Forensics Tools for Linux

You will quickly discover that most of the major forensics tools meant to examine Windows machines, although they will work on a Linux disk image, provide far less information about it. For this reason it may be necessary to examine the image directly. This does not mean you should simply start poking around on a live Linux machine. You still need to create a forensic image of the machine and verify that image using an appropriate hashing algorithm. But once you have such an image, you might find that the forensics tools you have used don't tell you much. At that point, the next step is to mount the image as if it were a virtual machine.

You cannot simply boot an image file as if it were a virtual machine; you need a tool to do that for you. There are various instructions on the Internet on how to convert a forensic image into a virtual machine for use with VMWare Workstation, Oracle Virtual Box, or other similar products. However, some of these methods are somewhat tedious, and not all of them work in every situation.

The forensic tool ForensicExplorer (http://www.forensicexplorer.com) will allow you to mount any forensic image as a virtual machine. Then you log on to the machine and interact with it as you would a live machine, with one major exception: This is a read-only forensic image. Now you can navigate to the folders and logs we mentioned earlier in this chapter. You can also execute shell commands and gather information on the target system. This will frequently be the best approach to forensically examining a Linux machine.
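The two steps the chapter insists on before any direct examination are verifying the image against its acquisition hash and touching it only read-only. The following script is an added example, not code from the chapter or from ForensicExplorer; it uses only the Python standard library, builds a small constructed MBR image for demonstration, verifies a SHA-256 hash over it in chunks, parses the partition table, and prints the Linux `mount` line that exposes one partition read-only through a loop device (the mount point `/mnt/evidence` and the sample image are assumptions). It goes slightly beyond the text by handling multi-partition images via `offset`/`sizelimit` rather than mounting the whole disk.

```python
"""Verify a forensic disk image and derive a read-only mount for its partitions.

Added example, not the chapter's own code. Standard library only; the sample
image, its partition layout and the mount point are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct
import tempfile

SECTOR = 512                      # MBR LBA addresses count 512-byte sectors
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446           # first of four 16-byte partition entries
LINUX_PART_TYPE = 0x83


def sha256_file(path, chunk=1 << 20):
    """Hash the image in 1 MiB chunks so a multi-GB file never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex):
    """True only if the image still matches the hash recorded at acquisition time."""
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.lower())


def parse_mbr_partitions(path):
    """Read the four primary MBR entries and return the non-empty ones."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature (GPT disk or damaged image?)")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        fields = struct.unpack("<B3BB3BII", entry)
        ptype, lba_start, sectors = fields[4], fields[8], fields[9]
        if ptype == 0 or sectors == 0:
            continue              # unused slot
        parts.append({
            "index": i + 1,
            "type": ptype,
            "offset_bytes": lba_start * SECTOR,
            "size_bytes": sectors * SECTOR,
        })
    return parts


def mount_command(image_path, part, mountpoint="/mnt/evidence"):
    """Build the mount line: read-only, confined to one partition by offset/sizelimit.

    For ext3/ext4 add 'noload' as well, so the kernel does not replay the
    journal; a replay changes what the evidence appears to contain.
    """
    opts = (f"ro,noexec,nodev,loop,offset={part['offset_bytes']},"
            f"sizelimit={part['size_bytes']}")
    return f"mount -o {opts} {image_path} {mountpoint}"


def build_sample_image(path=None):
    """Constructed 2 MiB image: one Linux partition of 2048 sectors starting at LBA 2048."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".dd")
        os.close(fd)
    mbr = bytearray(SECTOR)
    entry = struct.pack("<B3BB3BII", 0x00, 0, 0, 0, LINUX_PART_TYPE, 0, 0, 0, 2048, 2048)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = MBR_SIGNATURE
    with open(path, "wb") as f:
        f.write(mbr)
        f.write(b"\x00" * (4096 * SECTOR - SECTOR))   # pad to 4096 sectors total
    return path


if __name__ == "__main__":
    img = build_sample_image()
    acquisition_hash = sha256_file(img)   # in practice taken from the acquisition log
    print("image verified:", verify_image(img, acquisition_hash))
    for p in parse_mbr_partitions(img):
        print(mount_command(img, p))
```

Run the hash check again after the examination is finished; a matching digest is the evidence that the read-only mount really did leave the image untouched.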
