#DFIR: No. Kali is not a distribution oriented to digital forensic analysis

Hi, minions:

Let me be direct. No. Kali Linux is not a distribution focused on digital forensic analysis.

Let me also explain it. Throughout these years several articles have been published, some of them in media of some relevance within the Infosec and DFIR communities, under the titles "The best distributions for digital forensic analysis", "The best open source forensic tools", or similar titles. 

Within these lists is, most of the time, the Kali Linux distribution, and in many cases even ahead of other systems that have been really developed for digital forensic analysis.

I will not be the one to tell you not to use Kali for digital forensic analysis. In fact, no one should tell you what to use for digital forensic analysis. Keep in mind that a distribution is nothing more than an operating system, (a tool), with another set of tools installed on top of it.
You must use something, (call it Windows, Linux, Mac OS, ...), whatever you feel comfortable working with, whatever you feel like doing an analysis with.
Therefore it is vital to know what options we have available. Because tools, like everything else, also evolve.

There are currently many systems and distributions that have been developed for specific work within the DFIR area. Kali, in my opinion, is not one of them. In fact, if you look at the top of the main page, you can clearly read a message, a motto, that says: "Our Most Advanced Penetration Testing Distribution Ever".

(End of my plea).


It is true that Kali Linux has behind it a very large development, with a very large community and with the support of 'Offensive Security'. But it is not a distribution oriented to computer forensic analysis.

Below I will list some systems developed for the DFIR area, without assessing them because, let me insist, no one should tell you what to use. I will not rate them because it is you who should get to know, test and form your own opinion, if you have not already done so, of each available tool, free of outside influence. Everyone has their own tastes and their own needs, (even their own interests).

Live Operating Systems

WinFE, (Windows Forensic Environment): Free. WinFE is a system based on the Windows pre-installation environment, (WinPE). It can be built under Windows 7 Systems and under Windows 10 Systems. And it can also be customized to the needs of each one, with the tools needed, in addition to those already integrated.


Helix: Free. Helix is a custom distribution, based on Ubuntu, with excellent hardware detection and many applications dedicated to incident response and forensic analysis. 


DEFT Zero, (Digital Evidence & Forensic Toolkit): Free. DEFT Zero is a customized Ubuntu Linux live CD distribution. It is an easy-to-use system that includes excellent hardware detection and some of the best open source applications dedicated to incident response and computer forensic analysis.


Paladin Edge: Free. Paladin Edge is a modified live Linux distribution, based on Ubuntu, which simplifies various forensic tasks in a well-structured way through the PALADIN toolbox.


Tsurugi Acquire: Free. Tsurugi Acquire is a light and optimized version of Tsurugi Linux LAB, (which I will show you a little later), whose goal is to provide the basic tools necessary to boot a PC and acquire mass storage devices. It installs a small subset of tools to keep the ISO small; its main purpose is to boot fast, reside easily in RAM and support as many architectures as possible.


Labs


CAINE, (Computer Aided INvestigative Environment): Free. CAINE is a GNU/Linux live distribution based on Ubuntu, created as a computer forensics project. It offers a complete forensic environment organized to integrate existing software tools as program modules and to provide a friendly graphical interface. The main design goals that CAINE aims to guarantee are: an interoperable environment that supports the digital investigator during the four phases of the digital investigation, a user-friendly graphical interface and a semi-automated compilation of the final report.


RŌNIN: Free. RŌNIN is a Linux security distribution, based on Lubuntu, which provides a platform for professional data forensics training and analysis, penetration testing and incident response. The primary goal of RŌNIN is to provide a fast, lightweight Linux desktop along with a curated set of security tools and resources relevant to professionals, instructors and students alike.


LosBuntu: Free. LosBuntu is a Live DVD Linux distribution that can be used to assist in forensic data investigations. LosBuntu is the result of the desire to have a bootable forensic distribution with all the tools and features we like.


Santoku: Free. Santoku specializes in mobile forensics, analysis and security, and is delivered on an easy-to-use open source platform.


Paladin: Free. PALADIN is a modified live Linux distribution, based on Ubuntu, which simplifies various forensic tasks in a forensically sound way through the PALADIN toolbox. PALADIN is a complete solution for triage, imaging, examination and reporting.


DEFT, (Digital Evidence & Forensic Toolkit): Free. DEFT is a distribution made for Digital Forensics and Incident Response, built to run live, or be installed, on systems without altering or corrupting the devices, (hard drives, pendrives, etc.), connected to the PC/Mac where the boot process takes place.


Tsurugi LAB: Free. Tsurugi LAB is a highly customized Linux distribution designed to support your DFIR investigations, malware analysis and open source intelligence activities. Included in this distribution are the latest versions of the most popular tools you need to conduct an in-depth forensic or incident response investigation, and several useful features such as kernel-level device write-blocking, an OSINT profile switch, and more.


Labs, (OVA)


SIFT, (SANS Investigative Forensic Toolkit): Free. SIFT is a set of free, open source forensic and incident response tools designed for detailed digital forensic examinations in a variety of environments. It can be adapted to any type of incident response and to any set of forensic tools.


Xplico: Free. Xplico is a network forensic analysis tool, (NFAT), that is, software that reconstructs the contents of captures made with a packet sniffer (e.g., Wireshark, tcpdump, Netsniff-ng).


HoneyDrive: Free. HoneyDrive is the premier honeypot Linux distribution.



Skadi: Free. Skadi is a free, open source collection of tools that enables advanced collection, processing and analysis of forensic artifacts and images. It can be scaled to work effectively on laptops, desktops, servers and in the cloud.


REMnux: Free. REMnux is a free Linux toolkit to help malware analysts reverse engineer malware. It strives to make it easier for forensic investigators and incident responders to begin using the variety of tools available, free of charge, for malware examination.


DEFT X: Free. DEFT X is a complete system dedicated to forensic analysis and incident management.


System Customization


It is true that Kali includes some tools for carrying out certain computer forensic analysis tasks. So do other distributions, such as BackBox or Parrot. But this does not mean that they are distributions oriented to forensic analysis. In my opinion, they are security-oriented distributions, in general.

As you can see, we have many systems developed specifically to perform specific tasks in the DFIR area. It is also true that the systems I mentioned above are preconfigured. But we can customize some of these systems according to our needs. Remember that, above all, we must use something that we feel comfortable working with.

To give just a few examples, we can use a clean distribution and install the tools we need ourselves, according to our needs. Or we can use our own Windows 10 Operating System. Great things can be done with it. From the use of small forensic utilities that do not need to be installed, to the use of advanced forensic suites. Even if we install the WSL (Windows Subsystem for Linux), we can manage the installation of SIFT in it.
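As an added example that is not part of the original post, two small POSIX shell helpers for the "clean distribution plus your own tools" approach: one reports which tools of a chosen set are missing from the workstation, and one verifies a downloaded ISO or OVA against the checksum file that distributions publish alongside it. The tool list is an assumption, and the checksum file is assumed to be in the two-column `sha256sum` output format ("<hash>  <filename>").

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for a hand-built
# DFIR workstation on a clean distribution. The tool list is an assumption.

# Tools a minimal forensic workstation is assumed to need; adjust to taste.
REQUIRED_TOOLS="dd sha256sum file strings"

# check_tools NAME...: print each tool that is not on PATH; return 1 if any
# is missing, 0 if the workstation has everything in the list.
check_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf 'missing: %s\n' "$tool"
            missing=1
        fi
    done
    return "$missing"
}

# verify_image IMAGE CHECKSUM_FILE: compare the SHA-256 of a downloaded
# ISO/OVA with the entry for its file name in a sha256sum-format checksum
# file. Returns 0 on match, 1 on mismatch, 2 if the file has no entry.
verify_image() {
    image="$1"
    sums="$2"
    expected=$(awk -v f="$(basename "$image")" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        printf 'no checksum entry for %s\n' "$image"
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Usage, run from the workstation being checked:
#   check_tools $REQUIRED_TOOLS
#   verify_image ~/Downloads/distro.iso ~/Downloads/SHA256SUMS
```

Run the checksum step before you build a boot disk or import an OVA, and keep the tool check in whatever setup script you use so that a rebuilt workstation fails loudly rather than quietly lacking an acquisition tool.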


We can also install a Lubuntu system and, on top of it, carry out the same SIFT configuration, but in a much lighter environment than the '.ova' virtual machine.


And in the same way we can proceed with other distributions such as, for example, REMnux and Xplico, which can be installed together in a single Lubuntu System.


Or with Skadi, which can be installed on a Lubuntu System using a script.


As you can see, there are plenty of options for practicing DFIR with the appropriate settings. And if this doesn't please you, you can even make use of BitScout, which is a live, customizable OS building tool written exclusively in bash. Its main purpose is to help quickly create our own forensic boot disk image.

I insist again, use whatever system you want, whatever distribution you want, for whatever you want, (No one tells you what you have to use), but please, call everything by its name. Kali is not a digital forensic distribution.

And if you want to know how many systems and distributions are at your disposal, I refer you to some interesting links:






That's all.

