In the next series of blog posts I’ll be going over some of the powered feature tools of Kali Linux in the Digital Forensics realm. I did some platform testing for my MSc at USF, and I hope to share some of the details.
In essence, I hope to address some of the digital forensics analysis tools in the open-source project Kali Linux. As computers have evolved over the years in different aspects, so has the landscape of digital forensic tools. The diverse set of organizations today have popularized many commercial market tools among industry professionals, each with their own set of proprietary licenses and policies of use. However, oftentimes we forget that there open-source tools available free of cost and with a wide range of capabilities. Such applications are generally released under the GNU General Public License (GPL) which stipulates that the applications be free, and source code be available to all. This thriving community brings a set of digital forensic tools such as those available under the Kali Linux project. These posts hope to bring out some of the virtues and capabilities of these open-source tools. By no means is it a comparison with proprietary tools, nor a complete in-depth analysis of each tool, but rather an overview of the different functionalities and features which some of the tools possess.
Synopsis of Upcoming Posts
With the rise of technology and the dependency on these systems at all levels, there has been an increase in cybercrimes. This brings value and importance to the field of digital forensics in cybersecurity. To conduct digital forensic investigations one must be equipped with the right set of tools. The majority of digital forensic experts use a vast number of commercial tools and sometimes neglect to realize that there are open source tools alternatives. As a result of this, the Kali Linux open-source project was examined as a potential asset in the digital forensics field with the following objectives:
- Install, configure, and use Kali Linux as the digital forensic environment.
- Explore the flexibility, power, and control of the Kali Linux operating system as a forensic platform.
- Describe Kali Linux’s forensic tools.
- Investigate the capabilities of Kali Linux as a Digital Forensic asset.
- Explore and investigate six different tools in the Kali Linux forensic environment containing: Hashing, Forensic Imaging, File Carving, Network Forensics, Reporting Tools, and full case analysis with the Autopsy / SleuthKit.
- Analyze, perform, and understand data collection analysis on a step by step approach to a case.
- Explore and investigate the Kali Linux bootable forensics mode.
Objective 1 – This objective was completed in order to present this paper together with the findings.
Objective 2 – Kali Linux demonstrated its potential power not only with the digital forensics tools but also with the wide variety of general and penetration testing applications. As a Linux and open-source platform, it allowed the flexibility to install and configure several packages to meet one’s needs. This could be seen in cases such as those of Scalpel, Testdisk / PhotoRec, and Cuckoo. With the source code available, and access to all system files one could easily manipulate the entire system.
Objective 3 – This paper describes some of the fundamentals of digital forensics, open-source software, and history of the Kali Linux project along with its digital forensic tools.
Objective 4 – Investigation on more than six tools was conducted to investigate the capabilities of Kali Linux as a digital forensics asset.
Objective 5 – The tools used in the different predefined areas are as follows:
- Hashing – Guymager, DC3DD, Autopsy, The Sleuth Kit
- Forensic Imaging – DC3DD, Guymager
- File Carving and Data Recovery – Foremost, Scalpel, Bulk_extractor, Testdisk / PhotoRec
- Reporting Tools – Xplico, The Cuckoo Sandbox, Autopsy
- Full Case Analysis – The Cuckoo Sandbox, Xplico, Autopsy / The Sleuth Kit. However, this was not fully constructed to meet every case scenario. A very good case analysis could have expanded beyond the timeline of this project. As such, just the fundamentals were explored.
Other areas which were explored but not in the initial objectives were:
- Network Forensics – Xplico
- Malware Analysis – The Cuckoo Sandbox
Objective 6 – Data collection and analysis were performed in most cases. However, important stages in a step by step process may have been overlooked. This was because much focus was set aside to test the capabilities of the different tools.
Objective 7 – The objective was to use the Live Forensic Mode to acquire and analyze artifacts of files and directories. However, after much research it was found that Live Forensic mode capabilities were the same as those which were already installed on the system used for testing. The Live Forensic mode essentially makes things quick and easy. It preloads Kali Linux with all the forensic software which might be needed for a task. It’s also important to note that when the live forensic mode is at play, the hard drive of the system where it is being booted is never touched. Neither are swap partitions used in through this process nor are removable media devices auto mounted. Basically, the forensic mode should not tamper with anything unless specifically directed by the user to do so. Ultimately, this was seen as an objective that could be deviated and tested with the already existing installed system.
The rest of the posts will contain information and details about the Kali Linux and open-source environment. It also contains step by step demonstrations that were used to accomplish the aforementioned objectives.