Linux Forensics Tools

This report aims to provide an overview of different Linux forensic software.

2 Motivation

Nowadays, most web, mail, database, and file servers are Linux servers. Linux is a UNIX system, which means it has strong compatibility, stability, and security features. Linux is used for these environments because the services they host require a high level of security. At the same time, attacks on these servers are increasing, the methods available to prevent intrusions on Linux machines are insufficient, and incident analysis on Linux systems receives too little attention (Choi, Savoldi, Gubian, Lee, & Lee, 2008). Many investigators also lack experience with Linux investigations (Altheide, 2004). For these reasons, it is necessary to provide a set of tools that assist investigators during their investigations.

3 Linux Investigation Software

There is a wide range of Linux investigation software available, from single-purpose tools such as file carvers to entire collections of tools. Below, some of the most popular Linux investigation tools are described. The focus is on The Sleuth Kit because it is organized according to the different layers of the file system, which gives an interesting insight into how forensics is performed on file systems.

3.1 The Sleuth Kit

The Sleuth Kit (TSK) is a collection of file system tools originally developed by Brian Carrier. TSK is an improved and extended development of The Coroner's Toolkit (TCT). TCT had severe limitations, so TSK was developed to overcome these shortcomings (Altheide & Carvey, 2011). TSK includes 21 command line utilities. The utilities are named so as to orient users who are familiar with UNIX and the Linux command line: each tool name consists of two parts, a prefix that indicates the file system layer at which the tool operates and a suffix that indicates the kind of result it produces.

In addition, there are two layers that do not correspond exactly to the file system model (Altheide & Carvey, 2011):

  • j-: works on the file system journal
  • img-: works on image files

The following table summarizes the meaning of the suffixes.

| Suffix | Description |
|--------|-------------|
| -stat  | Displays general information about the queried element |
| -ls    | Lists the contents of the queried layer |
| -cat   | Extracts the contents of the queried layer |

Table 3-1: TSK suffixes (Altheide & Carvey, 2011, p. 43)

TSK does not include tools that work on the disk layer, because TSK is a file system forensic analysis framework.
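As an added example (not code from the report or from TSK itself), the following shell script chains TSK utilities layer by layer on a disk image, which is what the prefix/suffix naming makes convenient. It assumes the real Sleuth Kit tools img_stat, mmls, fsstat, fls and icat are installed (they are not named in the text above), and the mmls output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example: walk a disk image through TSK's layers
# (image -> volume -> file system -> file name -> content).
# Assumes the Sleuth Kit tools img_stat, mmls, fsstat, fls and icat
# are installed; nothing here is code from the report or from TSK.

# Constructed sample of `mmls` output for a two-partition DOS image.
sample_mmls() {
    printf '%s\n' \
      'DOS Partition Table' \
      'Offset Sector: 0' \
      'Units are in 512-byte sectors' \
      '' \
      '      Slot      Start        End          Length       Description' \
      '000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)' \
      '001:  -------   0000000000   0000002047   0000002048   Unallocated' \
      '002:  000:000   0000002048   0000204799   0000202752   Linux (0x83)' \
      '003:  000:001   0000204800   0000409599   0000204800   Linux Swap / Solaris x86 (0x82)'
}

# Volume layer: read mmls output from stdin and print the start sector of
# every allocated partition, one per line. The partition table entry
# ("Meta") and unallocated gaps ("-------") carry no file system.
mmls_fs_offsets() {
    awk '/^[0-9][0-9][0-9]:/ {
            if ($2 == "Meta" || $2 == "-------") next
            sub(/^0+/, "", $3)              # drop zero padding for -o
            print ($3 == "" ? 0 : $3)
         }'
}

# Chain the layers on a real image: img- (image), mm- (volume),
# fs- (file system), f- (file name). Partition offsets feed the -o option.
tsk_walk() {
    img="$1"
    img_stat "$img"                                   # image layer
    mmls "$img" | mmls_fs_offsets | while read -r off; do
        echo "== partition starting at sector $off =="
        fsstat -o "$off" "$img" | head -n 20          # file system layer
        fls -o "$off" -r -d "$img"                    # file name layer, deleted entries
    done
}
# Content layer, once an inode of interest is known from fls:
#   icat -o <offset> evidence.dd <inode> > recovered_file
# usage: tsk_walk evidence.dd
```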