How to install the Tsurugi Linux distribution

Tsurugi Linux is a digital forensics and incident response open-source project based on Ubuntu Linux. Find out how to use this distribution as a virtual machine sitting on your operating system.

image5.jpg

Digital forensics and incident response are complementary activities that not only require solid knowledge of operating systems and the internet, but also a lot of tools, depending on the desired goal. One investigator might want to simply recover a file from a forensically acquired hard drive, while another might want to do a full analysis of a system and check multiple items about it. Tsurugi Linux allows doing all of this.

SEE: 5 Linux server distributions you should be using (TechRepublic Premium)

Tsurugi Linux comes in different flavors: 

  • A full distribution for full live use or installation.
  • A virtual machine ready to be installed on your host operating system, no matter which one you use—Windows, Mac or Linux.
  • A lighter 32-bit version dedicated to only doing live disk acquisitions.
  • A portable forensics toolkit created to help perform live investigations.

The main usage for such a distribution is to be used as a virtual machine that is dedicated to running all the needed investigations. Therefore, we'll show how to use it that way.

What you'll need

In addition to a computer running a Windows, Mac or Linux operating system, a virtualization software is needed. Among several ones, we chose VirtualBox because it is a very popular open-source software that is easy to use.

You also need to download the virtual appliance of Tsurugi Linux via one of the mirrors from its download page. On the page, choose a mirror and start downloading the file ending with .ova (Figure A).

Figure A

image1.jpg

The Tsurugi Linux .ova file for download on one of the official mirrors.

How to install the virtual appliance

Open VirtualBox and choose File/Import Appliance then select the local virtual appliance file you just downloaded (Figure B).

Figure B

image2.jpg

Select the virtual appliance file for installation in VirtualBox.

Click Next then Import, read and accept the software license agreement. The virtual appliance is being installed (Figure C).

Figure C

image3.jpg

Importing the virtual appliance.

How to launch the virtual appliance

Select the Tsurugi virtual machine in VirtualBox and click Start. The virtual machine gets launched and displays the login page from the default user, tsurugi (Figure D). 

Figure D

image4.jpg

The login page for the default tsurugi user.

Enter the default password, tsurugi. The Linux distribution is now ready for work.

How to set the environment

Now is the time to install the VirtualBox Guest Additions, which will allow the virtual machine to run full screen, share the clipboard or folders between the host and guest machines, and improve its performance.

Select Devices/Insert Guest Additions CD image in VirtualBox.

A CD icon appears, named after the VirtualBox guest additions version (Figure E).

Figure E

image5.jpg

VirtualBox Guest Additions CD appears.

Double click on the CD, then right-click on VBoxLinuxAdditions.run and select Run as Administrator (Figure F).

Figure F

image6.jpg

Running the installation of the VirtualBox guest additions.

After installation has run, restart the virtual machine and enjoy the comfort of the virtual machine with the guest additions (Figure G).

Figure G

image7.jpg

Tsurugi Linux desktop.

Tsurugi Linux main features

Tsurugi Linux is based on the famous Ubuntu LTS distribution (64 bits) with a patched kernel, which implements some interesting features.

Kernel Write Blocker

By default, all devices connected to the system are mounted in read-only mode. This is a necessary feature for any investigator who wants to run an analysis on a device he or she does not want to alter in any way, therefore preserving all evidence on the device.

OSINT Profile Switcher

This feature can be activated with one double-click from the desktop and switches between two different user profiles: one is set for digital forensics and incident response while the second one is set for Open-Source Intelligence purposes.

Hundreds of DFIR tools

DFIR tools are classified in a clever way in Tsurugi Linux, so that any investigator or academic can easily find the appropriate tool serving his or her purpose (Figure H).

Figure H

image8.jpg

Tools categories, as shown in Tsurugi Linux.

Tsurugi Linux distribution shows impressive capabilities for any DFIR professional who wants to have everything he or she needs at hand, in a single distribution. It might also be a distribution of choice for academics and students who might want to check several DFIR or OSINT tools during their studies or research.

Aside from the full Tsurugi Linux distribution, the lighter version that is built for doing live disk acquisition might also be interesting for DFIR professionals, since it allows acquiring different devices in a forensically sound way, preserving evidence by not altering the copied device.

Also see