Linux-Forensics

On day two of my forensics challenge, I dive deep into Sleuth Kit’s layered toolset. From volumes to inodes, metadata, deleted files, timelines, and journals — I explore the core forensic workflows and decode a real ext4 image step by step.

In this introductory forensics lab, we explore how to mount and examine disk images using loop devices, losetup, SleuthKit tools, and file system inspection techniques. A hands-on walkthrough for raw, split, and forensic image formats like AFF and EWF.