Kali Linux Linux Security

Kali Linux Forensics Tools

Kali Linux is a powerful Operating system especially designed for Penetration Tester and Security Professionals. Most of its features and tools are made for security researchers and pentesters but it has a separate “Forensics” tab and a separate “Forensics” mode for Forensics Investigators.

Forensics is becoming very important in Cyber Security to detect and backtrack Black Hat Criminals. It is essential to remove Hackers’ malicious backdoors/malwares and trace them back to avoid any possible future incidents. In Kali’s Forensics mode, Operating System doesn’t mount any partition from System’s hard drive and doesn’t leave any changes or fingerprints on host’s system.

Kali Linux comes with pre-installed popular forensics applications and toolkits. Here we’ll review some famous open source tools present in Kali Linux.

Bulk Extractor

Bulk Extractor is a rich-featured tool that can extract useful information like Credit Card Numbers, Domain names, IP Addresses, Emails, Phone Numbers and URLs from evidence Hard-drives/files found during Forensics Investigation. It is helpful in analyzing image or malware, also helps in Cyber investigation and password cracking. It build wordlists based on information found from evidence that can help in password cracking.

Bulk Extractor is popular among other tools because of its incredible speed, multiple platform compatibility and thoroughness. It is fast due to its multi-threaded features and it has ability to scan any type of digital media that include HDDs, SSDs, Mobile Phones, Cameras, SD cards and a lot other types.

Bulk Extractor has following cool features which make it more preferable,

  • It has Graphical UI called “Bulk Extractor Viewer” which is used to interact with Bulk Extractor
  • It has multiple output options like displaying and analyzing the output data in histogram.
  • It can be easily automated by using Python or other scripting languages.
  • It comes with some pre-written scripts that can be used to perform additional scanning
  • Its multi-threaded, can be more fast on systems with multiple CPU cores.
root@azad:~# bulk_extractor --help
Usage: bulk_extractor [options] imagefile

runs bulk extractor and outputs to stdout a summary of what was found where

Required parameters:
imagefile    - the file to extract
or  -R filedir  - recurse through a directory of files
HAS SUPPORT FOR E01 FILES
HAS SUPPORT FOR AFF FILES
-o outdir    - specifies output directory. Must not exist.

bulk_extractor creates this directory.

Options:
-i - INFO mode. Do a quick random sample and print a report.
-b banner.txt- Add banner.txt contents to the top of every output file.
-r alert_list.txt  - a file containing the alert list of features to alert
(can be a feature file or a list of globs)
(can be repeated.)
-w stop_list.txt   - a file containing the stop list of features (white list
(can be a feature file or a list of globs)s
(can be repeated.)
-F <rfile>   - Read a list of regular expressions from <rfile> to find
-f <regex>   - find occurrences of <regex>; may be repeated.
results go into find.txt
...snip...
 
Usage Example
 
root@azad:~# bulk_extractor -o output secret.img

Autopsy

Autopsy is a platform that is used by Cyber Investigators and law enforcements to conduct and report Forensics operations. It is combines many individual utilities that are used for Forensics and recovery and provides them Graphical User Interface.

Autopsy is an open source, free and cross-platform product which is available for Windows, Linux and other UNIX based operating systems. Autopsy can search and investigate data from hard drives of multiple formats including EXT2, EXT3, FAT, NTFS and others.

It is easy to use and there is no need to install in Kali Linux as it ships with pre-installed and pre-configured.

Dumpzilla

Dumpzilla is a cross-platform command line tool written in Python 3 language which is used to dump Forensics related information from web browsers. It doesn’t extract data or information, just displays it in terminal which can be piped, sorted out and stored in files using Operating System commands. Currently, it supports only Firefox based browsers like Firefox, Seamonkey, Iceweasel etc.

Dumpzilla can get following information from browsers

  • Can show live surfing of user in tabs/window.
  • User Downloads, Bookmarks & History.
  • Web forms (Searches, emails, comments..).
  • Cache/thumbnails of previously visited sites.
  • Addons / Extensions and used paths or urls.
  • Browser saved passwords.
  • Cookies and Session data.
root@azad:~# dumpzilla --help
Usage: python dumpzilla.py browser_profile_directory [Options]

Options:

--All (Shows everything but the DOM data. Doesn't extract thumbnails or HTML 5 offline)

--Cookies [-showdom -domain <string> -name <string> -hostcookie <string> -access <date>
 -create <date> -secure <0/1> -httponly <0/1> -range_last -range_create <start>
<end>]

--Permissions [-host <string>]

--Downloads [-range <start> <end>]

--Forms   [-value <string> -range_forms <start> <end>]

--History [-url <string> -title <string> -date <date> -range_history <start> <end>
-frequency]

--Bookmarks [-range_bookmarks <start> <end>]

...snip...

Digital Forensics Framework – DFF

DFF is a file recovery tool and Forensics development platform written in Python and C++. It has set of tools and script with both Command Line and Graphical User Interface. It is used to carry out Forensics Investigation and to gather and report digital evidences.

It is easy to use and can be used by Cyber Professionals as well as newbies to collect and preserve digital Forensics Info. Here we’ll discuss some of its good features

  • Can perform Forensics and recovery on Local as well as remote devices.
  • Both Command Line and Graphical UI with graphical views and filters.
  • Can recover partitions & virtual machine drives.
  • Compatible with a lot of file systems & formats including Linux and Windows.
  • Can recover hidden and deleted files.
  • Can recover data from temporary memory such as Network, Process and etc
root@azad:~# dff -h
DFF
Digital Forensic Framework
 
Usage: /usr/bin/dff [options]
Options:
-v       --version                  display current version
-g       --graphical                launch graphical interface
-b       --batch=FILENAME     executes batch contained in FILENAME
-l       --language=LANG            use LANG as interface language
-h       --help                     display this help message
-d       --debug                    redirect IO to system console
--verbosity=LEVEL          set verbosity level when debugging [0-3]
-c       --config=FILEPATH          use config file from FILEPATH

Foremost

Foremost is a faster and reliable Command line based recovery tool to get back lost files in Forensics Operations. Foremost has the ability to work on images generated by dd, Safeback, Encase, etc, or directly on a drive. Foremost can recover exe, jpg, png, gif, bmp, avi, mpg, wav, pdf, ole, rar and a lot other file types.

root@azad:~# foremost -h

foremost version x.x.x by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file]
 
-V  - display copyright information and exit
-t  - specify file type.  (-t jpeg,pdf ...)
-d  - turn on indirect block detection (for UNIX file-systems)
-i  - specify input file (default is stdin)
-a  - Write all headers, perform no error detection (corrupted files)
-w  - Only write the audit file, do not write any detected files to the disk
-o  - set output directory (defaults to output)
-c  - set configuration file to use (defaults to foremost.conf)
...snip...
 
Usage example
 
root@azad:~# foremost -t exe,jpeg,pdf,png -i file-image.dd
Processing: file-image.dd
...snip...

Conclusion

Kali, along with its famous Penetration testing tools also has a whole tab dedicated for “Forensics”. It has a separate “Forensics” mode which is available only for Live USBs in which it doesn’t mount host’s partitions. Kali is a little preferable over other Forensics distros such as CAINE because of its support and better compatibility.

About the author

Avatar

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14