Subject: Computer forensics Q) Summarize where data of interest to a forensic investigator would reside in...

Question:

Subject: Computer forensics

Q) Summarize where data of interest to a forensic investigator would reside in Linux systems. Discuss a tool that would be used to extract that data during an investigation.


Answers

The data of interest to a forensic investigator resides in the hard disk, running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more of a Linux system.

Linux is an open source operating system that is installed on personal computers, supercomputers, servers, etc. Linux has many file systems such as ext2, ext3, and ext4. The file system provides an operating system with a way to data on the hard disk. The file system also identifies how a hard drive and device store forensic data. The data of interest to a forensic investigator resides in these file systems on the hard disk of Linux systems. Data and file recovery techniques for these file systems include data carving, slack space, and data hiding. The important feature of OS forensics is memory forensics, which incorporates virtual memory, Linux memory, memory extraction, and swapping. Forensic investigators should analyze the following folders and directories.

/etc [%SystemRoot%/System32/config]

This is the system configuration directory, which holds separate configuration files for each application.

/var/log

This directory contains application logs and security logs.

/home/$USER

This directory holds user data and configuration information.

/etc/passwd

This directory has user account information.

Digital forensic investigation requires tools to extract the desired data from the devices.

The following are the tools used for digital forensic investigation:

1. Forensic Toolkit for Linux:

Forensic investigators use a forensic toolkit to collect evidence data from a Linux Operating System.

The forensic toolkit contains many tools such as Dmesg, Hunter.O, DateCat, Insmod, Netstat, Arp, route and NC.

2. Helix:
Helix is the distributor of the Knoppix Live Linux CD. It provides access to a Linux kernel, hardware detections, and many other applications.

3. Volatility:
Memory analysis is the most important part of digital investigations. Volatility is a memory forensics framework for incident response and malware analysis which allows one to extract digital artifacts from volatile memory dumps such as RAM. Volatility can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.
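The answer above names /etc/passwd and /var/log as places an investigator looks. The script below is an added example, not part of the original answer or of any tool it mentions, that shows what a first triage pass over those two artifacts looks like in code: it parses passwd entries and flags the usual account anomalies (a non-root account with UID 0, a system account given an interactive shell), and it summarises an auth log into failed-login counts per source address, accepted logins and sudo commands. The passwd and auth-log content embedded in the script is constructed sample data; the host name, addresses and user names in it are made up for illustration.

```python
"""Triage of two Linux forensic artifacts: /etc/passwd and the auth log.

Added example. All sample input below is constructed, not taken from a real host.
"""
import re
from collections import Counter

# Constructed /etc/passwd content (sample data, not from a real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:backup:/tmp:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/bash
"""

# Constructed auth-log lines in the usual syslog/sshd/sudo format (sample data).
AUTH_LOG_SAMPLE = """\
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 10:01:19 host sshd[1203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:02:03 host sshd[1210]: Accepted password for alice from 192.0.2.25 port 51000 ssh2
Mar  3 10:05:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
SYSTEM_UID_MAX = 999  # UIDs below 1000 are conventionally system accounts on most distributions


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts, one per account."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed line: keep going, but do not silently mis-parse it
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def find_suspicious_accounts(entries):
    """Return (account name, reason) pairs for the common account anomalies."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 on a non-root account"))
        if e["uid"] <= SYSTEM_UID_MAX and e["name"] != "root" and e["shell"] in INTERACTIVE_SHELLS:
            findings.append((e["name"], "system account with an interactive shell"))
    return findings


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")


def summarize_auth(text):
    """Summarise an auth log: failed logins per source, accepted logins, sudo commands."""
    failed = Counter()
    accepted, sudo = [], []
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            failed[m.group(2)] += 1          # count by source address
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m.group(1), m.group(2)))
        elif m := SUDO_RE.search(line):
            sudo.append((m.group(1), m.group(2).strip()))
    return {"failed": dict(failed), "accepted": accepted, "sudo": sudo}


def triage(passwd_text, auth_text):
    """Run both checks and return one report dict."""
    return {"accounts": find_suspicious_accounts(parse_passwd(passwd_text)),
            "auth": summarize_auth(auth_text)}


if __name__ == "__main__":
    # On a live system or mounted image, read the real files instead of the samples,
    # e.g. open("/mnt/evidence/etc/passwd").read() and open("/mnt/evidence/var/log/auth.log").read().
    report = triage(PASSWD_SAMPLE, AUTH_LOG_SAMPLE)
    for name, reason in report["accounts"]:
        print(f"account {name}: {reason}")
    for src, n in report["auth"]["failed"].items():
        print(f"{n} failed logins from {src}")
    for user, src in report["auth"]["accepted"]:
        print(f"accepted login: {user} from {src}")
    for user, cmd in report["auth"]["sudo"]:
        print(f"sudo by {user}: {cmd}")
```

Run it against a mounted disk image rather than the live root filesystem where possible, so the evidence is read without the running system modifying access times or rotating the log under you; the passwd parser skips malformed lines rather than raising, since a damaged or deliberately edited file is itself a finding worth noting.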

