File Systems
ext2, ext3, ext4, ReiserFS, XFS, JFS, Btrfs.
Logical backup - copies files only; it does not copy everything: slack space, free space and deleted files are lost. Imaging - bit-by-bit copy of the whole device. Should not be done on a live system!
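An added example (not from these notes) of the imaging step in practice: a bit-for-bit copy with dd, followed by hashing source and image so the copy can be shown to be faithful and later proven unaltered. To run unprivileged it images a constructed 64 KiB file of random bytes standing in for the device; the `/dev/sdb` path mentioned in the comments is an assumed placeholder for an offline, write-blocked disk.

```shell
# Added example, not part of the original notes: bit-for-bit imaging with dd
# plus sha256 verification. The "device" here is a constructed file so the
# script runs without root; on a real case SRC would be a device path behind
# a write blocker (assumed placeholder: /dev/sdb), never a mounted live volume.

# sha256 of a file; sha256sum (coreutils) with a shasum fallback
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build a constructed 64 KiB "device" of random bytes at $1.
# Its size is a multiple of the dd block size, so conv=sync adds no padding.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=4096 count=16 2>/dev/null
}

# image_device SRC DEST: copy SRC to DEST block by block, then compare hashes.
# Returns 0 if the image hashes identically to the source, 1 otherwise.
# conv=noerror,sync keeps dd going past unreadable blocks and zero-fills them,
# so byte offsets in the image still line up with the source.
image_device() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dest")
    # Print both hashes; in a real acquisition these go into the case log.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dest"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image SRC IMG: re-check an existing image against its source later
# (e.g. before analysis) to show it has not changed. 0 = match, 1 = mismatch.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# End-to-end demo: image the sample device, confirm the hashes match, then
# show that changing even 16 bytes of a copy makes verification fail.
demo_imaging() {
    work=$(mktemp -d)
    make_sample_device "$work/disk.raw"
    image_device "$work/disk.raw" "$work/disk.dd" || { rm -rf "$work"; return 1; }
    cp "$work/disk.dd" "$work/tampered.dd"
    dd if=/dev/zero of="$work/tampered.dd" bs=16 count=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/disk.raw" "$work/tampered.dd"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

# Run the demo when executed directly: sh imaging.sh
[ "${0##*/}" = "imaging.sh" ] && demo_imaging
```

The hash comparison is the part the notes leave implicit: an image is only evidence if you can show it equals what was on the device at acquisition time, which is why both hashes are recorded before anything is mounted or analysed. Note that the block size must divide the device size exactly, otherwise `conv=sync` pads the final block and the hashes will not match.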
Live Acquisition
https://github.com/Dead-Simple-Scripts/AutoLLR - automatically collects live-response info. Quite a heavy footprint, but if we are not collecting RAM that is not the biggest issue.
References
https://www.sans.org/presentations/long-live-linux-forensics/
https://www.sans.org/blog/getting-started-with-linux-memory-forensics/
https://www.sans.org/blog/digital-forensics-ps3-linux-file-system-analysis-and-network-forensics/
https://www.sans.org/blog/bring-me-my-pipe/