Digital Forensics with Kali Linux
Shiva V. N. Parasram
BIRMINGHAM—MUMBAI
Digital Forensics with Kali Linux
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted
in any form or by any means, without the prior written permission of the publisher, except in the case
of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information
presented. However, the information contained in this book is sold without warranty, either express
or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable
for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and
products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot
guarantee the accuracy of this information.
ISBN 978-1-83763-515-3
www.packtpub.com
I dedicate this book to my father, Harry Goolcharran Parasram (1950–2021),
an author, teacher, poet, artist, the most brilliant man I’ve ever known, and the
most loving father a son could hope and pray for. The man who taught me the importance
of being patient and kind and knowing when to take risks. The one who got me started with
computers and technology. The man who taught me to care for my family and be a strong,
intelligent, and loving man. Not a day goes by that I don’t think of you. You’re missed every day.
Thank you, daddy. Love you endlessly.
Contributors
I’d like to thank the team at Packt (Shrilekha, Sean, Adrija, and Prachi) for their support; the technical
reviewers, Alex Samm and Deodath Ganga; my guru, Pt. Persad; my parents, Harry and Indra; my
wife, Savi; the loveable Bindi; and Dr. Mala, Dr. Nilash Ramnarine, and Dr. Sharad Mohip. I also
have to thank all my friends who were there for me throughout my most trying times recently. Special
thanks to the CFSI family also. I am truly blessed.
About the reviewers
Alex Samm has worked in the cybersecurity space for over 10 years, primarily focused on penetration
testing and red teaming. He has conducted penetration tests for organizations in the financial sector,
education, public utilities, oil and gas, and state entities. He has also executed incident response and
digital forensics for financial institutions and other state entities.
Alex is currently employed at BDO B.V. as a consultant in their advisory services team and provides
services that include penetration testing, ERP assessments, data analytics, IT risk assessments, and
other digital services.
I’d like to thank my family for all the support they provide. They have encouraged my obsession with
technology and driven me to learn more. Huge thanks to my friends that keep me grounded and
remind me to take time to relax.
Deodath Ganga is an information security and networking professional with over 20 years’ experience
in information technology, networking, and cybersecurity. He is a senior security advisor and consultant
who is positioned as an information security technology risk manager for a client in the global banking
sector. He is also an experienced penetration tester, digital forensic investigator, and purple teamer, as
well as a senior cybersecurity lecturer who teaches ethical hacking, digital forensic investigation, and
cyber defense. Deodath is passionate about cyber safety and works as a senior cybersecurity awareness
officer, educating people about the dangers of the cyber realm and ways to keep themselves safe.
Table of Contents
Preface xv

2
Introduction to Digital Forensics 15
What is digital forensics? 15
The need for blue and purple teams 16
Digital forensics methodologies and frameworks 18
DFIR frameworks 20
Comparison of digital forensics operating systems 21
Digital evidence and forensics toolkit Linux 23
Computer Aided INvestigative Environment (CAINE) 25
CSI Linux 30
Kali Linux 35
The need for multiple forensics tools in digital investigations 39
Commercial forensics tools 40
Anti-forensics – threats to digital forensics 41
Summary 44

3
Installing Kali Linux 45
Technical requirements 45
Downloading Kali Linux 45
Downloading the required tools and images 48
Downloading the Kali Linux Everything torrent 48
Installing Kali Linux on portable storage media for live DFIR 50
Installing Kali as a standalone operating system 56
Installing Kali in VirtualBox 57
Preparing the Kali Linux VM 58
Installing Kali Linux on the virtual machine 62
Installing and configuring Kali Linux as a virtual machine or as a standalone OS 67
Summary 80

4
Additional Kali Installations and Post-Installation Tasks 81
Installing a pre-configured version of Kali Linux in VirtualBox 81
Installing Kali Linux on Raspberry Pi4 85
Updating Kali 89
Enabling the root user account in Kali 92
Adding the Kali Linux forensics metapackage 96
Summary 96

5
Installing Wine in Kali Linux 99
What Wine is and the advantages of using it in Kali Linux 99
Installing Wine 100
Configuring our Wine installation 105
Testing our Wine installation 109
Summary 114

7
Incident Response, Data Acquisitions, and DFIR Frameworks 141
Evidence acquisition procedures 142
Incident response and first responders 143
Evidence collection and documentation 144
Physical acquisition tools 145
Live versus post-mortem acquisition 148
Order of volatility 148
Powered-on versus powered-off device acquisition 148
The CoC 150
The importance of write blockers 150
Data imaging and maintaining evidence integrity 151
Message Digest (MD5) hash 152
Secure Hashing Algorithm (SHA) 153
Data acquisition best practices and DFIR frameworks 154
DFIR frameworks 155
Summary 156

9
File Recovery and Data Carving Tools 193
File basics 194
Downloading the sample files 194
File recovery and data carving with Foremost 195
Image recovery with Magicrescue 201
Data carving with Scalpel 205
Data extraction with bulk_extractor 209
NTFS recovery using scrounge-ntfs 214
Image recovery using Recoverjpeg 218
Summary 222

10
Memory Forensics and Analysis with Volatility 3 223
What’s new in Volatility 3 223
Downloading sample memory dump files 225
Installing Volatility 3 in Kali Linux 225
Memory dump analysis using Volatility 3 232
Image and OS verification 232
Process identification and analysis 234
Summary 243

11
Artifact, Malware, and Ransomware Analysis 245
Identifying devices and operating systems with p0f 245
Looking at the swap_digger tool to explore Linux artifacts 250
Installing and using swap_digger 250
Password dumping with MimiPenguin 252
PDF malware analysis 253
Using Hybrid Analysis for malicious file analysis 257
Ransomware analysis using Volatility 3 260
The pslist plugin 262
Summary 270

13
Performing a Full DFIR Analysis with the Autopsy 4 GUI 291
Autopsy 4 GUI features 291
Installing Autopsy 4 in Kali Linux using Wine 292
Downloading sample files for automated analysis 297
Creating new cases and getting acquainted with the Autopsy 4 interface 297
Analyzing directories and recovering deleted files and artifacts with Autopsy 4 305
Summary 310

15
Packet Capture Analysis with Xplico 329
Installing Xplico in Kali Linux 329
Installing DEFT Linux 8.1 in VirtualBox 331
Downloading sample analysis files 336
Starting Xplico in DEFT Linux 337
Using Xplico to automatically analyze web, email, and voice traffic 339
Automated web traffic analysis 341
Automated SMTP traffic analysis 345
Automated VoIP traffic analysis 346
Summary 348

16
Network Forensic Analysis Tools 349
Capturing packets using Wireshark 350
Packet analysis using NetworkMiner 357
Packet capture analysis with PcapXray 362
Online PCAP analysis using packettotal.com 368
Online PCAP analysis using apackets.com 371
Reporting and presentation 375
Summary 376

Index 377
Chapter 5, Installing Wine in Kali Linux, shows the versatility of Linux systems, where you will learn
how to install and use forensic tools designed to be used in the Windows platform, in a Kali Linux
system using Wine.
Chapter 6, Understanding File Systems and Storage Media, dives into the realm of operating systems
and the various formats for file storage, including secret hiding places not seen by the end user, or even
the operating system. We also inspect data about data, known as metadata, and look at its volatility.
Chapter 7, Incident Response, Data Acquisitions, and DFIR Frameworks, asks what happens when
an incident is reported or detected. Who are the first responders and what are the procedures for
maintaining the integrity of the evidence? In this chapter, we look at best practices, procedures, and
frameworks for data acquisition and evidence collection.
Chapter 8, Evidence Acquisition Tools, builds on the theory behind data acquisitions and best practices
and teaches you to use industry-recognized tools such as DC3DD, DD, Guymager, FTK Imager, and
RAM Capturer to perform data and image acquisition while preserving evidence integrity.
Chapter 9, File Recovery and Data Carving Tools, introduces the investigative side of digital forensics
by using various tools such as Magic Rescue, Scalpel, Bulk_Extractor, scrounge_ntfs, and
recoverjpeg to carve and recover data and artifacts from forensically acquired images and media.
Chapter 10, Memory Forensics and Analysis with Volatility 3, takes us into the analysis of memory
artifacts and demonstrates the importance of preserving volatile evidence such as the contents of the
RAM and the paging file.
Chapter 11, Artifact, Malware, and Ransomware Analysis, carries us much deeper into artifact analysis
using p0f, swap_digger, and mimipenguin, and, thereafter, demonstrates how to perform malware
and ransomware analysis using pdf-parser, hybrid-analysis.com, and Volatility.
Chapter 12, Autopsy Forensic Browser, showcases automated file recovery and analysis within Kali
Linux using a single tool.
Chapter 13, Performing a Full DFIR Analysis with the Autopsy 4 GUI, dives much deeper into automated
file carving, data recovery, and analysis using one of the most powerful and free forensic tools, which
takes forensic abilities and investigations to a professional level, catering for all aspects of full digital
forensics investigations, from hashing to reporting.
Chapter 14, Network Discovery Tools, showcases network scanning and reconnaissance tools such as
netdiscover, nmap, and Shodan, which, although not specifically designed for use as forensic tools,
are useful in providing additional information when performing incident response.
Chapter 15, Packet Capture Analysis with Xplico, gives an insightful use of automated packet analysis
using one tool for investigating network and internet traffic.
Chapter 16, Network Forensic Analysis Tools, ends the book by demonstrating how to capture and analyze
packets using a variety of tools and websites including Wireshark, NetworkMiner, packettotal.com,
and apackets.com.
If you are using the digital version of this book, we advise you to type the code yourself or access
the code from the book’s GitHub repository (a link is available in the next section). Doing so will
help you avoid any potential errors related to the copying and pasting of code.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file
extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Power on
your Pi and Kali will boot. Again, the default username and password are both kali (in lowercase).”
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words
in menus or dialog boxes appear in bold. Here is an example: “You can view some of the forensics
tools by clicking on Applications | 11-Forensics on the main Kali menu.”
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at customercare@packtpub.com
and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen.
If you have found a mistake in this book, we would be grateful if you would report this to us. Please
visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would
be grateful if you would provide us with the location address or website name. Please contact us at
copyright@packt.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you
are interested in either writing or contributing to a book, please visit authors.packtpub.com.
As we begin our journey into Digital Forensics and Incident Response (DFIR), it is important that
we have a clear understanding of Blue and Purple Teaming, which is compared to Red Teaming, and
also have a firm grasp on fundamental knowledge required to create a Blue and Purple Teaming lab
environment. This section explains the terminology and looks at the skillsets required in becoming a
Blue and Purple Teamer, and also demonstrates various methods of setting up a DFIR lab environment.
This part has the following chapters:
Before we get started with these topics, the following is a sneak peek at how I got into the world of
Kali Linux, as I feel some of you will be able to relate to my story!
As time passed, I researched many tools found on various platforms for Windows, Macintosh, and
many Linux distributions. I found that many of the tools used in digital forensics could be installed
on various Linux distributions or flavors, and many of these tools were well maintained, constantly
being developed, and widely accepted by peers in the field. Kali Linux is a Linux distribution or flavor,
but before we go any further, let me explain the concept of a Linux distribution or flavor. Consider
your favorite beverage: this beverage can come in many flavors, some without sweeteners or sugar,
in different colors, and even in various sizes. No matter the variations, it’s still the basic ingredients
that comprise the beverage at the core. In this way, too, we have Linux and then different types and
varieties of Linux. Some more popular Linux distros and flavors include RedHat, CentOS, Ubuntu,
Mint, KNOPPIX, and, of course, Kali Linux. More on Kali Linux will be discussed in Chapter 3,
Installing Kali Linux.
With that said, let’s move on to our next section as we get started with exploring the enchanting world
of Kali Linux!
you to run Windows applications in Kali Linux. Although it takes a bit of configuration, I’ve compiled
a step-by-step guide on how to install Wine in Chapter 5, Installing Wine in Kali Linux.
Some of you may be wondering why we would install Wine instead of simply using a Windows machine.
There are quite a few valid reasons actually. Firstly, cost is a major factor. Windows licenses aren’t
cheap if you’re a student, in between jobs, changing careers, or live in a region where the exchange rate
and forex are limiting factors in purchasing licensing. At the time of writing, the cost of a Windows
10 Professional license is $199.00, as listed on Microsoft’s site at
https://www.microsoft.com/en-us/d/windows-10-pro/df77x4d43rkt?activetab=pivot:overviewtab.
Although we will not be using commercial tools in this book, there are some amazing free DFIR tools
that are available for Windows, such as Belkasoft RAM Capturer, Autopsy 4 GUI, and NetworkMiner,
which we can now install within our open source Kali Linux environment instead of on a licensed
Windows machine. These tools will be covered in detail in Chapter 8, Evidence Acquisition Tools,
Chapter 13, Performing a Full DFIR Analysis with the Autopsy 4 GUI, and Chapter 16, Network Forensic
Analysis Tools, respectively.
Another consideration is that Wine again saves us the hassle of having to switch between physical
machines and can also save on resource utilization such as Random Access Memory (RAM), Central
Processing Unit (CPU), Hard Disk Drive (HDD) space, and other resources when using virtual
machines, which we will discuss more in detail in the next chapter.
Finally, we can install many other Windows applications in Kali Linux using tools, whether they be
productivity tools or even tools for penetration testing, thus making our Kali Linux installation the
perfect purple teaming operating system environment, which we will discuss later in this chapter.
Kali Linux users also have the option to download and install (meta)packages manually rather than
downloading a very large installation file. Kali Linux (meta)packages contain tools and dependencies
that may be specific to an assessment or task, such as information gathering, vulnerability assessments,
wireless hacking, and forensics. Alternatively, a user can download the kali-linux-everything (meta)
package. We’ll go into more detail about (meta)package installations in Chapter 4, Additional Kali
Installations and Post-Installation Tasks, but if you’d like to know more about what (meta)packages
exist, you can find the full listing at https://www.kali.org/docs/general-use/metapackages/.
Yet another reason why Kali Linux is so popular is that there are several versions available for a
multitude of physical, virtual, mobile, and portable devices. Kali is available as a standalone operating
system image and can also be installed virtually using their pre-built images for virtual platforms such
as VMware and VirtualBox, which will be covered in detail in Chapter 3, Installing Kali Linux, and
Chapter 4, Additional Kali Installations and Post-Installation Tasks. There are also versions of Kali for
ARM devices, cloud instances, and even the ability to run Kali Linux in Windows 10 under the Windows
Subsystem for Linux (WSL). On a personal note, I also use the mobile version of Kali Linux called
Kali NetHunter on an old OnePlus phone and also on a Raspberry Pi 4, which, when connected to a
power bank, serve as the ultimate portable security assessment toolkit. As far as installation on mobile
phones goes, NetHunter (and even Kali Linux itself in some cases) can be installed on a variety of phones
from Samsung, Nokia, OnePlus, Sony, Xiaomi, Google, or ZTE. We’ll look at installing Kali Linux in
VirtualBox and Raspberry Pi 4 in Chapter 4, Additional Kali Installations and Post-Installation Tasks.
The fact that Kali Linux offers all these features for free and can be easily upgraded with the addition
of new tools just a couple of clicks and commands away makes it the perfect purple teaming solution.
Let’s take a look at red, blue, and purple teaming and the skillsets required for each team.
• Offensive Security Certified Professional (OSCP): Developed by the creators of Kali Linux
• Certified Ethical Hacker (CEH): From the EC-Council
• Practical Network Penetration Tester (PNPT): Developed by TCM Security
• Pentest+: By CompTIA
• SANS SEC: Courses from the SANS Institute
• e-Learn Junior Penetration Tester (eJPT): Developed by e-Learn Security for beginners
interested in becoming red teamers