Welcome to NIELIT Digital Forensic VT Classroom

Linux Live Forensics


Before we set up and configure a Linux forensic workstation, it is helpful to provide an overview of Linux's relevance to forensics. A Linux workstation is a powerful tool for forensic investigation because of its wide support for many file systems, the advanced tools available, and the ability to develop and compile source code. However, since many examiners are not familiar with Linux, the following sections provide a breakdown of some of the more common Linux commands, including a description of each command, its general usage, and one or more examples of how the command can be applied.

The advantage of the Penguin Sleuth Kit as a virtual appliance is that there is an immediate reduction in installation and development time – it is essentially a forensics computer ready to go right away.

Some of the forensic tools already included in the virtual appliance are as follows:

  • Sleuth Kit – Forensics Kit: a collection of file system tools that allows you to examine file systems of a suspect computer
  • Forensics Browser Autopsy: a browser interface that allows you to investigate the file system and volumes of a computer
  • dcfldd – DD Imaging Tool: an enhanced version of GNU dd optimized for forensics
  • Data Carver command-line tool: a console program to recover files based on their headers, footers, and internal data structures
  • MD5 Hashing Program
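
The header/footer recovery described for the data carver, combined with MD5 hashing of each recovered file, as an added example (not part of the original page and not code from the Penguin Sleuth Kit). The function names, the two-entry signature table and the sample image are constructed for illustration; a header with no footer in range is treated as truncated and skipped.

```python
import hashlib

# Header/footer magic values for two common formats (well-known signatures).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Carve files out of a raw image by header/footer; results sorted by offset."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            # Look for the footer only within max_size bytes of the header.
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Truncated or fragmented file: skip this header, keep scanning.
                pos = image.find(header, pos + 1)
                continue
            stop = end + len(footer)
            blob = image[pos:stop]
            found.append({
                "type": kind,
                "offset": pos,
                "length": len(blob),
                "md5": hashlib.md5(blob).hexdigest(),  # hash each recovered file
            })
            pos = image.find(header, stop)
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed test image: one JPEG-like blob, one PNG-like blob, one truncated header."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"T" * 8  # header with no footer
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 64 + truncated + b"\x00" * 32


if __name__ == "__main__":
    image = build_sample_image()
    print("image md5:", hashlib.md5(image).hexdigest())
    for item in carve(image):
        print(item)
```

Matching on the first footer is the simplest strategy; a JPEG with an embedded thumbnail contains an earlier footer marker, which is why carvers also check internal data structures.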

