Book Image

Digital Forensics with Kali Linux - Second Edition

By : Shiva V. N. Parasram
Book Image

Digital Forensics with Kali Linux - Second Edition

By: Shiva V. N. Parasram

Overview of this book

Kali Linux is a Linux-based distribution that's widely used for penetration testing and digital forensics. It has a wide range of tools to help for digital forensics investigations and incident response mechanisms. This updated second edition of Digital Forensics with Kali Linux covers the latest version of Kali Linux and The Sleuth Kit. You'll get to grips with modern techniques for analysis, extraction, and reporting using advanced tools such as FTK Imager, hex editor, and Axiom. Updated to cover digital forensics basics and advancements in the world of modern forensics, this book will also delve into the domain of operating systems. Progressing through the chapters, you'll explore various formats for file storage, including secret hiding places unseen by the end user or even the operating system. The book will also show you how to create forensic images of data and maintain integrity using hashing tools. Finally, you'll cover advanced topics such as autopsies and acquiring investigation data from networks, operating system memory, and quantum cryptography. By the end of this book, you'll have gained hands-on experience of implementing all the pillars of digital forensics: acquisition, extraction, analysis, and presentation, all using Kali Linux tools.

Related Content you might be interested in

Current Title:

Small book image
Digital Forensics with Kali Linux - Second Edition
Shiva V. N. Parasram
Apr, 2020 | 334 pages
Small book image
Digital Forensics and Incident Response
Gerard Johansen
Dec, 2022 | 532 pages
Small book image
Learn Computer Forensics – 2nd edition
William Oettinger
Jul, 2022 | 434 pages
Small book image
Windows Forensics Analyst Field Guide
Muhiballah Mohammed
Oct, 2023 | 318 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: Kali Linux – Not Just for Penetration Testing
Section 1: Kali Linux – Not Just for Penetration Testing
Free Chapter
2
Chapter 1: Introduction to Digital Forensics
Chapter 1: Introduction to Digital Forensics
What is digital forensics?
Digital forensics methodology
A brief history of digital forensics
The need for digital forensics as technology advances
Operating systems and open source tools for digital forensics
The need for multiple forensics tools in digital investigations
Commercial forensics tools
Anti-forensics – threats to digital forensics
Summary
Further reading
3
Chapter 2: Installing Kali Linux
Chapter 2: Installing Kali Linux
Software version
Downloading Kali Linux
Installing Kali Linux
Installing Kali Linux in VirtualBox
Summary
4
Section 2: Forensic Fundamentals and Best Practices
Section 2: Forensic Fundamentals and Best Practices
5
Chapter 3: Understanding Filesystems and Storage Media
Chapter 3: Understanding Filesystems and Storage Media
The history of storage media
Filesystems and operating systems
What about the data?
Data volatility
The paging file and its importance in digital forensics
Summary
6
Chapter 4: Incident Response and Data Acquisition
Chapter 4: Incident Response and Data Acquisition
Digital evidence acquisition and procedures
Incident response and first responders
Documentation and evidence collection
Chain of custody
Live acquisition versus post-mortem acquisition
Write blocking
Data imaging and hashing
Device and data acquisition guidelines and best practices
Summary
7
Section 3: Forensic Tools in Kali Linux
Section 3: Forensic Tools in Kali Linux
8
Chapter 5: Evidence Acquisition and Preservation with dc3dd and Guymager
Chapter 5: Evidence Acquisition and Preservation with dc3dd and Guymager
Drive and partition recognition in Linux
Maintaining evidence integrity
Using dc3dd in Kali Linux
Image acquisition using DD
Image acquisition using Guymager
Windows memory acquisition
Summary
9
Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor
Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor
Forensic test images used in Foremost and Scalpel
Using Foremost for file recovery and data carving
Using Scalpel for data carving
bulk_extractor
Summary
10
Chapter 7: Memory Forensics with Volatility
Chapter 7: Memory Forensics with Volatility
Introducing the Volatility Framework
Downloading test images for use with Volatility
Using Volatility in Kali Linux
Summary
11
Chapter 8: Artifact Analysis
Chapter 8: Artifact Analysis
Identifying devices and operating systems with p0f
Information gathering and fingerprinting with Nmap
Live Linux forensics with Linux Explorer
Ransomware analysis
swap_digger
Password dumping with mimipenguin
Examining Firefox artifacts with pdgmail
Summary
12
Section 4: Automated Digital Forensic Suites
Section 4: Automated Digital Forensic Suites
13
Chapter 9: Autopsy
Chapter 9: Autopsy
Introduction to Autopsy
The sample image file used in Autopsy
Digital forensics with Autopsy
Summary
14
Chapter 10: Analysis with Xplico
Chapter 10: Analysis with Xplico
Software requirements
Installing Xplico in Kali Linux
Starting Xplico in DEFT Linux 8.2
Packet capture analysis using Xplico
Network activity analysis exercise
Summary
15
Chapter 11: Network Analysis
Chapter 11: Network Analysis
Capturing packets using Wireshark
NetworkMiner
Packet capture analysis with PcapXray
Online PCAP analysis
Reporting and presentation
Summary
16
Other Books You May Enjoy
Other Books You May Enjoy

Operating systems and open source tools for digital forensics

Just as there are several commercial tools available, there exist many open source tools available to investigators, amateur and professional alike. Many of these tools are Linux-based and can be found on several freely available forensic distributions.

The main question that usually arises when choosing tools is usually based on commercial versus open source. Whether using commercial tools or open source tools, the end result should be the same, with preservation and integrity of the original evidence being the main priority.

Important note

Budget is always an issue, and some commercial tools (as robust, accurate, and user friendly as they might be) cost thousands of dollars.

The open source tools are free to use under various open source licenses and should not be counted out just because they are not backed by enterprise developers and researchers.

Many of the open source tools are widely reviewed by the forensic community and may be open to more scrutiny, as they are more widely available to the public and are built in non-proprietary code.

Though the focus of this book is on the forensic tools found in Kali Linux, which we will begin looking at toward the end of this section and onward, here are some of the more popular open source forensic distributions available.

Each of the distributions mentioned in the following sections is freely available at many locations but, for security reasons, we will provide the direct link from their home pages. The operating systems featured in this section are listed only in alphabetical order and do not reflect any ratings, reviews, or even the author's personal preference. Please refer to the hash verification of these tools to ensure that the version downloaded matches the exact version uploaded by the developers and creators.

Digital Evidence and Forensics Toolkit (DEFT) Linux

DEFT Linux comes in a full version and a lighter version called DEFT Zero. For forensic purposes, you may wish to download the full version as the Zero version does not support mobile forensics and password-cracking features. You can refer to the following points for downloading them:

As with the other distributions mentioned in this list, DEFT, as shown in the following screenshot, is also a fully capable live-response forensic tool that can be used on the go in situations where shutting down the machine is not possible, and also allows for on-the-fly analysis of RAM and the swap file:

Figure 1.1 – The DEFT splash screen boot options

Figure 1.1 – The DEFT splash screen boot options

When booting from the DEFT Linux DVD, bootable flash, or other media, the user is presented with various options, including the options to install DEFT Linux to the hard disk, or use as a live-response tool or operating system by selecting the DEFT Linux 8 live option, as shown in the following screenshot:

Figure 1.2 – The DEFT desktop environment and application menu

Figure 1.2 – The DEFT desktop environment and application menu

In the preceding screenshot, it can be seen that there are several forensic categories in DEFT Linux 8 such as Antimalware, Data Recovery, Hashing, Imaging, Mobile Forensics, Network Forensics, Password recovery, and Reporting tools. Within each category exist several tools created by various developers, giving the investigator quite a selection from which to choose.

CAINE

CAINE is a live-response bootable CD/DVD with options for booting in safe mode, text mode, as a live system, or in RAM, as shown in the following screenshot:

Figure 1.3 – The DEFT start up boot menu

Figure 1.3 – The DEFT start up boot menu

One of the most noticeable features of CAINE after selecting your boot option is the easy way to find the write-blocker feature, seen and labeled as an UnBlock icon, as shown in the following screenshot. Activating this feature prevents the writing of data by the CAINE operating system to the evidence machine or drive:

Figure 1.4 – The DEFT desktop

Figure 1.4 – The DEFT desktop

Forensic tools is the first menu listed in CAINE. As with DEFT Linux, there are several categories in the menu, as seen in the following screenshot, with several of the more popular tools used in open source forensics. Besides the categories, there are direct links to some of the more well-known tools, such as Guymager and Autopsy, which will both be covered in detail in later chapters:

Figure 1.5 – The DEFT Forensic tools menu

Figure 1.5 – The DEFT Forensic tools menu

For a full list of the features and packages included in CAINE at the time of this publication, please visit the following link:

https://www.caine-live.net/page11/page11.html

The latest version of CAINE 10.0 Infinity can be downloaded from https://www.caine-live.net/page5/page5.html in International Organization for Standardization (ISO) format, approximately 3.6 GB in size.

For installation on a Universal Serial Bus (USB) thumb drive, please ensure that the drive capacity is no less than 8 GB. A bootable CAINE drive can be created in an automated manner using the Rufus tool, which we will see in Chapter 2, Installing Kali Linux.

Kali Linux

Finally, we get to this lovely gem, Kali Linux, fully discussed in detail from its installation to advanced forensics usage in the next chapter and throughout this book. The basic points related to Kali Linux are listed here:

  • Home page: https://www.kali.org/
  • Based on: Debian
  • Distribution type: Penetration testing, forensics, and anti-forensics

Kali Linux was created as a penetration testing, or pen-testing, distribution under the name BackTrack, which then evolved into Kali Linux, in 2015. This powerful tool is the definite tool of choice for penetration testers and security enthusiasts worldwide. As a Certified EC-Council Instructor (CEI) for the Certified Ethical Hacker (CEH) course, this operating system is usually the star of the class due to its many impressive bundled security programs, ranging from scanning and reconnaissance tools to advanced exploitation tools and reporting tools.

As with the previously mentioned tools, Kali Linux can be used as a live-response forensic tool as it contains many of the tools required for full investigations. Kali, however, can also be used as a complete operating system, as it can be fully installed to a hard disk or flash drive and also contains several tools for productivity and entertainment. It comes with many of the required drivers for successful use of hardware, graphics, and networking, and also runs smoothly on both 32-bit and 64-bit systems with minimal resources. It can also be installed on certain mobile devices, such as Nexus and OnePlus, and other phones and tablets.

Adding to its versatility, upon booting from a live CD/DVD or flash drive, the investigator has several options to choose from, including Live (forensic mode), which leaves the evidence drive intact and does not tamper with it by also disabling any auto-mounting of flash drives and other storage media, providing integrity of the original evidence throughout the investigation.

When booting to Kali Linux from a DVD or flash drive, the user is first presented with options for a live environment and installation. Choosing the third option from the list carries us into Live (forensic mode), as seen in the following screenshot:

Figure 1.6 – The Kali Linux Boot menu

Figure 1.6 – The Kali Linux Boot menu

Once Kali Live (forensic mode) has booted, the investigator is presented with the exact same home screen as would be seen if using any of the GUIs in Kali, as shown in the following screenshot:

Figure 1.7 – The Kali Linux desktop environment

Figure 1.7 – The Kali Linux desktop environment

The Kali menu can be found at the top-left corner by clicking on Applications. This brings the user to the menu listing, which shows the forensics category lower down, as 11 - Forensics. The following screenshot gives an idea of some of the forensic tools available in Kali that we'll be using later on in the book:

Figure 1.8 – The Kali Linux Applications menu

Figure 1.8 – The Kali Linux Applications menu

It should be noted that the tools listed are not the only tools available in Kali. There are several other tools that can be brought up via the Terminal, as we'll see in later chapters.

It's also noteworthy that, when in forensic mode, not only does Kali not tamper with the original evidence drive, but also does not write data to the swap file, where important data that was recently accessed and stored in memory may reside.

The following screenshot shows another view of accessing the forensic tools menu, using the last icon in the list on the sidebar menu (resembling nine dots in a square formation):

Figure 1.9 – The Kali Linux Forensics tool menu

Figure 1.9 – The Kali Linux Forensics tool menu

For a full list of the features and packages included in the Kali Linux operating system at the time of this publication, please visit the following link:

https://www.kali.org/releases/kali-linux-2019-3-release/

Out of the three forensic distributions mentioned, Kali can operate as a live-response forensic tool, but can also be used as a full operating system, just like Windows, Mac, and Android, as it contains several built-in tools for productivity and everyday use. The fact that Kali can be installed to a hard disk means that several other tools can be downloaded and updated regularly, giving continuous access to all IT security and forensic tools, allowing the user to save progress as they use the tools and not have to worry too much about restarting their machine, should they decide to use it as a full operating system.

Using these open source forensic operating systems such as Kali gives us a range of tools to choose from and work with. There exist many tools for performing the same tasks within each category in the distributions. This is good, because our findings should be able to be replicated using different tools. This is especially good in instances where the investigator's work may be critiqued and the integrity of the case and evidence questioned and scrutinized; using multiple tools correctly will yield consistent results. Taking this into consideration, we can also look at the requirements and benefits of performing investigations within a forensic lab. Interpol has a very detailed document on Global Guidelines for Digital Forensics Laboratories, which can be downloaded at shorturl.at/ikKR2.

Previous Section
End of Section 6
Next Section