Chapter 18: Forensic Examination of UNIX Systems
©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.
FIGURE 18.1 Remote view of a Windows system using FIRE with its VNC connection feature.
FIGURE 18.2 Conceptual representation of a directory and inode where the file types include regular, directory, symbolic link, and socket.
FIGURE 18.3 Overview of UNIX file systems.
FIGURE 18.4 Contents of the root directory’s inode, interpreted as a directory using lde (
FIGURE 18.5 inode for /etc/passwd.
FIGURE 18.6 Viewing a Linux system using the Sleuth Kit and Autopsy Forensic Browser.
FIGURE 18.7 Microsoft NTFS file system and Word embedded metadata viewed in PTK.
FIGURE 18.8 SMART file recovery process saves deleted files onto the examination system for further analysis using other tools.
FIGURE 18.9 FTK used to view ext2 file system in the file “honeynet.hda8.dd,” available from
FIGURE Lazarus from the Coroner’s Toolkit used to classify data on a disk and recover deleted data such as the partial image shown here.
FIGURE The Sleuth Kit showing (A) /var/log directory with inode number ; (B) information relating to inode number , including the associated block group 31, which can also be obtained using the istat command.
FIGURE A histogram of deleted inodes from a compromised machine showing a spike on November 8 as a result of an intruder’s activities.