Monday, July 1, 2019

DFIR OS Tsurugi

There are plenty of DFIR OSes out in the wild. SANS's SIFT Workstation, Sumuri Paladin, and the Digital Evidence & Forensics Toolkit (DEFT) are probably the best known. In a previous college class, I was shown an OS called Tsurugi. Tsurugi can be downloaded from its main page at https://tsurugi-linux.org. It is named after a legendary Japanese double-bladed sword used by ancient monks, which might look something like the image below.

The OS comes in three different types, all based on Ubuntu 16 LTS:

BENTO is the live DFIR distribution, similar to Sumuri Paladin and the like. It gives a full set of DFIR tools and a write blocker. TSURUGI Acquire provides a lightweight version of the LAB version for acquiring forensic images. TSURUGI Linux [LAB] provides a complete DFIR suite that can be installed on a computer or VM.

I have yet to really test out BENTO, but I did perform a capture with TSURUGI Acquire. It uses Guymager as the imaging software. The imaging process was straightforward, and with the write blocker in place it is easy to ensure nothing is written back to the source hard drive.

This shows the main screen of Guymager when you load it. The screenshot is from the Guymager site.

I installed the LAB version inside VirtualBox 6.0 using the red install icon on the desktop, which starts a graphical installer. It also requires you to unblock the proper drive to install the Linux version to. Installation was average for a Linux wizard-style install. During the installation, I set it to automatically log me on. It should probably also be configured not to ask for the password when running things as 'su', since this is only a lab computer, similar to how SIFT works.

After installation, you get the main screen:

From here, all the tools are located under the application menu. 

The menu is categorized by the type of tool (some tools appear in more than one menu). The full list of tools is located here: https://tsurugi-linux.org/documentation_tsurugi_linux_tools_listing.php#

The major issue I've had with the system is running 'apt' to update it. I found that running apt or similar updates breaks some of the Python modules. I recommend keeping a snapshot after installation in case something breaks.
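As an added example (not code from the original post or from the Tsurugi project), the following shell script wraps the snapshot-before-update workflow recommended above and adds a check for the failure mode described: after an apt update, it tries to import a list of Python modules and reports which ones no longer load, so you know whether to roll back. The VBoxManage snapshot subcommands are real VirtualBox commands; the VM name "Tsurugi-LAB" and the module list are assumptions, constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or the Tsurugi project.
# Assumptions: the LAB install is a VirtualBox guest named "Tsurugi-LAB"
# (placeholder, override with VM_NAME), VBoxManage is on the host's PATH,
# and the module list passed to check_python_modules is constructed from
# modules a DFIR workstation commonly depends on.

VM_NAME="${VM_NAME:-Tsurugi-LAB}"   # placeholder VM name

# Host side: take a named VirtualBox snapshot so the guest can be rolled
# back if an update breaks it.
take_snapshot() {
    snap="$1"
    VBoxManage snapshot "$VM_NAME" take "$snap"
}

# Host side: roll the guest back to a snapshot (power the VM off first).
restore_snapshot() {
    snap="$1"
    VBoxManage snapshot "$VM_NAME" restore "$snap"
}

# Guest side, run after the update: try importing each named Python module.
# Returns 0 when every module imports, 1 when any fails (or python3 is
# missing), and prints which modules are broken so you know what the
# update touched.
check_python_modules() {
    failed=0
    command -v python3 >/dev/null 2>&1 || { echo "python3 not found"; return 1; }
    for mod in "$@"; do
        if python3 -c "import $mod" >/dev/null 2>&1; then
            echo "ok      $mod"
        else
            echo "BROKEN  $mod"
            failed=1
        fi
    done
    return "$failed"
}

# Typical flow:
#   host:  take_snapshot pre-update
#   guest: sudo apt update && sudo apt upgrade
#   guest: check_python_modules os sys json sqlite3
#   host:  restore_snapshot pre-update   (only if anything printed BROKEN)
```

The module check runs inside the guest, so copy that function (or the whole script) into the VM; the snapshot functions run on the host where VBoxManage lives. Pass the modules your own toolset imports rather than the constructed sample list.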

Other than the update problem, I find it works really well for running any of the CLI or GUI tools provided. The conky window on the right adds notable stats as a quick reference when you are working in the box, and works well. I have not had a chance to use all the tools, but it runs similarly to other Ubuntu 16 LTS operating systems.
