Please post any questions you might have while going through Chapter 2: Determining if there was an Incident in the Linux Forensics Book.
Not really a question, but just noting something I find useful.
When collecting the open files on a system, the book mentions "lsof -V". I like to add the "-P" option so that it doesn't convert the well-known port numbers to names.
I can see how that might make sense for a more advanced user. I think some that are newer might prefer to have things interpreted. Thanks for the tip.
Where can I get known-good binaries from? Can I just get them from a live CD? Do I need to get them based on the OS version?
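An added example tying the two points above together (the `lsof -V -P` tip and the known-good binaries question); this is not code from the book or from anyone in the thread. It assumes a toolkit directory on the responder's USB stick that was built on a trusted machine running the same distribution and version as the subject (dynamically linked tools still load the subject's shared libraries unless they were compiled statically), together with a `MANIFEST.sha256` file generated there with `sha256sum <tools> > MANIFEST.sha256`. The toolkit is checked against that manifest before anything runs, `lsof` is invoked by its path inside the toolkit with `PATH` restricted to the toolkit, and the collected output is hashed immediately so later modification of the evidence file is detectable. The paths in the usage comment are placeholders.

```bash
#!/bin/bash
# Added example, not from the Linux Forensics Book. Assumes a known-good toolkit
# directory containing lsof and a MANIFEST.sha256 produced on a trusted host.

# Verify every file listed in the toolkit's manifest. Returns non-zero on any
# mismatch or missing file, so a tampered or wrong-version kit is never used.
verify_toolkit() {
    local toolkit="$1"
    ( cd "$toolkit" && sha256sum --quiet -c MANIFEST.sha256 ) >/dev/null 2>&1
}

# Collect open files from the subject system using the toolkit's own lsof.
#   -V  report search items lsof could not find (as the book suggests)
#   -P  keep port numbers numeric instead of resolving them to service names
#   -n  skip DNS lookups, which are slow and leak activity to the network
# The output is written to $outdir and hashed right away.
collect_open_files() {
    local toolkit="$1" outdir="$2"
    verify_toolkit "$toolkit" || { echo "toolkit failed integrity check" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # PATH is limited to the toolkit so nothing from the subject's own PATH is executed.
    PATH="$toolkit" "$toolkit/lsof" -V -P -n > "$outdir/lsof.txt" 2> "$outdir/lsof.err"
    # Record the hash of the collected file as soon as it exists.
    ( cd "$outdir" && sha256sum lsof.txt > lsof.txt.sha256 )
}

# Usage (placeholder paths):
#   collect_open_files /media/usb/kit /media/usb/case001
```

If the integrity check fails, nothing is collected: a kit that does not match its manifest is the wrong kit for this subject, either because it was altered or because it was built for a different OS version.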
The book mentions that you don't want to run Python on the subject system due to the memory footprint but what about running a version of Python that is on your forensics USB stick?