A New Approach for Real Time Evidence Collection from Linux Environment
Journal: International Journal of Science and Research (IJSR), Vol. 5, No. 5
Publication Date: 2016-05-05
Authors: Neethu P Nair; Maniveena C
Pages: 1487-1489
Keywords: inode; inotify; post-mortem analysis; syslog; monitoring
Abstract
Evidence collection from computers is an important step in the process of digital investigation. An event could correspond to a system log entry in which the operating system has recorded that a particular user or application performed a certain action. Depending on the configuration of the system, the logs may omit some types of forensically interesting events and include many forensically uninteresting ones. There is therefore an increased need for a system that collects evidence related to computer activities. This paper aims at a real-time computer forensics system that records computer activity on a Linux based computer system for forensic investigation. This will help investigators who look for evidence on these operating systems. The method differs from the traditional post-mortem method of examining data, since activities are recorded as they happen.