Digital Forensics with Kali Linux

Overview of this book

Kali Linux is a Linux-based distribution used mainly for penetration testing and digital forensics. It has a wide range of tools to help in forensics investigations and incident response mechanisms. You will start by understanding the fundamentals of digital forensics and setting up your Kali Linux environment to perform different investigation practices. The book will delve into the realm of operating systems and the various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also teach you to create forensic images of data and maintain integrity using hashing tools. Next, you will also master some advanced topics such as autopsies and acquiring investigation data from the network, operating system memory, and so on. The book introduces you to powerful tools that will take your forensic abilities and investigations to a professional level, catering for all aspects of full digital forensic investigations from hashing to reporting. By the end of this book, you will have had hands-on experience in implementing all the pillars of digital forensics—acquisition, extraction, analysis, and presentation using Kali Linux tools.

Operating systems and open source tools for digital forensics


Just as there are several commercial tools available, there exist many open source tools available to investigators, amateur and professional alike. Many of these tools are Linux-based and can be found on several freely-available forensic distributions.

The main question that usually arises when choosing tools is usually based on commercial versus open source. Whether using commercial tools or open source tools, the end result should be the same, with preservation and integrity of the original evidence being the main priority.

Note

Budget is always an issue and some commercial tools (as robust, accurate, and user-friendly as they might be) can cost thousands of dollars.

The open source tools are free to use under various open source licenses and should not be counted out just because they are not backed by enterprise developers and researchers. Many of the open source tools are widely reviewed by the forensic community and may be open to more scrutiny, as they are more widely available to the public and are built in non-proprietary code.

Though the focus of this book is on the forensic tools found in Kali Linux, which we will begin looking at toward the end of this section and onward, here are some of the more popular open source forensic distributions, or distros, available.

Each of the distros mentioned in the following sections is freely available at many locations but, for security reasons, we will provide the direct link from their homepages. The operating systems featured in this section are listed only in alphabetical order and do not reflect any ratings, reviews, or even the author's personal preference.

Digital evidence and forensics toolkit Linux

Digital Evidence and Forensics Toolkit (DEFT) Linux comes in a full version and a lighter version called DEFT Zero. For forensic purposes, you may wish to download the full version, as the Zero version does not support mobile forensics and password-cracking features.

Like the other distros mentioned in this list, DEFT, as shown in the following screenshot, is also a fully capable live response forensic tool that can be used on the go in situations where shutting down the machine is not possible and also allows for on-the-fly analysis of RAM and the swap file:

When booting from the DEFT Linux DVD, bootable flash, or other media, the user is presented with various options, including the options to install DEFT Linux to the hard disk, or use as a live-response tool or operating system by selecting the DEFT Linux 8 live option, as shown here:

In the previous screenshot, it can be seen that there are several forensic categories in DEFT Linux 8, such as Antimalware, Data Recovery, Hashing, Imaging, Mobile Forensics, Network Forensics, Password Recovery, and Reporting tools. Within each category exist several tools created by various developers, giving the investigator quite a variety from which to choose.

For a full list of the features and packages included in the Digital Evidence Forensic Toolkit (DEFT) Linux OS at the time of this publishing, please visit the following link:

http://www.deftlinux.net/package-list/

Computer Aided INvestigative Environment

The Computer Aided INvestigative Environment (CAINE) is a live-response bootable CD/DVD with options for booting in safe mode, text mode, as a live system, or in RAM, as shown here:

One of the most noticeable features of CAINE after selecting your boot option is the easy way to find the write-blocker feature, seen and labeled as a BlockON/OFF icon, as shown in the following screenshot. Activating this feature prevents the writing of data by the CAINE OS to the evidence machine or drive:

Forensic Tools is the first menu listed in CAINE. Like DEFT Linux, there are several categories in the menu, as seen in the following screenshot, with several of the more popular tools used in open source forensics. Besides the categories, there are direct links to some of the more well-known tools, such as Guymager and Autopsy, which will both be covered in detail in later chapters:

For a full list of the features and packages included in CAINE at the time of this publishing, please visit the following link:

http://www.caine-live.net/page11/page11.html


Kali Linux

Finally, we get to this lovely gem, Kali Linux, fully discussed in detail from its installation to advanced forensics usage in the next chapter and throughout this book.

  • Homepage: https://www.kali.org/
  • Based on: Debian
  • Distribution type: Penetration testing, forensics, and anti-forensics

Kali Linux was created as a penetration testing, or pen-testing, distro under the name BackTrack, which then evolved into Kali Linux in 2015. This powerful tool is the definitive tool of choice for penetration testers and security enthusiasts worldwide. As a Certified EC-Council Instructor (CEI) for the Certified Ethical Hacker (CEH) course, I find this operating system is usually the star of the class due to its many impressive bundled security programs, ranging from scanning and reconnaissance tools to advanced exploitation tools and reporting tools.

Like the above-mentioned tools, Kali Linux can be used as a live response forensic tool, as it contains many of the tools required for full investigations. Kali, however, can also be used as a complete operating system, as it can be fully installed to a hard disk or flash drive and also contains several tools for productivity and entertainment. It comes with many of the required drivers for successful use of hardware, graphics, and networking, and also runs smoothly on both 32 bit and 64 bit systems with minimal resources; it can also be installed on certain mobile devices, such as Nexus and OnePlus phones and tablets.

Adding to its versatility, upon booting from a live CD/DVD or flash drive, the investigator has several options to choose from, including Live (forensic mode). This mode leaves the evidence drive intact and does not tamper with it; it also disables any auto-mounting of flash drives and other storage media, preserving the integrity of the original evidence throughout the investigation.

When booting to Kali Linux from a DVD or flash drive, the user is first presented with options for a live environment and installation. Choosing the third option from the list carries us into Live (forensic mode), as seen in the following screenshot:

Once Kali Live (forensic mode) has booted, the investigator is presented with the exact same home screen as would be seen if using any of the GUIs in Kali, as shown in the following screenshot:

The Kali menu can be found at the top left corner by clicking on Applications. This brings the user to the menu listing which shows the forensics category lower down, as 11 - Forensics. The following screenshot gives an idea of some of the Forensic tools available in Kali that we'll be using later on in the book:

It should be noted that the tools listed are not the only tools available in Kali. There are several other tools that can be brought up via the Terminal, as we'll see in later chapters.

It's also noteworthy that, when it is in forensic mode, Kali not only leaves the original evidence drive untouched but also does not activate or write to any swap partition it finds, since the swap area of an evidence disk may hold important data that was recently accessed and paged out of memory.
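The two forensic-mode invariants just described (no active swap and no auto-mounted evidence volumes) can be confirmed from inside the live session rather than taken on trust. The following shell script is an added example, not part of the book or of Kali; it parses /proc/swaps and /proc/mounts, using constructed copies of those files so it runs offline, and assumes the live medium is /dev/sr0 (on a real session substitute /proc/swaps, /proc/mounts and your boot device).

```shell
#!/bin/sh
# Added example: verify forensic-mode invariants by parsing /proc/swaps and
# /proc/mounts (or constructed stand-ins, as below, for offline use).

# Returns 0 if the swaps file lists no active swap areas, 1 otherwise.
# $1: path to a /proc/swaps-style file (first line is a header)
swap_is_inactive() {
    [ "$(tail -n +2 "$1" | grep -c .)" -eq 0 ]
}

# Prints every mount backed by a /dev block device other than the live medium.
# $1: path to a /proc/mounts-style file   $2: live boot device (assumed /dev/sr0)
unexpected_block_mounts() {
    awk -v live="$2" '$1 ~ /^\/dev\// && $1 != live { print $1 " on " $2 }' "$1"
}

# 0 when both invariants hold (no swap, no foreign block mounts), 1 otherwise.
forensic_mode_ok() {
    swap_is_inactive "$1" && [ -z "$(unexpected_block_mounts "$2" "$3")" ]
}

# --- constructed sample files standing in for a live system ---
tmp=$(mktemp -d)
# Good case: header-only swaps; only pseudo-filesystems and the live medium mounted.
printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$tmp/swaps_ok"
printf '%s\n' \
  'proc /proc proc rw,nosuid 0 0' \
  '/dev/sr0 /run/live/medium iso9660 ro,noatime 0 0' \
  'tmpfs /run tmpfs rw,nosuid 0 0' > "$tmp/mounts_ok"
# Bad case: evidence disk's swap partition activated and its data partition auto-mounted.
printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n' > "$tmp/swaps_bad"
printf '/dev/sda5  partition 2097148 0 -2\n' >> "$tmp/swaps_bad"
printf '%s\n' \
  'proc /proc proc rw,nosuid 0 0' \
  '/dev/sr0 /run/live/medium iso9660 ro,noatime 0 0' \
  '/dev/sda1 /media/kali/EVIDENCE ntfs rw,nosuid 0 0' > "$tmp/mounts_bad"

if forensic_mode_ok "$tmp/swaps_ok" "$tmp/mounts_ok" /dev/sr0; then
    echo "sample OK: no swap active, no evidence volumes mounted"
fi
forensic_mode_ok "$tmp/swaps_bad" "$tmp/mounts_bad" /dev/sr0 \
    || echo "sample BAD: $(unexpected_block_mounts "$tmp/mounts_bad" /dev/sr0)"
```

If either check fails on a real session, the medium was not booted in forensic mode (or a device was mounted by hand) and any image taken afterwards should be treated as potentially contaminated.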

The following screenshot shows another view of accessing the Forensic tools menu using the last icon in the list on the sidebar menu (resembling nine dots in a square formation):

For a full list of the features and packages included in the Kali Linux operating system at the time of this publishing, please visit the following link:

https://tools.kali.org/tools-listing

Of the three forensic distros mentioned, Kali can operate as a live response forensic tool but can also be used as a full operating system, just like Windows, Mac, and Android, as it contains several built-in tools for productivity and everyday use. Because Kali can be installed to a hard disk, additional tools can be downloaded and updated regularly, giving continuous access to all IT security and forensic tools and letting the user save progress as they work, without worrying about restarting the machine should they decide to use it as a full operating system.

Using open source forensic operating systems such as Kali gives us a range of tools to choose from and work with. Within each category, the distros offer many tools for performing the same task. This is a good thing, because our findings should be reproducible with different tools. It matters especially in instances where the investigator's work may be critiqued and the integrity of the case and evidence questioned and scrutinized; using multiple tools correctly will yield consistent results.