Slashdot Mirror


Linux and Data Forensics?

An anonymous reader asks: "Data Forensics has been discussed in the past. I am entering the field soon and aside from rifling through Slashdot and Google and reading some technical data on the software that I am going to be using I haven't had much time to learn everything about the position (I will be officially trained when I move over to the role). I am wondering, though, if Linux has played a strong role in the courtroom when it comes to validating evidence that has been used in a lawsuit case. Those in the field who are reading this, have you used open-source software to prove facts to the court? I don't mean using dd to make an image of a disk but rather a suite of tools whose purpose is to analyze data, indicate relationships, create hash tables, et cetera. That being said, if that software is not available (the programmer side of me asks), is there enough interest in the community to create a package that rivals and is as accountable and recognizable as commercial products?"

1 of 14 comments

  1. Questions Like This Disturb Me by dasunt · Score: 1, Interesting

    I expect those in Data Forensics to be bright, inquisitive people who are willing to quickly learn new things.

    I expect that the role requires it.

    So, when someone asks "Linux and Data Forensics" without taking a few minutes to think about the problem, it disturbs me.

    Perhaps that person would be better suited for a less imaginative job.

    Off the top of my head, I could figure out several tools useful in data forensics. Copy the original drive block-by-block to a new drive. Mount the copy as read-only. Examine typical file locations for email and web caches. Use find to locate most documents. Use grep to search for specific words. Use find to look for all files newer than a specific date. If you want to get more involved, write up scripts that compare the drive to an original OS install and find differences. Write scripts that go through the drive and figure out what each file is. Etc, etc.

    Learn how a few common unix commands work, and learn perl. You should be set.

    Just my $.02
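The two scripted steps dasunt sketches (compare the imaged drive against a clean install, and list files newer than a given date) as a small POSIX shell script. This is an added example, not code from the thread; it assumes a Linux box with coreutils (sha256sum) and that the evidence image and a reference install are already mounted read-only, and it builds two constructed sample trees so it runs as-is.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): hash-manifest comparison of an
# evidence tree against a clean baseline install, plus a "newer than date" sweep.
# Assumption: both trees are mounted read-only beforehand, for example
#   mount -o ro,noexec,loop evidence.dd /mnt/evidence
# Two small sample trees are constructed below so the script runs stand-alone.

# hash_tree DIR: one "sha256  ./relative/path" line per regular file, sorted.
hash_tree() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do sha256sum "$f"; done ) | LC_ALL=C sort
}

# diff_trees BASELINE EVIDENCE: paths in EVIDENCE whose (path, hash) pair is not
# in BASELINE, i.e. files added or modified relative to the clean install.
diff_trees() {
    b=$(mktemp); e=$(mktemp)
    hash_tree "$1" > "$b"
    hash_tree "$2" > "$e"
    LC_ALL=C comm -13 "$b" "$e" | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort
    rm -f "$b" "$e"
}

# newer_than DIR YYYYMMDDhhmm: regular files modified after the timestamp, using a
# reference file and POSIX "find -newer" rather than the GNU-only -newermt.
newer_than() {
    ref=$(mktemp)
    touch -t "$2" "$ref"
    ( cd "$1" && find . -type f -newer "$ref" ) | LC_ALL=C sort
    rm -f "$ref"
}

# make_sample: constructed baseline and evidence trees; prints the temp root.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/baseline/etc" "$root/evidence/etc" "$root/evidence/home/user"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/baseline/etc/passwd"
    cp "$root/baseline/etc/passwd" "$root/evidence/etc/passwd"          # unchanged
    printf '127.0.0.1 localhost\n' > "$root/baseline/etc/hosts"
    printf '127.0.0.1 localhost\n192.0.2.10 backup\n' > "$root/evidence/etc/hosts"  # modified
    printf 'meeting notes\n' > "$root/evidence/home/user/notes.txt"     # added
    find "$root" -type f -exec touch -t 202001010000 {} +
    touch -t 202406150000 "$root/evidence/etc/hosts" "$root/evidence/home/user/notes.txt"
    printf '%s\n' "$root"
}

root=$(make_sample)
echo "== added or modified vs. baseline =="; diff_trees "$root/baseline" "$root/evidence"
echo "== modified after 2024-01-01 =="; newer_than "$root/evidence" 202401010000
rm -rf "$root"
```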