Operating systems and open source tools for digital forensics
Just as there are several commercial tools available, there exist many open source tools available to investigators, amateur and professional alike. Many of these tools are Linux-based and can be found on several freely available forensic distributions.
The main question that usually arises when choosing tools is usually based on commercial versus open source. Whether using commercial tools or open source tools, the end result should be the same, with preservation and integrity of the original evidence being the main priority.
Important note
Budget is always an issue, and some commercial tools (as robust, accurate, and user friendly as they might be) cost thousands of dollars.
The open source tools are free to use under various open source licenses and should not be counted out just because they are not backed by enterprise developers and researchers.
Many of the open source tools are widely reviewed by the forensic community and may be open to more scrutiny, as they are more widely available to the public and are built in non-proprietary code.
Though the focus of this book is on the forensic tools found in Kali Linux, which we will begin looking at toward the end of this section and onward, here are some of the more popular open source forensic distributions available.
Each of the distributions mentioned in the following sections is freely available at many locations but, for security reasons, we will provide the direct link from their home pages. The operating systems featured in this section are listed only in alphabetical order and do not reflect any ratings, reviews, or even the author's personal preference. Please refer to the hash verification of these tools to ensure that the version downloaded matches the exact version uploaded by the developers and creators.
Digital Evidence and Forensics Toolkit (DEFT) Linux
DEFT Linux comes in a full version and a lighter version called DEFT Zero. For forensic purposes, you may wish to download the full version as the Zero version does not support mobile forensics and password-cracking features. You can refer to the following points for downloading them:
- Download page for DEFT Linux 8: http://na.mirror.garr.it/mirrors/deft/iso/
- Download page for DEFT Linux Z (2018-2): http://na.mirror.garr.it/mirrors/deft/zero/
- Based on: Ubuntu Desktop
- Distribution type: Forensics and incident response
As with the other distributions mentioned in this list, DEFT, as shown in the following screenshot, is also a fully capable live-response forensic tool that can be used on the go in situations where shutting down the machine is not possible, and also allows for on-the-fly analysis of RAM and the swap file:
When booting from the DEFT Linux DVD, bootable flash, or other media, the user is presented with various options, including the options to install DEFT Linux to the hard disk, or use as a live-response tool or operating system by selecting the DEFT Linux 8 live option, as shown in the following screenshot:
In the preceding screenshot, it can be seen that there are several forensic categories in DEFT Linux 8 such as Antimalware, Data Recovery, Hashing, Imaging, Mobile Forensics, Network Forensics, Password recovery, and Reporting tools. Within each category exist several tools created by various developers, giving the investigator quite a selection from which to choose.
CAINE
CAINE is a live-response bootable CD/DVD with options for booting in safe mode, text mode, as a live system, or in RAM, as shown in the following screenshot:
- Home page: http://www.caine-live.net/
- Based on: GNU Linux
- Distribution type: Forensics and incident response
One of the most noticeable features of CAINE after selecting your boot option is the easy way to find the write-blocker feature, seen and labeled as an UnBlock icon, as shown in the following screenshot. Activating this feature prevents the writing of data by the CAINE operating system to the evidence machine or drive:
Forensic tools is the first menu listed in CAINE. As with DEFT Linux, there are several categories in the menu, as seen in the following screenshot, with several of the more popular tools used in open source forensics. Besides the categories, there are direct links to some of the more well-known tools, such as Guymager and Autopsy, which will both be covered in detail in later chapters:
For a full list of the features and packages included in CAINE at the time of this publication, please visit the following link:
https://www.caine-live.net/page11/page11.html
The latest version of CAINE 10.0 Infinity can be downloaded from https://www.caine-live.net/page5/page5.html in International Organization for Standardization (ISO) format, approximately 3.6 GB in size.
For installation on a Universal Serial Bus (USB) thumb drive, please ensure that the drive capacity is no less than 8 GB. A bootable CAINE drive can be created in an automated manner using the Rufus tool, which we will see in Chapter 2, Installing Kali Linux.
Kali Linux
Finally, we get to this lovely gem, Kali Linux, fully discussed in detail from its installation to advanced forensics usage in the next chapter and throughout this book. The basic points related to Kali Linux are listed here:
- Home page: https://www.kali.org/
- Based on: Debian
- Distribution type: Penetration testing, forensics, and anti-forensics
Kali Linux was created as a penetration testing, or pen-testing, distribution under the name BackTrack, which then evolved into Kali Linux, in 2015. This powerful tool is the definite tool of choice for penetration testers and security enthusiasts worldwide. As a Certified EC-Council Instructor (CEI) for the Certified Ethical Hacker (CEH) course, this operating system is usually the star of the class due to its many impressive bundled security programs, ranging from scanning and reconnaissance tools to advanced exploitation tools and reporting tools.
As with the previously mentioned tools, Kali Linux can be used as a live-response forensic tool as it contains many of the tools required for full investigations. Kali, however, can also be used as a complete operating system, as it can be fully installed to a hard disk or flash drive and also contains several tools for productivity and entertainment. It comes with many of the required drivers for successful use of hardware, graphics, and networking, and also runs smoothly on both 32-bit and 64-bit systems with minimal resources. It can also be installed on certain mobile devices, such as Nexus and OnePlus, and other phones and tablets.
Adding to its versatility, upon booting from a live CD/DVD or flash drive, the investigator has several options to choose from, including Live (forensic mode), which leaves the evidence drive intact and does not tamper with it by also disabling any auto-mounting of flash drives and other storage media, providing integrity of the original evidence throughout the investigation.
When booting to Kali Linux from a DVD or flash drive, the user is first presented with options for a live environment and installation. Choosing the third option from the list carries us into Live (forensic mode), as seen in the following screenshot:
Once Kali Live (forensic mode) has booted, the investigator is presented with the exact same home screen as would be seen if using any of the GUIs in Kali, as shown in the following screenshot:
The Kali menu can be found at the top-left corner by clicking on Applications. This brings the user to the menu listing, which shows the forensics category lower down, as 11 - Forensics. The following screenshot gives an idea of some of the forensic tools available in Kali that we'll be using later on in the book:
It should be noted that the tools listed are not the only tools available in Kali. There are several other tools that can be brought up via the Terminal, as we'll see in later chapters.
It's also noteworthy that, when in forensic mode, not only does Kali not tamper with the original evidence drive, but also does not write data to the swap file, where important data that was recently accessed and stored in memory may reside.
The following screenshot shows another view of accessing the forensic tools menu, using the last icon in the list on the sidebar menu (resembling nine dots in a square formation):
For a full list of the features and packages included in the Kali Linux operating system at the time of this publication, please visit the following link:
https://www.kali.org/releases/kali-linux-2019-3-release/
Out of the three forensic distributions mentioned, Kali can operate as a live-response forensic tool, but can also be used as a full operating system, just like Windows, Mac, and Android, as it contains several built-in tools for productivity and everyday use. The fact that Kali can be installed to a hard disk means that several other tools can be downloaded and updated regularly, giving continuous access to all IT security and forensic tools, allowing the user to save progress as they use the tools and not have to worry too much about restarting their machine, should they decide to use it as a full operating system.
Using these open source forensic operating systems such as Kali gives us a range of tools to choose from and work with. There exist many tools for performing the same tasks within each category in the distributions. This is good, because our findings should be able to be replicated using different tools. This is especially good in instances where the investigator's work may be critiqued and the integrity of the case and evidence questioned and scrutinized; using multiple tools correctly will yield consistent results. Taking this into consideration, we can also look at the requirements and benefits of performing investigations within a forensic lab. Interpol has a very detailed document on Global Guidelines for Digital Forensics Laboratories, which can be downloaded at shorturl.at/ikKR2.