Book Review: "Linux Forensics"

"Linux Forensics with Python and Shell Scripting" by Dr. Philip Polstra is a good primer on Linux forensics in general. The book comes jam-packed with Python (over 9,000 lines) and Bash scripts (over 800 lines), as well as screenshots of the commands being run, making it a fun read with lots of pictures and code. At ~$43 for 370 pages the book is a little expensive, and it reads much quicker than its length suggests, since many pages contain only images or code. Overall, I give the book 7/10 stars and would recommend it to computer science students, forensic investigators, and blue teamers in general. The book puts real effort into explaining the computer science behind many Linux features, which makes it rich in theory as well as practical. It also covers an excellent set of topics, everything from live analysis to memory analysis and even dead disk analysis. There is even a chapter on analyzing Linux malware and binaries, which is an excellent complement to the rest of the book. The following are the chapters of the book, to give you a better idea of its contents:

Chapter 1: First Steps

What is Forensics?
Types of Forensics
Why Linux Forensics?
General Principles
Phases of Investigation
High-level Process
Building a Toolkit
Summary

Chapter 2: Determining if There Was an Incident

Opening a Case
Talking to Users
Documentation
Mounting Known-Good Binaries
Minimizing Disturbance to the Subject System
Using Scripting to Automate the Process
Introducing our First Subject System
Collecting Volatile Data
Summary

Chapter 3: Live Analysis

There was an Incident: Now What?
Getting File Metadata
Using a Spreadsheet Program to Build a Timeline
Examining User Command History
Getting Log Files
Collecting File Hashes
Dumping RAM
Summary

Chapter 4: Creating Images

Shutting Down the System
Image Formats
Using DD
Using DCFLDD
Hardware Write Blocking
Software Write Blocking
Creating an Image from a Virtual Machine
Creating an Image from a Physical Drive
Summary

Chapter 5: Mounting Images

Partition Basics
Master Boot Record Partitions
Extended Partitions
GUID Partitions
Mounting Partitions from an Image File on Linux
Using Python to Automate the Mounting Process
Summary

Chapter 6: Analyzing Mounted Images

Getting Modification, Access, and Creation Timestamps
Importing Information into LibreOffice
Importing Data into MySQL
Creating a Timeline
Examining Bash Histories
Examining System Logs
Examining Logins and Login Attempts
Optional - Getting All the Logs
Summary

Chapter 7: Extended Filesystems

Extended Filesystem Basics
Superblocks
Extended Filesystem Features
Using Python
Finding Things That Are Out of Place
Inodes
Journaling
Summary

Chapter 8: Memory Analysis

Volatility
Creating a Volatility Profile
Getting Process Information
Process Maps and Dumps
Getting Bash Histories
Volatility Check Commands
Getting Networking Information
Getting Filesystem Information
Miscellaneous Volatility Commands
Summary

Chapter 9: Dealing with More Advanced Attackers

Summary of the PFE Attack
The Scenario
Initial Live Response
Memory Analysis
Filesystem Analysis
Leveraging MySQL
Miscellaneous Findings
Summary of Findings and Next Steps
Summary

Chapter 10: Malware

Is it Malware?
I think It is Malware
Dynamic Analysis
Obfuscation
Summary

Chapter 11: The Road Ahead

Now What?
Communities
Learning More
Congregate
Certify
Summary

The book comes with a ton of resources as well. It's featured on Dr. Polstra's site and has its own dedicated site. The dedicated book site also contains all of the code, videos on each chapter, and sample images to practice the forensic tools on. While I really enjoyed this book, I disagreed with some of Dr. Polstra's methodology. For example, I don't like the idea of sending forensic evidence around the network unencrypted using netcat; I would much prefer a solution that uses fairly secure crypto for sending data, such as CryptCat. I like that the content stays technical while following a consistent plot through the evidence examined in the exercises. Overall, it's a great technical primer on Linux forensics, in which even a seasoned expert could still learn something. I urge you to check out the code and some of the videos; if you enjoy that content, you will enjoy the book!