Filesystem Hierarchy

Uploaded by

fzbshf
Copyright: © All Rights Reserved

Filesystem Hierarchy

The Linux Foundation maintains a Filesystem Hierarchy Standard (FHS). This FHS defines the directory structure and the content/purpose of the directories in Linux distributions.

The top of this hierarchical tree is called the root directory, or / (not to be confused with the root user’s home directory /root). All subdirectories, mounted storage media, mounted network shares, or other mounted virtual filesystems, are attached to this “upside down” tree below the root. This process is called mounting a filesystem, and the directory (typically empty) where it is mounted is called the mount point.

• /bin – Binaries

  The /bin directory contains the executable files of many basic shell commands like ls, cp, cd etc. Mostly the programs are in binary format here and accessible by all the users in the Linux system.

• /etc – Configuration files

  The /etc directory contains the core configuration files of the system, used primarily by the administrator and services, such as the password file and networking files.

Linux File Types and Identification

The phrase file type can have one of two meanings. In the context of lower-layer filesystems, it refers to Unix or POSIX file types.

POSIX File Types

Linux was developed with the Unix philosophy of “everything is a file.” To implement this concept, special file types were needed to extend functionality beyond regular files and directories.

• Regular file
• Directory
• Symbolic link
• Named pipe or FIFO
• Block special
• Character special
• Socket

Regular files

A regular file is exactly that, a file containing data, such as text, pictures, videos, office documents, executable programs, databases, encrypted data, or any other content normally stored in a file. The data in a regular file is stored in filesystem blocks on the storage medium.

Hashsets for Linux

• A common method of identifying files in digital forensics is to use cryptographic hashes (MD5, SHA-1, and so on) to create a unique fingerprint or signature.

• You can create lists of cryptographic hashes from software packages or other known collections of files. These lists of known file hashes are called hashsets or hash databases.

• In digital forensics, hashsets are typically used either to ignore uninteresting files or identify especially interesting files.

When identifying especially interesting files

Examples of known files typically of interest during forensic analysis include:

• Indicators of compromise (IOCs), which may include hashes of malware components

• Certain classifications of software (keyloggers or bitcoin miners, for example)

• Known illicit material (these hashsets are usually available only to law enforcement)

• Known leaked or sensitive documents in a corporate environment

Hashsets also are used to find modified or trojaned versions of binary executables by comparing installed files with the expected vendor-supplied hash values.

NIST maintains the National Software Reference Library (NSRL).
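
The hashset comparison described above, as an added example that is not part of the original slides: it hashes only regular files (per the POSIX file types listed earlier) and sorts them into ignored, flagged, modified and unknown. SHA-256, the manifest format, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Hash in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, known_good, known_bad, manifest):
    """known_good/known_bad: digest sets; manifest: {relative path: digest}."""
    out = {"ignored": [], "flagged": [], "modified": [], "unknown": [], "skipped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # lstat does not follow symlinks. Only regular files are hashed:
            # opening a FIFO would block, and links/devices hold no file data.
            if not stat.S_ISREG(os.lstat(path).st_mode):
                out["skipped"].append(rel)
                continue
            digest = sha256_file(path)
            if digest in known_bad:                      # IOC hashset hit
                out["flagged"].append(rel)
            elif rel in manifest and manifest[rel] != digest:
                out["modified"].append(rel)              # differs from expected value
            elif digest in known_good or rel in manifest:
                out["ignored"].append(rel)               # known, uninteresting
            else:
                out["unknown"].append(rel)
    return {k: sorted(v) for k, v in out.items()}


def demo():
    """Run triage over a constructed tree (all names and contents are made up)."""
    sha256 = hashlib.sha256
    with tempfile.TemporaryDirectory() as root:
        files = {"ls": b"vendor ls", "cp": b"altered cp", "miner": b"xmr", "notes": b"hi"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        os.symlink("ls", os.path.join(root, "ls-link"))  # symbolic link: skipped
        manifest = {"ls": sha256(b"vendor ls").hexdigest(), "cp": sha256(b"vendor cp").hexdigest()}
        return triage(root, set(), {sha256(b"xmr").hexdigest()}, manifest)
```

Files left in the unknown bucket are the ones that still need manual review after the known-good and known-bad hashsets have been applied.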

Linux File Analysis

Application Metadata

The metadata from applications found on Linux systems is generally a subset of that found in proprietary environments.