Digital Forensic ~ Basic Linux Forensic Tools

Here are some basic Linux forensic tools that are usually used by digital forensic analysts to perform analysis on disk images.

dd – a tool used to clone a file, a disk partition, or even an entire disk. It is a bit-by-bit cloning tool, so the cloned file or device is 100% identical to the original as long as neither the clone nor the original is modified afterwards.

sfdisk and fdisk – tools used to see the partition structure of the disks in the computer.

grep – used together with other Linux commands such as ls or more; the output of that command is filtered so that only the lines matching the pattern given to grep are displayed.

loop device – allows us to mount an image without having to write the image back to a disk.

md5sum and sha1sum – create an MD5 or SHA-1 hash of a file. Used to authenticate that the evidence is valid (unchanged since it was acquired) before it is used.

file – a great tool to find out a file's type. This command analyzes the header information of a file, then matches it against its own database of known signatures.

xxd – a tool to view a file in hex.

If you want to know more about the tools above, just type “man [command]” in the terminal. And as I said before, these are the basic tools, so there are certainly stronger and smarter digital forensic tools out there. But still, we must know the basics first before using the advanced tools.