Cross-Linux Distro Forensic Data Collection Techniques for IR

Background: One of the IR stages is the "collection" stage, which occurs between containment and analysis. We sometimes need to collect evidence from Kubernetes pods or Docker containers, which can run different Linux distributions and create new challenges for incident responders. Likewise, on‑premises or VM environments that are not using containers — and environments without Kubernetes or Docker — can also present difficulties, especially when collecting logs or cloning disks.

Challenge: As we dive deeper into action items, one method for cloning a disk is to use specialized forensic kits for data acquisition, or to use the out-of-the-box Linux utility dd, which is included by default in many distributions.

Challenge for all distors related to DD: All ubuntu distros support DD Alpine linux contains DD

Sometimes, the dd command may not be available to resolve such issues. In these cases, you can use the cp command to create a backup and then archive it. However, this method has some disadvantages because certain directories, such as /proc and some folders under /sys, cannot be copied.

cp -r / /mnt/backup/ 2>/dev/null

To bypass these restrictions, another method is to use rsync and exclude those folders.

sudo rsync -aAXv / /mnt/backup   --exclude="/sys/" --exclude="/proc/"

Conclusion: In this article, we have described only on-premises hosted Linux environments. The situation changes when we start to deal with Kubernetes clusters or cloud-hosted systems, which we will explore in the next chapters.