group project linux helix

Linux Forensics using Helix By Mike Sedgley, Remeca Akins, and Jeff Carroll

Upload: jeff-carroll

Post on 15-May-2015


Category:

Education



DESCRIPTION

Group project for Computer Forensics class at GTC.

TRANSCRIPT

1. By Mike Sedgley, Remeca Akins, and Jeff Carroll

2. What is it?

3. Linux is a freely distributed operating system that behaves like the Unix operating system. Linux is a free operating system that was developed on the internet. It was started by Linus Torvalds and has been developed by users into a hugely diversified operating system that is in use by large companies, academic institutions and individual users. The free source code has been a big advantage, which has allowed Linux to become a success in a short period of time. Linux was designed specifically for the PC platform and takes advantage of its design to give users comparable performance to high-end UNIX workstations. From 1991, Linux quickly developed on hackers' web pages as the alternative to Windows and the more expensive UNIX systems.

4. Linux today
- Each new version is becoming more user friendly.
- Disk installation is no longer confusing.
- The installation interface is more intuitive.
- The graphical environment is becoming much more mature.
- More and more companies are embracing and supporting Linux: IBM has teams of developers working on it; Apple's OS now has a UNIX-like core; Novell is now in the Linux business.
- More and more devices are now running Linux. Personal devices: cell phones and PDAs. Electronics: video recorders, MP3 players.

5. Why Linux for forensics?
- Reliability
- Scalability
- Flexibility: boot from a CD (to a complete OS), file system support, platform support, etc.
- Security: not just over your forensic software, but the whole OS and attached hardware.
- Price: free (no license fee, open source)
- Power: a Linux distribution is (or can be) a forensic tool.

6. Who uses Linux? Almost all types of computer users now use Linux.
- Engineers and scientists use it for code development and simulation.
- System administrators.
- Network providers: networking is one of the real strengths of Linux (share files, remote logins, SAMBA, ...).
- Kernel hackers: lots of talented people on the web for help.
- Multimedia authors: works with almost all sound and video cards. OpenGL has been ported. Even some Virtual Reality machines now use Linux. Very handy graphics tools, called Gimp, too.
- Antarctica research stations, oceanography vessels, students.

7. Some Linux distributions (flavors)

8. Linux is just the kernel (i.e., the heart of the OS), not the OS itself. The OS consists of the kernel and the basic tools and utilities supporting the kernel, like the file manipulation and search commands, editors, compilers, etc. The kernel by itself is pretty useless: it is like a brain without a body! Linux kernel + GNU utilities form the Linux OS as most people know it, e.g., RedHat Linux, Mandrake Linux, SuSe Linux, Debian Linux, Slackware Linux.

9. Linux vs. Windows
- Linux: open source. File systems: EXT2 (inodes), EXT3 (journaling), ReiserFS, Reiser4, etc. GUI: KDE and Gnome. Text mode interface: BASH. Single hierarchical directory structure starting at root (/). LILO and GRUB bootloaders.
- Windows: proprietary. File systems: FAT12, FAT16, FAT32, NTFS, exFAT. GUI: Windows. Text mode interface: command interpreter (DOS prompt). Partitions with drive letter directories C:, D:. Ntldr and Boot.ini loaders.

10. Hierarchical data structure: / is the root directory. Linux primary file systems: Second Extended File System (Ext2fs) and Ext3fs, the journaling version of Ext2fs. Both employ inodes, which contain information about each file or directory. Everything is a file; these are called objects. Linux consists of four blocks that contain objects:
- Boot block (bootstrap code)
- Superblock (manages the file system)
- Inode blocks (file allocation)
- Data blocks (where directories and files are stored)

11. Linux treats its devices as files. The special directory where these "files" are maintained is /dev, labeled as a path starting at the root (/) directory.
- Primary master disk: /dev/hda. First partition is /dev/hda1, second partition is /dev/hda2.
- Primary slave or secondary master or slave: /dev/hdb. First partition is /dev/hdb1.
- SCSI controllers: /dev/sda, with first partition /dev/sda1.
- Linux treats SATA, USB, and FireWire devices the same way as SCSI devices.

12. Adepto and Autopsy: the forensic process
- Acquisition: making a copy of the original drive (physical, logical).
- Validation: ensuring the integrity of data being copied (hashing, headers).
- Discrimination: sorting and searching through all investigation data.
- Extraction: recovering data is the first step in analyzing an investigation's data (keyword, carving, decrypting).
- Reconstruction: re-create a suspect drive to show what happened during a crime or an incident. Disk-to-disk copy, image-to-disk copy, partition-to-partition copy, image-to-partition copy.
- Reporting: to complete a forensic disk analysis and examination, you need to create a report.

13. Linux command-line forensic tools
- dd: used to copy from an input file or device to an output file or device. Simple bitstream imaging.
- sfdisk and fdisk: used to determine the disk structure.
- grep: search files (or multiple files) for instances of an expression or pattern.
- The loop device allows you to associate regular files with device nodes. This lets you mount a bitstream image without having to rewrite the image to a disk.
- md5sum and sha1sum: create and store an MD5 or SHA hash of a file or list of files (including devices).
- file: reads a file's header information in an attempt to ascertain its type, regardless of name or extension.
- xxd: command-line hexdump tool, for viewing a file in hex mode.

14. Commercial forensic suites provide a lower-cost way to maximize the tools and typically include the most often used tools:
1. Paraben
2. Encase
3. X-Ways Forensics
4. FTK
5. Pro Discover

15. Open-source and bootable toolkits
- SMART: can analyze a variety of file systems; many plug-in utilities are included.
- Helix: you can load it on a live Windows system, or it loads as a bootable Linux OS from a cold boot (does not touch the host PC). Contains Adepto to capture an image and Autopsy to analyze the image.
- Knoppix-STD: a collection of tools for configuring security measures, including computer and network forensics.
- The Sleuth Kit, Backtrack, Coroner's Tool Kit, FIRE.

16. Using Helix on a Linux System

17. Helix is a live Linux CD carefully tailored for incident response, system investigation and analysis, data recovery, and security auditing. Helix has two modes: a pure Linux bootable live CD, and the Windows mode, where it can be used in vivo on top of a running Windows desktop.

18. Open source platform.
- Linux platform: bootable Linux OS from a cold boot; easier to script and perform operations; has better compatibility tools (i.e. Adepto and Autopsy).
- Windows platform: used for safer live captures on running systems; compiled toolkit; lesser dependency at the client side; easy to use.
- Ubuntu + GUI interface.

19. Adepto Demo: how to capture an image using Adepto.

20. After the image is captured with Adepto, Autopsy can analyze the captured drive's data. Autopsy Demonstration.

21. Let's Recap
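The Acquisition, Validation and Discrimination steps of slide 12, carried out with the dd, sha1sum and grep commands of slide 13, as an added example that is not part of the original slides or of Helix; it runs against a constructed sample file rather than a real device, and the marker string, file names and function names are assumptions:

```shell
#!/bin/sh
# Added example (not from the slides or Helix itself): the dd / hash / keyword
# workflow of slides 12 and 13 run against a constructed sample "drive" file.
set -eu
make_sample_evidence() {
  # Constructed sample: a 64 KiB zero-filled "disk" with one marker string at byte 4096
  out=$1
  dd if=/dev/zero of="$out" bs=1024 count=64 2>/dev/null
  printf 'EVIDENCE-MARKER' | dd of="$out" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

acquire_image() {
  # Bit-stream copy of the source (a file here; on a real system a block device
  # such as /dev/sda). conv=noerror,sync continues past read errors and pads the
  # bad block with zeros instead of stopping, so the image stays offset-aligned.
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

hash_file() {
  sha1sum "$1" | awk '{ print $1 }'
}

verify_image() {
  # Validation step: the image is good only if its hash equals the source hash.
  # Both hashes are written next to the image so the report can cite them.
  src_hash=$(hash_file "$1")
  img_hash=$(hash_file "$2")
  printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$2.sha1"
  [ "$src_hash" = "$img_hash" ]
}

keyword_offset() {
  # Discrimination step: byte offset of the first hit for a keyword in the image
  # (-a treats the binary image as text, -b prints the byte offset, -o the match only)
  grep -a -b -o "$2" "$1" | head -n 1 | cut -d: -f1
}

run_demo() {
  work=$(mktemp -d)
  make_sample_evidence "$work/suspect.raw"
  acquire_image "$work/suspect.raw" "$work/suspect.dd"
  if verify_image "$work/suspect.raw" "$work/suspect.dd"; then
    echo "image verified, marker at byte $(keyword_offset "$work/suspect.dd" EVIDENCE-MARKER)"
  else
    echo "hash mismatch: image is not a faithful copy" >&2
  fi
  rm -rf "$work"
}
if [ "${1:-}" = demo ]; then run_demo; fi
```

Loop-mounting the image read-only and examining it with file or xxd follows the same pattern but needs root, so it is not part of the runnable block.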