
Chapter 18 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Forensic Examination of UNIX Systems.



Presentation transcript:

1 Chapter 18 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Forensic Examination of UNIX Systems

2 FIGURE 18.1 Remote view of a Windows system using FIRE with its VNC connection feature.

3 FIGURE 18.2 Conceptual representation of a directory and inode where the file types include regular, directory, symbolic link, and socket.

4 FIGURE 18.3 Overview of UNIX file systems.

5 FIGURE 18.4 Contents of the root directory’s inode, interpreted as a directory using lde (http://lde.sourceforge.net).

6 FIGURE 18.5 inode for /etc/passwd.

7 FIGURE 18.6 Viewing a Linux system using the Sleuth Kit and Autopsy Forensic Browser.

8 FIGURE 18.7 Microsoft NTFS file system and Word embedded metadata viewed in PTK.

9 FIGURE 18.8 SMART file recovery process saves deleted files onto the examination system for further analysis using other tools.

10 FIGURE 18.9 FTK used to view the ext2 file system in the file “honeynet.hda8.dd,” available from http://www.honeynet.org/challenge/.

11 FIGURE 18.10 Lazarus from the Coroner’s Toolkit used to classify data on a disk and recover deleted data such as the partial image shown here.

12 FIGURE 18.11 The Sleuth Kit showing (A) /var/log directory with inode number 502952; (B) information relating to inode number 502952, including the associated block group 31, which can also be obtained using the istat command.

13 FIGURE 18.12 A histogram of deleted inodes from a compromised machine showing a spike on November 8 as a result of an intruder’s activities.
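The figures above (18.4, 18.5, 18.11 and 18.12) show what tools such as lde and the Sleuth Kit's istat/ils derive from raw ext2 structures: an inode number mapped to its block group, the inode decoded into type, permissions, size, timestamps and link count, and deleted inodes bucketed by deletion time. The script below is an added example, not code from Casey's chapter or from the Sleuth Kit; it reads those structures directly from the documented on-disk ext2 layout (superblock at byte 1024, 32-byte group descriptors, 128-byte inodes). The disk image it operates on is constructed in memory by build_test_image(), so the inode numbers, dates and two-group geometry are assumptions for illustration and do not describe the honeynet image.

```python
"""Walk an ext2 inode table: map an inode number to its block group (as istat
reports it), decode the inode, and histogram deleted inodes by dtime."""
import struct
from datetime import datetime, timezone

EXT2_MAGIC = 0xEF53
SB_OFFSET = 1024  # the primary superblock always starts 1024 bytes into the volume
TYPES = {0x8000: "regular", 0x4000: "directory", 0xA000: "symlink", 0xC000: "socket"}


def parse_superblock(img):
    """Decode the superblock fields needed to locate inode tables (ext2 rev 0/1)."""
    sb = img[SB_OFFSET:SB_OFFSET + 1024]
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        raise ValueError("no ext2 superblock magic at offset 1024")
    rev = struct.unpack_from("<I", sb, 76)[0]
    return {
        "inodes_count": struct.unpack_from("<I", sb, 0)[0],
        "first_data_block": struct.unpack_from("<I", sb, 20)[0],
        "block_size": 1024 << struct.unpack_from("<I", sb, 24)[0],
        "inodes_per_group": struct.unpack_from("<I", sb, 40)[0],
        "inode_size": struct.unpack_from("<H", sb, 88)[0] if rev >= 1 else 128,
    }


def inode_location(sb, ino):
    """Inode numbers start at 1, so group = (ino - 1) // inodes_per_group."""
    return divmod(ino - 1, sb["inodes_per_group"])


def inode_table_block(img, sb, group):
    """bg_inode_table sits at offset 8 of the 32-byte group descriptor."""
    gdt = (sb["first_data_block"] + 1) * sb["block_size"]
    return struct.unpack_from("<I", img, gdt + 32 * group + 8)[0]


def read_inode(img, sb, ino):
    """Decode the first 28 bytes of an on-disk inode (i_mode .. i_links_count)."""
    group, idx = inode_location(sb, ino)
    off = inode_table_block(img, sb, group) * sb["block_size"] + idx * sb["inode_size"]
    mode, _uid, size, atime, ctime, mtime, dtime, _gid, links = struct.unpack_from(
        "<HHIIIIIHH", img, off)
    return {"ino": ino, "group": group, "type": TYPES.get(mode & 0xF000, "other"),
            "perm": mode & 0o7777, "size": size, "atime": atime, "ctime": ctime,
            "mtime": mtime, "dtime": dtime, "links": links}


def deleted_inode_histogram(img):
    """Count inodes with links_count == 0 and a non-zero dtime, keyed by UTC day."""
    sb = parse_superblock(img)
    hist = {}
    for ino in range(1, sb["inodes_count"] + 1):
        i = read_inode(img, sb, ino)
        if i["links"] == 0 and i["dtime"]:
            day = datetime.fromtimestamp(i["dtime"], timezone.utc).strftime("%Y-%m-%d")
            hist[day] = hist.get(day, 0) + 1
    return hist


def build_test_image():
    """Constructed 16-block, 1 KiB-block ext2 image (not a real disk): two groups of
    16 inodes, inode tables at blocks 5 and 10, superblock at block 1, GDT at block 2."""
    blk = 1024
    img = bytearray(blk * 16)
    for off, fmt, val in ((0, "<I", 32), (4, "<I", 16), (20, "<I", 1), (24, "<I", 0),
                          (32, "<I", 8), (40, "<I", 16), (56, "<H", EXT2_MAGIC),
                          (76, "<I", 1), (88, "<H", 128)):
        struct.pack_into(fmt, img, SB_OFFSET + off, val)
    for g, itab in enumerate((5, 10)):  # bitmaps are placeholders; only bg_inode_table is read
        struct.pack_into("<III", img, 2 * blk + 32 * g, 3, 4, itab)
    ts = lambda y, m, d: int(datetime(y, m, d, 12, tzinfo=timezone.utc).timestamp())
    sb = parse_superblock(img)
    # (ino, mode, links, size, mtime, dtime); links == 0 with dtime set means deleted
    for ino, mode, links, size, mtime, dtime in (
            (2, 0o040755, 3, 1024, ts(2000, 10, 1), 0),                 # root directory
            (12, 0o100644, 1, 640, ts(2000, 10, 15), 0),                # live regular file
            (14, 0o100600, 0, 4096, ts(2000, 11, 1), ts(2000, 11, 1)),  # deleted earlier
            (19, 0o100755, 0, 22000, ts(2000, 11, 8), ts(2000, 11, 8)),
            (20, 0o120777, 0, 16, ts(2000, 11, 8), ts(2000, 11, 8))):   # deleted symlink
        group, idx = inode_location(sb, ino)
        off = inode_table_block(img, sb, group) * blk + idx * sb["inode_size"]
        struct.pack_into("<HHIIIIIHH", img, off, mode, 0, size, mtime, mtime, mtime, dtime, 0, links)
    return bytes(img)


if __name__ == "__main__":
    image = build_test_image()
    sbk = parse_superblock(image)
    for ino in (2, 20):
        print(read_inode(image, sbk, ino))
    print(deleted_inode_histogram(image))
```

To run the same walk over a real image, replace build_test_image() with the bytes of a partition image (for example a dd copy of a single ext2 partition, so that the superblock really sits at byte 1024) and compare read_inode(...)["group"] with what istat prints for the same inode number; the spike in deleted_inode_histogram output is the kind of signal Figure 18.12 plots.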




