why Investigating Linux Forensics is important

Why do we need to learn Linux Forensics? Well, nowadays when you look at the number of tools available on different penetration testing systems running Linux, you should stop and ask yourself a basic question "are these tools and systems, always gonna be used for ethical purposes?".

The answer is definitely, NO! Another reason to consider Linux forensics, is you arrive to the crime scene and you find out that your suspect’s desktop is a Linux operating system! If you don’t have the proper skillset, you will be shocked and start to question your knowledge, ability, and skillset. What should I do?

Do I have the skills required to collect data from this system? Where should I look for data and artifacts? What do these artifacts even look like? How can we identify and track user activity? etc.

Training Delivery Details

Instructor Led Training

Live Training: Instructor ( Two Days - 10 hours ) | Certification of Attendance

The course material includes full access to our

Sessions starts from 9 AM to 2 PM (Eastern Time) or scheduled upon a mutual agreement

Pricing Options

Please make sure you select the enrollment schedule that works best for you. If none of these work and you are still interested in our training, please contact us.


    June, TBD
    Two Days - 10 hours


    Buy Now

    5 Seats - Private Class


    Buy Now


At the completion of this two day live training, you will possess the necessary know-how to effectively and efficiently investigate a compromised Linux system, learn where to find system and application artifacts, and recover deleted data.

    Introduction to Linux

  • Introduction to Linux Forensics
  • Understanding the Linux FHS
  • Understanding and Investigating Core Linux Components

  • Essential Tools and Techniques

  • Linux Boot Process
  • Linux System and Service Managers
  • Acquisition
  • Searching and Navigation Linux Systems

  • System Analysis

  • Searching and Navigation Linux Systems
  • Network Services & Network Connections
  • Searching Devices & Volumes
  • Variables, Shells, Profiles, Cronjobs, etc
  • Users & Groups
  • Processes & Applications

    File Systems and Log Analysis

  • Intro. to Linux EXT4 File System
  • Analysis Using The Sleuth Kit (TSK)
  • Analysis Using DebugFS
  • Analyzing Linux Logs
  • The ProcFS & TmpFS File Systems

    GUI & USB Forensics

  • Investigating Linux GUI
  • Investingating Linux Desktop Environments
  • Linux USB Forensics

    Writing Forensics Reports

  • What Is The Forensics Report?
  • The Importance of Forensics Report
  • Forensics Report Sections
  • Reporting Standards And Guidelines
  • Conclusions And Recommendation

  • Hands-on Labs

  • Case #1 - Investigating a Compromised Web Server
  • Case #2 - Investigating Suspicious Processes
  • Case #3 - Investigating a Kali Linux Systems
  • Case #4 - Investigating a Compromised Cluster
  • Case #5 - Traffic Acquisition and Analysis
  • Case #6 - Investigating Linux Desktop Environments
  • Case #7 - Investigating a Compromised Web Server #2
  • Case #8 - Timeline Analysis


Ali Hadi is a highly accomplished and experienced Senior Cybersecurity Specialist with 14+ years of professional experience in Information Technology. He is currently working as a full-time professor and researcher at the Computer and Digital Forensics and Cybersecurity Departments of Champlain College, USA. Ali is a Co-Founder and the Chief Technology Officer of Cyber 5W. He holds a PhD and MSc degree in Computer Information Systems, as well as a BSc degree in Computer Science. Throughout his professional career, Ali has earned more than 20 professional certifications. Ali is a sought-after consultant in the field of cybersecurity, offering expertise in areas such as digital forensics, incident response, adversary simulation, offensive security, and malware analysis. He is also an established author, speaker, and freelance instructor, having provided technical training to government and private firms as well as other organizations. Ali continues to be an influential figure in the digital forensics community and is dedicated to promoting forensics education and research. More details could be found here or contact him directly through twitter here.

Investigating Linux Systems Certificate of Attendence

What will you earn at the end of the course?

  • Certificate of Attendance

    These two days count as 10 hours of Continuing Education Unit (CEU) Credits which could be used for your professional development.

  • Experiential Learning

    This training includes more than 10 hands-on labs that cover what you need to get started and dive into investigating Linux systems.

  • Trusted Training

    A partial version of this training has been covered in our Linux Forensics workshops at different conferences and events.

Learning Objectives

After completing this training, will be capable of:

  • Searching through the FHS

  • Working with volumes and mounting forensic case images

  • Search in log files

  • Using TSK to list forensic image info and work with EXT4 file systems

  • Use debugfs and EXT4 journals to recover deleted files

  • Tracking running processes

  • Using the ProcFS to the benefit of your IR

  • Extracting processes from memory

  • Generating and filtering a super timeline


what should you know before taking the course

This course assumes no previous knowledge in Linux operating systems, however basic knowledge in digital forensics is highly recommended.

Who is this Training For?

why should you take this training

Anyone who wants to perform Linux investigations, SOC team members, incident response handlers, red team members, malware analysts, and anyone who is curious to know about Linux digital forensics and wants to learn something new.

System Requirements:

what you need to for the course

  • Computer or laptop with a Linux (Tsurugi Linux is recommended) and a Windows or Mac Operating System
  • Capability of running virtualization software such as VMWare or VirtualBox
  • More than 100 GB of disk space for the Virtual Machines and Forensic Images used
  • Eric Zimmerman's Timeline Explorer

Cancellation Policy:

Info you need to know to get a refund

Full refunds will be provided up to 14 days before the course start date. You are allowed to change the course schedule up to 10 days before the course starts.