README.TXT
September 2008

The Law Enforcement and Forensic Examiner's Introduction to Linux, A Practitioner's Guide.

This guide is targeted at computer forensic investigators interested in learning more about the GNU/Linux operating system. It assumes no prior experience with Linux.

This guide does not aim to be a "how-to" for conducting forensic examinations. It is designed to introduce the tools available to investigators using Linux. The tools are introduced through a series of practical exercises, allowing for a "hands on" approach.

Many new Linux users will install the OS and then wonder what to do next. This guide was written to address that by providing a guided path that allows investigators to focus their Linux learning experience on what is of interest to them - Linux as a forensic tool.

The guide has been updated to recent versions of Linux (specifically Slackware) and has several more hands-on exercises than the previous versions. Many of these were added as a result of experiences in classrooms, where the same questions kept popping up. More exercises are added as requests come in for more information and hands-on material. Future versions of the guide will take a more comprehensive approach, with more realistic exercises targeted at a complete examination.

The following files are part of the Introduction to Linux for Law Enforcement and Forensic Examiners:

1) linuxintro-LEFE-3.65.pdf: The guide itself in PDF format.

2) practical.floppy.dd: A dd image of a 1.44Mb floppy disk for the initial exercises. The disk was created with a Win9x system.

3) image_carve.raw: A "raw" chunk of data used in a dd carving exercise.

4) logs.v3.tar.gz: A gzip-compressed tar archive containing a set of messages logs from a Unix system, for use with a command line exercise on data parsing and organization.

5) able2.tar.gz: A gzip-compressed tar archive containing a forensic (dd) image of a 330Mb Linux system that was compromised. The archive contains the dd image along with a collection log and md5sums of the original disk and the image.

6) ntfs_pract.dd.gz: A gzip-compressed image of an NTFS disk with several deleted files and images for use in forensic exercises.

7) ntfs_pract.E01: An Expert Witness format forensic image of the same disk as #6 for use in forensic exercises.

Any questions, comments or critique are welcome.

Barry J. Grundy
bgrundy@LinuxLEO.com