LinSpec operates as the Initial Triage Layer in a forensic investigation.
Its goal is to determine whether the system's defensive posture allowed or facilitated an intrusion.
LinSpec follows three core principles:
- Non-intrusive analysis
- Deterministic evaluation
- Context generation for deeper analysis

LinSpec performs three functions:
- Baseline Validation: identify deviations from hardened kernel configurations
- Exposure Mapping: detect weak points exploitable by attackers
- Context Generation: provide insights for memory acquisition (S.I.R.E.N)
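The Baseline Validation step above compares a running kernel against a hardened configuration without touching the system beyond reading `/proc/sys`. The following is an added illustration of that idea, not LinSpec's own code: the baseline values, the `read_sysctls`/`evaluate` helpers and the constructed sample snapshot are assumptions chosen for the example. The read is non-intrusive (open and read only) and the evaluation is deterministic (a function of the snapshot alone), matching the two principles listed earlier.

```python
"""Added example (not LinSpec's own code): a read-only, deterministic check of
a few kernel hardening sysctls against an expected baseline. The baseline
values and the sample snapshot are assumptions for illustration."""
from pathlib import Path

# Hypothetical hardened baseline: sysctl name -> minimum acceptable value.
# Each knob here is an integer where a higher value is stricter, so the
# comparison "observed >= expected" is enough.
BASELINE = {
    "kernel.kptr_restrict": 2,             # hide kernel pointers from all users
    "kernel.dmesg_restrict": 1,            # restrict dmesg to CAP_SYSLOG
    "kernel.yama.ptrace_scope": 1,         # ptrace only descendants by default
    "kernel.unprivileged_bpf_disabled": 1, # no unprivileged BPF
    "kernel.randomize_va_space": 2,        # full ASLR
    "fs.protected_symlinks": 1,
    "fs.protected_hardlinks": 1,
}


def read_sysctls(names, proc_sys=Path("/proc/sys")):
    """Read the named sysctls by opening their /proc/sys files: no writes,
    no kernel modules, no ptrace. A knob that is missing or unreadable is
    recorded as None so an absent feature (e.g. Yama not built in) stays
    visible instead of being silently skipped."""
    snapshot = {}
    for name in names:
        path = proc_sys / name.replace(".", "/")
        try:
            snapshot[name] = int(path.read_text().strip())
        except (OSError, ValueError):
            snapshot[name] = None
    return snapshot


def evaluate(snapshot, baseline=BASELINE):
    """Compare an observed snapshot against the baseline.
    Returns a sorted list of (sysctl, observed, expected) deviations. The
    result depends only on the inputs, so repeated runs over the same
    snapshot always agree."""
    deviations = []
    for name, expected in baseline.items():
        observed = snapshot.get(name)
        if observed is None or observed < expected:
            deviations.append((name, observed, expected))
    return sorted(deviations)


def triage_verdict(deviations):
    """Collapse the deviation list into the yes/no question the text poses."""
    if not deviations:
        return "hardened baseline met"
    return f"{len(deviations)} deviation(s) from baseline"


# Constructed sample snapshot (not taken from a real host): one weak setting
# and one absent knob, everything else at baseline.
SAMPLE_SNAPSHOT = {
    "kernel.kptr_restrict": 0,
    "kernel.dmesg_restrict": 1,
    "kernel.yama.ptrace_scope": None,
    "kernel.unprivileged_bpf_disabled": 1,
    "kernel.randomize_va_space": 2,
    "fs.protected_symlinks": 1,
    "fs.protected_hardlinks": 1,
}


if __name__ == "__main__":
    # Read-only pass over the running kernel; on a non-Linux host every
    # knob simply reports as None and shows up as a deviation.
    live = read_sysctls(BASELINE)
    findings = evaluate(live)
    for name, observed, expected in findings:
        print(f"{name}: observed={observed} expected>={expected}")
    print(triage_verdict(findings))
```

The deviation list, rather than a single pass/fail flag, is what feeds the later acquisition step: each entry names a concrete setting a memory-capture tool such as S.I.R.E.N can take into account.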
LinSpec does not detect malware.
Instead, it answers:
"Was the system defensively prepared to resist compromise?"
- LinSpec → identifies weaknesses
- S.I.R.E.N → captures memory
- K-Scanner → detects malicious artifacts
| Phase | Tool | Purpose |
|---|---|---|
| Triage | LinSpec | Kernel security baseline |
| Acquisition | S.I.R.E.N | Memory capture |
| Analysis | K-Scanner | Threat detection |