Linux forensic investigation tools

Introduction

Dealing with a security incident is rarely a happy exercise for the organisation that became the victim. Even so, it is forensic tools that let us reconstruct what happened, how the attacker got in, and why it could happen in the first place.

This tool category covers tools that run on Linux systems, or analyse data taken from them, to acquire evidence and process the resulting artifacts: disk images, memory dumps and live-system state. The tools are useful both for professional forensic specialists and for beginners who want to learn the required skills.

Usage

Linux forensic investigation tools are typically used for digital forensics, from evidence acquisition (disk images, memory dumps, live-system state) to analysis and timeline reconstruction.

Users of these tools include forensic specialists and security professionals.

Tools

GRR Rapid Response (remote live forensics for incident response)

digital forensics, intrusion detection, threat hunting

GRR is an agent-based framework for remote live forensics and investigations: a client runs on each endpoint and a central server schedules collection tasks on them. Because collection is fast and scales to a large fleet, analysts can start their analysis quickly without logging in to each machine. One of the main features is the ability to run the same search, for example for a file, a process or another artifact, across many or all clients at once. This process is called a hunt.

MIG (real-time investigation tool)

digital forensics, intrusion detection

MIG (Mozilla InvestiGator) provides a platform to perform investigative analysis on remote systems. Agents on the endpoints answer queries sent from a central console, such as whether a given file, hash, process or network connection is present. The queries run on all targeted systems in parallel, which makes intrusion detection, investigation and follow-up across a fleet much easier than inspecting each machine by hand. Note that Mozilla no longer maintains the project, so check its status before building a workflow on it.

The Sleuth Kit (toolkit for forensics)

criminal investigations, digital forensics, file system analysis

The Sleuth Kit is a collection of command-line tools and a C library to analyze volume and file system data on disk images, without having to mount them. The tools are layered by abstraction: for example, mmls lists the partitions in an image, fls lists the files and directories of a file system (including deleted entries), istat shows the metadata of a file, and icat extracts its content. With this modular design, an investigator can locate the right data, recover evidence such as deleted files, and feed it into further analysis, for instance a timeline of file activity.
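The usual way to get from file system metadata to evidence is a timeline: `fls -r -m / -o <sector offset> image.dd` writes a "bodyfile" with one line per file and its MAC timestamps, and The Sleuth Kit's own mactime script sorts that into a chronology. The script below is an added example, not code from The Sleuth Kit, that reproduces the core of what mactime does so the bodyfile format and the m/a/c/b grouping are visible. The bodyfile lines in SAMPLE_BODYFILE are constructed for the example; the handling of a zero timestamp as "not recorded" is this example's design choice.

```python
"""Turn Sleuth Kit bodyfile output (fls -m) into a sorted file-activity timeline.
Added example; not part of The Sleuth Kit, which ships `mactime` for this job."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample of `fls -r -m / -o 2048 image.dd` output (bodyfile v3):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# MD5 is 0 because fls does not hash; crtime is 0 on file systems without it.
SAMPLE_BODYFILE = """\
0|/etc/passwd|131073|r/rrw-r--r--|0|0|1842|1700000000|1699990000|1699990000|0
0|/root/.bash_history|262145|r/rrw-------|0|0|512|1700003600|1700003600|1700003600|0
0|/tmp/.x (deleted)|393217|r/rrwxr-xr-x|1000|1000|73728|1700001800|1700001800|1700002000|0
0|/etc/cron.d/backup|131080|r/rrw-r--r--|0|0|89|1700001900|1700001850|1700001850|0
"""

# fls appends these to the name of unallocated (deleted) entries.
DELETED_SUFFIXES = (" (deleted)", " (deleted-realloc)")


@dataclass
class BodyEntry:
    path: str
    inode: str
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int
    deleted: bool


@dataclass
class TimelineEvent:
    ts: int
    flags: str  # mactime-style "macb": m=modified, a=accessed, c=changed, b=born; '.' = no match
    entry: BodyEntry


def _split_deleted(name: str):
    """Strip the fls deleted marker and report whether it was present."""
    for suffix in DELETED_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)], True
    return name, False


def parse_bodyfile(text: str) -> List[BodyEntry]:
    """Parse bodyfile lines; rejects lines that do not carry the 11 expected fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        path, deleted = _split_deleted(name)
        entries.append(BodyEntry(path, inode, mode, int(uid), int(gid), int(size),
                                 int(atime), int(mtime), int(ctime), int(crtime), deleted))
    return entries


def build_timeline(entries: List[BodyEntry], start: Optional[int] = None,
                   end: Optional[int] = None) -> List[TimelineEvent]:
    """One event per distinct timestamp per file, flagged with which of m/a/c/b matched.
    A timestamp of 0 is treated as 'not recorded' and skipped (example design choice).
    start/end are inclusive epoch seconds that narrow the timeline to a window."""
    events: List[TimelineEvent] = []
    for e in entries:
        by_ts: Dict[int, Set[str]] = {}
        for flag, ts in (("m", e.mtime), ("a", e.atime), ("c", e.ctime), ("b", e.crtime)):
            if ts != 0:
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            if (start is not None and ts < start) or (end is not None and ts > end):
                continue
            flagstr = "".join(f if f in flags else "." for f in "macb")
            events.append(TimelineEvent(ts, flagstr, e))
    events.sort(key=lambda ev: (ev.ts, ev.entry.path))
    return events


def format_timeline(events: List[TimelineEvent]) -> List[str]:
    """Render events as lines: UTC time, macb flags, size, mode, uid:gid, inode, path."""
    lines = []
    for ev in events:
        when = datetime.fromtimestamp(ev.ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        e = ev.entry
        name = e.path + (" (deleted)" if e.deleted else "")
        lines.append(f"{when} {ev.flags} {e.size:>8} {e.mode} {e.uid}:{e.gid} {e.inode} {name}")
    return lines


if __name__ == "__main__":
    entries = parse_bodyfile(SAMPLE_BODYFILE)
    # Narrow to the window around the suspicious deleted binary in /tmp.
    for line in format_timeline(build_timeline(entries, start=1700001000, end=1700004000)):
        print(line)
```

In the sample, the deleted /tmp/.x, the new cron job and the root shell history line up within minutes of each other, which is exactly the kind of clustering a timeline is built to expose. On a real image, run fls against the partition found with mmls (its -o option takes the start sector) and pipe the bodyfile into this script or into mactime.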

Volatility (memory forensics framework)

digital forensics

Volatility is a framework for analyzing volatile memory (RAM) dumps for forensic and incident-response purposes. From a memory image it can list processes, network connections, loaded kernel modules and other runtime state, including items that malware hides from the tools on the live system. The framework is written in Python and runs on almost all platforms.

Missing a favorite tool in this list? Share a tool suggestion and we will review it.