Finally, we get to this lovely gem, Kali Linux, which is discussed in detail, from its installation to advanced forensic usage, in the next chapter and throughout this book.
- Homepage: https://www.kali.org/
- Based on: Debian
- Distribution type: Penetration testing, forensics, and anti-forensics
Kali Linux began as a penetration testing (pen-testing) distro under the name BackTrack, which evolved into Kali Linux in 2015. This powerful distribution is the definitive tool of choice for penetration testers and security enthusiasts worldwide. In my experience as a Certified EC-Council Instructor (CEI) for the Certified Ethical Hacker (CEH) course, this operating system is usually the star of the class thanks to its many impressive bundled security programs, ranging from scanning and reconnaissance tools to advanced exploitation and reporting tools.
Like the tools mentioned above, Kali Linux can be used as a live-response forensic tool, as it contains many of the tools required for a full investigation. Kali can, however, also serve as a complete operating system: it can be fully installed to a hard disk or flash drive and ships with several tools for productivity and entertainment. It comes with many of the drivers required for hardware, graphics, and networking to work, runs smoothly on both 32-bit and 64-bit systems with minimal resources, and can even be installed on certain mobile devices, such as Nexus and OnePlus phones and tablets.
Adding to its versatility, when booting from a live CD/DVD or flash drive the investigator can choose from several options, including Live (forensic mode). This mode leaves the evidence drive intact: it does not tamper with the drive and also disables auto-mounting of flash drives and other storage media, preserving the integrity of the original evidence throughout the investigation.
When booting to Kali Linux from a DVD or flash drive, the user is first presented with options for a live environment and installation. Choosing the third option from the list carries us into Live (forensic mode), as seen in the following screenshot:
Once Kali Live (forensic mode) has booted, the investigator is presented with the exact same home screen as would be seen if using any of the GUIs in Kali, as shown in the following screenshot:
The Kali menu can be found at the top left corner by clicking on Applications. This brings the user to the menu listing, which shows the forensics category further down as 11 - Forensics. The following screenshot gives an idea of some of the forensic tools available in Kali that we'll be using later on in the book:
It should be noted that the tools listed are not the only tools available in Kali. There are several other tools that can be brought up via the Terminal, as we'll see in later chapters.
It's also noteworthy that, in forensic mode, Kali not only leaves the original evidence drive untouched but also does not write data to the swap file, where important data that was recently accessed and held in memory may reside.
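The two guarantees just described (no automatic mounting, no swap writes) are worth confirming before an examination starts. The following script is an added example, not part of the book or of Kali itself: it assumes that Kali's forensic boot entry passes the `noswap` and `noautomount` kernel parameters, and each check takes its input as text so it can be run against captured copies of the `/proc` files as well as the live system.

```shell
#!/bin/sh
# Added example (not from the book): pre-examination sanity checks for Kali Live (forensic mode).
# Assumption: the forensic boot entry passes "noswap" and "noautomount" on the kernel command line.
# Each check takes its input as text so it can be run against captured files as well as /proc.

# True when the kernel command line carries both forensic-mode parameters.
cmdline_is_forensic() {
    case " $1 " in *" noswap "*) ;; *) return 1 ;; esac
    case " $1 " in *" noautomount "*) return 0 ;; *) return 1 ;; esac
}

# True when /proc/swaps lists no active swap area (only its header line remains).
swap_is_inactive() {
    [ "$(printf '%s\n' "$1" | tail -n +2 | grep -c '')" -eq 0 ]
}

# True when the evidence device ($1) and its partitions are absent from /proc/mounts ($2).
# Matches /dev/sdb, /dev/sdb1 and nvme-style /dev/nvme0n1p1 names.
device_is_unmounted() {
    ! printf '%s\n' "$2" | grep -q "^$1p\{0,1\}[0-9]* "
}

# Run all three checks against the live system for evidence device $1 (e.g. /dev/sdb).
forensic_precheck() {
    status=0
    if ! cmdline_is_forensic "$(cat /proc/cmdline)"; then
        echo "WARN: kernel command line lacks noswap/noautomount" >&2; status=1
    fi
    if ! swap_is_inactive "$(cat /proc/swaps)"; then
        echo "WARN: a swap area is active; data from memory could be written to disk" >&2; status=1
    fi
    if ! device_is_unmounted "$1" "$(cat /proc/mounts)"; then
        echo "WARN: $1 or one of its partitions is mounted" >&2; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: forensic preconditions hold for $1"
    return "$status"
}

# Usage on a booted Kali forensic session:  sh precheck.sh --run /dev/sdb
if [ "${1:-}" = "--run" ]; then
    forensic_precheck "${2:?evidence device required}"
fi
```

A non-zero exit status means at least one precondition failed and the device should not be touched until the cause is understood.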
The following screenshot shows another view of accessing the Forensic tools menu using the last icon in the list on the sidebar menu (resembling nine dots in a square formation):
For a full list of the features and packages included in the Kali Linux operating system at the time of this publishing, please visit the following link:
https://tools.kali.org/tools-listing
Of the three forensic distros mentioned, Kali can operate as a live-response forensic tool but can also be used as a full operating system, just like Windows, Mac, and Android, as it contains several built-in tools for productivity and everyday use. Because Kali can be installed to a hard disk, further tools can be downloaded and updated regularly, giving continuous access to all IT security and forensic tools. The user can save their progress as they work and need not worry about restarting the machine should they decide to use it as a full operating system.
Using open source forensic operating systems such as Kali gives us a range of tools to choose from and work with. Within each category, the distros offer many tools that perform the same tasks. This is valuable, because our findings should be reproducible using different tools. It matters most in cases where the investigator's work may be critiqued and the integrity of the case and evidence questioned and scrutinized: using multiple tools correctly will yield consistent results.