Practical Linux Forensics
A Guide for Digital Investigators
Bruce Nikkel's reference for forensic analysts working post-mortem on Linux images: filesystems, journaling, logs, persistence locations, and the chain of custody discipline around them.
- Authors
- Bruce Nikkel
- Published
- 2021
- Publisher
- No Starch Press
- Pages
- 400
- Language
- English
Read this if
Incident responders and forensic analysts investigating modern Linux systems. Nikkel covers ext4 / XFS / Btrfs internals, systemd journaling, persistence locations, and the chain-of-custody discipline that distinguishes evidence from notes. The post-systemd reference the field needed.
Skip this if
Windows-only forensic analysts, or beginners without IR experience. The book assumes filesystem fluency and command-line forensics comfort.
Key takeaways
- Modern Linux forensics is not just "parse syslog"; systemd, journald, and the move to overlay-based containers each created new artifact classes.
- The book's coverage of persistence enumeration is the cleanest in print: cron, systemd units and timers, init.d scripts, and shell profile files are all named, with the on-disk paths to check.
- Most cloud workloads are Linux, which means most cloud-incident forensics is Linux forensics; the book is the right starting reference.
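The enumeration the second takeaway describes, written out as an added example; this is not code from the book or from Nikkel. It walks the persistence locations from a mounted image root rather than the live host, so every path is read from the evidence. Assumptions: the evidence filesystem is mounted read-only at the path given as ROOT, the locations are Debian/Red Hat defaults (other distributions differ), and the fixture it builds (the `beacon` files, the user `alice`) is constructed so the script runs offline. It also handles one pitfall of post-mortem work: an enabled unit's `.wants` link is an absolute symlink, so testing it with `-f` would resolve against the analyst's own host, not the image; the script reports the link target instead of following it.

```shell
#!/bin/sh
# Added example, not from the book: enumerate persistence locations
# (cron, systemd units/timers, init.d/rc scripts, shell profile files)
# from a MOUNTED IMAGE ROOT, never from the live host.
# Assumptions: evidence filesystem mounted read-only at ROOT; Debian/Red Hat
# default paths. Output: one line per artifact, "<class><TAB><path in image>".
set -u

# Print one artifact line.
emit() { printf '%s\t%s\n' "$1" "$2"; }

# Print every file under the image root matching the given glob patterns
# (relative to the root) under one class label. Symlinks are reported with
# their target and NOT followed: a .wants link is normally an absolute path,
# so "-f" on it would test the analyst host's filesystem, not the evidence.
emit_files() {
    class="$1"; ef_root="$2"; shift 2
    for pattern in "$@"; do
        for f in "$ef_root"$pattern; do    # $pattern unquoted on purpose: glob
            if [ -L "$f" ]; then
                emit "$class" "${f#"$ef_root"} -> $(readlink "$f")"
            elif [ -f "$f" ]; then
                emit "$class" "${f#"$ef_root"}"
            fi
        done
    done
}

# list_persistence ROOT: the four artifact classes, in order.
list_persistence() {
    r="$1"
    emit_files cron "$r" /etc/crontab /etc/anacrontab '/etc/cron.d/*' \
        '/etc/cron.hourly/*' '/etc/cron.daily/*' '/etc/cron.weekly/*' \
        '/etc/cron.monthly/*' '/var/spool/cron/crontabs/*' '/var/spool/cron/*'
    emit_files systemd "$r" '/etc/systemd/system/*.service' \
        '/etc/systemd/system/*.timer' '/etc/systemd/system/*.wants/*' \
        '/home/*/.config/systemd/user/*' '/root/.config/systemd/user/*'
    emit_files init "$r" '/etc/init.d/*' /etc/rc.local '/etc/rc*.d/S*'
    emit_files profile "$r" /etc/profile '/etc/profile.d/*' /etc/bash.bashrc \
        /etc/bashrc '/home/*/.profile' '/home/*/.bash_profile' '/home/*/.bashrc' \
        /root/.profile /root/.bashrc
}

# Constructed fixture so the example runs offline: a fake image root holding
# one artifact per class. A real run points list_persistence at the mount.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/systemd/system/multi-user.target.wants" \
             "$d/etc/init.d" "$d/etc/profile.d" "$d/home/alice"
    printf '* * * * * root /usr/local/bin/beacon\n' > "$d/etc/cron.d/beacon"
    printf '[Timer]\nOnBootSec=5min\nOnUnitActiveSec=10min\n' \
        > "$d/etc/systemd/system/beacon.timer"
    # Absolute target, as systemctl enable writes it: it refers to a path
    # inside the evidence, which does not exist on the analyst host.
    ln -s /etc/systemd/system/beacon.timer \
        "$d/etc/systemd/system/multi-user.target.wants/beacon.timer"
    printf '#!/bin/sh\n/usr/local/bin/beacon &\n' > "$d/etc/init.d/beacon"
    printf 'export PATH=/tmp/.x:$PATH\n' > "$d/etc/profile.d/zz-path.sh"
    printf 'alias sudo=/tmp/.x/sudo\n' > "$d/home/alice/.bashrc"
    printf '%s\n' "$d"
}

# Usage: sh persist.sh /mnt/evidence   (no argument: scan the fixture)
if [ $# -gt 0 ]; then
    list_persistence "$1"
else
    sample=$(make_sample_root)
    list_persistence "$sample"
    rm -rf "$sample"
fi
```

Against the fixture this prints six lines: the cron.d entry, the timer unit and its `.wants` link with its target, the init.d script, and the two profile files. The same discipline applies to the journal: read the image's copy with `journalctl -D /mnt/evidence/var/log/journal` rather than letting journalctl default to the live host's journal.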
Notes
Pair with Practical Packet Analysis (Sanders) for the network side and with The Practice of Network Security Monitoring (Bejtlich) for the program-level frame. Nikkel's earlier book Practical Forensic Imaging is the natural prerequisite if you don't already know acquisition. Required reading for any IR analyst handling cloud or container investigations.
What to read before
What to read before Practical Linux Forensics
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
Intermediate · 2014
Incident Response and Computer Forensics
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
What to read next
What to read after Practical Linux Forensics
Intermediate · 2014
Incident Response and Computer Forensics
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.
Advanced · 2020
Building Secure and Reliable Systems
Google's site-reliability and security teams jointly write down what it actually takes to build systems that are both safe and dependable, from threat models and design reviews to rollback culture and crisis response.
Explore similar books
Alternatives to Practical Linux Forensics
Intermediate · 2014
Incident Response and Computer Forensics
Luttgens, Pepe, and Mandia's working playbook for running an enterprise IR engagement: pre-engagement readiness, evidence acquisition, network and host forensics, and the project-management discipline that separates a controlled response from a panic.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.
Intermediate · 2021
Designing Secure Software
Loren Kohnfelder, whose 1978 MIT thesis introduced the digital certificate, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.