Linux Forensic Triage: Overview of Process and Tools

Digital forensics dates back into the 1980s, but the importance of Linux forensics was not taken into place until recently. Linux forensics is a distinctive world compared to example Microsoft Windows forensics. Although it is commonly used as a name for the entire operating system, Linux is just the name of the kernel, a piece of software that handles interactions between the hardware and end-user applications. Its popularity has not reached the popularity of the Windows operating system, therefore, without many reliable tools on the market, it represents a bigger challenge for digital forensics investigators. Digital triage is the process in which an investigator collects, assembles, analyzes, and prioritizes digital evidence from a crime. Since there are not many available tools on the market for performing Linux triage, the most important part is to understand the tool and its capabilities in order to know which one to use for a certain situation. This paper will describe how the Linux system is structured, what its architecture contains, how should one correctly approach and acquire the system, and how to understand the tools and results they provide.