
Create a file (leafpad)

or nano command

File Copy & Deletion

Copy a file (cp)

Windows equivalent: copy
Copy a file to a different location

How to copy a folder? -r recursive


• Basic syntax: cp -r source_folder destination_folder
• Example: cp -r ~/myfolder ~/myfolder_copy

Remove a file (rm)

Rename a file (mv)

Windows equivalent: move/copy and ren
Search for information
Search for a string in a text file (grep)
grep search

backslash forward slash

Show line number while displaying the output

Windows equivalent: type/findstr /c:"error" log.txt

Search for file names that contain the given string/pattern
grep help
Search for files that contain “hello”
Networking
Test network connection using domain name

Test network connection using IP
List all open TCP ports
-l, --listening display listening server sockets
-n, --numeric port number (don't resolve names)
-t, --tcp

ssh (22) port is listening


Open port 21 and verify the port is listening

nmap localhost -p 21
Download a file (wget)

https://pbs.twimg.com/media/DulILzQXcAAkFMV.jpg
Create a script file
Create a simple script file
Create a script using leafpad
shebang: indicates the interpreter that should be used to execute the script or program that follows

#!/bin/sh

Check permission of files

Windows equivalent: .bat
Linux Permissions

Execute a script file in a different folder
Add a path to the path variable
Update/Install software
Update software
Install terminator
Zip/unzip files
