Linux as an Investigative Tool, part 2

Title: Linux as an Investigative Tool, part 2
Duration: 1 Week

Course Aim

This is the second part of a two-part course encompassing a Basic Linux component and a Linux Forensic Application component.

The aim of this course is to build on the skills acquired in Linux Part One. This second part will concentrate on the forensic application of Linux and is designed to equip forensic examiners with the in-depth knowledge necessary to recover and produce evidence from seized computers using the Linux operating system. This will also enable them to better assemble evidence for the court that is clear and supportive of evidential needs. Training will encompass latest best practice, technologies and techniques available to Law Enforcement Specialists.


Students are expected to have successfully participated in basic training for High Tech Crime Investigators. They will have normally completed the ECTEG Introductory IT Forensics and Network Investigations Course.

It is also highly recommended that students have also completed the ECTEG Linux as an Investigative Tool – Part One. Prior to commencement of the course, they should ensure that they are familiar with the following:

  • Basic Linux shell knowledge – commands such as cd, ls, man etc
  • Installing applications on Linux from tar files (.tar, .tar.gz, .tgz) using make command
  • Installing applications on Linux using package files

Students will need to be able to understand and communicate in English.

Small list of agenda / topics / main points

  • Forensic File Formats
  • String Search
  • Information Gathering & Acquisition Tools
  • Evidence Acquisition Tools; Keyword Search
  • Use of the File System; Undelete Files
  • Timeline, File Headers, Finding Pictures, Finding Metadata
  • Script Basics,
  • …/… undisclosed topics

If you are interested in applying for this course please read the following page