Textbook The Law Enforcement and Forensic Examiner S Introduction To Linux A Comprehensive Beginner S Guide To Linux As A Digital Forensic Platform Barry J Grundy Ebook All Chapter PDF

The Law Enforcement and Forensic
Examiner s Introduction to Linux A

Comprehensive Beginner s Guide to
Linux as a Digital Forensic Platform
Barry J. Grundy
Visit to download the full and correct content document:
https://textbookfull.com/product/the-law-enforcement-and-forensic-examiner-s-introdu
ction-to-linux-a-comprehensive-beginner-s-guide-to-linux-as-a-digital-forensic-platfor
m-barry-j-grundy/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Linux Administration a Beginner s Guide Wale Soyinka
https://textbookfull.com/product/linux-administration-a-beginner-
s-guide-wale-soyinka/
Practical Forensic Imaging Securing Digital Evidence

with Linux Tools 1st Edition Bruce Nikkel
https://textbookfull.com/product/practical-forensic-imaging-
securing-digital-evidence-with-linux-tools-1st-edition-bruce-
nikkel/
Forensic Anthropology: A Comprehensive Introduction,

Second Edition Natalie R. Langley
https://textbookfull.com/product/forensic-anthropology-a-
comprehensive-introduction-second-edition-natalie-r-langley/
WordPress fundamentals A comprehensive beginner s guide

to WordPress 3rd Edition Kathleen Peterson
https://textbookfull.com/product/wordpress-fundamentals-a-
comprehensive-beginner-s-guide-to-wordpress-3rd-edition-kathleen-
peterson/
Scala Programming A comprehensive beginner s guide to
Scala 2nd Edition Claudia Alves
https://textbookfull.com/product/scala-programming-a-
comprehensive-beginner-s-guide-to-scala-2nd-edition-claudia-
alves/
Digital Forensic Art Techniques A Professionals Guide

to Corel Painter First Edition Natalie Murry
https://textbookfull.com/product/digital-forensic-art-techniques-
a-professionals-guide-to-corel-painter-first-edition-natalie-
murry/
Forex Trading A Comprehensive beginner s guide to learn

the realms of Forex trading from A Z Oliver Morrison
https://textbookfull.com/product/forex-trading-a-comprehensive-
beginner-s-guide-to-learn-the-realms-of-forex-trading-from-a-z-
oliver-morrison/
Alcohol, Drugs, and Impaired Driving-Forensic Science

and Law Enforcement Issues 1st Edition A. Wayne Jones
(Editor)
https://textbookfull.com/product/alcohol-drugs-and-impaired-
driving-forensic-science-and-law-enforcement-issues-1st-edition-
a-wayne-jones-editor/
Mastering Linux Shell Scripting a practical guide to

Linux command line Bash scripting and Shell programming
Ebrahim
https://textbookfull.com/product/mastering-linux-shell-scripting-
a-practical-guide-to-linux-command-line-bash-scripting-and-shell-
programming-ebrahim/
The Law Enforc m nt and For nsic Examin r’s
Introduction to Linux
A Compr h nsiv B ginn r’s Guid to Linux as a Digital For nsic

Platform
V rsion 4.33
Jun 2018
Barry J. Grundy
[email protected]
v.4.33 A Comprehensive Beginner’s Guide to Linux as a Digital Forensic Platform
LEGALITIES................................................................................................................................ 5
ACKNOWLEDGMENTS..................................................................................................................... 5
FOREWORD............................................................................................................................... 6
A WORD ABOUT THE “GNU” IN GNU/LINUX.......................................................................................7
WHY LEARN LINUX?.................................................................................................................... 7
WHERE’S ALL THE GUI TOOLS?....................................................................................................... 9
THE EXERCISES – NEW AND OLD..................................................................................................... 9
LINUXLEO YOUTUBE CHANNEL..................................................................................................... 10
CONVENTIONS USED IN THIS DOCUMENT............................................................................................ 10
I. INSTALLATION..............................................................................................................12
DISTRIBUTIONS......................................................................................................................... 12
SLACKWARE AND USING THIS GUIDE...........................................................................................14
INSTALLATION METHODS............................................................................................................... 15
SLACKWARE INSTALLATION NOTES.................................................................................................... 15
SYSTEM USERS......................................................................................................................... 17
ADDING A NORMAL USER........................................................................................................ 17
THE SUPER USER................................................................................................................. 18
DESKTOP ENVIRONMENT............................................................................................................... 19
THE LINUX KERNEL.................................................................................................................... 20
KERNEL AND HARDWARE INTERACTION...............................................................................................20
HARDWARE CONFIGURATION..................................................................................................... 21
KERNEL MODULES................................................................................................................ 22
HOTPLUG DEVICES AND UDEV................................................................................................... 24
HOT PLUGGING DEVICES AND DESKTOPS......................................................................................25
II. LINUX DISKS, PARTITIONS AND THE FILE SYSTEM........................................27
DISKS................................................................................................................................... 27
DEVICE NODE ASSIGNMENT – LOOKING CLOSER....................................................................................30
THE FILE SYSTEM...................................................................................................................... 32
MOUNTING EXTERNAL FILE SYSTEMS................................................................................................ 33
THE MOUNT COMMAND.......................................................................................................... 34
THE FILE SYSTEM TABLE (/ETC/FSTAB)........................................................................................37
DESKTOP MOUNTING............................................................................................................. 38
III. THE LINUX BOOT SEQUENCE (SIMPLIFIED).....................................................41
BOOTING THE KERNEL.................................................................................................................. 41
SYSTEM INITIALIZATION................................................................................................................ 42
RUNLEVEL............................................................................................................................... 42
GLOBAL STARTUP SCRIPTS............................................................................................................ 43
SERVICE STARTUP SCRIPTS........................................................................................................... 44
BASH.................................................................................................................................... 44
IV. BASIC LINUX COMMANDS......................................................................................46
LINUX AT THE TERMINAL............................................................................................................... 46
ADDITIONAL USEFUL COMMANDS...................................................................................................... 48
COMMAND LINE MATH................................................................................................................ 50
BC – THE BASIC CALCULATOR..................................................................................................... 50
BASH SHELL ARITHMETIC EXPANSION........................................................................................... 52
FILE PERMISSIONS...................................................................................................................... 53
PIPES AND REDIRECTION.............................................................................................................. 54
2
FILE ATTRIBUTES....................................................................................................................... 57
METACHARACTERS..................................................................................................................... 59
COMMAND HINTS...................................................................................................................... 59
V. EDITING WITH VI........................................................................................................60
THE JOY OF VI......................................................................................................................... 60
VI COMMAND SUMMARY................................................................................................................ 61
VI. CONFIGURING A FORENSIC WORKSTATION...................................................62
SECURING THE WORKSTATION........................................................................................................ 62
CONFIGURING “RC” (STARTUP) SERVICES......................................................................................63
HOST BASED ACCESS CONTROL................................................................................................ 66
HOST BASED FIREWALL WITH IPTABLES......................................................................................... 71
UPDATING THE OPERATING SYSTEM.................................................................................................. 75
USING SLACKPKG.................................................................................................................. 76
INSTALLING AND UPDATING “EXTERNAL” SOFTWARE...............................................................................78
COMPILING FROM SOURCE....................................................................................................... 78
USING DISTRIBUTION PACKAGES................................................................................................80
BUILDING PACKAGES – SLACKBUILDS..........................................................................................81
USING THE AUTOMATED PACKAGE TOOL SBOTOOLS...........................................................................85
VII. LINUX AND FORENSICS.........................................................................................91
EVIDENCE ACQUISITION................................................................................................................ 91
ANALYSIS ORGANIZATION........................................................................................................ 91
WRITE BLOCKING................................................................................................................. 93
EXAMINING THE PHYSICAL MEDIA INFORMATION...............................................................................94
HASHING MEDIA.................................................................................................................. 99
COLLECTING A FORENSIC IMAGE WITH DD....................................................................................100
DD AND SPLITTING IMAGES..................................................................................................... 102
ALTERNATIVE IMAGING TOOLS................................................................................................. 105
DC3DD........................................................................................................................... 106
LIBEWF AND EWFACQUIRE....................................................................................................... 113
MEDIA ERRORS - DDRESCUE................................................................................................... 123
IMAGING OVER THE WIRE...................................................................................................... 132
OVER THE WIRE - DD.......................................................................................................... 135
OVER THE WIRE - DC3DD..................................................................................................... 136
OVER THE WIRE - EWFACQUIRESTREAM.......................................................................................138
OVER THE WIRE – OTHER OPTIONS.........................................................................................140
PREPARING A DISK FOR THE SUSPECT IMAGE................................................................................145
FINAL WORDS ON IMAGING.................................................................................................... 147
MOUNTING EVIDENCE................................................................................................................ 148
STRUCTURE OF THE IMAGE..................................................................................................... 148
IDENTIFYING FILE SYSTEMS.................................................................................................... 150
THE LOOP DEVICE.............................................................................................................. 151
LOOP OPTION TO THE MOUNT COMMAND......................................................................................151
LOSETUP.......................................................................................................................... 152
MOUNTING FULL DISK IMAGES WITH LOSETUP...............................................................................154
MOUNTING MULTI PARTITION IMAGES WITH KPARTX.........................................................................157
MOUNTING SPLIT IMAGE FILES WITH AFFUSE.................................................................................160
MOUNTING EWF FILES WITH EWFMOUNT....................................................................................164
ANTI-VIRUS – SCANNING THE EVIDENCE FILE SYSTEM WITH CLAMAV........................................................166
BASIC DATA REVIEW ON THE COMMAND LINE....................................................................................170
3
FILE LISTING.................................................................................................................... 175

MAKING A LIST OF FILE TYPES................................................................................................ 177
VIEWING FILES.................................................................................................................. 178
SEARCHING ALL AREAS OF THE FORENSIC IMAGE FOR TEXT...............................................................181
VIII. ADVANCED (BEGINNER) FORENSICS.............................................................186
THE COMMAND LINE ON STEROIDS................................................................................................ 186
FUN WITH DD....................................................................................................................... 193
DATA CARVING WITH DD..................................................................................................... 194
CARVING PARTITIONS WITH DD...............................................................................................197
RECONSTRUCTING THE SUBJECT FILE SYSTEM STRUCTURE (LINUX).......................................................201
IX. ADVANCED ANALYSIS TOOLS..............................................................................205
THE LAYER STRATEGY FOR APPROACHING ANALYSIS.............................................................................206
SLEUTH KIT.......................................................................................................................... 208
SLEUTH KIT INSTALLATION..................................................................................................... 210
SLEUTH KIT EXERCISES........................................................................................................ 211
SLEUTH KIT EXERCISE #1A – DELETED FILE IDENTIFICATION AND RECOVERY (EXT2).................................212
SLEUTH KIT EXERCISE #1B – DELETED FILE IDENTIFICATION AND RECOVERY (EXT4).................................222
SLEUTH KIT EXERCISE #2A – PHYSICAL STRING SEARCH & ALLOCATION STATUS (EXT2)...........................226
SLEUTH KIT EXERCISE #2B – PHYSICAL STRING SEARCH & ALLOCATION STATUS (EXT4)...........................233
SLEUTH KIT EXERCISE #3 – UNALLOCATED EXTRACTION & EXAMINATION..............................................236
SLEUTH KIT EXERCISE #4 – NTFS EXAMINATION: FILE ANALYSIS......................................................242
SLEUTH KIT EXERCISE #5 – NTFS EXAMINATION: ADS................................................................247
SLEUTH KIT EXERCISE #6 – PHYSICAL STRING SEARCH & ALLOCATION STATUS (NTFS)...........................251
BULK EXTRACTOR – COMPREHENSIVE SEARCHING................................................................................257
PHYSICAL CARVING.................................................................................................................. 265
SCALPEL......................................................................................................................... 266
PHOTOREC........................................................................................................................ 274
COMPARING AND DE-DUPLICATING CARVE OUTPUT.........................................................................282
APPLICATION ANALYSIS.............................................................................................................. 285
REGISTRY PARSING #1 - USERASSIST......................................................................................286
REGISTRY PARSING #2 – SAM AND ACCOUNTS...........................................................................293
APPLICATION ANALYSIS – PREFETCH...........................................................................................297
X. INTEGRATING LINUX WITH YOUR WORK......................................................301
XI. CONCLUSION............................................................................................................306
XII. LINUX SUPPORT.....................................................................................................307

PLACES TO GO FOR SUPPORT:....................................................................................................... 307
4
Legalities
All trad marks ar th prop rty of th ir r sp ctiv own rs.
© 1998-2017 Barry J. Grundy ([email protected]): Theis docum nt may b r distribut d,

in its ntir ty, including th whol of this copyright notic , without additional cons nt if th
r distributor r c iv s no r mun ration and if th r distributor us s th s mat rials to assist
and/or train m mb rs of Law Enforc m nt or S curity / Incid nt R spons prof ssionals.
Oth rwis , th s mat rials may not b r distribut d without th xpr ss writte n cons nt of th
author, Barry J. Grundy.
Acknowledgments
As always, th r is no possibl way I can thank v ryon that d s rv s it. Ov r th y ars I

hav l arn d so much from so many. A blog post h r , a r turn d mail th r . H lp on IRC,
onlin forums, and coll agu s in th officc . The contributions I r c iv from oth rs in th fie ld
that tak tim out of th ir own busy days to assist m in growing as an inv stigator and
for nsic xamin r, ar simply too num rous to catalog. My h artf lt thanks to all.
The list of coll agu s that hav contribut d ov r th many y ars has grown. I r main grat ful
to all that hav giv n th ir tim in r vi wing and providing valuabl f dback, and in som
cas s, simpl ncourag m nt to all v rsions of this guid ov r th y ars. My continu d thanks
to Cory Alth id , Brian Carri r, Christoph r Coop r, Nick Furn aux, John Garris, Rob rt-Jan
Mora, and J ss Kornblum for h lping m lay th foundation for this guid . And for mor
r c nt assistanc , I’d lik to thank Jacqu s Bouch r, Tobin Craig, Simson Garfienk l, Andr as
Guldstrand, Bill Norton, Paul St ph ns, Danny W rb, and as always, Robby Workman.
My continu d thanks to th Linux K rn l, various distribution, and softwwar d v lopm nt

t ams for th ir hard work in providing us with an op rating syst m and utiliti s that ar robust
and controllabl . What horrors would I b living without th ir d dication?
The LinuxLEO logo was d sign d by Laura Ette r ([email protected]).
Finally, I cannot go without thanking my wif Jo and my sons Patrick and Tommy for th
s mingly ndl ss pati nc as th work was und rway.
5
Foreword
It’s b n n arly t n y ars sinc this guid has b n officcially updat d, and ov r fieftw n
y ars sinc its initial public r l as . In that tim , w ’v s n signifiecant chang s to th for nsic
industry, and a massiv growth in th d v lopm nt of softwwar and t chniqu s us d to uncov r
vid nc from an v r xpanding univ rs of d vic s. The purpos of this docum nt, how v r,
r mains unchang d. I am looking to provid an asy to follow and acc ssibl guid for for nsic
xamin rs across th full sp ctrum of this for nsic disciplin ; law nforc m nt officc rs,
incid nt r spond rs, and all comput r sp cialists r sponsibl for th inv stigation of digital
vid nc . Theis guid continu s to provid an introductory ov rvi w of th GNU/Linux (Linux)
op rating syst m as a for nsic platform for digital inv stigators and for nsic xamin rs.
Abov all, this r mains a b ginn r’s guid . An introduction. It is not m ant to b a full
cours on conducting for nsic xaminations. Theis docum nt is about th tools and th
conc pts us d to mploy th m. Introducing th m, providing simpl guidanc on using th m,
and som id as on how th y can b int grat d into a mod rn digital for nsics laboratory or
inv stigativ proc ss. Theis is also a hands on guid . It’s th b st way to l arn and w ’ll cov r
both basic GNU/Linux utiliti s and sp cializ d softwwar through short x rcis s.
The cont nt is m ant to b “b ginn r” l v l, but as th comput r for nsic community

volv s and th subj ct matte r wid ns and b com s mor mainstr am, th d fienition of
“b ginn r” l v l mat rial starts to blur. Theis guid mak s an ffoort to k p th mat rial as basic
as possibl without omitteing thos subj cts s n as fundam ntal to th prop r und rstanding of
Linux and its pot ntial as a digital for nsic platform. If you’v b n doing for nsic
xaminations for fiev or t n y ars, but n v r d lv d into Linux, th n this is for you. If you’r a
stud nt at Univ rsity and you ar int r st d in how for nsic tools ar mploy d, but cannot
affoord thousands of dollars in lic ns sNth n this is for you.
How v r, this is by no m ans m ant to b th d fienitiv “how-to” on for nsic m thods

using Linux. Rath r, it is a (som what xt nd d) starting point for thos who ar int r st d
in pursuing th s lf- ducation n d d to b com profieci nt in th us of Linux as an
inv stigativ tool. Not all of th commands offo r d h r will work in all situations, but by
d scribing th basic commands availabl to an inv stigator I hop to “start th ball rolling”. I
will pr s nt th commands, th r ad r n ds to follow-up on th mor advanc d options and
us s. Knowing how th s commands work is v ry bit as important as knowing what to typ
at th prompt. If you ar v n an int rm diat Linux us r, th n much of what is contain d in
th s pag s will b r vi w. Still, I hop you fiend som of it us ful.
GNU/Linux is a constantly volving op rating syst m. Distributions com and go, and
th r ar now a numb r of “stand out” Linux flaavors that ar commonly us d. In addition to
balancing th b ginn r natur of th cont nt of this guid with th advancing standards in
for nsic ducation, I also fiend mys lf trying to balanc th l v l of d tail r quir d to actually
t ach us ful tasks with th distribution sp cifiec natur of many of th commands and
confiegurations us d.
6
As w will discuss in furth r d tail lat r in this guid , many of th d tails ar sp cifiec to
on flaavor of Linux. In most cas s, th commands ar quit portabl and will work on most
any syst m. In oth r cas s (packag manag m nt and confieguration diting, tc.) you may fiend
that you n d to do som r s arch to d t rmin what n ds to b don on your platform of
choic . The d t rmination to provid sp cifiec d tails on actually confieguring a sp cifiec syst m
cam about through ov rwh lming r qu st for guidanc . The d cision to us my Linux
distribution of choic for for nsics as an xampl is p rsonal.
Ov r th y ars I hav r p at dly h ard from coll agu s that hav tri d Linux by
installing it, and th n proc d d to sit back and wond r “what n xt?” I hav also nt rtain d a
numb r of r qu sts and sugg stions for a mor xpansiv xploration of tools and utiliti s
availabl to Linux for for nsic analysis at th application l v l as w ll as num rous r qu sts for
prop r confieguration guid lin s for a bas lin Linux workstation. You hav a copy of this
introduction. Now download th x rcis s and driv on. Theis is only th start of your r ading.
Utiliz d corr ctly, this guid should prompt many mor qu stions and kick start your l arning.
In th y ars sinc this docum nt was fierst r l as d a numb r of xc ll nt books with far mor
d tail hav cropp d up cov ring op n sourc tools and Linux for nsics. I still lik to think this
guid will b us ful for som .
As always, I am op n to sugg stions and critiqu . My contact information is on th

front pag . If you hav id as, qu stions, or comm nts, pl as don’t h sitat to mail m . Any
f dback is w lcom .
Theis docum nt is occasionally (infr qu ntly, actually) updat d. Ch ck for n w r

v rsions (numb r d on th front pag ) at th officcial sit :
http://www.LinuxLEO.com
A word about the “GNU” in GNU/Linux
Wh n w talk about th “Linux” op rating syst m, w ar actually talking about th

GNU/Linux op rating syst m (OS). Linux its lf is not an OS. It is just a k rn l. The OS is
actually a combination of th Linux k rn l and th GNU utiliti s that allow us (mor
sp cifiecally our hardwar ) to int ract with th k rn l. Which is why th prop r nam for th
OS is “GNU/Linux”. W (incorr ctly) call it “Linux” for conv ni nc .
Why Learn Linux?
On of th qu stions h ard most oftw n is: “why should I us Linux wh n I alr ady hav
[insert Windows GUI forensic tool here]?” The r ar many r asons why Linux is quickly gaining
ground as a for nsic platform. I’m hoping this docum nt will illustrat som of thos
atteribut s.
7
 Control – not just ov r your for nsic softwwar , but th whol OS and
atteach d hardwar .
 Fl xibility – boot from a CD (to a compl t OS), fiel syst m support,
platform support, tc.
 Pow r – A Linux distribution is (or can b ) a for nsic tool.
Anoth r point to b mad is that simply knowing how Linux works is b coming mor and
mor important. Whil many of th Windows bas d for nsic packag s in us today ar fully
capabl of xamining Linux syst ms, th sam cannot b said for th xamin rs.
As Linux b com s mor and mor popular, both in th comm rcial world and with d sktop
us rs, th chanc that an xamin r will ncount r a Linux syst m in a cas b com s mor
lik ly ( sp cially in n twork inv stigations). Ev n if you l ct to utiliz a Windows for nsic
tool to conduct your analysis, you must at l ast b familiar with th OS you ar xamining. If
you do not know what is normal, th n how do you know what do s not b long? Theis is tru
on so many l v ls, from th actual cont nts of various dir ctori s to strang ntri s in
confieguration fiel s, all th way down to how fiel s ar stor d. Whil this docum nt is mor
about Linux as a for nsic tool rath r than analysis of Linux, you can still l arn a lot about how
th OS works by actually using it.
The r is also th issu of cross-v rifiecation. A working knowl dg of Linux and its for nsic
utility can provid an xamin r with alternative tools on an alternative platform to us as a
m thod to v rify th fiendings of oth r tools on oth r op rating syst ms. Many xamin rs hav
sp nt countl ss hours l arning and using common industry standard Microsoftw Windows
for nsic tools. It would b unr alistic to think that r ading this guid will giv an xamin r th
sam l v l of confied nc , som tim s built through y ars of xp ri nc , as th y hav with th ir
traditional tools of choic . What I can hop is that this guid will provid nough information
to giv th xamin r “anoth r tool for th toolbox”, wh th r it's imaging, r cov ring, or
xamining. Linux as an alt rnativ for nsic platform provid s a p rf ct way to cross ch ck
your work and v rify your r sults, v n if it is not your primary choic .
W also n d to consid r th us fuln ss of Linux in acad mic and r s arch applications.

The op n natur of Linux and th pl thora of us ful utiliti s includ d in a bas syst m mak it
an almost tailor mad platform for basic digital for nsics. Theis is sp cially tru in an acad mic
nvironm nt wh r w fiend Linux provid s a low cost solution to nabl acc ss to imaging
tools and fiel xamination utiliti s that can b us d to cov r th foundations of digital
inv stigations using tools in an nvironm nt that supports multipl formats and data typ s.
For xampl , w can us th dd program for simpl imaging and carving; grep and xxd to
locat and xamin fiel syst m structur s and t xt string artifacts, and th file command
again with xxd for signatur id ntifiecation and analysis. Theis provid s us with much th sam
s t of simpl tools n d d to pr s nt th v ry basics of digital for nsics whil still t aching
Linux command lin familiarity. Linux as a for nsic platform can asily provid a primary
m ans for digital inv stigations ducation. And in fact, prior v rsions of this guid hav b n
r f r nc d in many advanc d d gr and law nforc m nt programs that t ach basic digital
for nsics.
8
Where’s all the GUI tools?
As much as possibl , th tools r pr s nt d in this guid ar callabl from and r quir

us r int raction through th command lin nvironm nt. Theis is not simpl sadism. It’s a
matte r of actually l arning Linux (and in som ways UNIX as a by-product). Theis point will b
mad throughout this docum nt, but th goal h r is to introduc tools and how to int ract
through th command lin . R lianc on GUI tools is und rstandabl and is not b ing wholly
disparag d h r . If you ar making th ffoort to r ad and follow along with this guid , th n an
assumption is b ing mad that you want to l arn Linux and th pow r th command lin
brings. The r ar two main points that w can focus on h r :
The fierst is that Linux (and UNIX) fiend th ir foundation at th command lin . Mod rn
Linux and UNIX impl m ntations ar still, at th ir h arts, driv n by syst m that is most
acc ssibl from a command lin int rfac . For this r ason, knowing how to int ract with th
command lin provid s xamin rs th wid st rang of capabiliti s r gardl ss of th distribution
or confieguration of Linux ncount r d. Y s, this is about for nsic tools and utiliti s, but it’s
also about b coming comfortabl with Linux. It is for this r ason that w continu to l arn a
command lin ditor lik vi and simpl bit l v l copying tools lik dd. The r ’s a v ry high
probability that any Linux/UNIX syst m you com across will hav th s tools.
S cond is that knowing and und rstanding th command lin is, in and of its lf, a v ry
pow rful tool. Onc you r aliz th pow r of command pip s and flaow control (using loops
dir ctly on th command lin ), you will fiend yours lf abl to pow r through probl ms far fast r
than you pr viously thought. L arning th prop r us and pow r of utiliti s lik awk, sed, and
grep will op n som pow rful t chniqu s for parsing structur d logs and oth r data sourc s.
Theis guid should provid som basic und rstanding of how thos can b us d. Onc you
und rstand and start to l v rag this pow r, you will fiend yours lf pining for a command lin
and its utiliti s wh n on is not availabl .
K p th s points in mind as you go through th x rcis s h r . Und rstand why and

how th tools work. Don’t just m moriz th commands th ms lv s. Theat would miss th
point.
Thee Exercises – New and Old
The r ar updat s across th board in this v rsion of th guid . Wh r old (and still
us ful) x rcis s r main from pr vious v rsions, th output and tool usag has b n r fr sh d
to r fla ct th curr nt v rsions of th tools us d. Whil som what aging, th s x rcis s and
th fiel s us d to pr s nt th m r main us ful and hav not b n r mov d.
N w x rcis s hav also b n add d to allow for additional cont nt cov ring application
lay r analysis tools and oth r r c nt additions to th Linux for nsics ars nal. K p in mind
that whil this docum nt do s cov r som for nsic strat gi s and basic fundam ntals, it is
r ally about th tools w us and th conc pts b hind mploying th m. As such som of th
9
old r x rcis fiel s may s m a bit dat d but th y still s rv th purpos of providing a probl m
s t on which w can l arn commands r gardl ss of th targ t.
Theis v rsion of th guid is NOT a s qu l. It’s an updat – but with som n w mat rial.
LinuxLEO YouTube Channel
You can fiend d monstrations and simpl vid o xampl s of som of th following
chapt rs on th LinuxLEO YouTub chann l at 1:
htteps://www.youtub .com/chann l/UCRyk5g_LoiYtEGy3dlkAsvQ
The r is littel cont nt th r now, but mor will b add d as tim go s on. Subscrib and
you will b notifie d as vid os ar upload d.
Conventions Used in this Document
Wh n illustrating a command and it's output, you will s som thing lik th following:
root@forensic1:~# command
output
Theis is ss ntially a command lin (t rminal) s ssion wh r N
root@forensic1:~#
...is th command prompt, follow d by th command typ d by th us r and th n th

command's output. The command will b shown in bold t xt to furth r diffo r ntiat it from th
r sulting output (as it may span multipl lin s).
In Linux, th command prompt can tak diffo r nt forms, d p nding on th nvironm nt

s tteings (th d fault diffo rs among distributions). In th xampl abov , th format is
user@hostname:[present working directory]#
m aning that w ar th us r “root” working on th comput r nam d “forensic1”

curr ntly working in th dir ctory root (th root us r's hom dir ctory – in this cas , th
“hom dir ctory” is symboliz d by th shorthand r pr s ntation of th tild ~). Not that for a
root login th command prompt's trailing charact r is #. If w log in as a r gular us r, th
d fault prompt charact r chang s to a $, as in th following xampl :
1
I knowNnot a pr ttey URL, but I n d subscrib rs for that!
10
barry@forensic1:~$
Theis is an important diffo r nc . The root us r is th syst m “sup rus r” or

administrator. W will cov r th diffo r nc s b tw n us r logins lat r in this docum nt.
Wh r you s llips s (“...”), it indicat s r mov d output for th sak of br vity or

clarity:
root@forensic1:~# command
... <--- removed output for brevity
output
... <--- removed output for brevity
11
I. Installation
Much has chang d in th past f w y ars with r sp ct to th robustn ss and f atur s t of
th curr nt Linux k rn ls. Hardwar d t ction and confieguration us d to pr s nt som uniqu
chall ng s for Linux novic s. Whil issu s can still occasionally aris , th fact is that s tteing
up a Linux machin as a simpl workstation is no long r th nail biting x rcis in frustration
that it onc was. K rn l d t ction of hardwar has b com th norm, and most distributions of
Linux can b install d with a minimum of fuss on all but th most cutteing dg hardwar (and
usually v n th n).
For th vast majority of comput rs out th r , th d fault k rn l driv rs and s tteings will
work “out of th box” for both old and n w syst ms. The rang of onlin h lp availabl for any
giv n distribution is far wid r now than it was v n t n y ars ago, and most probl ms can b
solv d with a targ t d Int rn t s arch. For the most part, solutions that ar ffo ctiv on on
distribution will b ffo ctiv across th board. Theis may not always b th cas , but if you ar
familiar with your syst m, you can oftw n int rpr t solutions and apply th m to your particular
platform.
If your Linux machin is to b a dual boot syst m with Windows, you can us th
Windows D vic Manag r to r cord all your install d hardwar and th s tteings us d by
Windows. Hardwar compatibility and d t ction hav b n greatly improv d ov r th past
coupl of y ars. Most of th r c nt v rsions of Linux distributions hav xtraordinary
hardwar d t ction. But it still h lps to hav a good id a of th hardwar you ar using so if
probl ms do aris your support qu ri s can b targ t d.
At a minimum, you ar going to want to know and plan for:
• Hard driv partitioning sch m

◦ Siz and partition layout
• N twork confieguration
◦ DHCP or static?
◦ Gat way
◦ DNS, tc.
Most distributions hav a pl thora of docum ntation, including onlin h lp and

docum nts in downloadabl form. Do a W b s arch and you ar lik ly to fiend a numb r of
answ rs to any qu stion you might hav about hardwar compatibility issu s in Linux. A list
of us ful Linux ducational r sourc s is provid d at th nd of this guid . Us th m. And
always r m mb r to r s arch fierst b for jumping into a forum and asking qu stions.
Distributions
Linux com s in a numb r of diffo r nt “flaavors”. The s ar most oftw n r f rr d to as a

“Linux distribution” or “distro”. D fault k rn l confieguration, tools that ar includ d (syst m
12
manag m nt archit ctur and confieguration, tc.) and th packag format (th softwwar install
and upgrad path) most commonly diffo r ntiat th various Linux distros.
It is common to h ar us rs complain that d vic X works und r on distribution, but

not on anoth r, tc. Or that d vic Y did not work und r on v rsion of a distribution, but a
chang to anoth r “fiex d it”. Most oftw n, th diffo r nc is in th v rsion of th Linux kernel
b ing us d and th r for th updat d driv rs, or th patch s appli d by th distribution v ndor,
not th v rsion of th distribution (or th distribution its lf).
Pr vious v rsions of this guid provid d a short list of distros and a summary
d scription of ach. Theat has b n r mov d h r for a mor d scriptiv xplanation of why w
hav so many distributions, and how you can choos from among th m. Ev ryon has an
opinion on th s , and th y all hav th ir str ngths and appar nt w akn ss s.
On thing w ’v s n mor and mor of lat ly ar som what specialized distros, or in

som cas s, distros that ar p rc iv d as sp cializ d. The r ar still your “g n ral workstation”
flaavors of Linux – op nSUSE, C ntOS, D bian, Ubuntu, Slackwar , G ntoo, tc., but w also
hav sp cialization now - full distributions d sign d and distribut d sp cifiecally for a targ t
audi nc lik p n-t st rs, nt rpris admins, tc.
Som xampl s of sp cializ d distributions that may b of int r st to r ad rs of this

docum nt:
▪ Thee Parrot Project – A S curity distribution that “includ s a full portabl

laboratory” for s curity and digital for nsic xp rts.
▪ Thee SANS SIFT Workstation – An advanc d incid nt r spons and digital

for nsics distribution that is wid ly support d, fr qu ntly updat d, and w ll
stock d with all th tools you’ll n d to conduct digital triag , incid nt r spons ,
and digital for nsic xaminations.
▪ BlackArch Linux – A n w r proj ct, bas d on Arch Linux, that provid s anoth r
alt rnativ “out of th box” s curity focus d distribution.
▪ Kali Linux – An advanc d p n-t sting and s curity distribution bas d on

D bian. Theis is on of my favorit bootabl Linux distributions, and can also b
install d on a comput r for us as a workstation.
The r ar many oth rs, along with s l ctions for s curity focus d bootabl distros,
“lightw ight” distros, and many oth rs. Don’t l t th options confus you, though. Find a
mainstr am distribution, install it and l arn it.
Our pr viously m ntion d “g n ral workstation” Linux distros ar all p rf ctly suitabl
for us as a for nsic platform. A majority of p opl n w to Linux ar gravitating toward
Ubuntu as th ir platform of choic . The support community is hug , and a majority of wid ly
13
availabl softwwar for Linux for nsics is sp cifiecally built for and support d on Ubuntu (though
not xclusiv ly in most cas s). On a p rsonal not , I fiend Ubuntu l ss than id al for l arning
Linux. Theis is NOT to say that Ubuntu or its variations don’t mak xc ll nt for nsic
platforms. But this guid is focus d on learning, and part of that journ y includ s starting with
a cl an slat and und rstanding how th op rating syst m works and is mad to suit your
nvironm nt. For that w focus on a mor Unix lik distribution.
If you ar unsur wh r to start, will b using this guid as your primary r f r nc , and
ar int r st d mainly in for nsic applications of Linux, th n I would sugg st Slackwar . The
original comm rcial distribution, Slackwar has b n around for y ars and provid s a good
standard Linux that r mains tru to th Unix philosophy. Not ov r- ncumb r d by GUI
confieguration tools, Slackwar aims to produc th most “UNIX-lik ” Linux distribution
availabl . On of my p rsonal favorit s, and in my humbl opinion, curr ntly on of th b st
choic s for a for nsic platform. (http://www.slackware.com/). Theis guid is tailor d for us
with a Slackwar Linux installation.
On thing to k p in mind: As I m ntion d arli r, if you ar going to us Linux in a

for nsic capacity, th n try not to r ly on GUI tools too much. Almost all s tteings and
confiegurations in Linux ar maintain d in t xt fiel s (usually in ith r your hom dir ctory, or in
/etc). By l arning to dit th fiel s yours lf, you avoid probl ms wh n ith r th X window
syst m is not availabl , or wh n th sp cifiec GUI tool you r ly on is not on a syst m you might
com across. In addition, knowl dg of th t xt confieguration fiel s will giv you insight into
what is “normal”, and what might hav b n chang d wh n you xamin a subj ct Linux
syst m (though that is not th focus of this docum nt). L arning to int rpr t Linux
confieguration fiel s is all part of th xp ri nc .
SLACKWARE and Using this Guide
B caus of diffo r nc s in archit ctur , th Linux distribution of your choic can caus
diffo r nt r sults in commands' output and diffo r nt b havior ov rall. Additionally, som
s ctions of this docum nt d scribing confieguration fiel s, startup scripts or softwwar installation,
for xampl , might app ar vastly diffo r nt d p nding on th distro you s l ct.
If you ar s l cting a Linux distribution for th sol purpos of l arning through

following along with this docum nt, th n again, I would sugg st Slackware. Slackwar is
stabl and do s not atte mpt to nrich th us r's xp ri nc with cutteing dg fiel syst m hacks
or automatic confiegurations that might hamp r for nsic work. D tail d s ctions of this guid
on th inn r workings of Linux will b writte n toward a basic Slackwar 14.2 64 bit installation
(curr nt as of this writing).
By d fault, Slackwar 's curr nt installation routin l av s initial disk partitioning up to

th us r. The r ar no d fault sch m s that r sult in surprising “volum groups” or oth r
compl x disk manag m nt t chniqu s. The r sulting fiel syst m tabl (also known as fstab) is
standard and do s not r quir diting to provid for a for nsically sound nvironm nt.
14
Slackwar Linux is stabl , consist nt, and simpl . As always, Linux is Linux. Any
distribution can b chang d to function lik any oth r (in th ory). How v r, my philosophy has
always b n to start with an optimal syst m, rath r than atte mpt to “roll back” a syst m
h avily modifie d and optimiz d for th d sktop rath r than a for nsic workstation.
If you ar comfortabl with anoth r distribution, th n by all m ans, continu to us and

l arn it. Just b awar that th r may b customization and modifiecations mad to th
standard k rn l and fiel syst m s tups that might not b id al for for nsic us . The s can
always b r m di d, but I pr f r to start as clos to optimal as possibl .
Installation Methods
Download th n d d bootabl m dia fiel s, burn th m to a DVD or r movabl driv and

boot th m dia. Theis is th most common m thod of installing Linux. Most distros can b
download d for fr via httep, ftwp, or torr nt. Slackwar is availabl at
http://www.slackware.com. Hav a look at http://distrowatch.com/ for information on
downloading and installing oth r Linux distributions.
During a standard installation, much of th work is don for you, and r lativ ly saf
d faults ar provid d. As m ntion d arli r, hardwar d t ction has gon through som gr at
improv m nts in r c nt y ars. I strongly b li v that many (if not most) Linux distros ar far
asi r and fast r to install than oth r “mainstr am” op rating syst ms. Typical Linux
installation is w ll docum nt d onlin (ch ck your sp cifiec distribution’s w bsit for mor
information). The r ar num rous books availabl on th subj ct, and most of th s ar
suppli d with a Linux distribution r ady for install.
Familiariz yours lf with Linux disk and partition naming conv ntions (cov r d in Chapt r
II of this docum nt) and you should b r ady to start.
Slackware Installation Notes
If you do d cid to giv Slackwar a shot, h r ar som simpl guid lin s. The
docum ntation provid d on Slackwar 's sit is compl t and asy to follow. R ad th r
fierstNpl as .
D cid on standalon Linux or dual boot. Install Windows fierst in a dual boot syst m.
D t rmin how you want th Linux syst m to b partition d. A singl root partition and a
singl swap partition ar fien . You might fiend it asi r wh n fierst starting out to install Linux
in a virtual machin (VM), ith r through VirtualBox or VMwar for xampl . Theis will allow
you to snapshot along th way and r cov r from any rrors. It also provid s you with acc ss
to community support via th host whil installing your Linux syst m in a VM. Using Linux in
a virtual machin is a p rf ctly acc ptabl way to follow this guid , and probably th asi st if
you ar an absolut b ginn r.
15
READ through th installation docum ntation before you start th proc ss. Don't b in
a hurry. If you want to l arn Linux, you hav to b willing to r ad. For Slackwar , hav a look
through th installation chapt rs of th updat d “Slack Book” locat d at
http://www.slackbook.org/beta. The r ar detailed instructions th r if you n d st p by
st p h lp, including partitioning, tc. For a basic und rstanding of how Slackwar works and
how to us it, th Slack Book should b your fierst stop. Som of it may b a bit outdat d, but
th majority of it still appli s.
H r ’s som installation advic . R ad this, th n r ad th Installation s ction in th Slack Book

link d abov . As a v ry g n ral ov rvi w:
1) Boot th Linux m dia.

• R ad ach scr n car fully.
• Acc pting most d faults works.
• Your hardwar will b d t ct d and confiegur d und r most circumstanc s.
Onlin support is xt nsiv if you hav probl ms.
• K p in mind that if a pi c of hardwar caus s probl ms during an install, or is
not d t ct d during installation, this do s not m an that it will not work. Install
th op rating syst m and sp nd som tim troubl shooting. Wh n l arning
Linux, Googl is v ry oftw n your b st fri nd.
• The Slackwar install m dia for th curr nt v rsion will boot by d fault using a k rn l
call d huge.s. It includ s support for most hardwar by d fault. Hit th “F2” k y at th
initial “boot:” prompt for mor info.
• Onc th syst m is boot d, you ar pr s nt d with th k yboard map prompt follow d
by th “slackwar login:” prompt. READ THE ENTIRE SCREEN as instruct d. Login as
root, and continu with your install routin .
2) Partition and format for Linux
• You will partition your Slackwar Linux syst m using fdisk or gdisk (if you pr f r a
GPT layout).
• Theis st p is normally part of th installation proc ss, or is cov r d in th distribution's
docum ntation. You can partition how v r you lik . I lik to hav , at th l ast, two
partitions
• Root ( / ) as typ “Linux Nativ ”.
• Swap as typ “Linux Swap” (us 2x your syst m m mory as a starting point for
swap siz ). The us of a swap partition is larg ly optional for machin s with
larg amounts of RAM (>3GB). I still opt to us it.
• You will h ar a lot about using multipl partitions for diffo r nt dir ctori s. Don’t l t
that confus you. The r ar argum nts both for and against using multipl partitions
for a Linux fiel syst m. If you ar just starting out, us on larg root (/) partition, and
on swap partition as d scrib d abov .
3) Packag installation (syst m)
• The main install routin for Slackwar is start d with th command setup. You will
n d to nsur that you hav your disk prop rly partition d before you nt r th s tup
program.
• Tak th tim to r ad ach scr n compl t ly as it com s up.
16
• Wh n ask d to format th root partition, I would sugg st s l cting th xt4 fiel syst m.
• Wh n ask d which packag s to s l ct for installation, it is usually saf for a b ginn r to
s l ct “ v rything” or “full”. Theis allows you to try all th packag s, along with
multipl X Window d sktop nvironm nts. Theis can tak as much as 8GB to 12GB on
som of th n w r distributions (7GB on Slackwar , d p nding on options), how v r it
includ s all th softwwar you ar lik ly to n d for a long tim (including many “officc ”
typ applications, Int rn t, -mail, tc.). For a l arning box it will giv you th most
xposur to availabl softwwar for xp rim ntation and additionally nsur s that you
don’t omit librari s that may b n d d for softwwar compilation lat r.
4) Installation Confieguration
• Boot M thod (th Boot load rNs l cts th OS to boot)
• B mindful of EFI vs. l gacy BIOS options. Wh r possibl , s t th BIOS to l gacy
mod .
• LILO or GRUB.
• LILO is th d fault for Slackwar . Som fiend GRUB mor fla xibl and s cur . GRUB
can b install d lat r, if you lik . P rsonally, I pr f r LILO.
• Usually s l ct th option to install LILO to th mast r boot r cord (MBR). The
pr s nc of oth r boot load rs (as provid d by oth r op rating syst ms)
d t rmin s wh r to install LILO or GRUB.
• If you must us EFI, skip this and install lilo or GRUB manually. You should
read README_UEFI.TXT on th install m dia’s root dir ctory b for
b ginning th installation proc ss.
• The boot load r contains th cod that points to th k rn l to b boot d.
• Cr at a us r nam for yours lf – avoid using root xclusiv ly.
• For mor information, ch ck th fiel CHANGES_AND_HINTS.TXT on th install m dia. Theis
fiel is load d with us ful hints and chang s of int r st from on r l as to anoth r.
System Users
Linux is a multi-us r syst m. It is d sign d for us on n tworks (r m mb r, it is bas d

on Unix). The root us r is th syst m administrator, and is cr at d by d fault during
installation. Exclusiv us of th root login is DANGEROUS. Linux assum s that root knows
what h or sh is doing and allows “root” to do anything h or sh wants, including d stroy th
syst m. Don’t log in as root unl ss you must. Having said this, som of th work don for
for nsic analysis will b don as root to allow acc ss to raw d vic s and syst m commands.
Adding a Normal User
For nsic analysis, most notably acquisitions, and basic syst m administration will
normally r quir root p rmissions. But simply logging in as root and conducting your analysis,
particularly from an X Window s ssion, is not advisabl . W n d to add a normal us r
account. From th r you can us su to log in as root t mporarily (cov r d in th n xt s ction).
17
Slackwar com s with a conv ni nt script, adduser, to handl th d tails of s tteing up

our additional account. Som of th it ms s t by this script includ :
• Login Nam
• UID (us r ID)
• Initial Group and Group m mb rship
• Hom Dir ctory
• Sh ll
• Account Expiration Dat
• Account G n ral Info (nam , addr ss, tc.)
• Password
For th most part, th d faults ar acc ptabl ( v n th d fault groups – b car ful not
to skip this part). You invok th script with th command adduser (run as root, obviously)
and th program will prompt you for th r quir d information. Wh n it asks you for
additional groups, b sur to us th up arrow on your k yboard to display availabl groups.
Acc pting th d fault is fien for our purpos s.
Onc compl t , you can log out compl t ly using th xit command and log back in as a
normal us r.
Thee Super User
So, w 'v stablish d that w n d to run our syst m as a normal us r. If Linux giv s
you an rror m ssag "Permission denied", th n in all lik lihood you n d to b root to x cut
th command or dit th fiel , tc. You don't hav to log out and th n log back in as root to do
this. Just us th su command to giv yours lf root p rmissions (assuming you know root’s
password). Ent r th password wh n prompt d. You now hav root privil g s (th syst m
prompt will r fla ct this). Wh n you ar fienish d using your su login, r turn to your original
login by typing exit. H r is a sampl su s ssion:
root@forensic1:~# barry@slackforensics:~$ whoami

barry
barry@forensic1:~$ /sbin/fdisk -l /dev/sda

fdisk: cannot open /dev/sda: Permission denied
barry@forensic1:~$ su -
Password:
root@forensic1:~# whoami
root
root@forensic1:~# /sbin/fdisk -l /dev/sda

Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
18
Sector size (logical/physical): 512 bytes / 512 bytes

I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 3CE209F7-E9A0-4D18-91C4-E96EC4383054
Device Start End Sectors Size Type

/dev/sda1 2048 41943006 41940959 20G BIOS boot
root@forensic1:~# exit
logout
barry@forensics1:~$
Not that th "-" aftw r su allows Linux to apply root's nvironm nt (including root’s
path) to your su login. So you don't hav to nt r th full path of a command. Actually, su is a
“switch us r” command, and can allow you to b com any us r (if you know th password),
not just root. Notic that aftw r w typ exit as root, our prompt indicat s that w ar back to
our normal us r.
A word of caution: B VERY judicious in your us of th root login. It can b

d structiv . For simpl tasks that r quir root p rmission, us su and us it sparingly. Som
distributions (Ubuntu, for xampl ) hav d cid d that logging in as th root us r is so
dang rous that th account is “disabl d”. All commands that r quir root p rmissions on
Ubuntu must utiliz th sudo command to giv acc ss. sudo is similar to su, but is us d on a
p r-command basis, so you n v r actually log in as root.
Desktop Environment
Wh n talking about for nsic suitability, your choic of d sktop syst m can mak a
diffo r nc . First of all, th t rm “d sktop nvironm nt” and “window manag r” ar NOT
int rchang abl . L t's bri flay clarify th compon nts of a common Linux GUI.
• X Window – Theis is th basic GUI nvironm nt us d in Linux. Commonly r f rr d to as

“X”, it is th application that provid s th GUI fram work, and is NOT part of th OS.
X is a cli nt / s rv r program with compl t n twork transpar ncy.
• Window Manager – Theis is a program that controls th app aranc of windows in th X
Window syst m, along with c rtain GUI b haviors (window focus, tc.). Exampl s ar
Kwin, M tacity, XFWM, Enlight nm nt, tc.
• Desktop Environment – A combination of Window Manag r and a consist nt int rfac
that provid s th ov rall d sktop xp ri nc . Exampl s ar XFCE, GNOME, KDE, tc.
➢ The d fault Window Manag r for KDE is Kwin.
➢ The d fault Window Manag r for XFCE is XFWM.
The s d faults can b chang d to allow for pr f r nc s in sp d and r sourc
19
manag m nt ov r th d sir for “ y -candy”, tc. You can also l ct to run a Window Manag r
without a d sktop nvironm nt. For xampl , th Enlight nm nt Window Manag r is known
for it's y -candy and can b run standalon , with or without KDE or GNOME, tc.
Slackwar no long r com s with GNOME as an option, though it can b install d lik
any oth r application. During th bas Slackwar installation, you will b giv n a choic of
KDE, XFCE, and som oth rs. I would lik to sugg st XFCE. It provid s a cl an r int rfac for
a b ginn r to l arn on. It is l an r and th r for l ss r sourc int nsiv . You still hav acc ss
to many KDE utiliti s, if you l ct d to install KDE during packag s l ction. You can install
mor than on d sktop and switch b tw n th m, if you lik . The asi st way to switch is with
th xwmconfig command.
Thee Linux Kernel
The Linux k rn l is th “brain” of th syst m. It is th bas compon nt of th Op rating

Syst m that allows th hardwar to int ract with and manag oth r softwwar and syst m
r sourc s.
As with all for nsic tools, w n d to hav a cl ar vi w of how any k rn l v rsion will
int ract with our for nsic platforms and subj ct hardwar . Almost all curr nt distributions of
Linux alr ady com with a v rsion 4 k rn l install d by d fault, including Slackwar (4.4).
You can d t rmin your curr nt k rn l v rsion with th uname command:
root@forensic1:~# uname -a
Linux forensic1 4.4.14 #2 SMP Fri Jun 24 13:38:27 CDT 2016 x86_64 Intel(R)
Core(TM) i5-3550 CPU @ 3.30GHz GenuineIntel GNU/Linux
The k y to th saf for nsic us (from an vid ntiary standpoint) of ANY op rating
syst m is knowl dg of your nvironm nt and prop r t sting. Pl as k p that in mind. You
MUST und rstand how your hardwar and softwwar int ract with any giv n op rating syst m
b for using it in a “production” for nsic analysis. If for som r ason you f l th n d to
upgrad your k rn l to a n w r v rsion ( ith r through automat d updat s or manually), mak
sur you r ad th docum ntation and th chang log so you hav an und rstanding of any
signifiecant archit ctural chang s that may impact th for nsic nvironm nt.
On of th gr at st str ngths Linux provid s is th conc pt of “total control”. Theis

r quir s thorough t sting and und rstanding. Don't los sight of this in pursuit of an “ asy”
d sktop xp ri nc .
Kernel and Hardware Interaction
In this s ction, w will focus on th minimum confieguration knowl dg for bas lin
und rstanding of a sound for nsic nvironm nt und r curr nt Linux distributions. W will
20
bri flay discuss hardwar confieguration and inv ntory, d vic nod manag m nt (Udev) and th
d sktop nvironm nt.
Hardware Configguration
It’s always us ful to know xactly what hardwar is on your syst m. The r will b
tim s wh n you might n d to chang or s l ct diffo r nt k rn l driv rs or modules to mak a
pi c of hardwar run corr ctly. B caus th r ar so many diffo r nt hardwar confiegurations
out th r , sp cifiecally confieguring driv rs for your syst m will r main outsid th scop of this
guid . K rn l d t ction and confieguration of d vic s (n twork int rfac s, graphics controll rs,
sound, tc.) is automatic in most cas s. If you hav any issu s, mak not of your hardwar
(s b low) and do som s arching. Googl is your fri nd, and th r is a list of h lpful starting
plac s for assistanc at th nd of this guid .
The r ar a numb r of ways to d t rmin what sp cifiec hardwar you ar running on

your syst m. You can us lspci to g t mor d tail d information on sp cifiec d vic s atteach d
to your syst m. lspci (list PCI d vic s), is for thos d vic s sp cifiecally atteach d to th PCI
bus. If you hav hardwar issu s and you s arch for som thing lik “n twork card not
d t ct d in linux”, and you follow a link to a support forum, you will almost always fiend th
r qu st to “post th output of lspci”. It’s on of th fierst diagnostic st ps for d t rmining
many hardwar issu s in Linux. Theis command’s output can g t incr asingly d tail d (or
“v rbos ”) by adding th options -v, -vv, or -vvv. Not that you can run lspci from th
installation disk prior to running th s tup program
Sampl summary output for lspci:
root@forensic1:~# lspci
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core
processor DRAM Controller (rev 09)
00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core
processor PCI Express Root Port (rev 09)
00:02.0 VGA compatible controller: Intel Corporation Xeon E3-1200 v2/3rd
Gen Core processor Graphics Controller (rev 09)
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB xHCI Host Controller (rev 04)
00:16.0 Communication controller: Intel Corporation 7 Series/C210 Series
Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579V Gigabit Network
Connection (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB Enhanced Host Controller #2 (rev 04)
00:1b.0 Audio device: Intel Corporation 7 Series/C210 Series Chipset Family
High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 7 Series/C210 Series Chipset Family
PCI Express Root Port 1 (rev c4)
21

00:1c.4 PCI bridge: Intel Corporation 82801 PCI Bridge (rev c4)
00:1d.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family
USB Enhanced Host Controller #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation Z77 Express Chipset LPC Controller
(rev 04)
00:1f.2 SATA controller: Intel Corporation 7 Series/C210 Series Chipset
Family 6-port SATA Controller [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 7 Series/C210 Series Chipset Family SMBus
Controller (rev 04)
30:00.0 USB controller: ASMedia Technology Inc. ASM1042 SuperSpeed USB Host
Controller
31:00.0 SATA controller: ASMedia Technology Inc. ASM1062 Serial ATA
Controller (rev 01)
32:00.0 PCI bridge: ASMedia Technology Inc. ASM1083/1085 PCIe to PCI Bridge
(rev 03)
R ading through this output you can s things lik th fact that th n twork int rfac
in this syst m is an Int l 825579V chips t. Theis is us ful information if you ar having issu s
with g tteing th int rfac to work and you want to s arch for support. You ar far mor lik ly
to g t us ful h lp if you s arch for “Linux Int l 825579v not working” rath r than “Linux
n twork card not working”.
Theis brings us to th subj ct of k rn l modul s.
Kernel Modules
As m ntion d pr viously, th k rn l provid s th most basic int rfac b tw n

hardwar and th syst m softwwar and r sourc manag m nt. Theis includ s driv rs and oth r
compon nts that ar actually small s parat pi c s of cod that can ith r b compil d as
modules (load d or unload d dynamically) or compil d dir ctly in th k rn l imag .
The r may com a tim wh n you fiend that th k rn l is loading a l ss than id al

modul for a sp cifiec pi c of hardwar , p rhaps causing it to ith r fail to work, or in som
cas s work at l ss than optimal p rformanc . Wir l ss n twork cards can b a common
xampl .
On on laptop, for xampl , th output (abbr viat d) for th n twork int rfac s, using
lspci, might look lik this:
root@forensic1:~# lspci | less

...
22
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101/2/6E PCI

Express Fast/Gigabit Ethernet controller (rev 05)
02:00.0 Network controller: Intel Corporation Centrino Wireless-N 2230 (rev
c4)
...
Theis shows both a wir d Eth rn t port and a wir l ss adapt r. If I want d to s xactly
which modul is b ing us d to driv th s d vic s, I can us th -k option to lspci:
root@forensic1:~# lspci -k | less

...
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101/2/6E PCI
Express Fast/Gigabit Ethernet controller (rev 05)
Subsystem: Lenovo RTL8101E/RTL8102E PCI Express Fast Ethernet
controller
Kernel driver in use: r8169
Kernel modules: r8169
02:00.0 Network controller: Intel Corporation Centrino Wireless-N 2230 (rev
c4)
Subsystem: Intel Corporation Centrino Wireless-N 2230 BGN
Kernel driver in use: iwlwifi
Kernel modules: iwlwifi
...
Theis tim th output provid s som additional information, including which modul s
ar load d wh n th d vic is d t ct d. Theis can b an important pi c of information if I’m
trying to troubl shoot a misb having d vic . Onlin h lp might sugg st using a diffo r nt
driv r altog th r. If that is th cas , th n you may n d to “blacklist” th curr ntly load d
modul in ord r to pr v nt it from loading and hind ring th corr ct driv (that you may n d
to sp cify). Blacklisting is normally don in /etc/modules.d/ by ith r cr ating a
blacklist-[modulename].conf fiel or making an ntry in blacklist.conf, d p nding on
your distribution. In Slackwar , you can r ad th README fiel in /etc/modules.d and th man
pag for modules.d for mor information. Sinc th st ps for this vary wildly d p nding on
th driv r, it’s d p nd nci s, and th xist nc of comp ting modul s, w won’t cov r this in
any mor d pth. Sp cifiec h lp for individual driv r issu s can b found onlin . Theis simply
introduc s you to pot ntial sourc s of information.
Not that if you ar using a laptop or d sktop with a USB wir l ss adapt r, it lik ly won’t show
up in lspci. For that you’ll hav to us lsusb (list USB – th r ’s a patte rn h r , s ?). In th
following output, lsusb r v als info about a wir l ss n twork adapt r. Us th -v option for
mor v rbos output (bold for mphasis):
root@forensic1:~# lsusb
...
Bus 001 Device 054: ID 2109:2812 VIA Labs, Inc. VL812 Hub
23
Bus 001 Device 004: ID 174c:2074 ASMedia Technology Inc. ASM1074 High-Speed
hub
Bus 001 Device 079: ID 1b1c:1a06 Corsair
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 007: ID 11b0:6598 ATECH FLASH TECHNOLOGY
Bus 001 Device 120: ID 148f:5372 Ralink Technology, Corp. RT5372 Wireless
Adapter
Bus 001 Device 005: ID 174c:2074 ASMedia Technology Inc. ASM1074 High-Speed
hub
Bus 001 Device 050: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
...
Or us th script usb-devices, which organiz s th information from

/sys/bus/usb/devices/usb into a (mortal) human r adabl format. Not that it also r turns
th k rn l modul in us , much lik lspci -k do s for PCI bus d vic s (bold for mphasis).
W us th pip ( | ) to th less command to pag th output for r ading:
root@forensic1:~# usb-devices | less

...
T: Bus=01 Lev=01 Prnt=01 Port=05 Cnt=05 Dev#=120 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=148f ProdID=5372 Rev=01.01
S: Manufacturer=Ralink
S: Product=802.11 n WLAN
C: #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=450mA
I: If#= 0 Alt= 0 #EPs= 7 Cls=ff(vend.) Sub=ff Prot=ff Driver=rt2800usb
...
Not that th commands cov r d h r ar larg ly portabl across distributions, but th

locations of fiel s and m thods for managing modul s may diffo r. The proc ss of id ntifying
modul s and hardwar should mostly b th sam . Man (manual) pag s and distribution
docum ntation should always b r li d on for primary probl m solving.
K p in mind that th s sam commands can b run against a subj ct comput r by

using Linux bas d for nsic boot m dia. If you hav th tim , it’s a gr at way to inv ntory a
subj ct comput r ith r prior to s izur or if you cannot s iz th comput r (only imag it for
what v r r ason), but still wish to hav a full hardwar inv ntory.
Hotplug devices and Udev
Starting with k rn l v rsion 2.6.13, Linux d vic manag m nt was hand d ov r to a

n w syst m call d Udev. Traditionally, th d vic nod s (fiel s r pr s nting th d vic s,
locat d in th /dev dir ctory) us d in pr vious k rn l v rsions w r static, that is th y xist d
24
at all tim s, wh th r in us or not. For xampl , on a syst m with static d vic nod s w may
hav a primary SATA hard driv that is d t ct d by th k rn l as /dev/sda. Sinc w hav no
IDE driv s, no driv is d t ct d as /dev/hda. But wh n w look in th /dev dir ctory w s
static nod s for all th possibl disk and partition nam s for /dev/hda. The d vic nod s xist
wh th r or not th d vic is d t ct d.
In mod rn Linux syst ms, Ud v cr at s d vic nod s “on th flay”. The nod s ar cr at d
as th k rn l d t cts th d vic and th /dev dir ctory is populat d in r al tim . In addition to
b ing mor fficci nt, Ud v also runs in us r spac . On of th b n fiets of Ud v is that it
provid s for “p rsist nt naming”. In oth r words, you can writ a s t of rul s that will allow
Ud v to r cogniz a d vic bas d on individual charact ristics (s rial numb r, manufactur r,
mod l, tc.). The rul can b writte n to cr at a us r-d fien d link in th /dev dir ctory, so that
for xampl , my thumb driv can always b acc ss d through an arbitrary d vic nod nam of
my choic , lik /dev/my-thumb, if I so choos . Theis m ans that I don't hav to s arch through
USB d vic nod s to fiend th corr ct d vic nam if I hav mor than on xt rnal storag
d vic conn ct d. I can conn ct 4 USB d vic s and inst ad of s arching through /dev/sdc,
sdd, sde, and sdf – I can just go to /dev/my-thumb. For a nic , if som what outdat d,
xplanation of Ud v rul s, s : httep://r activat d.n t/writing_Ud v_rul s.html.
On Slackwar , Ud v runs as a da mon from th startup script /etc/rc.d/rc.udev.

W will discuss th s startup scripts in mor d tail lat r in this docum nt. W will not do any
sp cifiec confieguration for Ud v on our for nsic comput rs at this tim . W discuss it h r
simply b caus it plays a major part in d vic handling and as such is of int r st to for nsic
xamin rs that want to know what th ir syst m is doing. Ud v do s NOT involv its lf in auto
mounting or oth rwis int racting with applications. It simply provid s a hardwar to k rn l
int rfac .
Hot Plugging Devices and Desktops
On of th consid rations wh n discussing D sktop Environm nts is wh th r or not

th syst m will allow for d sktop auto-mounting of r movabl m dia. KDE and GNOME ar
d sign d for a simpl us r xp ri nc and xamin rs n d to b awar of how to control any
und sir d b havior in a for nsic nvironm nt. Onc you’v install d your syst m of choic ,
mak sur you t st what happ ns wh n you “hot plug” a USB or oth r r movabl m dia d vic .
For xampl , som distributions might l ct to auto-mount d vic s on th GUI d sktop
imm diat ly upon ins rtion.
XFCE is a light r w ight (r ad: light r on r sourc s) d sktop. And although XFCE is
also capabl of automatically handling hot plugg d d vic s, it allows for asi r control of
r movabl m dia on th d sktop. As an xampl , consid r th following snapshot of an XFCE
s tteings dialog for r movabl m dia. By d fault, on Slackwar 14.2, d vic s ar NOT auto
mount d in th XFCE nvironm nt. Not all distributions might b confiegur d this way,
how v r. B sur to ch ck and t st for yours lf. As a for nsic xamin r, you do NOT want
your syst m automatically mounting d vic s simply b caus you plugg d th m into th
syst m.
25
Illustration 1: XFCE Removable Media Handling

Configguration
26
II. Linux Disks, Partitions and the File System

As you go through the following pages, please pay atteention to your userid<you’ll need to be root
for most of this.
Disks
Linux tr ats its d vic s as fiel s. Theis is an important conc pt for for nsic xamin rs. It
m ans, as w will s lat r on, that many of th commands w can us on r gular fiel s, w can
also us on disks “fiel s”. W can list th m, hash th m and s arch th m in much th sam way
w do fiel s in any standard us r dir ctory. The sp cial dir ctory wh r th s d vic "fiel s" ar
maintain d is /dev. Old r IDE disks would b d t ct d and assign d hd* nam s. W rar ly
s thos anymor .
As w saw arli r, with th adoption of Ud v, disks ar now assign d d vic nod

nam s dynamically, m aning that th nam s do not xist until th d vic (a thumb driv , for
xampl ) is conn ct d to th syst m. Of cours wh n you boot a normally confiegur d
comput r, you usually hav at l ast on “boot” driv alr ady conn ct d. Und r most
circumstanc s, this will b nam d sda. The s d vic nod s ar populat d und r th /dev
dir ctory. The partitions (primary) ar simply numb r d.
Wh n r f rring to th ntir disk, w us /dev/sda. Wh n r f rring to a partition on

that disk, w us th disk nam and th numb r of th partition, /dev/sda1 for xampl .
DEVICE: FILE NAME:

1st disk (SATA, USB, tc.) /dev/sda
 1st Primary partition /dev/sda1
 2nd partition /dev/sda2, tc.
2nd disk (SATA, USB, tc.) /dev/sdb
 1st Primary partition /dev/sdb1
 2nd partition /dev/sdb2, tc.
CDROM Driv /dev/sr0
The patte rn d scrib d abov is fairly asy to follow. If you ar using a standard SATA
disk, it will b r f rr d to as sdx wh r th x is r plac d with an a for th fierst d t ct d driv
and b for th s cond, tc. In th sam way, th CDROM or DVD driv s conn ct d via th
SATA bus will b d t ct d as /dev/sr0 and th n /dev/sr1, tc.
Not that th /dev/sdx d vic nod s will includ USB and Fir wir d vic s. For
xampl , a primary SATA disk will b assign d sda. If you atteach a USB disk or a thumb driv
it will normally b d t ct d as sdb, and so on.
A simpl way to s th disks and partitions that ar atteach d to your syst m is to us

th lsblk command:
27
root@forensic1:~# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931.5G 0 disk
|-sda1 8:1 0 256M 0 part /boot
|-sda2 8:2 0 32G 0 part [SWAP]
`-sda3 8:3 0 899.3G 0 part /
sdb 8:16 0 238.5G 0 disk
sdc 8:32 0 931.5G 0 disk
`-sdc1 8:33 0 931.5G 0 part
sdi 8:128 0 931.5G 0 disk
`-sdi1 8:129 0 931.5G 0 part /run/media/barry/Evid
sdj 8:144 1 29.3G 0 disk
`-sdj1 8:145 1 29.3G 0 part /run/media/barry/Kingston
sr0 11:0 1 2.6G 0 rom
You can s from th output that disks and partitions ar list d, and if any of th
partitions ar mount d, lsblk will also giv us th curr nt mount point. In this cas w s
/dev/sda1 is mount d on /boot, /dev/sda2 is our swap partition, /dev/sda3 is our root
partition, and w hav /dev/sdi1 mount d as /run/media/barry/Evid and /dev/sdj1
mount d as /run/media/barry/Kingston. The last two volum s ar from xt rnal d vic s,
plugg d in and mount d via th d sktop.
Anoth r som what mor us ful command that is lsscsi. I pr f r lsscsi b caus although it
do s not show partitions, it do s giv a b tte r id a of what th volum s ar
root@forensic1:~# lsscsi
[1:0:0:0] disk ATA ST1000DM003-1ER1 CC45 /dev/sda
[2:0:0:0] cd/dvd HL-DT-ST BD-RE WH16NS40 1.00 /dev/sr0
[11:0:0:0] disk ATA SAMSUNG MZHPV256 500Q /dev/sdb
[23:0:0:0] disk EXS3 CF Kiosk Reader 0575 /dev/sdd
[23:0:0:1] disk EXS3 SD Kiosk Reader 0575 /dev/sde
[23:0:0:2] disk EXS3 MS Kiosk Reader 0575 /dev/sdf
[23:0:0:3] disk EXS3 MSD Kiosk Reader 0575 /dev/sdg
[23:0:0:4] disk EXS3 XD Kiosk Reader 0575 /dev/sdh
[28:0:0:0] disk ST1000DM 003-1ER162 6207 /dev/sdc
[28:0:0:1] disk ST1000DM 003-1ER162 6207 /dev/sdi
[32:0:0:0] disk Kingston DataTraveler 3.0 PMAP /dev/sdj
You can s in th output abov that this particular syst m has a numb r of USB
d vic s and xt rnal m dia atteach d. Theis is a us ful way of fiending out what storag m dia
ar atteach d to a syst m. You’ll also notic that th r ar “disks” id ntifie d by lsscsi that ar
not list d by lsblk. Theis is b caus lsscsi is actually looking what is atteach d to th
int rfac , not th actual m dia. So lsscsi is id ntifying m dia r ad rs that hav no m dia
ins rt d. lsscsi do s not com on most platforms by d fault (although it do s on Slackwar ).
28
If your syst m do s not hav it by d fault, ch ck your distribution’s packag manag r and
install it.
The r ar oth r nam s, using links, that can acc ss th s d vic nod s. If you xplor
th /dev/disk dir ctory you will s links that provid acc ss to th disk d vic s through
volum lab ls, disk UUID, k rn l path, tc. The s nam s ar us ful to us b caus th y can b
us d to acc ss a particular disk in a r p atabl mann r without having to know what d vic
nod (/dev/sdc or /dev/sdd for xampl ) a disk will b assign d. For now, just b awar that
you can acc ss a disk by a nam oth r than th simpl sdx assign d nod . Also not that som
of th assign d nod s might not y t hav m dia atteach d. In many cas s m dia r ad rs can b
d t ct d and assign d nod s b for m dia is ins rt d. In that cas , th following st ps will
simply display No medium found.
Now that w hav an id a of what our disks ar nam d, w can look at th partitions
and volum s. The fdisk program can b us d to cr at or list partitions on a support d d vic .
Theis is an xampl of th output of fdisk on a Linux workstation using th “list” option ( -l
[dash “ l”]):
root@forensic1:~# fdisk -l /dev/sda

Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 6FB0E42E-B5CF-4C8F-A974-28A65DADC779
Device Start End Sectors Size Type

/dev/sda1 2048 206847 204800 100M Linux filesystem
/dev/sda2 206848 8595455 8388608 4G Linux swap
/dev/sda3 8595456 234441614 225846159 107.7G Linux filesystem
fdisk –l /dev/sdx giv s you a list of all th partitions availabl on a particular driv .
Each partition is id ntifie d by its Linux nam . The b ginning and nding s ctors for ach
partition is giv n. The numb r of s ctors p r partition is display d. Finally, th partition typ
is display d.
Not that th output of fdisk will chang d p nding on th Disklabel type of th m dia
b ing qu ri d. The abov output shows a disk with a GPT lab l. If you hav a standard DOS
styl MBR, th output will show slightly diffo r nt fie lds. For nativ handling of GPT partition
lab ls, you can us gdisk
Do not confus Linux fdisk with th old r DOS fdisk (for thos of us old nough to
r m mb r such things). The y ar v ry diffo r nt. The Linux v rsion of fdisk provid s for
much gr at r control ov r partitioning.
29
Another random document with
no related content on Scribd:
and a moderate amount of health may be good. A gummy
intracranial or spinal growth, giving rise to alarming symptoms, may
vanish as by magic upon prompt treatment. The symptoms of these
frank, specific growths are, as a general thing, characteristic and
widely different from those of the more insidious destructive lesions.
“An intracranial gumma often heralds itself by sharp, localized

headache, gradually deepening paralysis, aphasia, epilepsy, and
optic neuritis, while destructive lesions are more apt to have diffuse,
dull headache, stationary or lessening paralysis or aphasia, rarely
epilepsy or optic neuritis. Intraspinal gummata give rise to a painful
paraplegia, while an inflammatory or destructive change gives rise to
various and atypical sensory and motor manifestations.
“As to the pathology of these cases, I can say but little, as such
discussion opens the whole subject of the pathology of syphilis. This
I will say, that, so far as can be told without autopsies, no permanent
pathological condition was present in these cases which might not
have been brought about by other etiological factors which were
often present. The periencephalitis might be caused by alcohol,
mental strain, or excesses; the arterial occlusion might be due to
previous disease not specific.”
46 Medical News, vol. xlviii. No. 3, Jan. 16, 1886, p. 64.
TREATMENT.—The surgical treatment of tumors of the brain has

recently received a great stimulus from the report of a case which
occurred in the practice of A. Hughes-Bennett of London, and which
was operated on by Rickman J. Godlee. The case has been included
in the table (Case 24), where the symptoms and details of treatment
may be read. This case has served to bring into sharp outline many
of the difficulties and dangers of such an operation on the one hand,
and the few possible and exceptional advantages of it on the other. It
must be apparent, in the present state of knowledge and with the
additional light of this interesting case, that success must largely
depend upon the following conditions: The tumor must be
exceptionally localized—i.e. not very large—and non-multiple; it must
be cortical, or at least not very deep-seated; it is also quite essential
that it be in the motor zone, in order to admit of accurate diagnosis. It
would seriously impair the usefulness of the operation and the
prognosis if the case were of long standing with much necrosis of
brain-tissue, or if the growth were malignant and recurring. The
secondary complications, as inflammation and sepsis, are of course
possible in all surgical cases, and may be guarded against, as well in
cerebral as in other surgery. If such a criticism narrows the field for
the operation into almost hopeless limits, it may be reflected that one
or two successful cases are better than a hundred experimental
failures; that cases do occur in which the tumor is just so localized,
single, and superficial; that the urgency of distressing symptoms, as
pain and convulsions, urge the operation for palliation as well as
cure; and that these cases, without relief, are necessarily fatal, and
hence justify large risks.
By exclusion and a careful study of the symptoms we believe it may

become possible hereafter in some cases to localize in two other
accessible regions brain tumors with sufficient accuracy for purposes
of operation: these are the antero-frontal region and the postero-
parietal region.
The case of Bennett and Godlee was a most successful test of

diagnosis, and as a surgical endeavor might have been more
successful, as the operator himself suggests, if more careful
antiseptic precautions had been used. In the discussion of this case
before the Royal Medical and Chirurgical Society47 it was stated by
Hughlings-Jackson that three indications were of special importance
for this diagnosis: (1) local persisting paralysis; (2) epileptiform
convulsions, those beginning locally; (3) double optic neuritis, which
is diagnostic of tumor as distinguished from a sclerotic patch. It is
probable that permanent palsy would be left after a successful
operation in which the cortical tissue were destroyed, but as this is
compatible with life and comfort, it is not likely that, as an alternative,
it would be rejected by the patient. McEwen's case, also given in the
table (Case 25), is not as accurately reported48 as Bennett's, but was
partially successful. At the opening over the Rolandic region false
membrane was removed, and an incision made which let out
grumous red-colored fluid: this was followed by a decrease in the
paralysis and improvement in other brain symptoms. It is difficult to
understand why the opening was made in the occipital region. The
necessity for antiseptic measures is to be especially considered in
cerebral surgery. In a recent operation for a case of traumatic
epilepsy, under the care of Mills and White, in the Philadelphia
Hospital, in which quite extensive injury was done to the membranes
in removing fragments of bone, rigid antisepsis was employed; and it
is not too much to assume that the risks of the operation were much
diminished by it and its success ensured in an old and crowded
hospital building.
47 Brit. Med. Journ., May 16, 1885, p. 988.
48 Glasg. Med. Journ., xxi., 1884, p. 142.
In the medication of tumors of the brain we can unfortunately do but

little more than treat the symptoms and ameliorate the various
conditions as they arise. There is no specific for these growths,
unless the syphilomata be an exception; and experience shows that
specific treatment is usually disappointing even when applied to a
syphilitic brain tumor. The dietetic and hygienic rules laid down by
some are only such as are invariably recommended as routine
practice in all kinds of disease; and it almost seems a mockery to
offer them to a patient with an intracranial tumor with the same
gravity and detail as we suggest them in a curable fever or a hopeful
surgical case. It is possible that local depletion and revulsives, by
controlling irritation and hyperæmia, may be beneficial, though we
should hesitate to add to the sorrows of the patient the action of
tartarized antimony, even, with Obernier, in special cases. Hot or
cold effusions and the ether spray are worthy of mention. Local
applications of the galvanic current might be tried for its catalytic
action, but the observations are too few and the theory too
inapplicable to allow us to attach much importance to the suggestion.
The use of electricity to the limbs for paralytic symptoms certainly
does not promise much in the case of an obstinate neoplasm in the
brain.
Morphia and bromide of potassium are the two drugs which offer the
most promise in these fatal cases. They can often control the most
urgent and frightful symptoms. The headache, the obstinate
vomiting, the epileptic seizures, are all more or less amenable to one
or other of these remedies or a combination of them. Although the
vomiting is of centric origin, it is possible that remedies addressed to
the stomach might occasionally afford relief, just as we apply
medicines to that viscus in reflex irritation, in pregnancy, and in
debilitating diseases. The remedies which suggest themselves are
the salts of bismuth and cerium, the more stimulating wines, as
champagne, in small frequent doses, and cracked ice.
While morphia and bromide of potassium are, on the whole, the most
useful remedies for the relief of pain and irritating symptoms of brain
tumor, other remedies can often be used with great advantage as
adjuvants. Ergot in the form of the solid or fluid extract has a
beneficial influence in relieving the congestive symptoms. Cannabis
indica in the form of the fluid extract in doses of five to ten minims, or
the tincture in doses of fifteen to thirty minims, may be
advantageously combined with morphia and a bromide, or
sometimes may be tried alone. Hyoscyamus, either the fluid extract
or tincture, in somewhat larger doses may also be tried. The great
severity of the headache and the imperative demand, however, will
usually compel the physician to fall back at last upon morphia in
large dose by the mouth or hypodermically.
Leeches to the temples or behind the ears or to the mucous

membrane of the nose, either wet or dry cupping to the back of the
neck, and bladders or compresses of ice, or very hot water, may be
used to the head.
The various serious complications which so often accompany

intracranial tumors should be most carefully managed. Among the
most important of these are such affections as the conjunctivitis and
trophic corneitis, with anæsthesia, present in a few cases, usually
when the trigeminal is directly or indirectly involved. Cystitis and
pyelitis must be appropriately treated, and patients must be carefully
watched in order to prevent injurious consequences of over-
distension of the bladder or enormous fecal accumulations.
TABLE OF ONE HUNDRED CASES OF BRAIN TUMOR.

Sex
Pathology and
No. and Clinical History. Remarks.
Location.
Age.
Superior Antero-frontal Region.
1 M. 35. Syphilis and traumatism. Fibroma. C. K. Mills,
Philada. Med.
Headache; vertigo; mental slowness; Anterior superior Times, Jan. 18,
loss of attention; hysterical. Nystagmus. half of second 1879 and Arch. of
Tonic spasm of neck and forearm. frontal and anterior Med., vol. viii. No.
Movements weak and uncertain. superior and inner 1, Aug., 1882.
Explosive speech. Gradual blindness; half of first frontal;
choked discs. Conjunctivitis and anterior segment of
corneitis of left eye. Anæsthesia of gyrus fornicatus,
conjunctiva. Polyphagia. Constipation and anterior half
alternating with involuntary evacuations inch of corp.
and urination. Temperature 97°-101°. callosum.
Head-temperature above normal;
highest at frontal station; average, 96.5.
2 M. 50. Headache, dizziness, and slight right Fibroma. C. K. Mills. Not
facial paralysis. Dimness of vision. Day before published.
before death had an attack of One and a half
unconsciousness, from which he inches in diameter
emerged in half an hour. In two hours in the left antero-
had another attack; became comatose; frontal lobe, located
Cheyne-Stokes respiration; temperature so as to involve the
102.3°; pulse 150. Reflexes completely middle portions of
abolished. the first and second
frontal convolutions
and white
substance beneath
them almost to the
orbital surfaces.
White matter
softened posterior
to tumor. Adherent
to pia mater.
3 M. 16. Frontal headache, vertigo, staggering Glioma. Petrina.
gait toward right. Later, paresis of Vierteljahrschr. f.
sphincter of bladder. Some muscles of Frontal convolutions die Prakt. Heilk.,
right face paretic. Some weakness of flattened; brain- 1 Bd., 1877, p.
mind: emotional. Choreic movements of substance doughy; 126.
right arm, increased with mental cortex gray-red;
excitement. No deafness, loss of taste, medullary
or of tactile or heat sense. Slight traces substance reddish-
of sugar. Blurring of papilla and white. Corpus
hyperæmia of retina. Later, vomiting. callosum arched
Urine sp. gr. 1031. Irritability of mind, upward; lateral
with erotic conduct. Reduction of pulse ventricles enlarged
—54. Progressive emaciation and in posterior horns.
mental failure. Tremor in both arms, and Tumor in medullary
in right arm automatic movement. Boil substance of both
on left hand. Scaphoid abdomen. Later, frontal lobes,
temperature below normal; also pulse springing from
and respiration. Right facial paralysis septum and
unchanged. Still later, contracture of radiating toward
both elbows. Pupils react tardily. parietal lobes,
Apathetic. Very late, small quantity almost filling both
albumen, no sugar. anterior lobes, and
also adhering to
walls (apparently) of
ventricles. At base
extended backward
full extent of frontal
lobe.
4 M. 36. History of injury to the head. Frontal and Endothelioma. Philipson,
occipital headache. Vomiting and Medical Times
giddiness. Memory much affected. In right frontal lobe and Gazette, vol.
Double internal strabismus with unequal anterior portion. ii., for 1882, Sept.
pupils. Double optic neuritis. Hearing Three inches in 16, 1882, p. 355.
unaffected; sense of smell lost. Lies on diameter.
back. Stumbles on trying to walk. Surrounded by soft
Answers questions with difficulty; diffluent cerebral
speech slow and hesitating. Pain in tissue. Right frontal
head, apparently increased by bone had on its
percussion to right frontal region. internal surface a
much greater
concavity than the
left, and at its upper
and outer part was
rough, deeper in
color, and thin. Dura
mater adherent.
5 F. 32. History of chancre with secondary and Gumma. H. Knapp, Arch.
tertiary lesions of syphilis. Frontal node. of Ophthalmology
Constant headache. Epileptiform From dura mater and Otology, vol.
convulsions. Marked exophthalmus, into the brain- iv. p. 245.
with impairment of sight in both eyes. substance at the
Improved under iodide of potassium. anterior portion of
Grew worse again. Dimness of vision; the anterior lobe of
pain in head constant, and worse at the left hemisphere.
night. Ophthalmoscope revealed neuro- Brain-substance
retinitis with commencing atrophy of softened around
optic nerves. tumor. Left ventricle
dilated, and filled
with fluid.
Inferior Antero-frontal or Orbital Region.
6 M. 27. Loss of sight, increasing to total Fibro-sarcoma. L. Howe, Buffalo
blindness. Gradually increasing loss of Med. and Surg.
hearing, of smell, and of taste, in order Involving inferior Journ., xxi. p.
named. No anæsthesia. No paralysis portion of right 299.
mentioned. anterior lobe. The
first and second
pair of nerves were
involved, but no
other nerves.
7 F. 33. Paralysis and wasting of right leg since Cholesteatoma. Petrina, op. cit.,
childhood. Sudden severe general p. 126.
convulsions with loss of consciousness, Growing from pia
followed by paresis of right upper mater at the base
extremity. No facial or ocular paralysis. between both
Special and general sensibility normal. frontal lobes,
Recurrent convulsions, both tonic and extending to
clonic. Severe frontal headache; anterior margin of
continued paresis of right arm. corpus callosum
Apathetic. Right face partially paretic, and to optic chiasm.
and right oculo-motor weakened.
8 F. 20. Vomiting. Loss of sight and hearing; Under left anterior E. Williams, Med.
inability to speak. Somnolence. Pupils lobe and extending Record, 1868, pp.
widely dilated. Later, all special senses from falx cerebri, to 29-31.
involved. Tongue protrudes to right. which it was
Pulse irregular. Right face anæsthetic. adherent, over the
Neuro-retinitis in both eyes, worse in cribriform plate of
right; left eye retained some vision. the ethmoid,
Hearing and taste perfect; smell involving left
impaired. No paralysis. Pain constant olfactory nerve,
over eyes. No convulsions. backward and
diagonally across
the sella turcica to
right petrous bone,
where the end of it
pressed on fifth
nerve of right side
at its point of exit.
Pressed upon optic
chiasm.
9 M. 49. Vertigo. Always excessively stupid, Tumor the size of a Obernier, Virch.
allowing himself to be made a fool of. large walnut to the Arch., vol. xxxvi.
Violent bleeding from the mouth and right of the middle p. 155, and
nose ten years before death, followed line, external to the Ziemssen's Cycl.
by nasal discharge. Frontal headache, dura mater at a Pract. of
especially on left side. Failure of sight. point corresponding Medicine, Am.
Small tumor in inner upper angle of left to position of right ed., vol. xii. p.
orbit, which dislocates left eye outward; olfactory bulb. 268.
right eye also deviated outward without Vitreous table of the
any apparent mechanical reason. Pupils frontal bone and
dilated and sluggish. Sight much crista galli of the
diminished. Mouth slightly drawn to one ethmoid completely
side. Speech slow, but not hesitating. destroyed. On the
Gave replies to questions slowly, and inner side of dura
did not usually keep to the point, but mater another
clothed his answers in general remarks. tumor fills the right
A certain amount of self-esteem anterior fossa and a
pervaded his conversation. Continuous large portion of the
headache. Very late, had convulsions left.
which began on the left side and
extended to the right.
10 M. —. Diminution of vision. At first much Sarcomata. Saemisch, Klin.
reduced, without any ophthalmoscopic Monatsblätter,
changes. Slight headache; loss of Two tumors: one 1865, p. 51,
appetite; restless sleep; rapid pulse. about the size of a quoted by
Vision sank rapidly until completely pigeon's egg Obernier,
extinguished. Remained thus for between the optic Ziemssen's Cycl.
nineteen days; then sight began to trunks in front of the of the Pract. of
return, first in the right eye, and then in chiasm, surrounded Medicine, Am. tr.,
the left. Increased, so that an by the optic nerve in vol. xii. p. 269.
examination of the eccentric fields could a forked manner,
be undertaken; this showed absence of the nerve-fibres
the external halves of the fields of vision being parted by it. A
—hemianopsia. “The transition of the second tumor
existing portions of the fields of vision to situated beneath
the lost portions was effected by a the pons, raising
region which, by a low light, should be the dura mater. It
reckoned to the latter, so that then the had probably
boundary-line of the defect fell originated in
somewhat to the outside of the fixation- cavernous sinus.
point running in the right eye in a
vertical direction, and in the left
diagonally from the inside and above
downward and outward. Within the next
four weeks the central vision increased
in the right to V = 1/2, and in the left to V
= 1/20, while the defect in the eccentric
vision continued in the way described.”
Patient died of symptoms of acute

meningitis.
Rolandic Region—Motor Cortex.
11 F. 38. History of syphilis. Blows on the head. Gumma. C. K. Mills, Arch.
Headache, with agonizing paroxysms. Med., vol. viii. No.
Top and right side of head sensitive to Attached to the 1, August, 1882.
percussion and headache severest in fused membranes
these regions. Vomiting; vertigo. Great of the right
mental irritability. Severe left-sided convexity. Involved
spasms, beginning with twitchings in left the upper fourth of
toes and foot. Partial paralysis of right the ascending
leg and arm, most marked in leg. frontal and a
Hyperæsthesia. Impaired sight. Choked smaller segment of
discs. Head-temperature taken once: the ascending
right parietal region, 97.2° F.; left parietal convolution,
parietal region, 96° F. crossing Rolandic
fissure at its upper
extremity. A good
example of strictly
cortical lesion.
12 F. 30. No history of causation. Headache Carcinoma. C. K. Mills,
continuous, sometimes agonizing. reported at the
Percussion of head caused most pain in The tumor involved meeting of the
right parietal region. Vomiting when the middle portion American
headache was most severe. Vertigo. of the ascending Neurological
Mind clear, but acted slowly: emotional. parietal convolution Association,
Spasm, beginning with twitching of and the upper part June, 1881, Arch.
fingers of left hand: most severe on left of the inferior Med., vol. viii. No.
side, and especially in left arm. Upper parietal lobule, 1, Aug., 1882.
as well as lower fibres of left facial nerve pushing aside the
partially paralyzed; nearly complete interparietal fissure.
paralysis of left arm; slight paralysis of The anterior
left leg. Bowels and bladder partially extremity of the
paralyzed. Impaired sensibility in limbs tumor was about
of left side. Left patellar reflex one-fifth of an inch
diminished. Sight very imperfect. back of the centre
Choked discs. Hearing defective in right of the fissure of
ear. Rolando. On the
inner side of the
tumor the white
matter of the brain
was broken down.
Adherent to the pia
mater; the pia and
dura mater were
united by strong
adhesions.
13 M. 31. Evidences of tuberculosis. Headache Tubercular tumor. C. K. Mills, Arch.
continuous, with severe exacerbations; Med., vol. viii. No.
most severe at vertex. Vertigo. Some Dura and pia mater 1, Aug., 1882.
irritability and emotionality; hallucination adherent over the
that some one was going to come and tumor, which
take him away. Spasm confined to left involved the
arm. Partial paralysis of left arm and leg, posterior
and, late in his illness, of left side of extremities of first
face. Left hemianæsthesia, at first and second frontal
partial, but later complete and and upper thirds of
persistent. Sight impaired; right pupil both ascending
dilated and left contracted before death. convolutions of right
No ophthalmoscopic examination. hemisphere. Interior
Hearing defective in left ear; tinnitus of hemisphere
aurium. Head-temperature taken once: broken down; the
right frontal region, 98° F.; left frontal parts destroyed
region, 96.3° F. Cheyne-Stokes included white
breathing on day of death. matter of the
parietal lobe, the
posterior third of
lenticular nucleus,
and the adjacent
portion of internal
capsule. Miliary
tubercles in pia
mater around and
near the tumor.
14 M. 19. First symptom, headache; then vertigo. Gumma. C. K. Mills, Med.
Sudden right brachial monoplegia; and Surg. Rep.,
possibly some paresis of leg. A large tumor in the vol. li., Aug. 2,
Recovered use of arm; went to work; ascending frontal 1884, p. 119.
was kicked by a mule, and became convolution, at
worse. Headache and right-sided junction of middle
paresis returned. Increasing stupor; and upper thirds:
paralysis of right arm complete; of leg one-third of mass
almost; right facial paresis; ptosis of on convexity of
right side. Partial anæsthesia on right convolution, the
side of face; pain on right side. Slight remainder in fissure
clonic spasms of right arm. Paralysis of of Rolando. Smaller
bowels and bladder in last week. tumor at inferior
Tendency to Cheyne-Stokes respiration. angle of right lobe
No vomiting. Eyes not examined. of cerebellum.
Some basal
meningitis with
effusion.
15 M. 56. Sickness began with an epileptiform Glioma. Samt, Arch. gén.
seizure lasting about ten minutes; de Méd., Jan.,
flexing movements of right arm. Next In the left ascending 1876, from Berlin.
day dragged his right leg slightly. Partial frontal convolution, klin.
convulsions, without loss of occupying the Wochenschr.,
consciousness, followed, and became upper third of this Nos. 40, 87.
very frequent. Two months before death convolution. The
convulsions ceased, but absolute tumor extended
paralysis of the arm and paresis of the backward to the
leg remained. One month later complete fissure of Rolando,
palsy of right half of face occurred. Mind and in front was
became impaired. Complete aphasia. bounded by a
Right-sided anæsthesia. Reflexes of vertical line which
right foot less marked than those of the would meet the
left. Rectal temperature, 100.4° F. At upper extremity of
times deviation of the head and eyes to the vertical frontal
the left. Left frontal and temporal fissure. The inferior
regions tender to pressure. Very late boundary was
nystagmus. No headache. distant about one
and three-quarter
inches from the
longitudinal fissure.
Surrounding
convolutions
flattened and
widened.
16 M. 49. Irritability and loss of memory. Paresis, Glioma. A. Hughes
passing to paralysis, of left arm; paresis Bennett, Brain,
of left leg. Slight left-sided paralysis of Involving the middle vol. v., 1882, p.
tongue. No facial paralysis; no optic portion of the right 550.
neuritis. Ankle-clonus and exaggerated ascending frontal
knee-jerk on left side. No wasting of convolution and
muscles or abnormal electrical posterior end of
reactions. Toward end paroxysmal middle frontal
twitchings of left side, including side of convolution,
face, with left-sided paresis of face. extending as a
Hebetude. Visual hallucinations. spheroidal mass
Complete left hemiplegia. Paralysis of downward to roof of
sphincter. Vomiting. Strong contraction lateral ventricle.
of pupils. Duration about two months.
17 M. 30. Convulsions for twelve years prior to Glioma. J. Hughlings-
death. Character of fit: first, cramping of Jackson, Brain,
right big toe, then twitching of calf- Left hemisphere, vol. v., 1882, p.
muscles and drawing up of leg and including posterior 364.
knee. Most of the fits stop here, without half of superior
loss of consciousness. In some fits the frontal convolution
arm is convulsed after the leg, and upper half of
beginning in fingers, and consciousness ascending frontal
is lost. Paralysis of right leg. Slight convolution, except
convulsive action of left leg. Sensation the extreme end.
of right leg unimpaired. Temporary The superficial area
aphasia at beginning of attack; on one was defined by
occasion the aphasia was present fissure of Rolando
without fit. The right arm probably posteriorly, superior
paretic after each seizure. No facial frontal fissure
palsy. Has as many as thirty fits daily. externally, and
Marked cessation of seizures at one longitudinal fissure
time. Three days before death became internally. Anteriorly,
hemiplegic, with exaggerated deep the tumor gradually
reflexes on paralyzed side; also ankle- merged into normal
clonus. During later years fit sometimes brain. In the
began in hand. No optic neuritis while longitudinal fissure
under observation. the growth
extended to calloso-
marginal fissure.
18 F. 58. General headache, most marked in the Alveolar carcinoma. E. C. Seguin,
occipital region, and always worse at Opera Minora, p.
night. Sore, stiff feeling in neck; at times An ovoid tumor in 495, and Journal
nausea and vomiting. Trembling of left the upper part of of Nervous and
hand; later, paresis. Two sorts of the ascending Mental Disease,
movements of left arm—one, a fine frontal convolution vol. viii. No. 3,
tremor; the other, attacks of jerking. and in its subjacent July, 1881.
Paresis of left arm increasing, with white matter. It
some contracture; slight paresis of left extended well
leg. Sight failing; later, semi-stupor; across the fissure of
pupils small and fixed, the right larger. Rolando.
Right internal rectus weak. Left lower
face paretic. Strong contractures of left
arm and hand. Good knee-jerk. Choked
discs. Some days bright, others almost
moribund. Case advanced to complete
paralysis of left arm and leg; involuntary
evacuations; divergent strabismus and
ptosis; indistinct speech; delirium and
coma.
19 M. 50. History of syphilis and severe fall on the Gumma. H. C. Wood,
head. Vertigo. Prickling sensation in left “Proceedings of
foot, extending to thigh, finally to arm One-third of an inch the Philada.
and head, followed by unconsciousness in thickness at the Neurological
and convulsion. Stupor after convulsion. middle of the Society,” Medical
After this, convulsive attacks at ascending frontal News, vol. xlviii.
intervals. Eighteen months before death convolution. No. 9, Feb. 27,
an apoplectic attack, in which was Membranes fused; 1886, p. 248.
unconscious for several hours. tumor adherent to
Spasmodic attacks, preceded by a them. Œdema of
peculiar twisting of the fingers of the left the brain. Gumma
hand. Paresis of the right hand and arm. in the lungs.
Some diminution of sensation, not well
made out. Slight want of use of the left
leg.
20 M. 59. Gradual loss of speech—aphasia. Myxo-glioma. Petrina, op. cit.
Gradual paralysis of right side. No
headache prior to this. No anæsthesia. In front of the left
Taste, smell, hearing, and sight intact. ascending frontal
Apathetic face. Middle branch of facial convolution,
nerve paralyzed, especially the muscles bounded below by
of the right corner of the mouth. the Sylvian fissure
Wrinkles of forehead less strongly and the upper
marked. Right upper and right lower convolution of the
extremity in strong contracture. Leg island of Reil;
swollen. Increasing torpor of bladder. seems to
Normal electrical reactions, except immediately enter
speedier and increased reaction of the into the structure of
right facial nerve. Reactions of the island. Left optic
convulsibility in the right arm with ten to thalamus and
twenty cells. Very late, unconsciousness corpus striatum
and paralysis of bowels and bladder. moist, but
completely
separated from the
tumor. Convolutions
flattened.
21 M. 35. Had epileptic fits for two years before Gumma. F. H. Martin,
his death. Occasionally the spasms Chicago Med.
began in the left half of the face and Arising from the Journ. and
extended to the arm and leg, but did not membranes, two Exam., vol. xlvi.
become general. After such attacks inches in diameter, 21.
sensation was lost in the left arm, and but very thin,
the arm was paretic for some hours. involved the gray
Toward the close of life the paresis matter of the
became permanent, and extended from posterior
the arm to the leg, and sensibility was extremities of the
somewhat impaired in these limbs. The first and second
temperature was 2.5° F. higher over the frontal convolutions,
right parietal eminence than over the the upper and
left. middle thirds of the
ascending frontal
convolution, and the
adjacent border of
the ascending
parietal convolution
of right hemisphere.
22 F. 57. After excitement lost consciousness. Fibro-glioma. Petrina, op. cit.
Paresis and heaviness of the right upper
extremity. Aphasia; used words Tumor size of fist
inaccurately; short of words and occupied the whole
enunciation impaired. Second attack of of the lower and
loss of consciousness. Twitching in right middle portion of
half of body and face. Paralysis of right the parietal lobe,
upper extremity. Severe pains in right imbedded in both
arm and leg. Another attack of loss of ascending
consciousness, with spasms of right half convolutions.
of body. Right lower extremity and right Ascending frontal
lower face paretic. Slight trismus; right convolution pushed
masseter contracted. Dull headache. aside; the
Organs of sense not affected. annectant gyrus
Understands all that is said to her, and island of Reil
although aphasic. Sensibility good. compressed and
Right-sided pneumonia; œdema of lung. flattened. Fissure of
Sylvius arched over
by tumor. White
substance also
pushed toward the
corpus striatum.
Meninges
congested. Left
parietal bone
somewhat
excavated.
23 F. 39. Began to suffer with epilepsy two weeks Gumma. H. B. Sands,
after a blow on the left parietal region. Med. News, April
The fits were preceded by formication in A gumma one inch 28, 1883.
the right hand and tongue, and began in diameter was
with spasm in the right hand, which was found on the
weak for some hours afterward. A surface of the left
permanent right facial paresis hemisphere, at the
developed one month after the blow, junction of the
and two months later the tongue, arm, middle and lower
and hand were also paretic on the right thirds of the
side. Disturbance of vision due to ascending parietal
choked discs had developed, and convolution, and
temporary attacks of aphasia occurred involving also the
after the frequent convulsions. She sank convolution
into a condition of stupor and aphasia posterior to this.
four months after the first symptoms. The membranes
The skull was then trephined at the seat were adherent to
of the old injury in hopes of evacuating a the gumma.
chronic abscess, but no pus was found.
One week after this she died.
24 M. 25. Four years previous to death had Glioma. Hughes-Bennett
received a blow on the left side of the and Rickman
head. A year later, twitching in the Meningitis was Godlee, British
tongue and the left side of the face. found at the lower Medical Journal,
Twitching of the left arm. Twitching border of the Nov. 29, 1885.
increased. Paroxysmal spasm and wound, spreading
general convulsions, with loss of downward toward
consciousness. Paresis, and then the base of the
slowly-developed paralysis, of the brain.
forearm and hand. Some paresis of left
leg. Double optic neuritis. Violent
headache.
This patient was in charge of Hughes-
Bennett at the Hospital for Epilepsy and
Paralysis, London. He diagnosticated
brain tumor, and suggested its removal.
Rickman Godlee trephined over
suspected region, and removed a
glioma of the size of a walnut. The
operation was performed November
25th. The patient did well until
December 16th, when he was seized
with a rigor, followed by fever, sickness,
and pain in the head. A hernia cerebri of
large dimensions supervening, he died
December 23d.
25 F. —. Syphilitic history. Tingling sensation and After antisyphilitic Macewen,
numbness of the left arm and leg, which treatment and “Proceedings of
increased until it ended within six weeks counter-irritation, Path. and Clin.
from its commencement in complete trephining was Soc. of Glasgow,”
motor paralysis, with a deficiency in the performed over the Glasgow Med.
perception of touch. Left side of the face middle of the Journ., vol. xxi.,
also slightly paretic. Mental confusion ascending parietal 1884, p. 142.
and loss of memory. and frontal
convolutions.
Internal table of the
disc removed was
found softened and
thicker than usual,
having on its
internal surface
projections or
roughnesses. A
second opening
was made over the
occipital region, and
a similar thickening
was found.
Opposite first
opening the dura
mater pale and
thickened. It was
elevated, and a
false membrane of
yellow color was
removed. An
incision was made
in the direction of
the paracentral
lobule, when a gush
of grumous, red-
colored fluid
escaped.
Day after the

operation much
better; on third day
moved her toes;
within a week lifted
her leg; fingers
moved within a
week. Mind greatly
changed for the
better.
Centrum Ovale—Fronto-parietal Region.
26 F. 16. Fell when sixteen months old from the Fibro-glioma. Osler, Medical
table on her head. Left hand, five News, vol. xliii.,
months later, noticed at times to be stiff In the white matter, Jan. 19, 1884, in
and firmly closed. Three months later but touching upon “Proceedings of
the leg became similarly affected, and the gray at several Medico-
two months later general paroxysms. spots at the position Chirurgical
Many seizures for periods of weeks or of the upper end of Society of
months, then intervals of freedom. the ascending Montreal;” also,
Spasm began by contraction of the left frontal convolution Am. Journ. Med.
hand: she would lie down and jerk for a of the right Sci., N. S. vol.
half minute or minute, laughing or hemisphere. The
talking all through it, never losing tumor occupied lxxxix., Jan.,
consciousness. In about six years left largely the anterior 1883, p. 31.
leg became paretic. Seizures became portion of the
much worse and more frequent; paracentral lobule.
unconscious for six weeks, and fifty to
eighty spasms in twenty-four hours. Ten
months without spasms until a week
before death, when they returned with
great violence. Spasms always began in
the left hand; appeared to extend to the
leg first, and then to the face. Intellect
clear.
27 M. —. Severe fall, followed by insensibility. Sarcoma. E. C. Seguin,
Paralysis of the left side followed injury, Opera Minora, p.
but improved. Three years later, Larger than a hen's 215; reprinted
epileptic convulsions: sudden fall, egg in white from the
general spasm, biting tongue. These substance of right Transactions of
attacks replaced by partial or localized hemisphere, the Amer. Neurol.
epilepsy without loss of consciousness: occupying the Ass., vol. ii.,
tonico-clonic spasm of muscles of left whole thickness of 1877.
side of face and neck and of left upper the hemisphere
extremity, especially of the thumb and above the opto-
index finger. Left pupil a trifle larger than striate bodies.
right; left cheek paretic, left arm and Exerted much
forearm absolutely paralyzed; left leg pressure upon
weak. Marked tactile anæsthesia on left these bodies, on
side. Ophthalmoscope showed fulness convolutions near,
of veins, but no neuro-retinitis. Late, and even upon the
some opisthotonos. Deafness in right inner surface of the
ear; axillary temperature, 36.4° C. Pain left hemisphere.
in right arm and leg and in posterior part Adherent to the
of head on right side. Conjugate dura mater. Right
deviation of head and eyes from palsied half of the brain
side. No neuro-retinitis. Localized and much enlarged, and
general convulsions recurred from time lateral ventricle and
to time. septum lucidum
forced over to the

Textbook The Law Enforcement and Forensic Examiner S Introduction To Linux A Comprehensive Beginner S Guide To Linux As A Digital Forensic Platform Barry J Grundy Ebook All Chapter PDF

Uploaded by

Copyright:

Available Formats

Textbook The Law Enforcement and Forensic Examiner S Introduction To Linux A Comprehensive Beginner S Guide To Linux As A Digital Forensic Platform Barry J Grundy Ebook All Chapter PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Textbook The Law Enforcement and Forensic Examiner S Introduction To Linux A Comprehensive Beginner S Guide To Linux As A Digital Forensic Platform Barry J Grundy Ebook All Chapter PDF

Uploaded by

Copyright:

Available Formats

The Law Enforcement and Forensic

Examiner s Introduction to Linux A

Linux Administration a Beginner s Guide Wale Soyinka

Practical Forensic Imaging Securing Digital Evidence

Forensic Anthropology: A Comprehensive Introduction,

WordPress fundamentals A comprehensive beginner s guide

Digital Forensic Art Techniques A Professionals Guide

Forex Trading A Comprehensive beginner s guide to learn

Alcohol, Drugs, and Impaired Driving-Forensic Science

Mastering Linux Shell Scripting a practical guide to

A Compr h nsiv B ginn r’s Guid to Linux as a Digital For nsic

FILE LISTING.................................................................................................................... 175

XII. LINUX SUPPORT.....................................................................................................307

All trad marks ar th prop rty of th ir r sp ctiv own rs.

© 1998-2017 Barry J. Grundy ([email protected]): Theis docum nt may b r distribut d,

As always, th r is no possibl way I can thank v ryon that d s rv s it. Ov r th y ars I

My continu d thanks to th Linux K rn l, various distribution, and softwwar d v lopm nt

The LinuxLEO logo was d sign d by Laura Ette r ([email protected]).

The cont nt is m ant to b “b ginn r” l v l, but as th comput r for nsic community

How v r, this is by no m ans m ant to b th d fienitiv “how-to” on for nsic m thods

As always, I am op n to sugg stions and critiqu . My contact information is on th

Theis docum nt is occasionally (infr qu ntly, actually) updat d. Ch ck for n w r

A word about the “GNU” in GNU/Linux

Wh n w talk about th “Linux” op rating syst m, w ar actually talking about th

Why Learn Linux?

W also n d to consid r th us fuln ss of Linux in acad mic and r s arch applications.

Where’s all the GUI tools?

As much as possibl , th tools r pr s nt d in this guid ar callabl from and r quir

K p th s points in mind as you go through th x rcis s h r . Und rstand why and

Thee Exercises – New and Old

LinuxLEO YouTube Channel

htteps://www.youtub .com/chann l/UCRyk5g_LoiYtEGy3dlkAsvQ

Conventions Used in this Document

Theis is ss ntially a command lin (t rminal) s ssion wh r N

...is th command prompt, follow d by th command typ d by th us r and th n th

In Linux, th command prompt can tak diffo r nt forms, d p nding on th nvironm nt

user@hostname:[present working directory]#

m aning that w ar th us r “root” working on th comput r nam d “forensic1”

Theis is an important diffo r nc . The root us r is th syst m “sup rus r” or

Wh r you s llips s (“...”), it indicat s r mov d output for th sak of br vity or

At a minimum, you ar going to want to know and plan for:

• Hard driv partitioning sch m

Most distributions hav a pl thora of docum ntation, including onlin h lp and

Linux com s in a numb r of diffo r nt “flaavors”. The s ar most oftw n r f rr d to as a

It is common to h ar us rs complain that d vic X works und r on distribution, but

On thing w ’v s n mor and mor of lat ly ar som what specialized distros, or in

Som xampl s of sp cializ d distributions that may b of int r st to r ad rs of this

▪ Thee Parrot Project – A S curity distribution that “includ s a full portabl

▪ Thee SANS SIFT Workstation – An advanc d incid nt r spons and digital

▪ Kali Linux – An advanc d p n-t sting and s curity distribution bas d on

On thing to k p in mind: As I m ntion d arli r, if you ar going to us Linux in a

SLACKWARE and Using this Guide

If you ar s l cting a Linux distribution for th sol purpos of l arning through

By d fault, Slackwar 's curr nt installation routin l av s initial disk partitioning up to

If you ar comfortabl with anoth r distribution, th n by all m ans, continu to us and

Download th n d d bootabl m dia fiel s, burn th m to a DVD or r movabl driv and

Slackware Installation Notes

H r ’s som installation advic . R ad this, th n r ad th Installation s ction in th Slack Book

1) Boot th Linux m dia.