There is also a wide range of Linux distributions that have been created for digital forensics purposes. These distributions, often provided for free, provide tools that can aid a digital forensics investigator. These tools are divided into two main types. The first of these is distributions that are intended as boot CD/DVD or USBs. These are useful for conducting triage or to obtain access to files, without having to image the drive. These distributions can be placed onto a CD/DVD or, more commonly now, a USB device. The examiner then boots the system under investigation into the Linux distribution. There are a number of these distributions available.
The following are two that are popular with digital forensics examiners:
- Digital Evidence and Forensic Toolkit (DEFT) Zero: This is based upon the GNU Linux platform. DEFT can be booted from a USB or CD/DVD. Once booted, the DEFT platform includes a wide range of tools that can be utilized by a digital forensics examiner to perform such functions as the acquisition of mass storage, for example, the hard drive on the system from which it is being booted. DEFT minimizes the risk of altering data on the system by not booting into the swap partition and does not use automated mounting scripts, thereby ensuring the integrity of the system's storage. DEFT can be seen in the following screenshot:
- Paladin: Paladin is another live Linux distribution, based on the Ubuntu OS. Paladin has a number of tools that aid digital forensics tasks such as malware analysis, hashing, and imaging. The forensic toolset includes a number of packages that can be utilized for a wide range of different operating systems. Paladin can be seen in the following screenshot:
Another category of Linux distributions is those designed as platforms for conducting an examination of evidence such as RAM captures and network evidence. There are several distributions available:
- The SANS Investigate Forensic Toolkit (SIFT): This is a comprehensive forensic toolset, based upon the Ubuntu 16.04 Base OS. Tools are included for imaging, memory analysis, timeline creation, and a host of other digital forensics tasks. SIFT is provided for free by the SANS Institute as a standalone virtual machine, available at https://digital-forensics.sans.org/community/downloads. Alternatively, the SIFT can be installed onto an existing Ubuntu 14.04 installation.
Once Ubuntu has been fully installed, run the following command:
wget --quiet -O - https://raw.github.com/sans-dfir/sift-
bootstrap/master/bootstrap.sh | sudo bash -s -- -i -s -y
Once installed, there is a desktop, based upon the Ubuntu distribution, with additional tools that are run from the command line or through a GUI, as can be seen in the following screenshot:
- Computer Aided INvestigative Environment (CAINE): This is another forensic distribution that will be put to further use in this book. CAINE is a GNU/Linux platform that includes a number of tools to assist digital forensics examiners. CAINE can be seen in the following screenshot:
- Linux Forensics Tools Repository (LiFTeR): LiFTeR is a collection of digital forensics tools for the Fedora and Red Hat Linux operating systems. This tool repository is maintained by the Carnegie Mellon University Software Engineering Institute and contains a wide range of tools for intrusion analysis and digital forensics. The package is available from: https://forensics.cert.org/.
- REMnux: REMnux is a specialized tool that has aggregated a number of malware reverse engineering tools into an Ubuntu Linux-based toolkit. There are a number of tools available in REMnux, such as those specifically designed for analyzing Windows and Linux malware and for examining suspicious documents, and it also has the ability to intercept potential malicious network traffic in an isolated container. REMnux can be seen in the following screenshot:
REMnux can be downloaded as a virtual machine from https://remnux.org for a standalone virtual system. REMnux can also be added to either the SIFT workstation or CAINE by utilizing the following command:
wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash
When incorporating different tools into a CSIRT digital forensics capability, it is important to keep several factors in mind. First, tools that have been developed by outsiders should absolutely be tested for efficacy. This can be done through the use of test data, commonly available on the internet. Second, open source tools such as Linux distributions are sometimes not adequately maintained. Digital forensics analysts should ensure that tools such as SIFT, CAINE, and REMnux are updated as new versions of both the tools and underlying operating systems become available. Finally, some tools that we will explore in this book are derived from network monitoring tools, but can also serve as tools in incident response. When using these tools, it is critical to document their use and their justification. If ever the efficacy and reliability of the evidence obtained or analyzed with these tools are called into question, proper documentation can lessen the chances of their use being seen as forensically unsound.
The National Institute of Standards and Technology (NIST) has provided guidance on the proper testing of forensic tools through the Computer Forensics Tool Testing (CFTT) program, found at http://www.cftt.nist.gov/. In addition to specific guidance on testing, there are a number of reports on different forensic hardware and software products. Having this information available for the tools you use provides validation, in the event that their use is ever challenged in a courtroom.