LaRon Walker
July, 2010
There are many different tools investigators can use to gather information and track
offenders. Unix-based operating systems house a vast majority of these types of tools, and are
commonly used in computer crime investigations. These tools can include, but are not limited to
finger, showmount, mount, echo, rlogin and whoami. These specific tools are designed to
retrieve user information that can help locate where an intrusion or attack originates from.
According to the article Finger (2009), finger is a Unix software utility that can help
remotely retrieve user information from another computer across networks. It can also be used
to retrieve details from emails that are otherwise hidden from the general user. This utility can
be very useful when trying to track the origination of email viruses, intrusions, or denial of
Showmount is a command line utility used to show information about clients that are
connected to an NFS server. This can be very useful to investigators when trying to determine if
a suspect’s computer is connected to a specific NFS server. This command can display
information about the hostname as well as the mounted directory or file system of a connected
user.
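The check described above, as an added example that is not part of the original essay: it reads `showmount -a` output (one `host:directory` pair per line) and reports which directories a given client has mounted. The server name, client addresses and paths are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `showmount -a <server>` output (host:directory pairs).
# Hostnames, addresses and paths are made up for illustration.
sample_showmount() {
cat <<'EOF'
All mount points on nfs01.example.org:
10.0.4.17:/export/home
10.0.4.17:/export/projects
ws-22.example.org:/export/home
10.0.4.170:/export/scratch
EOF
}

# mounts_for_host HOST
# Reads `showmount -a` output on stdin and prints each directory the given
# client has mounted, one per line. The host field is compared exactly, so
# 10.0.4.17 does not match 10.0.4.170.
mounts_for_host() {
    awk -v host="$1" '
        NR == 1 && /^All mount points on / { next }   # skip the header line
        {
            i = index($0, ":/")        # directories start with "/", so split there
            if (i == 0) next           # not a host:directory line
            h = substr($0, 1, i - 1)   # client host name or address
            d = substr($0, i + 1)      # mounted directory
            if (h == host) print d
        }'
}

# host_is_connected HOST
# Exit status 0 if the host appears with at least one mounted directory.
host_is_connected() {
    [ -n "$(mounts_for_host "$1")" ]
}

# Demo on the constructed sample; against a real server the input would be
# `showmount -a <server>` instead of sample_showmount.
sample_showmount | mounts_for_host 10.0.4.17
```

The list comes from the server's own mount records, which can be stale or incomplete, so a match is a lead to corroborate with other evidence rather than proof of a live connection.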
In basic terms, to mount a device is to make it available for access. Based on the article
mount (2006), for users to have access to files or file systems, the drive must first be mounted.
This is a very common tool that most investigators use to access files on computers and hard
drives, as it also allows the copying or displaying of files without altering them in any way. This
utility plays a vital role in investigating computer crimes, and it is the most commonly used
The echo utility is a very useful tool when you cannot see what you are typing when
remotely connected to a host through a terminal or shell connection. Echo can also be used with
a pipe or redirect to display the contents of files or directories. Some investigators also use the
echo command to display the contents of environment variables when searching for embedded
Per the article rlogin (2003), the rlogin tool is used to connect Unix machines to each
other on a network. When attempting to gather information from a Unix host, investigators can
use the rlogin utility to connect remotely to machines. Once connected, investigators can use the
mount utility to gain access to file systems and directories, as well as run commands like echo
The whoami utility displays information about the current user logged in to the current
session. This is a very useful command to investigators when verifying the identity of the
current user that is logged in to a system. In Unix, this can also help verify the current owner of
a terminal session after running commands that may have previously required additional
When used together, all of the above discussed Unix utilities can be a very useful toolkit
for investigators in the process of gathering evidence in computer crimes. Investigators can use
the rlogin utility to connect to remote Unix hosts, use the showmount utility to show the mounted
file systems, use the mount command to mount these drives, and use the echo and finger
commands to display the contents of these file systems and directories. These tools for gathering
References
finger. (2009). In The Hutchinson Unabridged Encyclopedia with Atlas and Weather guide.
mount. (2006). In High Definition: A-Z Guide to Personal Technology. Retrieved from
http://www.credoreference.com/entry/hmhighdef/mount
http://www.credoreference.com/entry/webstercom/rlogin