Abstract

This chapter provides an overall methodology for preserving volatile data on a Linux machine in a forensically sound manner, and uses case examples to demonstrate the strengths and shortcomings of the information that is available through the operating system. There are various native Linux commands that are useful for collecting volatile data from a live computer. Since the commands on a compromised system can be undermined by malware and cannot be trusted, it is necessary to use a toolkit of utilities for capturing volatile data that have minimal interaction with the subject operating system. Using trusted binaries is a critical part of any live examination, and can reveal information that is hidden by a rootkit. However, when a loadable kernel module (LKM) rootkit is involved, even statically compiled binaries that do not rely on components of the subject system are ineffective, making it necessary to explore creative countermeasures and to rely on memory forensics and file system forensics.
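As an added example (not code from the chapter), the POSIX shell functions below show the collection step the abstract describes: every command runs with a read-only toolkit of trusted binaries as the only PATH, each output is written to the examiner's media, and a log records timestamp, command, exit status and SHA-256 of each artifact so the evidence can be re-verified later. The toolkit and evidence directories are hypothetical paths passed in by the examiner; the toolkit is assumed to contain date, sha256sum and the collection commands.

```shell
#!/bin/sh
# Added example, not the chapter's code: collect volatile data through a trusted
# toolkit and keep an integrity log, then re-verify the log afterwards.
# Assumptions (hypothetical): $toolkit is a read-only directory of statically
# linked binaries (date, sha256sum, plus the commands to run); $evidence is a
# directory on the examiner's own media, never on the subject's disk.

# collect_volatile TOOLKIT EVIDENCE CMD... ; outputs are saved as EVIDENCE/NN.txt
collect_volatile() {
    toolkit="$1"; evidence="$2"; shift 2
    mkdir -p "$evidence" || return 1          # last command run from the subject's PATH
    log="$evidence/collection.log"
    saved_path="$PATH"
    PATH="$toolkit"; export PATH              # from here on, subject binaries are unreachable
    : > "$log"
    n=0
    for cmd in "$@"; do
        n=$((n + 1))
        out="$evidence/$(printf '%02d' "$n").txt"
        start="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        $cmd > "$out" 2>&1                    # unquoted on purpose so "ps -ef" splits into words
        rc=$?
        digest="$(sha256sum < "$out")"; digest="${digest%% *}"
        # One tab-separated log line per artifact: when, what ran, where, exit status, hash
        printf '%s\t%s\t%s\trc=%d\t%s\n' "$start" "$cmd" "$out" "$rc" "$digest" >> "$log"
    done
    PATH="$saved_path"; export PATH
    return 0
}

# verify_evidence LOG : recompute every hash in the log; report mismatches, return 1 if any
verify_evidence() {
    bad=0
    while IFS="$(printf '\t')" read -r _ts cmd out _rc digest; do
        now="$(sha256sum < "$out")"; now="${now%% *}"
        if [ "$now" != "$digest" ]; then
            printf 'MISMATCH %s (%s)\n' "$out" "$cmd"
            bad=1
        fi
    done < "$1"
    return $bad
}
```

A command that is missing from the toolkit is still logged (with rc=127 and the shell's error text as its output), which is itself evidence of what the toolkit could and could not capture.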
