-Version 3.78 released: 8 Dec 2008
-Version 3.65 released: 3 Sept 2008
-Version 3.21 released: 12 Dec 2007
-Version 3.20 released: 22 Oct 2007
-Linux LEO Goes Live: 22 Oct 2007


The Beginner's Guide v3.78 (PDF)
Readme File (txt)
Change log (txt)
ToDo List (txt)

Supplemental Files

Floppy Practice Image (practical.floppy.dd)
"Able2" Ext2 Disk Image (able2.tar.gz)
Practice Log Archive (logs.v3.tar.gz)
Raw Carving Practice (image_carve.raw)
NTFS Image (ntfs_pract.dd.gz)
NTFS E01 (EWF) Image (ntfs_pract.E01)
MD5 Checksums (md5sums.txt)

Community Resources

Linux Forensics (Yahoo Group)
Sleuthkit (Mail list)
SMART (Forum)
Forensic Focus (Forum)

Slackware Information

The Slackbook
Slackware Basics
Robby Workman's Pages
Slackworld Links
Slackbuilds Software



Welcome to Linux LEO

You have reached the home of the Law Enforcement and Forensic Examiner's Introduction to Linux. The guide has been around for a long time now, without any sort of permanent home. This Web site hopefully takes care of that.

Recent News (December 2008)

As of December 8, 2008, there's another new version of the guide (3.78). The purpose of this release is mostly to account for changes in the latest version of the Sleuthkit (now at version 3.x). This resulted in some changed tool names and the removal of at least one exercise in the LinuxLEO guide to account for how the new version of Sleuthkit handles deleted files in NTFS (see the changelog). The guide is still just under 200 pages long.

The next version of this guide will be a major revision. It will actually be more of a book than a guide!

The Purpose of this Site

This site is intended to be a simple online repository for documents (the guide and upcoming additions) that I've written to help members of the computer forensic community learn more about Linux and its potential as a forensic tool. This is NOT meant to be another "community portal" with forums and articles, etc. There are already plenty of those around (see "Resources" on the left). I've been asked plenty of times to open a forum or mail list for those with questions about the guide, but I don't have the time to administer such an undertaking, and I really feel more can be learned by visiting some of the already established resources. Having said that... feel free to e-mail me at any time with any questions, comments or flames. Feedback is exceedingly important to me. Positive or negative...

The Guide

The Law Enforcement and Forensic Examiner's Introduction to Linux, A Beginner's Guide is my repayment to the community. When I first started to learn how to use Linux as a forensic tool, I had help from plenty of people. I look at this guide as my way of continuing that spirit of sharing knowledge. The first version of the guide was written for a class I was asked to assist with in late 1999. This is now the third major revision, with many smaller unannounced updates in between. The structure and much of the content have remained the same.

About the Author

I am a Supervisory Criminal Investigator (Special Agent) with a Federal Agency of the US Government. I first started using Linux around 1993.

This Web site and the documents found here are my own work and do not reflect the views of or constitute official policy of any Federal Agency. This Web site is not approved or endorsed by the US Government.