Part II: Exploring System Abstractions

In the second part of the book we explore the abstractions of files, processes and systems. We start at the surface with the visible abstractions, and then explore the less visible abstractions underneath. As we go deeper we must remain aware of those higher-level abstractions to retain the context of the data at hand. In this part of the book, our main motivation to look under the hood is not so much to discover information, but to judge the trustworthiness of our observations.

In Chapter 3, "File system basics", we present the principles and implementation strategies behind popular UNIX file systems, and learn to look at their properties from a forensic analyst's point of view.

Chapter 4, "File system analysis", builds on Chapter 3 and unravels an intrusion in great detail. We look at existing and deleted information, and correlate our observations in order to determine their consistency.

Chapter 5, "Systems and subversion", is about the environment in which user processes and operating systems execute. We look at subversion of observations, ranging from straightforward changes to system utilities to almost undetectable malicious kernel modules, and discuss the possibilities and impossibilities of detecting such subversion.

In Chapter 6, "Malware analysis basics", we present techniques to find out the purpose of a process or a program file that was left behind after an intrusion. In order to do so we must discuss safeguards to prevent malware from escaping, and the limitations of those safeguards.

This part of the book is not for the faint of heart. We expect familiarity with UNIX or UNIX-like file systems, and with general computer system architecture principles.