If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a post mortem analysis of a system. tct allows the user to collect information about deleted files, running processes and more. See the included documentation for more information. These same utilities and some others can be found in Sleuthkit and Autopsy (http://www.sleuthkit.org/) by Brian Carrier, which provides a web front-end for forensic analysis of disk images. In Debian you can find both sleuthkit (the tools) and autopsy (the graphical front-end).
Remember that forensics analysis should be done always on the backup copy of the data, never on the data itself, in case the data is altered during analysis and the evidence is lost.
You will find more information on forensic analysis in Dan Farmer's and Wi-etse Venema's Forensic Discovery (http://www.porcupine.org/forensics/ forensic-discovery/) book (available online), as well as in their Computer Forensics Column (http://www.porcupine.org/forensics/column.html) and their Computer Forensic Analysis Class handouts (http://www.porcupine.org/forensics/ handouts.html). Brian Carrier's newsletter The Sleuth Kit Informer (http://www. sleuthkit.org/informer/index.php) is also a very good resource on forensic analysis tips. Finally, the Honeynet Challenges (http://www.honeynet.org/misc/chall.html) are an excellent way to hone your forensic analysis skills as they include real attacks against honeypot systems and provide challenges that vary from forensic analysis of disks to firewall logs and packet captures.
FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.
FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD and with the recovered file system restored on a separate partition.
FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse challenge or DavidDittrich'spapers (http://staff.washington.edu/dittrich/)).
Was this article helpful?