Book Review: "Linux Forensics"
"Linux Forensics with Python and Shell Scripting" by Dr. Philip Polstra is a good primer on Linux forensics in general. The book comes jam packed with Python (over 9,000 lines) and Bash scripts (over 800 lines) as well as images of the commands being run, making the book a fun read with lots of pictures and code. The book is a little expensive at ~$43 for 370 pages long, and it reads much quicker with many pages containing only images or code. Overall, I give the book 7/10 stars, and would recommend it to computer science students, forensic investigators, and in general blue teamers. The book is heavy in explaining the computer science behind many of the Linux features, which makes it theory rich as well as practical. The book also covers an excellent set of topics, everything from live analysis, to memory analysis and even dead disk analysis. The book even has a chapter on analyzing Linux malware / binaries, which is an excellent compliment to the book. The following are the chapters of the book, to give you a better idea of it's contents:
Chapter 1: First Steps
What is Forensics?Types of Forensics
Why Linux Forensics?
General Principles
Phases of Investigation
High-level Process
Building a Toolkit
Summary
Chapter 2: Determining if There Was an Incident
Opening a CaseTalking to Users
Documentation
Mounting Known-Good Binaries
Minimizing Disturbance to the Subject System
Using Scripting to Automate the Process
Introducing our First Subject System
Collecting Volatile Data
Summary
Chapter 3: Live Analysis
There was an Incident: Now What?Getting File Metadata
Using a Spreadsheet Program to Build a Timeline
Examining User Command History
Getting Log Files
Collecting File Hashes
Dumping RAM
Summary
Chapter 4: Creating Images
Shutting Down the SystemImage Formats
Using DD
Using DCFLDD
Hardware Write Blocking
Software Write Blocking
Creating an Image from a Virtual Machine
Creating an Image from a Physical Drive
Summary
Chapter 5: Mounting Images
Partition BasicsMaster Boot Record Partitions
Extended Partitions
GUID Partitions
Mounting Partitions from an Image File on Linux
Using Python to Automate the Mounting Process
Summary
Chapter 6: Analyzing Mounted Images
Getting Modification, Access, and Creation TimestampsImporting Information into LibreOffice
Importing Data into MySQL
Creating a Timeline
Examining Bash Histories
Examining System Logs
Examining Logins and Login Attempts
Optional - Getting All the Logs
Summary
Chapter 7: Extended Filesystems
Extended Filesystem BasicsSuperblocks
Extended Filesystem Features
Using Python
Finding Things That Are Out of Place
Inodes
Journaling
Summary
Chapter 8: Memory Analysis
VolatilityCreating a Volatility Profile
Getting Process Information
Process Maps and Dumps
Getting Bash Histories
Volatility Check Commands
Getting Networking Information
Getting Filesystem Information
Miscellaneous Volatility Commands
Summary
Chapter 9: Dealing with More Advanced Attackers
Summary of the PFE AttackThe Scenario
Initial Live Response
Memory Analysis
Filesystem Analysis
Leveraging MySQL
Miscellaneous Findings
Summary of Findings and Next Steps
Summary
Chapter 10: Malware
Is it Malware?I think It is Malware
Dynamic Analysis
Obfuscation
Summary
Chapter 11: The Road Ahead
Now What?Communities
Learning More
Congregate
Certify
Summary
The book comes with a ton of resources as well. It's featured on Dr. Polstra's site and has it's own dedicated site. The dedicated book site also contains all of the code, videos on each chapter, and sample images to practice the forensic tools on. While I really enjoyed this book, I disagreed w/ some of Dr.Polstra's methodology. For example, I don't like the idea of sending the forensic evidence around the network unencrypted, using netcat. I would much rather a solution that uses fairly secure crypto for sending data, such as CryptCat. I like that the content stays technical, while following a consistent plot through the evidence examined in the exercises. Overall, it's a great, technical primer on Linux forensics, in which even a seasoned expert could still learning something. I urge you to check out the code and some of the videos, if you enjoy that content then you will enjoy the book!
