Linux Distributions for forensics investigation: my own list

A shortlist of six distributions… guess my favorite!

During a digital forensics analysis many different tools are used, and it can be useful to work from a dedicated Linux distribution with all the tools already installed and configured.

Here is a brief list of my choices.

Computer Aided Investigative Environment (CAINE)

CAINE offers a complete forensic environment, organized to integrate existing software tools as modules and to provide a friendly graphical interface. It contains numerous tools that help investigators during their analysis, including tools for forensic evidence collection.

Digital Evidence & Forensics Toolkit (DEFT)

DEFT is a Linux distribution made for evidence collection that comes bundled with the Digital Advanced Response Toolkit (DART) for Windows.

Appliance for Digital Investigation and Analysis (ADIA)

ADIA is a VMware-based appliance designed for small-to-medium sized digital investigation and acquisition. It is built entirely from freely available open source software, such as Autopsy, The Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico and Wireshark.
System maintenance is provided by Webmin.

Network Security Toolkit (NST)

NST is a Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional:

The main intent of developing this toolkit was to provide the security professional and network administrator with a comprehensive set of Open Source Network Security Tools.


A Linux distribution customized to perform various forensics tasks like password discovery, social media analysis, data carving, Windows registry analysis, malware analysis, log analysis and more.

Security Onion

Security Onion is a special Linux distro aimed at network security monitoring featuring advanced analysis tools:

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro (now Zeek), OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.

SANS Investigative Forensic Toolkit (SIFT)

The SIFT Workstation is a VMware appliance, preconfigured with the necessary tools to perform detailed digital forensic examination in a variety of settings.

The SIFT Workstation demonstrates that advanced incident response capabilities and deep-dive digital forensic techniques for intrusions can be accomplished using cutting-edge open source tools that are freely available and frequently updated.

How to upgrade from Debian 8 “Jessie” to Debian 9 “Stretch”

Simple, with 5 commands!

Finally, Debian 9 “Stretch” was released in the “stable” branch!

A lot of upgrades, especially to the kernel, glibc and other base packages.

Some info from the official wiki (see also the official Stretch release notes):

New features

  • Linux kernel series 4.9, GNU libc 2.24.
  • Desktop environments: GNOME 3.22, KDE Plasma 5.8, MATE 1.16, Xfce 4.12 and others.
  • Programming languages: GCC 6.3, Perl 5.24, Python 3.5, PHP 7.0 and others.
  • nftables is available as a replacement for iptables. See this nftables blog post for details.


  • The dmesg command requires superuser privileges (kernel.dmesg_restrict is enabled by default, which keeps kernel addresses and hardware details away from unprivileged users).
  • The X server is no longer setuid, and may be started without root privileges. If the startx command is run as a non-root user, the Xorg.0.log (or Xorg.*.log for alternative displays) file will be written to ~/.local/share/xorg/ instead of /var/log/.
  • All MySQL packages have been superseded by equivalent MariaDB packages (e.g. mariadb-server-10.1). The mysql-server and default-mysql-server metapackages are transitional, and will bring in the MariaDB server.
  • PHP 7.0 replaces PHP 5.6. There are new metapackages without a version number in them: php-fpm, php-cli, etc. You may use these for future compatibility.
  • Most of the library packages with debugging symbols have been moved to a new repository. If you require these packages, you will need to add an entry to your sources.list or sources.list.d. Also note that the package names are different (ending with -dbgsym instead of -dbg).

How to upgrade?

Before you move on with the upgrade, be sure that your current Debian Jessie is fully updated, that no packages are on hold (apt-mark showhold) and that dpkg reports nothing half-installed (dpkg --audit):

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

and make a backup of your current sources.list:

# cp /etc/apt/sources.list /etc/apt/sources.list_backup

Then, you can start with the upgrade.

First, point the package repositories at stretch (do the same for any files under /etc/apt/sources.list.d/, and disable third-party or backports entries until the upgrade is done):

# sed -i 's/jessie/stretch/g' /etc/apt/sources.list

Then, update package index

# apt-get update

and finally execute the below commands to start the upgrade process:

# apt-get upgrade
# apt-get dist-upgrade

Once the process completes, check your Debian version:

# cat /etc/issue
Debian GNU/Linux 9 \n \l

The \n and \l are agetty escape sequences, not part of the version string; cat /etc/debian_version or lsb_release -a shows the exact point release.

That’s all folks!

Understanding EXT4

A really interesting series of articles on SANS Digital Forensics Blog

In 2010, Hal Pomeranz started a series of technical articles about the EXT4 filesystem on the SANS Digital Forensics blog.

What is EXT4?

EXT4 is a journaling file system for Linux, developed as the successor to ext3: it modifies important data structures of the previous filesystem, such as those used to store file data. The result is a filesystem with an improved design, better performance, reliability and features.
It was accepted as “stable” in the Linux 2.6.28 kernel in October 2008.

The ‘episodes’

The publication of the ‘episodes’ has continued over the years, and Hal recently published part 6, focused on “Directories”.

Here the list of all parts:

1. Extents

20 Dec 2010

EXT4 has moved to 48-bit block addresses. I’ll refer you to the paper cited above for the whys and wherefores of this decision and what it means as far as maximum file system size, etc. What’s really a departure for EXT4 however, is the use of extents rather than the old, inefficient indirect block[3] mechanism used by earlier Unix file systems (e.g. EXT2/EXT3) for tracking file content. Extents are similar to cluster runs in the NTFS file system- essentially they specify an initial block address and the number of blocks that make up the extent. A file that is fragmented will have multiple extents, but EXT4 tries very hard to keep files contiguous.

2. Timestamps

14 Mar 2011

The EXT4 developers tried very hard to maintain backwards compatibility with the EXT2/EXT3 inode layout. 64-bit timestamps and a completely new file creation timestamp obviously complicate this goal. The EXT4 developers solved this problem by putting the extra stuff in the upper 128 bytes of the new, larger 256-byte EXT4 inode.

3. Extent Trees

28 Mar 2011

[…] you can only have a maximum of 4 extent structures per inode. Furthermore, there are only 16 bits in each extent structure for representing the number of blocks in the extent, and in fact the upper bit is reserved (it’s used to mark the extent as “reserved but initialized”, part of EXT4’s pre-allocation feature). That means each extent can only contain a maximum of 2¹⁵ blocks- which is 128MB assuming 4K blocks.

Now 128MB is pretty big, but what happens when you have a file that’s bigger than half a gigabyte? Such a file would require more than 4 extents to fully index. Or what happens when you have a file that’s small but very fragmented? Again, you could need more than 4 extents to represent the collections of blocks that make up the file.

4. Demolition Derby

08 Apr 2011

I got curious about what would happen when I deleted my /var/log/messages file. How does the inode change? What happens to block 131090, which holds my extent tree structure? Well, there’s really only one way to find out: I deleted the file… carefully so I didn’t lose any logging data. In fact, I didn’t just delete the file; I used “shred -u /var/log/messages” to overwrite the data blocks with nulls before unlinking the file. Once the file had been purged, I dumped out both the inode associated with the file and block 131090 and took a look at them in my hex editor.

5. Large Extents

22 Aug 2011

[…] you can only have 32K blocks in an extent. Assuming a typical 4K block size, that means you can only have 128MB of data in a single extent. A 4GB file is therefore going to require at least 32 extents, and even that assumes you can find 32 runs of 32K contiguous blocks to use. More likely we’ll have more than 32 extents, some of which don’t use the full 128MB length.

6. Directories

07 Jun 2017

One item I never got around to was documenting how directories were structured in EXT. Some recent research has caused me to dive back into this topic, and given me an excuse to add additional detail to this EXT4 series.

If you go back and read earlier posts in this series, you will note that the EXT inode does not store file names. Directories are the only place in traditional Unix file systems where file name information is kept. In EXT, and the classic Unix file systems it is evolved from, directories are simply special files that associate file names with inode numbers.

Furthermore, in the simplest case, EXT directories are just sequential lists of file entries. The entries aren’t even sorted. For the most part, directory entries in EXT are simply added to the directory file in the order files are created in the directory.
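The extent layout described in parts 1, 3 and 5 (48-bit physical block numbers, at most four extents in the inode, a 16-bit length whose top bit marks a preallocated extent) and the zeroed inode of part 4, decoded in code. This is an added example written for this page, not code from Hal's posts or from the original blog; the field order follows the ext4 on-disk format (extent header, leaf extent, index entry), and the sample i_block bytes are constructed, not taken from a real image.

```python
"""Decode the extent tree an ext4 inode stores in its 60-byte i_block field.

On-disk layout (little-endian):
  ext4_extent_header (12 B): eh_magic=0xF30A, eh_entries, eh_max, eh_depth, eh_generation
  ext4_extent        (12 B): ee_block, ee_len, ee_start_hi, ee_start_lo   (leaf, depth 0)
  ext4_extent_idx    (12 B): ei_block, ei_leaf_lo, ei_leaf_hi, ei_unused  (index, depth > 0)
12 + 4*12 = 60 bytes, hence the four-extents-per-inode limit. Physical block
numbers are 48 bits (hi16 << 32 | lo32). ee_len is 16 bits; the top bit marks
a preallocated, uninitialized extent, so an initialized extent covers at most
32768 blocks (128 MiB with 4 KiB blocks).
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

EXT4_EXT_MAGIC = 0xF30A
EXT_INIT_MAX_LEN = 1 << 15                 # 32768 blocks: longest initialized extent
I_BLOCK_OFFSET, I_BLOCK_SIZE = 0x28, 60    # i_block sits at byte 40 of the inode
EXT_HDR = struct.Struct("<HHHHI")          # eh_magic, eh_entries, eh_max, eh_depth, eh_generation
EXT_LEAF = struct.Struct("<IHHI")          # ee_block, ee_len, ee_start_hi, ee_start_lo
EXT_IDX = struct.Struct("<IIHH")           # ei_block, ei_leaf_lo, ei_leaf_hi, ei_unused


@dataclass
class Extent:
    logical: int    # first file block covered
    physical: int   # first disk block (48-bit)
    length: int     # blocks in the extent
    uninit: bool    # preallocated, never written (reads back as zeros)


def has_extent_header(i_block: bytes) -> bool:
    """False for a zeroed i_block (e.g. after shred -u) or an indirect-block inode."""
    return len(i_block) == I_BLOCK_SIZE and EXT_HDR.unpack_from(i_block, 0)[0] == EXT4_EXT_MAGIC


def parse_i_block(i_block: bytes) -> Tuple[int, List[Union[Extent, Tuple[int, int]]]]:
    """Return (depth, entries): leaf Extents at depth 0, otherwise
    (first_logical_block, disk_block_of_child_node) pairs to follow on disk."""
    if not has_extent_header(i_block):
        raise ValueError("no ext4 extent header in i_block")
    _magic, entries, emax, depth, _gen = EXT_HDR.unpack_from(i_block, 0)
    if emax > 4 or entries > emax:
        raise ValueError("corrupt header: more entries than the inode can hold")
    out: List[Union[Extent, Tuple[int, int]]] = []
    for i in range(entries):
        off = EXT_HDR.size + i * EXT_LEAF.size
        if depth == 0:
            lblk, elen, hi, lo = EXT_LEAF.unpack_from(i_block, off)
            uninit = elen > EXT_INIT_MAX_LEN            # top bit of ee_len set
            length = elen - EXT_INIT_MAX_LEN if uninit else elen
            out.append(Extent(lblk, (hi << 32) | lo, length, uninit))
        else:
            lblk, leaf_lo, leaf_hi, _unused = EXT_IDX.unpack_from(i_block, off)
            out.append((lblk, (leaf_hi << 32) | leaf_lo))
    return depth, out


def parse_inode(raw_inode: bytes):
    """Pull i_block out of a raw 128- or 256-byte inode and decode it."""
    return parse_i_block(raw_inode[I_BLOCK_OFFSET:I_BLOCK_OFFSET + I_BLOCK_SIZE])


def min_extents(file_size: int, block_size: int = 4096) -> int:
    """Fewest leaf extents a file of file_size bytes can have, even if contiguous."""
    blocks = -(-file_size // block_size)           # ceiling division
    return -(-blocks // EXT_INIT_MAX_LEN)


def build_leaf_i_block(extents) -> bytes:
    """Constructed test data: a depth-0 i_block from (logical, physical, length, uninit)."""
    hdr = EXT_HDR.pack(EXT4_EXT_MAGIC, len(extents), 4, 0, 0)
    body = b"".join(
        EXT_LEAF.pack(lblk, length + EXT_INIT_MAX_LEN if uninit else length,
                      phys >> 32, phys & 0xFFFFFFFF)
        for lblk, phys, length, uninit in extents)
    return (hdr + body).ljust(I_BLOCK_SIZE, b"\0")


# Constructed sample: one full 128 MiB extent starting past the 32-bit block
# boundary, followed by 100 preallocated (uninitialized) blocks.
SAMPLE_I_BLOCK = build_leaf_i_block([(0, 0x1_0000_0010, 32768, False),
                                     (32768, 0x2000, 100, True)])

if __name__ == "__main__":
    for ext in parse_i_block(SAMPLE_I_BLOCK)[1]:
        print(ext)
    print("4 GiB file needs at least", min_extents(4 << 30), "extents")
```

A depth greater than zero means the inode holds index entries rather than data extents; the block number in each entry is where the next tree node lives on disk, which is what Hal's block 131090 was in part 4. An i_block that fails has_extent_header after a shred is expected: the header is gone along with the data.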

I wish you a good reading!
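The directory layout described in part 6, as an added example that is not code from Hal's post or from the original blog: a walker for one ext4 directory block that follows the rec_len chain in on-disk (creation) order and also reports entries left behind in slack after an unlink. The block contents are constructed; the entry format is the ext4_dir_entry_2 layout (inode, rec_len, name_len, file_type, name).

```python
"""Walk one ext4 directory block and recover the names of unlinked files.

Each entry is: inode u32, rec_len u16, name_len u8, file_type u8, name[name_len],
padded to a 4-byte boundary. Entries sit in creation order, rec_len chains them,
and the last entry's rec_len runs to the end of the block. When a file is
unlinked ext4 does not wipe its entry: the previous entry's rec_len is simply
stretched over it, so the old inode number and name stay on disk until reused.
"""
import struct
from typing import List, Tuple

DIRENT = struct.Struct("<IHBB")     # inode, rec_len, name_len, file_type
EXT4_FT_MAX = 7                     # defined file_type values are 0..7


def entry_size(name_len: int) -> int:
    """Bytes an entry with this name length really occupies (4-byte aligned)."""
    return (DIRENT.size + name_len + 3) & ~3


def walk_dir_block(block: bytes) -> List[Tuple[int, str, bool]]:
    """Return (inode, name, live) tuples in on-disk order. live=False marks
    entries found in slack, i.e. unlinked files whose bytes were not reused."""
    out, off = [], 0
    while off + DIRENT.size <= len(block):
        ino, rec_len, name_len, _ft = DIRENT.unpack_from(block, off)
        if rec_len < DIRENT.size or off + rec_len > len(block):
            break                                       # corrupt chain: stop here
        if ino:                                         # inode 0 = unused slot
            out.append((ino, block[off + 8:off + 8 + name_len].decode("latin-1"), True))
        out += scan_slack(block, off + entry_size(name_len), off + rec_len)
        off += rec_len
    return out


def scan_slack(block: bytes, off: int, end: int) -> List[Tuple[int, str, bool]]:
    """Look for plausible leftover entries in [off, end), stepping 4 bytes at a
    time so the scan stays aligned with where ext4 would have written them."""
    found = []
    while off + DIRENT.size <= end:
        ino, rec_len, name_len, ft = DIRENT.unpack_from(block, off)
        if (ino and 0 < name_len and rec_len >= entry_size(name_len)
                and off + rec_len <= end and ft <= EXT4_FT_MAX):
            found.append((ino, block[off + 8:off + 8 + name_len].decode("latin-1"), False))
            off += entry_size(name_len)
        else:
            off += 4
    return found


def build_dir_block(entries, deleted=(), block_size: int = 1024) -> bytes:
    """Constructed test data. entries: (inode, name) in creation order, the first
    one live. Names in `deleted` are unlinked the way ext4 does it: the nearest
    live predecessor's rec_len grows over them and their bytes stay in place."""
    buf = bytearray(block_size)
    sizes = [entry_size(len(name)) for _, name in entries]
    sizes[-1] = block_size - sum(sizes[:-1])            # last entry spans the rest
    offs = [sum(sizes[:i]) for i in range(len(entries))]
    for (ino, name), off, size in zip(entries, offs, sizes):
        DIRENT.pack_into(buf, off, ino, size, len(name), 1)   # file_type 1 = regular file
        buf[off + 8:off + 8 + len(name)] = name.encode()
    for i, (_, name) in enumerate(entries):
        if name in deleted and i > 0:
            p = i - 1
            while p > 0 and entries[p][1] in deleted:
                p -= 1
            pino, prec, pnl, pft = DIRENT.unpack_from(buf, offs[p])
            DIRENT.pack_into(buf, offs[p], pino, prec + sizes[i], pnl, pft)
    return bytes(buf)


# Constructed sample: "." and ".." plus three files, with notes.txt unlinked.
SAMPLE_DIR = build_dir_block([(2, "."), (2, ".."), (12, "secret.key"),
                              (13, "notes.txt"), (14, "report.pdf")],
                             deleted={"notes.txt"})

if __name__ == "__main__":
    for ino, name, live in walk_dir_block(SAMPLE_DIR):
        print(f"{ino:6d}  {'live   ' if live else 'deleted'}  {name}")
```

The unsorted, append-in-creation-order layout is why the slack between an entry's real size and its rec_len is worth reading: it is where the names of recently deleted files sit. On filesystems with htree indexing or metadata checksums the block also carries index and tail structures, which this walker simply skips as inode-0 slots.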

linux-insides: all about linux kernel

…in a free collaborative book!

linux-insides is an online project developed by 0xAX, focused on writing a book about the Linux kernel and its internals:

The goal is simple — to share my modest knowledge about the insides of the linux kernel and help people who are interested in linux kernel insides, and other low-level subject matter.

The project is very detailed and already quite complete; here are some of its chapters:

  • System calls
  • Timers and time management
  • Synchronization primitives
  • Memory management
  • Data Structures in the Linux Kernel
  • Initial ram disk
    – initrd
How to use the ip command instead of ifconfig

Did you know that in 2009 it was announced that the ifconfig Linux command would be deprecated?

On most Linux distributions the ifconfig command has been deprecated and will eventually be replaced by the ip command.
What are the differences between ifconfig and ip?

Let’s try to summarize them:

Show network devices

ip addr show
ip link show

Enable a network interface

ifconfig eth0 up
ip link set eth0 up

A network interface can be disabled with:

ifconfig eth0 down
ip link set eth0 down

Setting IP address

The simple version:

ifconfig eth0
ip address add dev eth0

The complete version with network mask or the broadcast address:

ifconfig eth0 netmask broadcast
ip addr add broadcast dev eth0

Delete an IP address

This feature is available only with ip:

ip addr del dev eth0

Add alias interface

ifconfig eth0:1
ip addr add dev eth0 label eth0:1

Add an entry to the ARP table:

arp -i eth0 -s 00:11:22:33:44:55
ip neigh add lladdr 00:11:22:33:44:55 nud permanent dev eth0

Set ARP resolution off on one device

ifconfig -arp eth0
ip link set dev eth0 arp off

Show the routing table

ip route show

With ip you can query which interface and route a packet to a given IP address would use:

ip route get

Changing the routing table

Add a route:

route add -net dev eth3
ip route add dev eth3

Removing entries from a routing table:

route del -net dev eth3
ip route del dev eth3

Add a gateway:

route add -net gw
ip route add via
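A translator for the ifconfig forms above, as an added example (not code from the original post or from Doug Vitale's list): it prints the ip(8) commands instead of running them, converts a dotted netmask to the CIDR prefix that ip expects, and uses ip addr replace where ifconfig would overwrite the primary address. The interface names and addresses in the sample calls are constructed.

```python
"""Translate ifconfig argument lists into ip(8) commands without touching any
interface.

Two things bite people moving from ifconfig to ip:
  * ip wants a CIDR prefix, not a dotted netmask; ifconfig silently falls back
    to the classful mask when none is given, and classful_prefix reproduces that;
  * "ifconfig eth0 ADDR" replaces the primary address, while "ip addr add" adds
    a second one. "ip addr replace" is the faithful translation; "add" is kept
    only for the eth0:N alias form, which really does add an address.
"""
import ipaddress
from typing import List


def classful_prefix(addr: str) -> int:
    """Prefix length ifconfig assumes when no netmask is given (class A/B/C)."""
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def netmask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. Raises ValueError for a non-contiguous mask."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def is_valid_netmask(mask: str) -> bool:
    try:
        netmask_to_prefix(mask)
        return True
    except ValueError:
        return False


def ifconfig_to_ip(argv: List[str]) -> List[str]:
    """argv is what followed 'ifconfig' on the command line, e.g.
    ['eth0', '192.0.2.10', 'netmask', '255.255.255.0', 'up']."""
    if not argv:                                   # bare "ifconfig"
        return ["ip addr show", "ip link show"]
    iface = argv[0]
    # "eth0:1" is an alias label on device eth0
    dev, label = (iface.split(":", 1)[0], iface) if ":" in iface else (iface, None)
    addr = mask = bcast = state = arp = None
    args = list(argv[1:])
    while args:
        tok = args.pop(0)
        if tok == "netmask":
            mask = args.pop(0)
        elif tok == "broadcast":
            bcast = args.pop(0)
        elif tok in ("up", "down"):
            state = tok
        elif tok in ("arp", "-arp"):
            arp = "on" if tok == "arp" else "off"
        else:
            addr = tok                             # a bare token is the address
    cmds = []
    if addr:
        prefix = netmask_to_prefix(mask) if mask else classful_prefix(addr)
        parts = ["ip", "addr", "add" if label else "replace", f"{addr}/{prefix}"]
        if bcast:
            parts += ["broadcast", bcast]
        parts += ["dev", dev]
        if label:
            parts += ["label", label]
        cmds.append(" ".join(parts))
    if arp:
        cmds.append(f"ip link set dev {dev} arp {arp}")
    if state:
        cmds.append(f"ip link set dev {dev} {state}")
    return cmds


if __name__ == "__main__":
    import sys
    print("\n".join(ifconfig_to_ip(sys.argv[1:])))
```

Run it as python3 ifconfig2ip.py eth0 192.0.2.10 netmask 255.255.255.0 up to see the equivalent ip commands; on a live host, remember that ip addr add on an interface that already has an address leaves both configured, which is rarely what the ifconfig user meant.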

A more complete list of deprecated commands and their replacements is available in this post by Doug Vitale:

Deprecated Linux networking commands and their replacements


How to make a “Ultra-Geek” Linux Workstation

“Avoid interpreted languages, web-based desktop apps, and JavaScript garbage”

Yesterday I read a really inspiring article written by Joe Nelson, concerning the making of an extremely geeky Linux workstation with a minimalist and responsive user interface.

Truly interesting, imho, are the ‘Design Goals’ (with my highlights in bold):

  • User actions should complete instantaneously. While I understand if compiling code and rendering videos takes time, opening programs and moving windows should have no observable delay. The system should use minimalist tools.
  • Corollary: cache data offline when possible. Everything from OpenStreetMaps to StackExchange can be stored locally. No reason to repeatedly hit the internet to query them. This also improves privacy because the initial download is indiscriminate and doesn’t reveal personal queries or patterns of computer activity.
  • No idling program should use a perceptible amount of CPU. Why does CalendarAgent on my Macbook sometimes use 150% CPU for fifteen minutes? Who knows. Why are background ChromeHelpers chugging along at upper-single-digit CPU? I didn’t realize that holding a rendered DOM could be so challenging.
  • Avoid interpreted languages, web-based desktop apps, and JavaScript garbage. There, I said it. Take your Electron apps with you to /dev/null!
  • Delegate to quality hardware components. Why use a janky ncurses Linux audio mixer when you can use…an actual audio mixer?
  • Hardware privacy. No cameras or microphones that I can’t physically disconnect. Also real hardware protection for cryptographic keys.
  • Software privacy. Commercial software and operating systems have gotten so terrible about this. I even catch Mac command line tools trying to call Google Analytics. Sorry homebrew, your cute emojis don’t make up for the surveillance.

The selected distro is Debian stable with i3 as window manager, and a really interesting list of installed software:

System tools and utilities

  • Shell: dash
  • VPN: OpenVPN with PrivateInternetAccess config files
  • RFC downloader/reader. Caches locally.
  • Web browser: when possible NetSurf, when necessary Firefox.
  • Pipe text to clipboard: xclip
  • Todo manager: tudu
  • Map and driving directions: Navit with downloadable OpenStreetMap data
  • Desktop notifications — Dunst, be sure to use >= v1.1.0 for a memory leak fix
  • Calendar — calcurse includes support for CalDAV and triggering notification commands
  • Weather forecast — weather retrieves METARs (Meteorological Aerodrome Reports) directly from NOAA
  • File manager — ViFM
  • REST client — Resty + jq
  • Backup and tape rotation — Bacula


  • MUA — NeoMutt includes scriptable new-mail hook, and notmuch indexer
    – Use the maildir storage format
  • MTA — msmtp supports storing password using GnuPG
  • MRA — mbsync syncs the local mailbox with remote imap
  • urlview creates a menu from urls in a text file to open them
  • abook to store and retrieve addresses
  • Calendar integration: mutt + calcurse


  • Password management — passwordstore
  • OpenSSH key management — gpg-agent
  • Editing encrypted files — vim script


  • video: Jitsi
  • audio: Mumble
  • instant messenger: psi
  • irc client: irssi (console) or hexchat (x11)
    – desktop notification via irssi-libnotify
    – hexchat uses libnotify by default I think
  • SMS: dterm through GSM modem
    – Use AT commands like AT+CMGS to send a text
    – Hook up to an RS232 GSM modem like the SIMCOM SIM900

Offline Stackoverflow queries

Video editing

  • kdenlive No need to run KDE window manager, for the KDE part you should only need kdelibs, kdelibs-devel, qt and qt-devel packages.
    Store editing artifacts on ram drive for super speed

System monitoring


Audio player



  • Browsing — feh
  • Editing, raster — GIMP
  • Editing, vector — Inkscape


  • Tech prose editing: Vim + goyo
  • Spreadsheets: sc-im
  • Preview Word files: docx2txt + vim .docx autocmd
  • Word processing: Ted
  • Spell checker: aspell
  • Presentations: Beamer for LaTeX

For more technical information, hardware specifications and setup instructions, take a look at the original (fantastic) post by Joe Nelson: