0345 4506120

Certified Linux Forensic Investigation

This 2 day Linux Forensic Investigation training course is designed to equip you with the knowledge and skills to navigate, identify, capture and examine data from Linux based systems. 

The course will provide you with a practical understanding from a forensic perspective of how to deal with a Linux system, and requires no previous Linux knowledge. You will develop a core understanding of the file system data structures and key files so that they can be confident capturing potential digital evidence.  Throughout the course, you will apply this knowledge in hands-on exercises to demonstrate and reinforce their understanding, using both a Linux environment and Windows based forensic software.

Target Audience:

This course is ideally suited to those who are looking to extend their knowledge of this increasingly popular operating system, including:

  • Incident response team members
  • Law enforcement officers & agents
  • Digital investigators
  • IT security officers
  • System/Network Administrators/Engineers
  • eDiscovery consultants.

Learning Objectives

Upon completion of the course, participants will have used a Linux System to:

  • Familiarise themselves with both Linux GUI and command line environments.
  • Demonstrate how Linux can be used for forensic imaging.
  • Capture RAM and basic volatile data from a live Linux system. (Note: This is not network identification or network traffic capture)

and forensic software and an image of a Linux system to:

  • Examine ext3 and ext4 file system structures
  • Identify core system information
  • Explore system log files for artefacts including; boots, logins and device connection
  • Examine user artefacts including; recent activity, thumbnails and printing.


An understanding of digital forensic principles and practices e.g. prior attendance on 7Safe's Certified Forensic Investigation Practitioner (CFIP) course. This course assumes no Linux experience and will equip delegates with the knowledge and skills to capture data from and examine Linux based systems.

Course Content

  • What is Linux? Overview of flavours (distributions)
  • Key differences between Linux and Windows forensics
  • Linux concepts, privileges and permissions
  • Linux disk layouts and key directories
  • Navigating a Linux system and commonly used command line utilities
  • Understanding devices and disk mounting
  • Data collection from and using Linux systems
  • Capturing volatile data including RAM
  • Built-in forensic applications i.e dd for imaging and disk wiping
  • Overview of file system compatibility, ext2, 3 and 4
  • Ext file systems How disks are mapped and data stored
  • Problems associated with recovering data from ext file systems
  • System information from a forensic image
  • Log files, where to find them and nature of content
  • Devices connected and disks mounted
  • User accounts – identification, passwords and permissions
  • Introduction to memory analysis
  • User system navigation, execution and printing
  • Linux in Business - FTP servers, databases, mail, web-servers
  • Capturing and process for log file examination using Linux

Privacy Notice

In order to provide you with the service requested we will need to retain and use your contact information in accordance with our Privacy Notice. If you choose to provide us with this information you explicitly consent to us using the information as necessary to provide the request service to you. If you do not agree please do not proceed to request the service from us.

Marketing Permissions

Would you like to receive our newsletter and other information on products and services which we think will be of interest to you by email. We will always treat your information with care and in accordance with our Privacy Notice. You are free to withdraw this permission at any time.


Our Customers Include