Lesson 5, Topic 4

Forensic Operating System (OS) Distributions


A number of open-source projects develop and maintain customized operating system distributions that provide a framework for deploying digital forensics in any environment. The following is a brief list of the most commonly available forensic OS distributions. They are geared towards providing a user-friendly environment for conducting a valid forensic exercise with minimal deployment time and delivering actionable results. Live distributions can be run from removable media such as CD, DVD, USB or memory cards without any installation, which gives the investigator a greater degree of flexibility when starting an investigation.

Forensic OS Distributions List

SANS Investigative Forensics Toolkit (SIFT) Workstation

The SANS Investigative Forensic Toolkit (SIFT) is a computer forensics VMware appliance that is pre-configured with the tools needed to perform a detailed digital forensic examination. It is compatible with the Expert Witness Format (E01), Advanced Forensic Format (AFF) and raw (dd) evidence formats. SIFT is built on an Ubuntu base with many additional tools and capabilities that can match any modern forensic tool suite. It demonstrates that advanced investigations and intrusion response can be accomplished using open-source tools that are freely available and frequently updated.

One notable included tool, log2timeline, builds an event timeline that can be of enormous value to investigators. Please visit the link below for further details and evaluation of this distribution.

License

Free

Website

http://digital-forensics.sans.org/community/downloads

DEFT Linux

Digital Evidence & Forensics Toolkit (DEFT) is a Linux distribution developed specifically for computer forensics, with the purpose of running live on systems without tampering with or corrupting the devices connected to the PC on which it boots. In addition to running live from removable media, DEFT can also be run as a virtual appliance on VMware or VirtualBox. DEFT uses LXDE as its desktop environment and WINE for executing Windows tools under Linux. It features a convenient mount manager for device management. DEFT is paired with DART (Digital Advanced Response Toolkit), a forensics system that runs on Windows and contains a curated set of tools for forensics and incident response. DART features a GUI with logging and an integrity check for the tools it contains. Please visit the link below for further details and evaluation of this distribution.

License

Free

Website

http://www.deftlinux.net/

REMnux Linux Distribution for Reverse-Engineering Malware

REMnux is a lightweight Linux distribution that assists malware analysts with reverse-engineering malicious software. The distribution is based on Ubuntu and can be run both from live media and as a VMware appliance. A number of tools are incorporated into REMnux by default for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware including Flash programs and obfuscated JavaScript. REMnux also provides the ability to analyze malicious documents, such as PDF files, and utilities for reverse-engineering malware through memory forensics. REMnux additionally supports emulating network services within an isolated lab environment when performing behavioral malware analysis. Please visit the link below for further details and evaluation of this distribution.

License

Free

Website

http://zeltser.com/remnux/

CAINE Linux

CAINE (Computer Aided INvestigative Environment) is a GNU/Linux-based live distribution created as a digital forensics project. CAINE offers a complete forensic environment that integrates existing software tools as modules and provides a friendly graphical interface. CAINE claims to provide an interoperable environment that supports the digital investigator during the four phases of a digital investigation, along with a user-friendly graphical interface and a host of user-friendly tools. Please visit the link below for further details and evaluation of this distribution.

License

Free

Website

http://www.caine-live.net/

HELIX3 Linux

Helix is another Linux-based incident response and forensics offering that comes in two flavours: the free version, Helix 2009R1, which is available for download but no longer supported, and a commercial version, Helix PRO, which can be purchased through the e-fense.com online store. Both versions are meant to be used by individuals who have a sound understanding of incident response and forensic techniques.

Helix comes as a live CD that automatically mounts some storage devices, such as FireWire devices and MMC cards, in read/write mode. Because it relies on file system drivers to provide write protection, mounting some file system types (e.g. XFS) will result in several data writes to the original media. Please visit the link below for further details and evaluation of this distribution.
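The write-protection caveat above is the reason examiners verify two things around any live-distribution session: that evidence devices are mounted read-only, and that the image hashes recorded at acquisition still match afterwards. The following Python script, added here as an illustration and not part of Helix, DART or any distribution on this page, does both against constructed data: it parses a /proc/mounts-style excerpt (a made-up sample) to flag evidence devices mounted without the `ro` option, then hashes a constructed raw image, simulates the kind of metadata write a read/write mount can cause, and reports which recorded hashes no longer match. The device names and the `EVIDENCE_DEVICES` set are assumptions for the example.

```python
"""Two checks around a live-distribution mount session (example code):
1. flag evidence devices that are not mounted read-only, parsed from
   /proc/mounts-format text, and
2. hash an image before and after the session to prove it was not altered.
All sample data below is constructed for the example."""
import hashlib
import os
import tempfile

# Constructed /proc/mounts excerpt: device, mountpoint, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /mnt/evidence1 ext4 ro,noload,noexec 0 0
/dev/sdc1 /mnt/evidence2 xfs rw,relatime 0 0
/dev/sdd1 /mnt/evidence3 ntfs ro,nodev 0 0
"""

# Assumed set of devices that hold evidence in this session.
EVIDENCE_DEVICES = {"/dev/sdb1", "/dev/sdc1", "/dev/sdd1"}


def parse_mounts(text):
    """Parse /proc/mounts-format lines into (device, mountpoint, fstype, option set)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, opts = parts[0], parts[1], parts[2], parts[3]
        entries.append((device, mountpoint, fstype, set(opts.split(","))))
    return entries


def writable_evidence_mounts(text, evidence_devices):
    """Return evidence devices that are mounted without the 'ro' option."""
    return sorted(
        dev for dev, _mp, _fs, opts in parse_mounts(text)
        if dev in evidence_devices and "ro" not in opts
    )


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in 1 MiB chunks; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare current hashes with the acquisition record; return mismatched algorithm names."""
    current = hash_file(path, tuple(expected))
    return sorted(name for name in expected if current[name] != expected[name])


def demo():
    """Run both checks on constructed data.

    Returns (writable evidence devices, mismatches before tampering,
    mismatches after a simulated write to the image)."""
    writable = writable_evidence_mounts(SAMPLE_MOUNTS, EVIDENCE_DEVICES)
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")  # constructed stand-in for a raw image
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed evidence payload" + b"\xff" * 4096)
        acquired = hash_file(image)  # record taken at acquisition time
        clean = verify_image(image, acquired)
        # Simulate the journal replay or metadata update a read/write mount can cause.
        with open(image, "r+b") as fh:
            fh.seek(0)
            fh.write(b"\x01")
        tampered = verify_image(image, acquired)
    return writable, clean, tampered


if __name__ == "__main__":
    print(demo())
```

On a real system the first check reads `/proc/mounts` directly; the point of keeping the parser separate from the data is that the same function can be run over a mounts listing saved into the case notes. Recording more than one hash algorithm at acquisition costs little and lets the verification step confirm each hash the acquisition record contains.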

License

Free / Commercial

Website

http://www.e-fense.com/products.php

Digital Forensics Framework

Digital Forensics Framework (DFF) is free and open-source computer forensics software built on top of a dedicated Application Programming Interface (API). It is intended for use by both professionals and non-experts to quickly and easily collect, preserve and reveal digital evidence without compromising systems and data. Beyond standard forensic capabilities, DFF emphasises its support for preserving the digital chain of custody, maintaining non-intrusive access to local and remote devices, reading standard digital forensics file formats (raw, EnCase EWF and AFF 3), reconstructing virtual machine disks (VMware VMDK compatibility), Windows and Linux OS forensics, quick triage and search of data and metadata, and thorough support for file recovery and volatile memory analysis. It comes in both free and commercial flavours. Please visit the link below for further details and evaluation of this distribution.

License

Free / Commercial

Website

http://www.digital-forensic.org/