If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a post mortem analysis of a system. tct allows the user to collect information about deleted files, running processes and more. See the included documentation for more information. These same utilities and some others can be found at http://www.sleuthkit.org/ by Brian Carrier, which provides a web front-end for forensic analysis of disk images. In Debian you can find both sleuthkit (the tools) and autopsy (the graphical front-end).
Remember also that forensic analysis should always be done on a backup copy of the data, never on the data itself, in case the data is altered during the analysis and the evidence is lost.
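One way to put this into practice, as an added example that is not part of the original manual: hash the acquired image, work only on a verified read-only copy, and re-check the copy against the recorded digest after each analysis step. The function names and the `.sha256` side file are assumptions made for this sketch; `sha256sum`, `cp` and `chmod` are the standard coreutils tools.

```shell
#!/bin/sh
# Added example: function names and the ".sha256" side file are assumptions.

# Print the SHA-256 digest of a file (digest only, no file name).
digest() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# make_working_copy ORIGINAL COPY
# Hash the original, copy it, confirm the copy is bit-identical, record the
# digest next to the copy and remove write permission from both files.
# Returns 1 on a digest mismatch, 2 on a usage or I/O problem.
make_working_copy() {
    orig=$1
    copy=$2
    [ -r "$orig" ] || { echo "cannot read $orig" >&2; return 2; }
    # Refuse to overwrite: an existing copy may already hold analysis state.
    [ ! -e "$copy" ] || { echo "$copy already exists" >&2; return 2; }
    before=$(digest "$orig") || return 2
    cp -- "$orig" "$copy" || return 2
    after=$(digest "$copy") || return 2
    if [ "$before" != "$after" ]; then
        echo "copy does not match original" >&2
        return 1
    fi
    printf '%s\n' "$before" > "$copy.sha256"
    chmod a-w "$copy" "$copy.sha256"
}

# verify_copy COPY
# Return 0 only if the copy still matches the digest recorded when it was made.
verify_copy() {
    copy=$1
    recorded=$(cat -- "$copy.sha256") || return 2
    [ "$(digest "$copy")" = "$recorded" ]
}

# Typical use (paths are placeholders):
#   make_working_copy /evidence/disk.img /work/disk.img
#   ... analyse /work/disk.img ...
#   verify_copy /work/disk.img || echo "working copy was altered" >&2
```

Removing write permission does not stop root from modifying the copy, so the digest check is what shows whether the working copy changed during analysis.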
FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.
FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD and with the recovered file system restored on a separate partition.