Linux Forensic Junior - 5 days


Digital investigation makes it possible to reconstruct and understand in detail the chronology of a system’s present and past activities. In this case, we are interested in the Linux kernel and two types of Linux distribution. While the examples and illustrations will focus apt and rpm-based distributions, most of the elements presented can be generalized to others.

During a security incident or a search for computer malware, the first questions deal with establishing the perimeter of compromise and the attacker's methods. The technical approach to such an investigation is intended to be as exhaustive as possible and, above all, reproducible.

During these five days of training, the participants will be exposed to the fundamentals in order to carry out a digital investigation for a Linux distribution and thus identify the traces of malicious intent. Each module will be illustrated by guided practical work allowing to apply the theoretical concepts previously taught. The training includes a role-play on several artifacts (disk, memory, pcap).

  • 5 days (35 hours)

  • 11 course modules covering the fundamentals of Linux forensic investigation

  • Cold or hot approach to cover several intervention situations

  • Practical work on example artifacts

Public and prerequisites

This training was designed for people with initial experience understanding Linux environments (administration, troubleshooting, advanced usage) and wishing to go further in the field of digital investigation.

  • Advanced users (developers)

  • System administrators

  • Level 2 SOC analysts or from a cybersecurity team

  • Beginner forensic analysts

Concepts of offensive security and good Windows & Unix knowledge are recommended to follow this training.


Day 1

Getting started / the command line: training environment (virtual machine, Linux system). Reminder of the main commands for Linux. Linux and distribution: description of how Linux works including processes, file descriptors, security model (user/group, ACL, cgroup), named pipes, signals, terminal and command interpreter, X11. Filesystem: main filesystem types found in Linux systems (ext4, LVM, XFS). Specifics and special features for forensics: management of dates, deleted files, metadata, etc. Case of LUKS and virtual disks (qcow, vmdk).

Day 2

Boot sequence: identify the boot sequence in order to verify the integrity of the launch chain (grub, initramfs, UEFI case). Backdoor search on Systemd. Case of SecureBoot and kernel module signing. Program management: control of programs installed on the system (integrity, permissions). ELF format: program and library. Using apt and rpm package managers. Logging: type of logs (/var/log) and associated processes (syslog, auditd). Traces of compromise.

Day 3

Persistence mechanism: means of system and user persistence, device manager, Systemd. Process Analysis: process diagnostic tools, top Linux processes (ssh, X11), remote execution, procfs. Network Analysis: network configuration, network diagnostic tools, network socket, commonly encountered protocol and tunnel, network capture.

Day 4

Malicious code: analysis tools and methods allowing an initial study to be carried out on malicious code and thus extract the information of interest (behavior, IOC). Artifact: other artifacts (coredump, viminfo). Memory analysis: techniques for acquiring and identifying suspicious elements are discussed in order to complete the analysis of offline elements. Running processes, network connections, cached files, memory injections and API hooking.

Day 5

Container: Trace finding in containers and system reconstruction. Data collection: file extraction (disk copy) and selective (velociraptor). Case study: several images are provided to the participants to put into practice all the techniques studied during the training. These images include various data such as a disk image, a memory capture and network captures.