1 First Steps


What is forensics?

Types of forensics

Why Linux forensics?

General principles

Phases of investigation

High-level process

Building a toolkit


A natural question to ask yourself if you are reading a book on Linux forensics is: what is forensics anyway? If you ask different forensic examiners, you are likely to receive slightly different answers to this question. According to a recent version of the Merriam-Webster dictionary: “Forensic (n) belonging to, used in, or suitable to courts of judicature or to public discussion and debate.” Using this definition of the word forensic, my definition of forensic science is as follows:

Forensic science or forensics is the scientific collection of evidence of sufficient quality that it is suitable for use in court.

The key point to keep in mind is that we should be collecting evidence of sufficient quality that we can use it in court, even if we never intend to go to court with our findings. It is always easier to relax our standards than to tighten them later. We should also act like scientists, doing everything in a methodical and technically sound manner.

