<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8">
<meta name="generator" content="pdf2htmlEX">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<link rel="stylesheet" href="https://static.pudn.com/base/css/base.min.css">
<link rel="stylesheet" href="https://static.pudn.com/base/css/fancy.min.css">
<link rel="stylesheet" href="https://static.pudn.com/prod/directory_preview_static/6250f1bd74bc5c01058800c7/raw.css">
<script src="https://static.pudn.com/base/js/compatibility.min.js"></script>
<script src="https://static.pudn.com/base/js/pdf2htmlEX.min.js"></script>
<script>
try{
pdf2htmlEX.defaultViewer = new pdf2htmlEX.Viewer({});
}catch(e){}
</script>
<title>Digital Forensic Analysis of Ubuntu File System</title>
</head>
<body>
<div id="sidebar" style="display: none">
<div id="outline">
</div>
</div>
<div id="pf1" class="pf w0 h0" data-page-no="1"><div class="pc pc1 w0 h0"><img class="bi x0 y0 w1 h1" alt="" src="https://static.pudn.com/prod/directory_preview_static/6250f1bd74bc5c01058800c7/bg1.jpg">
<div class="t m0 x1 h3 y2 ff1 fs0 fc0 sc0 ls0 ws0">See discussions, stats, and author profiles for this publication at: <span class="fc1">https://www.researchgate.net/publication/312877113</span></div>
<div class="t m0 x1 h4 y3 ff2 fs1 fc0 sc0 ls0 ws0">Digital Forensic Analysis of Ubuntu File System</div>
<div class="t m0 x1 h5 y4 ff3 fs2 fc2 sc0 ls0 ws0">Article in International Journal of Cyber-Security and Digital Forensics · January 2016</div>
<div class="t m0 x1 h6 y5 ff1 fs3 fc5 sc0 ls0 ws0">DOI: 10.17781/P002213</div>
<div class="t m0 x1 h7 y6 ff1 fs4 fc4 sc0 ls0 ws0">CITATIONS: 3</div>
<div class="t m0 x2 h7 y6 ff1 fs4 fc4 sc0 ls0 ws0">READS: 5,106</div>
<div class="t m0 x1 h9 y8 ff3 fs2 fc2 sc0 ls0 ws0">1 author: Dinesh Patil, Veermata Jijabai Technological Institute, India, Mumbai (8 publications, 13 citations)</div>
<div class="t m0 x6 h5 y11 ff1 fs2 fc0 sc0 ls0 ws0">All content following this page was uploaded by Dinesh Patil on 28 July 2017.</div>
</div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
</body>
</html>
<div id="pf2" class="pf w3 hb" data-page-no="2"><div class="pc pc2 w3 hb"><img class="bi x0 y0 w1 hc" alt="" src="https://static.pudn.com/prod/directory_preview_static/6250f1bd74bc5c01058800c7/bg2.jpg">
<div class="t m0 x7 hd y13 ff5 fs6 fc0 sc0 ls0 ws0">Digital Forensic Analysis of Ubuntu File System</div>
<div class="t m0 x8 he y14 ff6 fs7 fc0 sc0 ls0 ws0">Dinesh N. Patil, Bandu B. Meshram</div>
<div class="t m0 x9 he y15 ff6 fs7 fc0 sc0 ls0 ws0">Veermata Jijabai Technological Institute</div>
<div class="t m0 xa he y16 ff6 fs7 fc0 sc0 ls0 ws0">Matunga, Mumbai, India</div>
<div class="t m0 xb he y17 ff6 fs7 fc0 sc0 ls0 ws0">dinesh9371@gmail.com, bbmeshram@vjti.org.in</div>
<div class="t m0 xc hf y1b ff5 fs7 fc0 sc0 ls0 ws0">ABSTRACT</div>
<div class="t m0 xc h10 y1d ff7 fs8 fc0 sc0 ls0 ws0">The file system of the Ubuntu operating system stores and manages a large amount of configuration information as well as information of forensic importance. Mining and analyzing the useful data of the Ubuntu operating system has become essential with the rise in attacks on computer systems. Investigating the file system can help to collect information relevant to a case. After considering existing research and tools, this paper suggests a new evidence collection and analysis methodology and the UbuntuForensic tool to aid in the process of digital forensic investigation of the Ubuntu file system.</div>
<div class="t m0 xc hf y2b ff5 fs7 fc0 sc0 ls0 ws0">KEYWORDS</div>
<div class="t m0 xc h10 y2d ff7 fs8 fc0 sc0 ls0 ws0">File System, Digital Forensic, Integrated Analysis, Timeline Analysis, Digital Evidence</div>
<div class="t m0 xc hf y30 ff5 fs7 fc0 sc0 ls0 ws0">1 INTRODUCTION</div>
<div class="t m0 xc h10 y32 ff7 fs8 fc0 sc0 ls0 ws0">The Ubuntu operating system is one of the distributions of the Linux operating system. Most of the Ubuntu kernels are the default Linux kernel. Ubuntu uses the Linux file system, which is usually considered as a tree structure. Ubuntu has Ext4 as its default file system. Ext4 is an evolution of Ext3, which was the default file system earlier. The evolution of the Ext file system is summarized in table 1. Linux computers are very much prone to attack from hackers. Linux boxes are often used as servers, essentially as a central control point. In fact, roughly 70% of malware downloaded by hackers to the honeypots is infected with Linux/Rst-B [1]. Linux-based web servers are constantly under attack. At SophosLabs, an average of 16,000-24,000 websites were compromised in a day in 2013 [2]. Linux systems are indeed attacked by malware.</div>
<div class="t m0 xe h10 y43 ff7 fs8 fc0 sc0 ls0 ws0">Microsoft's operating system design includes some features that make documents able to install executable payloads. The use of a database of software hooks and code stubs (the registry) also simplified things [3]. Linux malware is quite distinct in what it does and how it does it, compared to Windows viruses, but it exists. The crucial operating system directories might be used by the malware to affect the computer system as a whole. In addition, there is always the risk of the malicious insider.</div>
<div class="t m0 xe h10 y4d ff7 fs8 fc0 sc0 ls0 ws0">Attacks directed at Linux systems tend to aim at exploiting bugs in system services such as web browsers or Java containers. These don't frequently run with elevated privileges either, so an exploit is typically contained to altering the behavior of the targeted service and, possibly, disabling it. The malware uses the various directories in the Linux file system to plant itself to run as a service and harm the computer. The activity of the malicious insider also gets stored in the file system. This raises the need to do the forensic investigation of directories under the Linux file system to find the traces of malicious activities on the system.</div>
<div class="t m0 xe h10 y5a ff7 fs8 fc0 sc0 ls0 ws0">The paper is organized as follows: Section 2 discusses the related work and the existing tools on Linux file system forensics. The potential locations of digital evidence in the directory structure of the Ubuntu File System are discussed in section 3. Section 4 covers the forensic investigation of the various user activities on the Linux file system. The proposed UbuntuForensic tool is discussed in section 5. A comparative study between the existing Linux tools and the proposed tool is performed in</div>
<div class="t m0 xf h13 y64 ff8 fs9 fc0 sc0 ls0 ws0">International Journal of Cyber-Security and Digital Forensics (IJCSDF) 5(4): 175-186</div><div class="t m0 x10 h13 y65 ff8 fs9 fc0 sc0 ls0 ws0">175</div><div class="t m0 x11 h13 y66 ff9 fs9 fc0 sc0 ls0 ws0">The Society of Digital Information and Wireless Communications, 2016 (ISSN: 2305-0012)</div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>
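As an added example that is not part of the paper or of the UbuntuForensic tool, the script below performs the timeline-analysis step named in the keywords: it walks an evidence directory and orders every file by the three per-inode timestamps the Ext family keeps (modification, access, inode change) into a single MAC timeline, then restricts it to an incident window. The evidence root and the window bounds are assumptions for the demonstration.

```python
"""MAC timeline builder (mactime-style) for a mounted evidence directory.

Added example, not the paper's code: it orders every file under a root by
its POSIX timestamps so that activity traces in the directory tree can be
read in time order.
"""
import os
import time
from dataclasses import dataclass
from typing import Iterator, List


@dataclass(frozen=True)
class TimelineEntry:
    when: int    # seconds since the epoch, truncated like a bodyfile
    flags: str   # 'm', 'a', 'c' in that order; '.' where that stamp differs
    path: str
    inode: int
    size: int
    uid: int
    gid: int


def walk_files(root: str) -> Iterator[str]:
    """Yield every non-directory entry under root.  Symlinks are not
    followed, so the walk stays inside the evidence tree."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            yield os.path.join(dirpath, name)


def build_timeline(root: str) -> List[TimelineEntry]:
    """One entry per distinct timestamp of each file, oldest first.

    A file whose mtime and ctime coincide yields a single 'm.c' entry, the
    convention mactime uses; an unreadable entry is skipped rather than
    aborting the whole walk.
    """
    entries: List[TimelineEntry] = []
    for path in walk_files(root):
        try:
            st = os.lstat(path)   # lstat: report the link itself, not its target
        except OSError:
            continue
        stamps = {"m": int(st.st_mtime), "a": int(st.st_atime), "c": int(st.st_ctime)}
        for when in sorted(set(stamps.values())):
            flags = "".join(k if stamps[k] == when else "." for k in "mac")
            entries.append(TimelineEntry(when, flags, path, st.st_ino,
                                         st.st_size, st.st_uid, st.st_gid))
    entries.sort(key=lambda e: (e.when, e.path))
    return entries


def events_between(entries: List[TimelineEntry], start: int, end: int) -> List[TimelineEntry]:
    """Restrict a timeline to the incident window [start, end] (epoch seconds)."""
    return [e for e in entries if start <= e.when <= end]


def format_entry(e: TimelineEntry) -> str:
    """Render one line the way a mactime report does, with the time in UTC."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(e.when))
    return f"{stamp} {e.flags} {e.size:>8} {e.uid}:{e.gid} {e.inode:>8} {e.path}"


if __name__ == "__main__":
    import sys
    # Assumed evidence mount; pass the real one as the first argument.
    evidence_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for entry in build_timeline(evidence_root):
        print(format_entry(entry))
```

The inode-change time (c) cannot be set from user space, so an entry whose ctime disagrees with its mtime is itself a signal worth examining.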
<div id="pf3" class="pf w3 hb" data-page-no="3"><div class="pc pc3 w3 hb"><img class="bi x0 y0 w1 hc" alt="" src="https://static.pudn.com/prod/directory_preview_static/6250f1bd74bc5c01058800c7/bg3.jpg">
<div class="t m0 xc h12 y76 ff7 fs7 fc0 sc0 ls0 ws0">section 6. The findings are concluded in section 7.</div>
<div class="t m0 x12 he y67 ff7 fsa fc0 sc0 ls0 ws0">Table 1. EXT family features and limitations</div>
<table>
<tr><th>Linux File System</th><th>Year of Introduction</th><th>Features</th><th>Limitation</th></tr>
<tr><td>EXT</td><td>1992</td><td>Virtual File System concept used</td><td>No support for a separate timestamp for file access</td></tr>
<tr><td>EXT2</td><td>1993</td><td>File compression added</td><td>No journaling feature</td></tr>
<tr><td>EXT3</td><td>1999</td><td>Journaling added, online file system growth</td><td>Lacks features such as extents, dynamic allocation of inodes and block suballocation</td></tr>
<tr><td>EXT4</td><td>2006</td><td>Extent-based storage, backward compatibility with EXT2 and EXT3, online defragmentation</td><td>Does not overwrite the file after deletion, causing a security problem</td></tr>
</table>
<div class="t m0 xc hf y79 ff5 fs7 fc0 sc0 ls0 ws0">2 RELATED RESEARCH</div>
<div class="t m0 xc h12 y7b ff7 fs7 fc0 sc0 ls0 ws0">This section details the existing research on Linux file system forensics and the tools developed to carry out the forensic investigation of it.</div>
<div class="t m0 xc hf y80 ff5 fs7 fc0 sc0 ls0 ws0">2.1 Existing Research</div>
<div class="t m0 xc h12 y82 ff7 fs7 fc0 sc0 ls0 ws0">The logging system is the most important mechanism for computer forensics on an operating system. The various logging mechanisms in a Linux system that can be of forensic importance are discussed in [4].
<span class="_ _27"> </span>A </div><div class="t m0 xc h12 y87 ff7 fs7 fc0 sc0 ls0 ws0">comparative <span class="_ _8"> </span>study <span class="_ _9"> </span>of <span class="_ _8"> </span>th<span class="_ _6"></span>e <span class="_ _8"></span>various <span class="_ _9"> </span>file <span class="_ _8"></span>systems <span class="_ _9"> </span>in </div><div class="t m0 xc h12 y88 ff7 fs7 fc0 sc0 ls0 ws0">Ubuntu <span class="_ _d"></span>Linux <span class="_ _d"></span>and <span class="_ _d"></span>Free <span class="_ _10"></span>BSD <span class="_ _10"></span>is <span class="_ _d"></span>performed <span class="_ _d"></span>in <span class="_ _d"></span>[5]. </div><div class="t m0 xc h12 y89 ff7 fs7 fc0 sc0 ls0 ws0">In <span class="_ _a"> </span>order <span class="_ _9"> </span>to <span class="_ _a"> </span>meet <span class="_ _a"> </span>the <span class="_ _a"> </span>Linux <span class="_ _9"> </span>fi<span class="_ _6"></span>le <span class="_ _a"> </span>system <span class="_ _9"> </span>a<span class="_ _6"></span>nalysis </div><div class="t m0 xc h12 y8a ff7 fs7 fc0 sc0 ls0 ws0">applications <span class="_ _14"> </span>demand <span class="_ _14"> </span>fo<span class="_ _6"></span>r <span class="_ _14"> </span>computer <span class="_ _14"> </span>forensics,<span class="_ _6"></span> <span class="_ _14"> </span>an </div><div class="t m0 xc h12 y8b ff7 fs7 fc0 sc0 ls0 ws0">object-oriented <span class="_ _f"> </span>m<span class="_ _0"></span>ethod <span class="_ _f"> </span>of <span class="_"> </span>analyzing <span class="_ _f"> </span>Linux <span class="_"> </span>file<span class="_ _6"></span> </div><div class="t m0 xc h12 y8c ff7 fs7 fc0 sc0 ls0 ws0">system <span class="_ _11"> </span>is <span class="_ _29"> </span>proposed <span class="_ _11"> </span>i<span class="_ _6"></span>n <span class="_ _11"> </span>[<span class="_ _6"></span>6]. 
<span class="_ _11"> </span>The<span class="_ _6"></span> <span class="_ _2a"> </span>paper <span class="_ _11"> </span>als<span class="_ _6"></span>o </div><div class="t m0 xc h12 y8d ff7 fs7 fc0 sc0 ls0 ws0">analyzed <span class="_ _a"> </span>diff<span class="_ _6"></span>erent <span class="_ _a"> </span>d<span class="_ _6"></span>ata <span class="_ _14"> </span>sources <span class="_ _a"> </span>deeply <span class="_ _14"> </span>wi<span class="_ _6"></span>th <span class="_ _14"> </span>the </div><div class="t m0 xc h12 y8e ff7 fs7 fc0 sc0 ls0 ws0">inheritance <span class="_ _8"> </span>rel<span class="_ _6"></span>ationship <span class="_ _9"> </span>between <span class="_ _9"> </span>classes <span class="_ _8"></span>and <span class="_ _9"> </span>the </div><div class="t m0 xc h12 y8f ff7 fs7 fc0 sc0 ls0 ws0">encapsulation <span class="_ _d"></span>of <span class="_ _6"></span>cla<span class="_ _6"></span>ss <span class="_ _6"></span>and <span class="_ _d"></span>showed <span class="_ _d"></span>information <span class="_ _d"></span>of </div><div class="t m0 xc h12 y90 ff7 fs7 fc0 sc0 ls0 ws0">Linux <span class="_ _6"></span>file <span class="_ _d"></span>to <span class="_ _6"></span>the <span class="_ _d"></span>users <span class="_ _6"></span>i<span class="_ _6"></span>n <span class="_ _6"></span>a <span class="_ _d"></span>friendly <span class="_ _6"></span>int<span class="_ _6"></span>erface. 
<span class="_ _6"></span>The </div><div class="t m0 xc h12 y91 ff7 fs7 fc0 sc0 ls0 ws0">Linux <span class="_ _6"></span>operating sy<span class="_ _6"></span>stem <span class="_ _6"></span>has <span class="_ _6"></span>been <span class="_ _6"></span>used <span class="_ _6"></span>as <span class="_ _6"></span>a <span class="_ _6"></span>server </div><div class="t m0 xc h12 y92 ff7 fs7 fc0 sc0 ls0 ws0">system <span class="_ _d"></span>in <span class="_ _10"></span>plenty <span class="_ _d"></span>of <span class="_ _10"></span>business <span class="_ _d"></span>services <span class="_ _10"></span>worldwide. </div><div class="t m0 xc h12 y93 ff7 fs7 fc0 sc0 ls0 ws0">Unauthorized i<span class="_ _6"></span>ntru<span class="_ _0"></span>sions on a <span class="_ _6"></span>server<span class="_ _0"></span> are </div><div class="t m0 xe h12 y94 ff7 fs7 fc0 sc0 ls0 ws0"> </div><div class="t m0 xe h12 y95 ff7 fs7 fc0 sc0 ls0 ws0">constantly <span class="_ _2b"> </span>increasing <span class="_ _2c"> </span>with <span class="_ _2b"> </span>a <span class="_ _2c"> </span>geometric </div><div class="t m0 xe h12 y96 ff7 fs7 fc0 sc0 ls0 ws0">progression. <span class="_ _16"> </span>Conversely, <span class="_ _5"> </span>the <span class="_ _16"> </span>protection <span class="_ _16"> </span>and </div><div class="t m0 xe h12 y21 ff7 fs7 fc0 sc0 ls0 ws0">prevention <span class="_ _d"></span>techniques <span class="_ _10"></span>against <span class="_ _d"></span>intrusion <span class="_ _d"></span>accide<span class="_ _6"></span>nts </div><div class="t m0 xe h12 y97 ff7 fs7 fc0 sc0 ls0 ws0">are <span class="_ _6"></span> <span class="_ _d"></span> <span class="_ _d"></span>certainly <span class="_ _6"></span> <span class="_ _d"></span> <span class="_ _d"></span>i<span class="_ _6"></span>nsufficient. 
<span class="_ _6"></span>A <span class="_ _10"></span>new <span class="_ _6"></span>framework <span class="_ _d"></span>to </div><div class="t m0 xe h12 y98 ff7 fs7 fc0 sc0 ls0 ws0">deal <span class="_ _12"> </span>with <span class="_ _b"> </span>a <span class="_ _13"> </span>compromised <span class="_ _b"> </span>Li<span class="_ _6"></span>nux <span class="_ _b"> </span>s<span class="_ _6"></span>ystem <span class="_ _12"> </span>in <span class="_ _12"> </span>a </div><div class="t m0 xe h12 y99 ff7 fs7 fc0 sc0 ls0 ws0">digital <span class="_ _b"> </span>forensic <span class="_ _b"> </span>investig<span class="_ _6"></span>ation <span class="_ _b"> </span>is <span class="_ _b"> </span>developed <span class="_ _12"> </span>and </div><div class="t m0 xe h12 y9a ff7 fs7 fc0 sc0 ls0 ws0">implemented in [7]. Issues pertaining to the </div><div class="t m0 xe h12 y9b ff7 fs7 fc0 sc0 ls0 ws0">Linux <span class="_ _6"></span>Forensics <span class="_ _6"></span>and <span class="_ _6"></span>the <span class="_ _6"></span>various fo<span class="_ _6"></span>rensic <span class="_ _6"></span>tools f<span class="_ _6"></span>or </div><div class="t m0 xe h12 y9c ff7 fs7 fc0 sc0 ls0 ws0">the <span class="_ _f"> </span>forensic <span class="_"> </span>i<span class="_ _6"></span>nvestigation <span class="_ _f"> </span>of <span class="_ _c"> </span>the <span class="_ _f"> </span>Linux <span class="_ _f"> </span>system </div><div class="t m0 xe h12 y9d ff7 fs7 fc0 sc0 ls0 ws0">have been discussed in [8]. 
</div><div class="t m0 xe hf y9e ff5 fs7 fc0 sc0 ls0 ws0"> </div><div class="t m0 xe hf y9f ff5 fs7 fc0 sc0 ls0 ws0">2.2 Existing Tools </div><div class="t m0 xe hf ya0 ff5 fs7 fc0 sc0 ls0 ws0"> </div><div class="t m0 xe h12 ya1 ff7 fs7 fc0 sc0 ls0 ws0">The <span class="_ _9"> </span>S<span class="_ _6"></span>leuth <span class="_ _9"> </span>kit(TS<span class="_ _6"></span>K)</div><div class="t m0 xe h12 ya2 ff7 fs7 fc0 sc0 ls0 ws0">The <span class="_ _9"> </span>S<span class="_ _6"></span>leuth <span class="_ _9"> </span>kit(TS<span class="_ _6"></span>K)<span class="_ _2d"></span>The <span class="_ _9"> </span>S<span class="_ _6"></span>leuth <span class="_ _9"> </span>kit(TS<span class="_ _6"></span>K)</div><div class="t m0 xe h12 ya1 ff7 fs7 fc0 sc0 ls0 ws0">The <span class="_ _9"> </span>S<span class="_ _6"></span>leuth <span class="_ _9"> </span>kit(TS<span class="_ _6"></span>K). <span class="_ _a"> </span>It <span class="_ _9"> </span>is <span class="_ _a"> </span>a <span class="_ _a"> </span>collection <span class="_ _9"> </span>of <span class="_ _9"> </span>Unix-</div><div class="t m0 xe h12 ya3 ff7 fs7 fc0 sc0 ls0 ws0">based <span class="_ _b"> </span>c<span class="_ _6"></span>ommand <span class="_ _b"> </span>li<span class="_ _6"></span>ne <span class="_ _12"> </span>analysis <span class="_ _12"> </span>tools. 
<span class="_ _12"> </span>TSK <span class="_ _12"> </span>can </div><div class="t m0 xe h12 ya4 ff7 fs7 fc0 sc0 ls0 ws0">analyze <span class="_ _2a"> </span>FAT, <span class="_ _29"> </span>NTFS, <span class="_ _29"> </span>E<span class="_ _6"></span>xt2/3, <span class="_ _2a"> </span>and <span class="_ _2a"> </span>UFS<span class="_ _6"></span> <span class="_ _29"> </span>file </div><div class="t m0 xe h12 ya5 ff7 fs7 fc0 sc0 ls0 ws0">systems <span class="_ _d"></span>and <span class="_ _d"></span>can <span class="_ _d"></span>list <span class="_ _d"></span>files <span class="_ _d"></span>and <span class="_ _d"></span>directories, <span class="_ _d"></span>recove<span class="_ _6"></span>r </div><div class="t m0 xe h12 ya6 ff7 fs7 fc0 sc0 ls0 ws0">deleted <span class="_ _13"> </span>f<span class="_ _6"></span>iles, <span class="_ _15"> </span>make <span class="_ _15"> </span>timelines <span class="_ _2"> </span>of <span class="_ _15"> </span>file <span class="_ _13"> </span>acti<span class="_ _6"></span>vity, </div><div class="t m0 xe h12 ya7 ff7 fs7 fc0 sc0 ls0 ws0">perform <span class="_ _17"> </span>keyword <span class="_ _4"> </span>sea<span class="_ _6"></span>rches, <span class="_ _17"> </span>and <span class="_ _4"> </span>use <span class="_ _17"> </span>hash </div><div class="t m0 xe h12 ya8 ff7 fs7 fc0 sc0 ls0 ws0">databases. </div><div class="t m0 xe h12 ya9 ff7 fs7 fc0 sc0 ls0 ws0">Autopsy.</div><div class="t m0 xe h12 yaa ff7 fs7 fc0 sc0 ls0 ws0">Autopsy.<span class="_ _2e"></span>Autopsy.</div><div class="t m0 xe h12 ya9 ff7 fs7 fc0 sc0 ls0 ws0">Autopsy. <span class="_ _8"></span>This <span class="_ _d"></span>t<span class="_ _6"></span>ool <span class="_ _10"></span>is <span class="_ _8"></span>a <span class="_ _10"></span>graphical <span class="_ _10"></span>interf<span class="_ _6"></span>ace <span class="_ _10"></span>to <span class="_ _10"></span>th<span class="_ _6"></span>e </div><div class="t m0 xe h12 yab ff7 fs7 fc0 sc0 ls0 ws0">TSK. 
<span class="_ _14"> </span>It <span class="_ _a"> </span>also <span class="_ _14"> </span>analyzes <span class="_ _14"> </span>FAT, <span class="_ _a"> </span>NTFS<span class="_ _6"></span>, <span class="_ _a"> </span>Ext2<span class="_ _6"></span>/3, <span class="_ _a"> </span>and </div><div class="t m0 xe h12 yac ff7 fs7 fc0 sc0 ls0 ws0">UFS file systems and can list files and directories, </div><div class="t m0 xe h12 yad ff7 fs7 fc0 sc0 ls0 ws0">recover <span class="_ _2"> </span>deleted <span class="_ _1"> </span>files, <span class="_ _1"> </span>make <span class="_ _1"> </span>timelines <span class="_ _1"> </span>of <span class="_ _1"> </span>file </div><div class="t m0 xe h12 yae ff7 fs7 fc0 sc0 ls0 ws0">activity, <span class="_ _6"></span>perform <span class="_ _6"></span>k<span class="_ _6"></span>eyword <span class="_ _6"></span>searches, <span class="_ _d"></span>and <span class="_ _6"></span>use <span class="_ _6"></span>hash </div><div class="t m0 xe h12 yaf ff7 fs7 fc0 sc0 ls0 ws0">databases. </div><div class="t m0 xe h12 yb0 ff7 fs7 fc0 sc0 ls0 ws0">Scalpel.</div><div class="t m0 xe h12 yb1 ff7 fs7 fc0 sc0 ls0 ws0">Scalpel.<span class="_ _2f"></span>Scalpel.</div><div class="t m0 xe h12 yb0 ff7 fs7 fc0 sc0 ls0 ws0">Scalpel. <span class="_ _b"> </span>Scalpel <span class="_ _f"> </span>i<span class="_ _6"></span>s <span class="_ _f"> </span>an <span class="_ _b"> </span>open <span class="_ _f"> </span>s<span class="_ _6"></span>ource <span class="_ _f"> </span>file <span class="_ _b"> </span>carver </div><div class="t m0 xe h12 yb2 ff7 fs7 fc0 sc0 ls0 ws0">which <span class="_ _6"></span>is <span class="_ _d"></span>also <span class="_ _6"></span>available <span class="_ _6"></span>f<span class="_ _6"></span>or <span class="_ _6"></span>Linux. 
<span class="_ _d"></span>File <span class="_ _6"></span>carvers <span class="_ _d"></span>are </div><div class="t m0 xe h12 yb3 ff7 fs7 fc0 sc0 ls0 ws0">used <span class="_ _a"> </span>to <span class="_ _14"> </span>recover <span class="_ _a"> </span>data <span class="_ _14"> </span>from <span class="_ _a"> </span>disks <span class="_ _a"> </span>and <span class="_ _14"> </span>to <span class="_ _14"> </span>retrieve </div><div class="t m0 xf h13 y64 ff8 fs9 fc0 sc0 ls0 ws0">International Journal of Cyber-Security and Digital Forensics (IJCSDF) 5(4): 175-186</div><div class="t m0 x10 h13 y65 ff8 fs9 fc0 sc0 ls0 ws0">176</div><div class="t m0 x11 h13 y66 ff9 fs9 fc0 sc0 ls0 ws0">The Society of Digital Information and Wireless Communications, 2016 (ISSN: 2305-0012)</div></div><div class="pi" data-data='{"ctm":[1.611639,0.000000,0.000000,1.611639,0.000000,0.000000]}'></div></div>