Digital forensics and incident response are complementary activities that not only require solid knowledge of operating systems and the internet, but also a lot of tools, depending on the desired goal. One investigator might want to simply recover a file from a forensically acquired hard drive, while another might want to do a full analysis of a system and check multiple items about it. Tsurugi Linux allows doing all of this.
Tsurugi Linux comes in different flavors:
- A full distribution that can be run live or installed.
- A virtual machine ready to run on your host operating system, whether Windows, Mac or Linux.
- A lighter 32-bit version dedicated only to live disk acquisition.
- A portable forensics toolkit created to help perform live investigations.
Such a distribution is mostly used as a virtual machine dedicated to running all the needed investigations, so that is how we'll show how to use it.
What you’ll need
In addition to a computer running Windows, Mac or Linux, you need virtualization software. Of the several options, we chose VirtualBox because it is popular, open source and easy to use.
You also need to download the Tsurugi Linux virtual appliance from one of the mirrors on its download page. Choose a mirror and download the file ending in .ova (Figure A).
How to install the virtual appliance
Open VirtualBox, choose File/Import Appliance, then select the virtual appliance file you just downloaded (Figure B).
Click Next, then Import, and read and accept the software license agreement. The virtual appliance is now installed (Figure C).
How to launch the virtual appliance
Select the Tsurugi virtual machine in VirtualBox and click Start. The virtual machine boots and displays the login screen for the default user, tsurugi (Figure D).
Enter the default password, tsurugi. The Linux distribution is now ready for work.
How to set the environment
Now is the time to install the VirtualBox Guest Additions, which allow the virtual machine to run full screen, share the clipboard and folders between the host and guest machines, and improve its performance.
Select Devices/Insert Guest Additions CD image in VirtualBox.
A CD icon appears, named after the VirtualBox guest additions version (Figure E).
Double-click the CD, then right-click VBoxLinuxAdditions.run and select Run as Administrator (Figure F).
Once the installation finishes, restart the virtual machine and enjoy the added comfort the Guest Additions bring (Figure G).
Tsurugi Linux main features
Tsurugi Linux is based on the well-known Ubuntu LTS distribution (64-bit) with a patched kernel that implements some interesting features.
Kernel Write Blocker
By default, all devices connected to the system are mounted read-only. This is essential for any investigator who needs to analyze a device without altering it in any way, so that all evidence on the device is preserved.
OSINT Profile Switcher
This feature can be activated with one double-click from the desktop and switches between two different user profiles: one is set for digital forensics and incident response while the second one is set for Open-Source Intelligence purposes.
Hundreds of DFIR tools
DFIR tools are cleverly categorized in Tsurugi Linux, so that any investigator or academic can easily find the right tool for the job (Figure H).
The Tsurugi Linux distribution shows impressive capabilities for any DFIR professional who wants everything he or she needs at hand, in a single distribution. It might also be a distribution of choice for academics and students who want to try several DFIR or OSINT tools during their studies or research.
Aside from the full Tsurugi Linux distribution, the lighter version built for live disk acquisition might also interest DFIR professionals, since it allows acquiring different devices in a forensically sound way, preserving evidence by not altering the source device.
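The forensic soundness described above, both the Kernel Write Blocker leaving connected devices untouched and the lighter version acquiring a device without altering it, is something an investigator should verify rather than assume. The script below is an added example and is not code from Tsurugi Linux or from this article. It hashes the source before and after an acquisition with dd, compares the source hash with that of the resulting image, and shows how to ask the kernel whether a block device is flagged read-only with blockdev --getro. The demo functions run offline against a constructed file standing in for an evidence device; device_is_readonly needs a real block device and root privileges and is not exercised by the offline demo.

```shell
#!/bin/sh
# Added example, not code from Tsurugi Linux or the article: verify that an
# acquisition left the source untouched and produced a faithful image.

# Print only the SHA-256 digest of a file or device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Ask the kernel whether a block device is flagged read-only (blockdev prints 1
# when it is). Needs a real device such as /dev/sdb and usually root, so the
# offline demo below does not call it.
device_is_readonly() {
    [ "$(blockdev --getro "$1")" = "1" ]
}

# Compare the source with the first <source size> bytes of the image. Only that
# prefix is compared because conv=sync pads the image's final block with zeros
# when the source length is not a multiple of the block size.
verify_image() {
    src=$1
    img=$2
    size=$(wc -c < "$src" | tr -d ' ')
    src_hash=$(hash_of "$src")
    img_hash=$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1)
    [ "$src_hash" = "$img_hash" ]
}

# Acquire $1 into image $2 with dd, then check that the source hash is the same
# before and after (nothing wrote to it) and that the image matches the source.
acquire_and_verify() {
    src=$1
    img=$2
    before=$(hash_of "$src")
    dd if="$src" of="$img" bs=4096 conv=noerror,sync status=none
    after=$(hash_of "$src")
    if [ "$before" != "$after" ]; then
        echo "source changed during acquisition: $before -> $after" >&2
        return 1
    fi
    if ! verify_image "$src" "$img"; then
        echo "image does not match source" >&2
        return 1
    fi
    printf 'sha256 %s\nVERIFIED\n' "$before"
}

# Offline demo: a constructed 8893-byte file (the output of seq 1 2000) stands
# in for an evidence device; its size is deliberately not a multiple of 4096.
make_sample() {
    seq 1 2000 > "$1"
}

demo() {
    work=$(mktemp -d)
    make_sample "$work/evidence.dev"
    if acquire_and_verify "$work/evidence.dev" "$work/evidence.dd"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

# Same flow, but one byte of the image is altered after acquisition; the
# verification must now fail, which is what makes the hash check meaningful.
demo_tampered() {
    work=$(mktemp -d)
    make_sample "$work/evidence.dev"
    dd if="$work/evidence.dev" of="$work/evidence.dd" bs=4096 conv=noerror,sync status=none
    # seq output contains only digits and newlines, so 'X' is guaranteed to differ
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=100 conv=notrunc status=none
    if verify_image "$work/evidence.dev" "$work/evidence.dd"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

demo
```

On a real case the same acquire_and_verify call would take the evidence device as source and an image file on a separate, writable destination as target; a before/after hash mismatch on the source means something wrote to it during acquisition and the write blocker cannot be trusted for that device.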