News

-Version 4.30 released: 10 Sept 2017
-Version 3.78 released: 8 Dec 2008
-Version 3.65 released: 3 Sept 2008
-Version 3.21 released: 12 Dec 2007
-Version 3.20 released: 22 Oct 2007
-Linux LEO Goes Live: 22 Oct 2007

Documents

The Beginner's Guide v4.30 (PDF)
Readme File (txt)
Change log (txt)

Supplemental Files

GPT Partition Image (gptimage.raw.gz)
Fat File System Image (fat_fs.raw)
"Able2" Ext2 Disk Image (able2.tar.gz)
"Able3" Ext4 Disk Image (able_3.tar.gz)
Practice Log Archive (logs.v3.tar.gz)
Carve Image (image_carve_2017.raw)
NTFS Image (ntfs_Pract_2017_E01.tar.gz)
SHA1 Checksums (sha1.txt)

Community Resources

Linux Forensics (Yahoo Group)
Sleuthkit (Mail list)
LinuxQuestions.org (Linux Forums)
Forensic Focus (Forum)

Slackware Information

The Slackbook (slackbook.org)
LinuxQuestions.org (Slackware Forum)
Robby Workman's Pages (rlworkman.net)
Slackbuilds Software (slackbuilds.org)

Feedback

E-mail me: here

Welcome to Linux LEO

You have reached the home of the Law Enforcement and Forensic Examiner's Introduction to Linux, a Comprehensive Beginner's guide to Linux as a Computer Forensic Platform.

Recent News (September 2017)

Well, here we are. After almost 10 years, the LinuxLeo guide has been updated. We've gone from around 190 pages to up over 300. Much has changed in the past 10 years, but I've almost continuously received requests for a guide that is better matched to current software releases. In the intervening years since the previous version was released in 2008, we have seen a massive growth in the availability of Linux software for forensics. Or, more precisely, open source software. Many of these new utilities now run on Windows and Mac as well, forcing us to re-address the usefulness of Linux as a forensic platform. This new 2017 version of the guide expands the exercises and content to cover some of these new tools. But more importantly it provides more of a "platform" approach to Linux, providing some introduction into the configuration and maintenance of Linux. This new version of the guide still concentrates on tools, but also tries to impart the idea that Linux is a platform that forensic examiners need to know and maintain to use effectively and safely.

As always, I'm open to comments and suggestions. At over 300 pages, the guide will likely have some typos and errors. I don't have an Editor, just a few kindly souls that volunteer their time to help find my mistakes. We all miss some along the way - don't be shy!

New YouTube Channel

Videos will be periodically produced and put up on YouTube. Some will be on basic installation and configuration of Linux, with emphasis (where applicable) on forensic deployment. Others will be basic demonstrations of the material and exercises covered in the guide for those that want some visual "walk through" assistance. Sparse for now, more content will be added. Subscribe to be notified!

You can reach the YouTube Channel through this link --> LinuxLEO YouTube.

The Purpose of this Site

This site is intended to be a simple online repository for the guide document I've written to assist members of the computer forensic community learn more about Linux and its potential as a forensic tool. This is NOT meant to be another "community portal" with forums and articles, etc. There are already plenty of those around (see "Resources" on the left). Feel free to e-mail me at any time with any questions, comments or flames. Feedback is exceedingly important to me. Positive or negative...

The Guide

The Law Enforcement and Forensic Examiner's Introduction to Linux is my repayment to the community. When I first started to learn how to use Linux as a forensic tool, I had help from plenty of people. I look at this guide as my way of continuing that spirit of sharing knowledge. The first version of the guide was written for a class I was asked to assist with in late 1999. This is now the fourth major revision.

About the Author

I am a Senior Criminal Investigator (Special Agent) with a Federal Agency of the US Government. I first started using Linux around 1993.

This Web site and the documents found here are my own work and do not reflect the views of or constitute official policy of any Federal Agency. This Web site is not approved or endorsed by the US Government.