(W42M04) Setting up an Ubuntu forensic workstation



Now let's look at some useful Linux tools for forensic activity. Not all of these tools will be covered during the course, but you can use the following list to make your workstation as complete as possible.

Before starting any package download operation, it is advisable to run the following two commands:


apt-get update 

This command refreshes the local index of available packages and their versions from the configured repositories; it does not install or upgrade any package.


apt-get upgrade

This downloads and installs newer versions of the packages you already have. Once the index has been refreshed, the package manager knows which updates are available for the software installed on the system.

Remember that, in case of doubt, you can use the following command to look for a specific package:

apt-cache search [package-name]

Now let's see which packages can come in handy to set up our workstation. In this paragraph only the package names are reported; the standard installation procedure, as seen in the previous paragraph, remains sudo apt-get install [package-name].


aptitude 

A text-based interface to the Debian GNU/Linux package system. It lets the user view the list of packages and perform package management tasks such as installing, upgrading and removing packages. It is very useful for obtaining information on a package before downloading it, with the syntax


aptitude show [package-name]

Figure 1.4.1


git 

Git is a popular version control system designed to handle very large projects, most notably the Linux kernel, and falls in the category of distributed source code management tools. Every Git working directory is a full-fledged repository with full revision tracking capabilities, not dependent on network access or a central server.

The package of the same name provides Git's main components with minimal dependencies.


guymager

Guymager is a forensic imager for media acquisition that makes full use of multi-processor machines and generates flat (dd), EWF (E01) and AFF images. It also supports disk cloning and is really easy to use thanks to its graphical interface.


libewf2 

As seen in the previous picture, libewf is a library for reading and writing the Expert Witness Compression Format (EWF); it is essential for working with compressed forensic images.


xmount

This tool converts on the fly between multiple input and output hard-disk image formats by creating a virtual file system with FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. Thanks to this tool we will be able to mount our split E01 images and see them as a single dd image.


sleuthkit

The Sleuth Kit, also known as TSK, is a collection of UNIX-based command line tools for forensic analysis of volume and file system data. It supports several file systems, such as NTFS, FAT, exFAT, HFS+, Ext3, Ext4, UFS and YAFFS2.

We will see in more detail the potential of TSK in paragraph 1.9.


sqlite3

SQLite is a C library that implements an SQL database engine. The sqlite3 command line tool will be very useful for analyzing the SQLite databases produced by web browsers.


libimage-exiftool-perl

This package consists of a Perl module and the bundled command-line application ExifTool, which reads (and writes) meta information in a wide variety of media files: camera and printer models, GPS coordinates, the time a photo was taken and much more.


ecryptfs-utils

eCryptfs (Enterprise Cryptographic Filesystem) is a disk encryption package for Linux. It stores the cryptographic metadata in the header of each file it writes, so encrypted files can be copied between hosts; a file remains decryptable with the proper key, with no need to keep track of any information beyond what is already in the encrypted file itself.


testdisk

This package contains the tool PhotoRec. Originally created to recover lost pictures from digital camera memory, it has been extended to search for headers of non-audio/video file types as well, which makes it a great tool for file carving.


dc3dd

dc3dd is a patched version of dd with added features for computer forensics, such as on-the-fly hashing with multiple algorithms and splitting of the output.
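The update, search and install steps above, applied to this page's package list as one script. This is an added example and not course material; it assumes Ubuntu with apt and sudo, that apt-cache policy prints an "Installed:" and a "Candidate:" line for every package it knows, and that the eCryptfs package is spelled ecryptfs-utils.

```shell
#!/usr/bin/env bash
# Added example, not part of the course: bootstrap the workstation described above.
set -euo pipefail

# The packages listed on this page (the page writes "ecrypts-utils"; the Ubuntu
# package is named ecryptfs-utils).
FORENSIC_PKGS="aptitude git guymager libewf2 xmount sleuthkit sqlite3
libimage-exiftool-perl ecryptfs-utils testdisk dc3dd"

# Read `apt-cache policy <pkg>...` output on stdin and print one line per package
# apt knows: "<name> installed|available|unavailable <version>". A name apt has
# never heard of prints no stanza at all; missing_from finds those afterwards.
parse_policy() {
    awk '
        /^[^ ]+:$/      { name = substr($1, 1, length($1) - 1); inst = ""; next }
        /^  Installed:/ { inst = $2; next }
        /^  Candidate:/ {
            if (inst != "" && inst != "(none)") print name, "installed", inst
            else if ($2 != "(none)")            print name, "available", $2
            else                                print name, "unavailable", "-"
        }' | sort
}

# Names in $1 (whitespace separated) that do not appear in the parse_policy report $2.
missing_from() {
    local wanted="$1" seen="$2" p
    for p in $wanted; do
        printf '%s\n' "$seen" | awk -v p="$p" '$1 == p { f = 1 } END { exit !f }' || echo "$p"
    done
}

# Update and upgrade as the page recommends, install what is available but not yet
# installed, report the rest, and record the versions actually present so the
# toolset used for an examination can be reproduced later.
setup_workstation() {
    local report
    sudo apt-get update
    sudo apt-get -y upgrade
    # apt-cache returns non-zero when a name is unknown; keep going and report it.
    report=$( (apt-cache policy $FORENSIC_PKGS 2>/dev/null || true) | parse_policy)
    echo "$report"
    missing_from "$FORENSIC_PKGS" "$report" | sed 's/^/not in any configured repository: /'
    # shellcheck disable=SC2046
    sudo apt-get install -y $(echo "$report" | awk '$2 == "available" { print $1 }')
    dpkg-query -W -f='${Package} ${Version}\n' $FORENSIC_PKGS > workstation-manifest.txt
}

if [ "${1:-}" = "--run" ]; then setup_workstation; fi
```

Run it as `./setup.sh --run`; without the flag it only defines the functions, so parse_policy and missing_from can be exercised on saved apt-cache output first.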


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023