
I have been given an assignment from my school, in which I have been given a virtual image of a compromised system. The first thing I need to do is set up an environment in which we can mount the image. I need to choose an OS, and I was wondering: what should I choose, and why? If anyone could give me any pointers I should look out for, it would be much appreciated! Thanks

Black Magic
    Use whatever operating system you feel comfortable with and has the ability to run the tools you need. An investigation into a compromised system can get very technical, and I have a feeling you might want to leverage tools available for Windows and *nix distros to investigate this. Your job is to know how to use these tools to discover data of relevance, then leverage similar tools to help validate your findings. Figure out what you want to look for, figure out what tools help find those artifacts, then choose the OS accordingly. You'll soon find there is no best OS for an examiner. – 0xhughes Feb 10 '14 at 17:17

5 Answers


I would go for Kali Linux.

This Linux distribution is made for pentesting and security analysis. It contains a great many analysis tools, right in your main menu.

In general, I would use an Open Source OS for security-related work, because with Open Source there is public scrutiny that your tools themselves are not compromised.

S.L. Barth
    Beware with this. In a trial you will face questions like "so, these programs could be modified by anyone?" and "How can you be sure your system hasn't compromised the original image?". In a trial a lot of forensics experts will go to paid proprietary systems, since they are easier to comprehend for judges and lawyers. – kiBytes Feb 10 '14 at 12:23
    @kiBytes Good points, thanks. After the NSA scandal, though, similar questions could be asked about proprietary software. (Whether they will convince a judge or jury is another story!) Either way, the OP did well to perform analysis on copies of the image. – S.L. Barth Feb 10 '14 at 12:28
    In an academic environment I believe a distro like Kali is a perfect choice. In a trial there are some known brands most forensics choose to use (although they may use a Linux Distro to help themselves). – kiBytes Feb 10 '14 at 12:31

The SANS SIFT kit/workstation (http://digital-forensics.sans.org/community/downloads) is very good if you're looking to learn about forensics, as it comprises things like Autopsy and other open source tools which are commonly used. Little extra: http://www.forensicswiki.org/wiki/Main_Page this page helps A LOT when you're getting used to things.

elixenide
daark

When I was at university I used Backtrack Linux a LOT. It has a lot of forensics (and live forensics) tools preinstalled and it is designed to be used for these purposes (albeit it is probably most famous for nefarious hacking and spying on suspected cow tippers etc.)

Steven Wood

It depends on the tool you choose. Forensic tools like Autopsy can run on several different operating systems. They can parse the filesystem of the image you've been given, and show you the contents of the files. If such a tool is written in Java, you can run it on Windows, Mac, or Linux.

In forensic work, you are not necessarily trying to "run" the software from the image. You often are simply looking at the files you collect from the system, and piecing together what happened based on file contents, file system attributes such as last-accessed-time, creator ID, etc. If you were to mount the file system in the OS and run programs that accessed those files, your own investigative activity would likely hide the very clues you are seeking to uncover.

But sometimes you won't have much of a choice. If you discover a file named foo.docx, a simple text editor will show you very little, and you will likely need to use Word to view it. That creates another problem: what if the file you're trying to examine contains a virus? Opening it in Word on your computer could subject you to exactly the same problems as the victim computer image you're looking at. In that case, you need to learn to use a virtual machine as a sandbox.

John Deters
  • If you discover a file named foo.docx, a simple text editor will show you a lot if you think to unzip the file first. Word documents are just zipped up xml files. – Erick Robertson Feb 10 '14 at 19:44
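An added example (not part of this answer or of Erick Robertson's comment) of what that comment describes: treating a .docx as the ZIP container it is and reading the paragraph text and core metadata straight out of its XML parts, so the file is never rendered by Word and nothing in it gets a chance to execute. The sample document is constructed in memory below using the standard OOXML part names and namespaces; the author names in it are made up. The presence check for `word/vbaProject.bin` is the part that carries VBA macros in macro-enabled documents, so seeing it at all is worth noting before anyone double-clicks the file.

```python
"""Inspect a Word .docx without opening it in Word (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespaces of the OOXML parts read below.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def make_sample_docx() -> bytes:
    """Build a minimal .docx in memory. Constructed test input, not real evidence."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:r><w:t>Transfer approved by </w:t></w:r>'
        '<w:r><w:t>J. Doe</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        '<dc:creator>jdoe</dc:creator>'
        '<cp:lastModifiedBy>mallory</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not parsed here
        z.writestr("word/document.xml", document_xml)
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/vbaProject.bin", b"\x00")  # macro container, here a dummy byte
    return buf.getvalue()


def list_parts(docx_bytes: bytes) -> List[str]:
    """Every member of the ZIP: the first thing to look at, before any rendering."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()


def extract_text(docx_bytes: bytes) -> List[str]:
    """One string per <w:p> paragraph, joining the <w:t> runs inside it."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return paragraphs


def core_metadata(docx_bytes: bytes) -> Dict[str, str]:
    """Author / last-modified-by style fields from docProps/core.xml, if present."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {child.tag.split("}")[1]: (child.text or "") for child in root}


def has_macros(docx_bytes: bytes) -> bool:
    """word/vbaProject.bin is where VBA macros live in macro-enabled documents."""
    return "word/vbaProject.bin" in list_parts(docx_bytes)


if __name__ == "__main__":
    sample = make_sample_docx()
    print("parts:   ", list_parts(sample))
    print("text:    ", extract_text(sample))
    print("metadata:", core_metadata(sample))
    print("macros:  ", has_macros(sample))
```

Pointing these functions at a real file is a matter of `open(path, "rb").read()`. Do it on a copy of the evidence, and note that this only reads the XML; embedded OLE objects, images and other binary parts are listed by `list_parts` but still need their own tools.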

If you're comfortable with Linux, consider using Caine or Deft.

Both are distros meant for forensics use, which means that by default they don't do anything that may modify the data, such as automatically mounting filesystems or activating swaps.

They also contain a lot of useful tools for the job.

miniBill
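Whichever distro you pick, the point this answer and the comments under S.L. Barth's answer make is the same: the examination must not alter the evidence, and you must be able to show that it didn't. An added example (not from any of the answers) of the usual way to make that provable: hash the original once, keep the digest in a `sha256sum -c` compatible record, work only on a copy, and re-verify before and after each session. The image file, its paths and the simulated stray write are all constructed for the demo; the Linux `O_NOATIME` flag is used opportunistically so that even the hashing pass does not touch the file's access time.

```python
"""Hash-verify an evidence image before and after examination (added example)."""
import hashlib
import hmac
import os
import shutil
import tempfile
from typing import Dict


def open_read_only(path: str):
    """Open for reading only. On Linux, O_NOATIME also keeps the read from
    updating the file's own access time; fall back if the kernel refuses it."""
    flags = os.O_RDONLY | getattr(os, "O_NOATIME", 0)
    try:
        fd = os.open(path, flags)
    except PermissionError:  # O_NOATIME needs file ownership or CAP_FOWNER
        fd = os.open(path, os.O_RDONLY)
    return os.fdopen(fd, "rb")


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.sha256()
    with open_read_only(path) as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_record(image_path: str, record_path: str) -> str:
    """Record the digest in the two-space format that `sha256sum -c` reads."""
    digest = sha256_file(image_path)
    with open(record_path, "w") as f:
        f.write(f"{digest}  {os.path.basename(image_path)}\n")
    return digest


def verify_against_record(path: str, record_path: str) -> bool:
    """True if the file at `path` still hashes to what the record says."""
    with open(record_path) as f:
        recorded = f.read().split()[0]
    return hmac.compare_digest(recorded, sha256_file(path))


def demo() -> Dict[str, bool]:
    """Walk the workflow through on a constructed 'image' in a temp directory."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    try:
        original = os.path.join(workdir, "evidence.dd")
        with open(original, "wb") as f:  # constructed: not a real disk image
            f.write(b"\x00" * 512 + b"NTFS    " + os.urandom(4096))

        record = original + ".sha256"
        write_hash_record(original, record)

        # 1. Examine a copy, never the original.
        working = os.path.join(workdir, "working-copy.dd")
        shutil.copyfile(original, working)
        results = {"copy_matches_record": verify_against_record(working, record)}

        # 2. Simulate what a read-write mount or a careless tool does: one stray byte.
        with open(working, "r+b") as f:
            f.seek(600)
            f.write(b"X")

        # 3. Re-verify: the copy now fails, the original is still provably intact.
        results["copy_after_stray_write"] = verify_against_record(working, record)
        results["original_still_intact"] = verify_against_record(original, record)
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'OK' if ok else 'MISMATCH'}")
```

On a real image the record is checked with `sha256sum -c evidence.dd.sha256`, and the working copy is mounted with `mount -o ro,loop` (adding `noload` for ext3/ext4, since a plain read-only mount can still replay the journal). Re-running the verification after unmounting is what lets you answer the "how can you be sure your system hasn't modified the image?" question from the comments with a number rather than an assurance.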