Posted on

Linux Related Sites

This resources page contains a list of many authoritative Linux related sites and tools.

Please note that MacForensicsLab is not necessarily affiliated with any of the sites listed below. Opinions and facts posted on these sites are the responsibility of the respective site owner. We have posted these links as a service to the forensics, eDiscovery, and law enforcement communities and receive no revenue for their placement.

International Journal of Digital Evidence

The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.

The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.

The volume system (media management) tools allow you to examine the layout of disks and other media. The Sleuth Kit supports DOS partitions, BSD partitions (disk labels), Mac partitions, Sun slices (Volume Table of Contents), and GPT disks. With these tools, you can identify where partitions are located and extract them so that they can be analyzed with file system analysis tools.

When performing a complete analysis of a system, we all know that command line tools can become tedious. The Autopsy Forensic Browser is a graphical interface to the tools in The Sleuth Kit, which allows you to more easily conduct an investigation. Autopsy provides case management, image integrity, keyword searching, and other automated operations.


International Journal of Digital Evidence

ASR Data has been recognized as a leading authority in the field of computer investigations by the United States Department of Justice.

Quoted from the ASR website

In 1984 , ASR Data began providing custom software solutions to companies that needed vertical market software tailored to their specific requirements.

In 1992, ASR Data was asked to develop a software tool and methodology to support the unique requirements of the law enforcement community. At that time, conducting a computer investigation was a tedious, time consuming process which required the use of several single-purpose DOS command line utilities. Investigators were forced to image original media to tape or a disk, then restore the image to another disk. Searching the evidence was limited to one search term at a time and recovering deleted files was accomplished by using off-the-shelf software which was never designed to support the forensic process. Often times, the process changed data and analysts had to restore the image several times.

We sat down with leading authorities from the legal and law enforcement communities and took a close look at the forensic process and what was needed. One of the greatest challenges was the fact that there was no precedent for what we were trying to create. Nobody had done it before, there was no pattern to follow, no giants shoulders to stand on and no failures to learn from. As it turns out, this was also the greatest factor which enabled us to innovate and create something completely new. was first launched in 1996 by a handful of Open Source enthusiasts and security experts who recognized a void in the availability of accurate and insightful news relating to open source security issues. Led by Dave Wreski, who currently serves as chief executive officer of Guardian Digital, this group has grown into a global network of collaborators who devote their time to gathering and publicizing the latest security news, advisories and reports relevant to the Linux community. Headquartered in Guardian Digital’s offices in Allendale, New Jersey,’s editorial and web development staff also creates feature articles, commentaries and surveys designed to keep readers informed of the latest Linux advancements and to promote the general growth of Linux around the world.

The Coroners Toolkit

The Coroners Toolkit – a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after break-in. The software was presented first in a Computer Forensics Analysis class in August 1999.

According to the site,development of the Coroner’s Toolkit was stopped years ago. It is updated only for for bug fixes which are very rare, and after Wietse discovers that the programs no longer work on a new machine. Users of The Coroners Toolkit are encourage to use Brian Carrier’s Sleuthkit. It is the official successor of TCT. – Their main goal is to inform the public about every company, project and group that uses the Linux operating system and to report on the hard work of countless developers, programmers and individuals who strive everyday to improve on the Linux offerings in the marketplace.

Linux Journal

Linux Journal – Their mission is to serve the Linux community and to promote the use of Linux worldwide. As more and more people see Linux as a viable alternative to traditional OSes, Linux is increasingly being used as a primary operating system. Linux Journal focuses specifically on Linux and other open-source OSes, allowing the content to be a highly specialized source of information for open-source enthusiasts. is always evolving. Their goal is to give you all of the resources and information you need to make your experience with Linux a success.

Security-Enhanced Linux

Security-Enhanced Linux – As part of its Information Assurance mission, the National Security Agency has long been involved with the computer security research community in investigating a wide range of computer security topics including operating system security. Recognizing the critical role of operating system security mechanisms in supporting security at higher levels, researchers from NSA’s Information Assurance Research Group have been investigating an architecture that can provide the necessary security functionality in a manner that can meet the security needs of a wide range of computing environments.