Presented by:


Gary Smith

from Pacific Northwest National Laboratory

Gary started out his professional career as a chemist/materials engineer. His start down the path to the Dark Side of Computing began when he wrote a program to design an optimal extruder screw rather than face thousands of calculations with a slide rule (yes, a slide rule). Since then, he's done a lot of different things in computing. Always a glutton for punishment, he wrote his own sendmail.cf from scratch. Around 1993, Gary started doing computer security when the semiconductor company he was working for was forced to get on the Internet to send and receive integrated circuit designs faster, and a firewall/Internet gateway was needed. Since then, Gary has been involved in firewalls, intrusion detection systems, application hardening, and anti-spam filters. Gary really does computer security to support his bicycling habit. He has more bikes than most other people have computers. And they're a lot more expensive.

Performing a forensic analysis of a Linux disk image is often part of incident response, to determine whether a breach has occurred. Linux forensics is quite a different and fascinating world compared with Microsoft Windows forensics. In this presentation, we will analyze a disk image from a potentially compromised Linux system. We will attempt to determine the who, what, when, where, why, and how, and create both an event timeline and a file system timeline. Finally, we will extract artifacts of interest from the disk image. This presentation includes a demo, so any sacrifices to appease the demo gods would be appreciated.

Date:
2018 April 28 - 03:45
Duration:
1 h 30 min
Room:
CC-200
Conference:
LinuxFest Northwest 2018
Language:
Track:
Security
Difficulty:
Hard

Happening at the same time:

  1. Linux Sucks. Forever.
     Start Time: 2018 April 28 03:45
     Room: HC-108

  2. Harmonize or Resist? A Global Survey of Strategies for Software
     Start Time: 2018 April 28 03:45
     Room: CC-114

  3. Linux File System Forensics
     Start Time: 2018 April 28 03:45
     Room: CC-200

  4. Perkeep
     Start Time: 2018 April 28 03:45
     Room: CC-235

  5. How to Deploy Your React Application While Saving Time and Energy
     Start Time: 2018 April 28 03:45
     Room: CC-208

  6. Visual Studio and VS Code for Linux C/C++ development
     Start Time: 2018 April 28 03:45
     Room: CC-236

  7. Pop!_OS - A visionary tale of an OS that will.
     Start Time: 2018 April 28 03:45
     Room: CC-115

  8. EFF Open Forum
     Start Time: 2018 April 28 03:45
     Room: G-103

  9. Migrating MSSQL TO POSTGRES, An Open Source War Story
     Start Time: 2018 April 28 03:45
     Room: HC-103 Postgres

  10. Introduction to Working with Vagrant
      Start Time: 2018 April 28 05:00
      Room: CC-202 TUT2

  11. Do good things - and talk about it!
      Start Time: 2018 April 28 05:00
      Room: CC-201 TUT1