Digital Forensics with Kali Linux

Enhance your investigation skills by performing network and memory forensics with Kali Linux 2022.x

Shiva V. N. Parasram

BIRMINGHAM—MUMBAI
Digital Forensics with Kali Linux
Copyright © 2023 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted
in any form or by any means, without the prior written permission of the publisher, except in the case
of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information
presented. However, the information contained in this book is sold without warranty, either express
or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable
for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and
products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot
guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani


Publishing Product Manager: Prachi Sawant
Senior Content Development Editor: Adrija Mitra
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Project Coordinator: Sean Lobo
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Shankar Kalbhor
Marketing Coordinator: Marylou De Mello

First published: December 2017


Second edition: April 2020
Third edition: April 2023

Production reference: 1160323

Published by Packt Publishing Ltd.


Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-83763-515-3

www.packtpub.com
I dedicate this book to my father, Harry Goolcharran Parasram (1950–2021),
an author, teacher, poet, artist, the most brilliant man I’ve ever known, and the
most loving father a son could hope and pray for. The man who taught me the importance
of being patient and kind and knowing when to take risks. The one who got me started with
computers and technology. The man who taught me to care for my family and be a strong,
intelligent, and loving man. Not a day goes by that I don’t think of you. You’re missed every day.
Thank you, daddy. Love you endlessly.
Contributors

About the author


Shiva V. N. Parasram is a cybersecurity and risk consultant with over 19 years of experience and is
the executive director of the Computer Forensics and Security Institute (CFSI), which specializes
in pentesting, Digital Forensics and Incident Response (DFIR), and advanced security training with
a global reach. As the only Certified EC-Council Instructor (CEI) in the Caribbean, he has trained
thousands and is the founder of the CFSI CyberFence program. Shiva is also the author of three other
books from Packt Publishing and has delivered workshops regionally and globally for ISACA, ISC2,
universities, and security agencies. He is also a Security Risk Manager Consultant for PTRMS (Canada)
positioned within a global financial institution, and a cybersecurity mentor at Springboard (US).

I’d like to thank the team at Packt (Shrilekha, Sean, Adrija, and Prachi) for their support; the technical
reviewers, Alex Samm and Deodath Ganga; my guru, Pt. Persad; my parents, Harry and Indra; my
wife, Savi; the loveable Bindi; and Dr. Mala, Dr. Nilash Ramnarine, and Dr. Sharad Mohip. I also
have to thank all my friends who were there for me throughout my most trying times recently. Special
thanks to the CFSI family also. I am truly blessed.
About the reviewers
Alex Samm has worked in the cybersecurity space for over 10 years, primarily focused on penetration
testing and red teaming. He has conducted penetration tests for organizations in the financial sector,
education, public utilities, oil and gas, and state entities. He has also executed incident response and
digital forensics for financial institutions and other state entities.
Alex is currently employed at BDO B.V. as a consultant in their advisory services team and provides
services that include penetration testing, ERP assessments, data analytics, IT risk assessments, and
other digital services.

I’d like to thank my family for all the support they provide. They have encouraged my obsession with
technology and driven me to learn more. Huge thanks to my friends that keep me grounded and
remind me to take time to relax.

Deodath Ganga is an information security and networking professional with over 20 years’ experience
in information technology, networking, and cybersecurity. He is a senior security advisor and consultant
who is positioned as an information security technology risk manager for a client in the global banking
sector. He is also an experienced penetration tester, digital forensic investigator, and purple teamer, as
well as a senior cybersecurity lecturer who teaches ethical hacking, digital forensic investigation, and
cyber defense. Deodath is passionate about cyber safety and works as a senior cybersecurity awareness
officer, educating people about the dangers of the cyber realm and ways to keep themselves safe.
Table of Contents

Preface  xv

Part 1: Blue and Purple Teaming Fundamentals

1. Red, Blue, and Purple Teaming Fundamentals  3
  How I got started with Kali Linux  4
  What is Kali Linux?  5
  Why is Kali Linux so popular?  6
  Understanding red teaming  8
  Understanding blue teaming  9
  Understanding purple teaming  12
  Summary  14

2. Introduction to Digital Forensics  15
  What is digital forensics?  15
  The need for blue and purple teams  16
  Digital forensics methodologies and frameworks  18
    DFIR frameworks  20
  Comparison of digital forensics operating systems  21
    Digital evidence and forensics toolkit Linux  23
    Computer Aided INvestigative Environment (CAINE)  25
    CSI Linux  30
    Kali Linux  35
  The need for multiple forensics tools in digital investigations  39
    Commercial forensics tools  40
  Anti-forensics – threats to digital forensics  41
  Summary  44

3. Installing Kali Linux  45
  Technical requirements  45
  Downloading Kali Linux  45
    Downloading the required tools and images  48
    Downloading the Kali Linux Everything torrent  48
  Installing Kali Linux on portable storage media for live DFIR  50
  Installing Kali as a standalone operating system  56
  Installing Kali in VirtualBox  57
    Preparing the Kali Linux VM  58
    Installing Kali Linux on the virtual machine  62
    Installing and configuring Kali Linux as a virtual machine or as a standalone OS  67
  Summary  80

4. Additional Kali Installations and Post-Installation Tasks  81
  Installing a pre-configured version of Kali Linux in VirtualBox  81
  Installing Kali Linux on Raspberry Pi4  85
  Updating Kali  89
  Enabling the root user account in Kali  92
  Adding the Kali Linux forensics metapackage  96
  Summary  96

5. Installing Wine in Kali Linux  99
  What Wine is and the advantages of using it in Kali Linux  99
  Installing Wine  100
  Configuring our Wine installation  105
  Testing our Wine installation  109
  Summary  114

Part 2: Digital Forensics and Incident Response Fundamentals and Best Practices

6. Understanding File Systems and Storage  117
  History and types of storage media  118
    IBM and the history of storage media  118
    Removable storage media  119
    Magnetic tape drives  119
    Floppy disks  119
    Optical storage media  120
    Blu-ray Disc  122
    Flash storage media  122
    USB flash drives  123
    Flash memory cards  125
    Hard disk drives  128
    Integrated Drive Electronics HDDs  129
    Serial Advanced Technology Attachment HDDs  130
    Solid-state drives  131
  File systems and operating systems  133
    Microsoft Windows  133
    Macintosh (macOS)  134
    Linux  134
  Data types and states  135
    Metadata  135
    Slack space  136
  Volatile and non-volatile data and the order of volatility  136
  The importance of RAM, the paging file, and cache in DFIR  138
  Summary  139

7. Incident Response, Data Acquisitions, and DFIR Frameworks  141
  Evidence acquisition procedures  142
    Incident response and first responders  143
    Evidence collection and documentation  144
    Physical acquisition tools  145
  Live versus post-mortem acquisition  148
    Order of volatility  148
    Powered-on versus powered-off device acquisition  148
  The CoC  150
    The importance of write blockers  150
  Data imaging and maintaining evidence integrity  151
    Message Digest (MD5) hash  152
    Secure Hashing Algorithm (SHA)  153
  Data acquisition best practices and DFIR frameworks  154
    DFIR frameworks  155
  Summary  156

Part 3: Kali Linux Digital Forensics and Incident Response Tools

8. Evidence Acquisition Tools  159
  Using the fdisk command for partition recognition  160
    Device identification using the fdisk command  161
  Creating strong hashes for evidence integrity  163
  Drive acquisition using DC3DD  165
    Verifying the hash output of image files  171
    Erasing a drive using DC3DD  171
  Drive acquisition using DD  173
  Drive acquisition using Guymager  175
    Running Guymager  176
    Acquiring evidence with Guymager  177
  Drive and memory acquisition using FTK Imager in Wine  182
    Installing FTK Imager  182
    RAM acquisition with FTK Imager  190
  RAM and paging file acquisition using Belkasoft RAM Capturer  191
  Summary  192

9. File Recovery and Data Carving Tools  193
  File basics  194
  Downloading the sample files  194
  File recovery and data carving with Foremost  195
  Image recovery with Magicrescue  201
  Data carving with Scalpel  205
  Data extraction with bulk_extractor  209
  NTFS recovery using scrounge-ntfs  214
  Image recovery using Recoverjpeg  218
  Summary  222

10. Memory Forensics and Analysis with Volatility 3  223
  What’s new in Volatility 3  223
  Downloading sample memory dump files  225
  Installing Volatility 3 in Kali Linux  225
  Memory dump analysis using Volatility 3  232
    Image and OS verification  232
    Process identification and analysis  234
  Summary  243

11. Artifact, Malware, and Ransomware Analysis  245
  Identifying devices and operating systems with p0f  245
  Looking at the swap_digger tool to explore Linux artifacts  250
    Installing and using swap_digger  250
  Password dumping with MimiPenguin  252
  PDF malware analysis  253
  Using Hybrid Analysis for malicious file analysis  257
  Ransomware analysis using Volatility 3  260
    The pslist plugin  262
  Summary  270

Part 4: Automated Digital Forensics and Incident Response Suites

12. Autopsy Forensic Browser  273
  Introduction to Autopsy – The Sleuth Kit  274
  Downloading sample files for use and creating a case in the Autopsy browser  275
    Starting Autopsy  276
    Creating a new case in the Autopsy forensic browser  279
  Evidence analysis using the Autopsy forensic browser  284
  Summary  289

13. Performing a Full DFIR Analysis with the Autopsy 4 GUI  291
  Autopsy 4 GUI features  291
  Installing Autopsy 4 in Kali Linux using Wine  292
  Downloading sample files for automated analysis  297
  Creating new cases and getting acquainted with the Autopsy 4 interface  297
  Analyzing directories and recovering deleted files and artifacts with Autopsy 4  305
  Summary  310

Part 5: Network Forensic Analysis Tools

14. Network Discovery Tools  313
  Using netdiscover in Kali Linux to identify devices on a network  313
  Using Nmap to find additional hosts and devices on a network  316
  Using Nmap to fingerprint host details  319
  Using Shodan.io to find IoT devices including firewalls, CCTV, and servers  321
    Using Shodan filters for IoT searches  322
  Summary  327

15. Packet Capture Analysis with Xplico  329
  Installing Xplico in Kali Linux  329
  Installing DEFT Linux 8.1 in VirtualBox  331
  Downloading sample analysis files  336
  Starting Xplico in DEFT Linux  337
  Using Xplico to automatically analyze web, email, and voice traffic  339
    Automated web traffic analysis  341
    Automated SMTP traffic analysis  345
    Automated VoIP traffic analysis  346
  Summary  348

16. Network Forensic Analysis Tools  349
  Capturing packets using Wireshark  350
  Packet analysis using NetworkMiner  357
  Packet capture analysis with PcapXray  362
  Online PCAP analysis using packettotal.com  368
  Online PCAP analysis using apackets.com  371
  Reporting and presentation  375
  Summary  376

Index  377

Other Books You May Enjoy  390


Preface
In this third edition of this book, you’ll find that the theory and methodologies have remained
mostly the same with updates on general technical information, best practices, and frameworks, as
the procedures and documentation are standard throughout the field; however, you’ll find that the
technical chapters contain new labs using new examples. I’ve also included a few completely new
chapters that go deeper into artifact analysis, automated data recovery, malware, and network analysis,
showcasing several tools with practical exercises that even beginners will find easy to follow. We even
utilize Wine, which will allow us to install very popular Digital Forensics and Incident Response
(DFIR) tools built for the Windows platform (such as Autopsy 4) within Kali Linux. This book is quite
useful for Red Teamers and penetration testers who wish to learn about or enhance their DFIR and
Blue Teaming skillsets to become Purple Teamers by combining their penetration testing skills with
the digital forensics and incident response skills that will be taught throughout this book.

Who this book is for


The third edition of this book was carefully structured to be easily understood by individuals at all
levels, from beginners and digital forensics novices to incident response professionals alike, as the first
six chapters serve to get you acquainted with the technologies used and also guide you through setting
up Kali Linux, before delving into forensic analysis, data recovery, malware analysis, automated DFIR
analysis, and network forensics investigations. Red teamers and penetration testers wanting to learn
Blue Teaming skillsets to become Purple Teamers may also find the contents of this book very useful.

What this book covers


Chapter 1, Red, Blue, and Purple Teaming Fundamentals, informs you about the different types of cyber
security teams to which penetration testers and forensic investigators belong, and the skillsets required.
Chapter 2, Introduction to Digital Forensics, introduces you to the world of digital forensics and forensic
methodology, and also introduces you to various forensic operating systems.
Chapter 3, Installing Kali Linux, covers the various methods that can be used to install Kali Linux as a
virtual machine or as a standalone operating system, which can also be run from a flash drive or SD card.
Chapter 4, Additional Kali Installations and Post-Installation Tasks, builds upon the Kali installation and
guides you through performing additional installations and post-installation tasks such as enabling
a root user and updating Kali Linux.
Chapter 5, Installing Wine in Kali Linux, shows the versatility of Linux systems, where you will learn
how to install and use forensic tools designed to be used in the Windows platform, in a Kali Linux
system using Wine.
Chapter 6, Understanding File Systems and Storage Media, dives into the realm of operating systems
and the various formats for file storage, including secret hiding places not seen by the end user, or even
the operating system. We also inspect data about data, known as metadata, and look at its volatility.
Chapter 7, Incident Response, Data Acquisitions, and DFIR Frameworks, asks what happens when
an incident is reported or detected. Who are the first responders and what are the procedures for
maintaining the integrity of the evidence? In this chapter, we look at best practices, procedures, and
frameworks for data acquisition and evidence collection.
Chapter 8, Evidence Acquisition Tools, builds on the theory behind data acquisitions and best practices
and teaches you to use industry-recognized tools such as DC3DD, DD, Guymager, FTK Imager, and
RAM Capturer to perform data and image acquisition while preserving evidence integrity.
Chapter 9, File Recovery and Data Carving Tools, introduces the investigative side of digital forensics
by using various tools such as Magic Rescue, Scalpel, Bulk_Extractor, scrounge_ntfs, and
recoverjpeg to carve and recover data and artifacts from forensically acquired images and media.
Chapter 10, Memory Forensics and Analysis with Volatility 3, takes us into the analysis of memory
artifacts and demonstrates the importance of preserving volatile evidence such as the contents of the
RAM and the paging file.
Chapter 11, Artifact, Malware, and Ransomware Analysis, carries us much deeper into artifact analysis
using p0f, swap_digger, and mimipenguin, and, thereafter, demonstrates how to perform malware
and ransomware analysis using pdf-parser, hybrid-analysis.com, and Volatility.
Chapter 12, Autopsy Forensic Browser, showcases automated file recovery and analysis within Kali
Linux using a single tool.
Chapter 13, Performing a Full DFIR Analysis with the Autopsy 4 GUI, dives much deeper into automated
file carving, data recovery, and analysis using one of the most powerful and free forensic tools, which
takes forensic abilities and investigations to a professional level, catering for all aspects of full digital
forensics investigations, from hashing to reporting.
Chapter 14, Network Discovery Tools, showcases network scanning and reconnaissance tools such as
netdiscover, nmap, and Shodan, which, although not specifically designed for use as forensic tools,
are useful in providing additional information when performing incident response.
Chapter 15, Packet Capture Analysis with Xplico, gives an insightful use of automated packet analysis
using one tool for investigating network and internet traffic.
Chapter 16, Network Forensic Analysis Tools, ends the book by demonstrating how to capture and analyze
packets using a variety of tools and websites including Wireshark, NetworkMiner, packettotal.com,
and apackets.com.

To get the most out of this book


Although we have tried our best to explain all concepts and technologies in this book, it may be
beneficial if you have prior knowledge of downloading and installing software and are at least familiar
with basic computer and networking concepts such as RAM, CPU, virtualization, and network ports.

Software/hardware covered in the book    Operating system requirements
Kali 2022.x and later                    Minimum specs: A PC or laptop with 8 GB RAM, 250 GB free hard drive space, and a Ryzen 7 or i5 CPU
                                         Recommended specs: 16 GB RAM, 250 GB free hard drive space, and a Ryzen 7 or i7 CPU

If you are using the digital version of this book, we advise you to type the code yourself or access
the code from the book’s GitHub repository (a link is available in the next section). Doing so will
help you avoid any potential errors related to the copying and pasting of code.

Download the example code files


You can download the example code files for this book from GitHub at
https://github.com/PacktPublishing/Digital-Forensics-with-Kali-Linux-Third-Edition. If
there’s an update to the code, it will be updated in the GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at
https://github.com/PacktPublishing/. Check them out!

Download the color images


We also provide a PDF file that has color images of the screenshots and diagrams used in this book.
You can download it here: https://packt.link/vLuYi.

Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file
extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “Power on
your Pi and Kali will boot. Again, the default username and password are both kali (in lowercase).”
Any command-line input or output is written as follows:

sudo apt update

Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words
in menus or dialog boxes appear in bold. Here is an example: “You can view some of the forensics
tools by clicking on Applications | 11-Forensics on the main Kali menu.”

Tips or important notes


Appear like this.

Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at
customercare@packtpub.com and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen.
If you have found a mistake in this book, we would be grateful if you would report this to us. Please
visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would
be grateful if you would provide us with the location address or website name. Please contact us at
copyright@packt.com with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you
are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share Your Thoughts


Once you’ve read Digital Forensics with Kali Linux, we’d love to hear your thoughts! Please click here
to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering
excellent quality content.
Download a free PDF copy of this book


Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere?
Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical
books directly into your application.
The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content
in your inbox daily.
Follow these simple steps to get the benefits:

1. Scan the QR code or visit the link below

https://packt.link/free-ebook/9781837635153

2. Submit your proof of purchase


3. That’s it! We’ll send your free PDF and other benefits to your email directly
Part 1: Blue and Purple Teaming Fundamentals

As we begin our journey into Digital Forensics and Incident Response (DFIR), it is important that
we have a clear understanding of Blue and Purple Teaming, which is compared to Red Teaming, and
also have a firm grasp on fundamental knowledge required to create a Blue and Purple Teaming lab
environment. This section explains the terminology and looks at the skillsets required in becoming a
Blue and Purple Teamer, and also demonstrates various methods of setting up a DFIR lab environment.
This part has the following chapters:

• Chapter 1, Red, Blue, and Purple Teaming Fundamentals


• Chapter 2, Introduction to Digital Forensics
• Chapter 3, Installing Kali Linux
• Chapter 4, Additional Kali Installations and Post-Installation Tasks
• Chapter 5, Installing Wine in Kali Linux
1
Red, Blue, and Purple Teaming Fundamentals
Welcome to the third edition of Digital Forensics with Kali Linux, and for those of you who may have
purchased the previous editions, welcome back. I’d also like to sincerely thank you for once again
choosing this exciting title. As with the second edition, this third edition has been updated with
new tools, easy-to-follow labs, and a couple of new chapters. We have an exciting journey ahead of
us, and I’m pleased to announce the inclusion of some major additions, including the installation
of Wine, which will allow us to run Windows tools within Kali Linux and will be covered in its
entirety in Chapter 5, Installing Wine in Kali Linux. Chapter 10, Memory Forensics and Analysis with
Volatility 3, is also brand-new and shows how to perform RAM artifact analysis on newer operating
systems. Another new chapter on using the Autopsy v4 Graphical User Interface (GUI) to perform
full Digital Forensics and Incident Response (DFIR) analysis and investigations can be found in
Chapter 13, Performing a Full DFIR Analysis with the Autopsy 4 GUI.
Besides these major additions, we will also look at some new topics, such as creating a portable Kali
Linux box using a Raspberry Pi 4, learning about tools such as DD-rescue, scrounge-ntfs, Magic
Rescue, PDF-Parser, Timeliner, and netdiscover, and introducing Shodan.io and apackets.com for Internet
of Things (IoT) discovery and packet analysis.
For this book, we take a very structured approach to digital forensics, as we would in forensic science.
First, we will stroll into the world of digital forensics, its history, and some of the tools and operating
systems used for forensics, and we will immediately introduce you to the concepts involved in
evidence preservation.
With that said, we have a lot to cover and will start by learning about Kali and the various cybersecurity
teams and the differences between red, blue, and purple teaming. For our returning and advanced
readers who may have prior knowledge of Kali Linux and the respective teams, feel free to skim
through the first two chapters and get straight into the practical aspects in Chapter 3, Installing Kali
Linux, Chapter 4, Additional Kali Installations and Post-Installation Tasks, and Chapter 5, Installing
Wine in Kali Linux, which detail the installations of Kali and Wine.
In this chapter we will cover the following key topics:

• What is Kali Linux?


• Understanding red teaming
• Understanding blue teaming
• Understanding purple teaming

Before we get started with these topics, the following is a sneak peek at how I got into the world of
Kali Linux, as I feel some of you will be able to relate to my story!

How I got started with Kali Linux


Digital forensics has had my attention for well over 15 years. Ever since I was given my first PC (thanks,
Mom and Dad), I’ve always wondered what happened when I deleted my files from my massively large
2 GB (Gigabyte) hard drive or moved my files to (and often hid them on) a less-than-inconspicuous
3.5-inch floppy diskette that maxed out at 1.44 MB (Megabytes) in capacity.
I soon learned that hard and floppy disk drives did not possess the digital immortality I so confidently
believed in. Sadly, many files, documents, and priceless fine art created in Microsoft Paint by yours
truly were lost to the digital afterlife, never to be retrieved again. Sigh. The world shall never know.
It wasn’t until years later that I came across an article on file recovery and associated tools while
browsing the magical World Wide Web (WWW) on my lightning-fast 42 Kbps dial-up internet
connection (made possible by my very expensive USRobotics dial-up modem), which sang the tune
of the technology gods every time I tried to connect to the realm of the internet. This process involved
a stealthy ninja-like skill that would make even a black-ops team envious, as it involved doing so
without my parents noticing, as this would prevent them from using the telephone line to make or
receive phone calls (apologies, dear Mother, Father, and older teenage sister).
The previous article on data recovery wasn’t anywhere near as detailed and fact-filled as the many great
peer-reviewed papers, journals, and books on digital forensics widely available today. As a total novice
(also referred to as a noob) in the field, I did learn a great deal about the basics of file systems, data and
metadata, storage measurements, and the workings of various storage media. It was at this time that,
even though I had read about the Linux operating system and its various distributions (or distros),
I began to get an understanding of why Linux distros were popular for data recovery and forensics.
I managed to bravely download the Auditor and Slax Linux distributions, again on a dial-up
connection. Just downloading these operating systems was quite a feat, which left me feeling highly
accomplished as I did not have any clue as to how to install them, let alone actually use them. In those
days, easy installation and GUIs were still under heavy development, as user-friendly, or in my case,
user-unfriendly, as they were at the time (mostly due to my inexperience, lack of recommended
hardware, and also lack of resources, such as online forums, blogs, and YouTube, which I did not yet
know about).
As time passed, I researched many tools found on various platforms for Windows, Macintosh, and
many Linux distributions. I found that many of the tools used in digital forensics could be installed
on various Linux distributions or flavors, and many of these tools were well maintained, constantly
being developed, and widely accepted by peers in the field. Kali Linux is a Linux distribution or flavor,
but before we go any further, let me explain the concept of a Linux distribution or flavor. Consider
your favorite beverage: this beverage can come in many flavors, some without sweeteners or sugar,
in different colors, and even in various sizes. No matter the variations, it’s still the basic ingredients
that comprise the beverage at the core. In this way, too, we have Linux and then different types and
varieties of Linux. Some of the more popular Linux distros and flavors include Red Hat, CentOS, Ubuntu,
Mint, KNOPPIX, and, of course, Kali Linux. More on Kali Linux will be discussed in Chapter 3,
Installing Kali Linux.
With that said, let’s move on to our next section as we get started with exploring the enchanting world
of Kali Linux!

What is Kali Linux?


Kali Linux is a Debian-based operating system used globally by cyber security professionals, students,
and IT enthusiasts. Debian is a Linux distribution that is completely free, stable, constantly updated,
and supports many types of hardware; it is also the base for popular distributions such as Ubuntu and
Zorin. Kali Linux is certainly not new to the cybersecurity field and even goes back to the mid-2000s,
but it was known then as BackTrack, which was itself a merger of two earlier platforms, Auditor Security
Collection and WHAX. This merge happened in 2006, with subsequent versions of BackTrack being released up
to 2011, when BackTrack 5, based on Ubuntu 10.04, was released.
In 2013, Offensive Security released the first version of Kali, v1 (Moto), which was based on Debian 7,
and then Kali v2 in 2015, which was based on Debian 8. Following this, Kali Linux Rolling was released
in 2016; since then, the version number of each release reflects the year of release and the quarterly
release within that year, so 2022.3 is the third release of 2022. At the time of writing, I use Kali
2022.3 and 2022.4, both based on recent versions of Debian. You can find more on the open source and
free Debian Project at https://www.debian.org/intro/about.
As a cybersecurity professional, a Chief Information Security Officer (CISO), penetration tester
(pentester), and subject matter expert in DFIR, I have used BackTrack and now Kali Linux for well
over a decade since I first came across it when I started studying for the Certified Ethical Hacker exam
in 2006. Since then, I’ve used a myriad of operating systems for pentesting and digital forensics, but
my main tool of choice, particularly for pentesting, is Kali Linux. Although Kali Linux has focused
less on DFIR and more on penetration testing, it makes it much easier for me to have both penetration
testing and DFIR tools on one platform rather than have to switch between them.
6 Red, Blue, and Purple Teaming Fundamentals

For our readers who may have purchased the first and second editions of this book, I'd say you're
certainly in for a treat as I've not only updated many labs and introduced new tools in this edition,
but I've also included a chapter on installing Wine in Kali Linux. Wine (a recursive acronym for "Wine
Is Not an Emulator") is a compatibility layer that allows you to run Windows applications in Kali Linux
without a Windows installation. Although it takes a bit of configuration, I've compiled a step-by-step
guide on how to install Wine in Chapter 5, Installing Wine in Kali Linux.
Some of you may be wondering why we would install Wine instead of simply using a Windows machine.
There are quite a few valid reasons actually. Firstly, cost is a major factor. Windows licenses aren’t
cheap if you’re a student, in between jobs, changing careers, or live in a region where the exchange rate
and forex are limiting factors in purchasing licensing. At the time of writing, the cost of a Windows
10 Professional license is $199.00, as listed on Microsoft's site at
https://www.microsoft.com/en-us/d/windows-10-pro/df77x4d43rkt?activetab=pivot:overviewtab.
Although we will not be using commercial tools in this book, there are some amazing free DFIR tools
that are available for Windows, such as Belkasoft RAM Capturer, Autopsy 4 GUI, and NetworkMiner,
which we can now install within our open source Kali Linux environment instead of on a licensed
Windows machine. These tools will be covered in detail in Chapter 8, Evidence Acquisition Tools,
Chapter 13, Performing a Full DFIR Analysis with the Autopsy 4 GUI, and Chapter 16, Network Forensic
Analysis Tools, respectively.
Another consideration is that Wine saves us the hassle of switching between physical machines, and it
also saves resources such as Random Access Memory (RAM), Central Processing Unit (CPU) time, and Hard
Disk Drive (HDD) space compared with running a separate Windows virtual machine, which we will discuss
in more detail in the next chapter.
Finally, using Wine we can install many other Windows applications in Kali Linux, whether they be
productivity tools or even tools for penetration testing, thus making our Kali Linux installation the
perfect purple teaming operating system environment, which we will discuss later in this chapter.

Why is Kali Linux so popular?


Aside from being one of the oldest InfoSec distros (distributions), Kali Linux has a very large support
base, and you can find thousands of tutorials on installation, using built-in tools, and installing additional
tools on YouTube, TikTok, and the internet at large, making it one of the more user-friendly platforms.
Kali Linux also comes with over 600 tools, all of which are nicely categorized in Kali's Applications
menu. Many of the tools included in Kali can perform various cybersecurity tasks ranging from Open
Source Intelligence (OSINT), scanning, vulnerability assessments, exploitation and penetration testing,
office and productivity tools, and, of course, DFIR. The full listing of tools can be found at
https://www.kali.org/tools/all-tools/.
The following screenshot gives a preview of the category listings in the Kali Linux menu.

Figure 1.1 – Category listing in the Kali Linux menu

Kali Linux users also have the option to download and install (meta)packages manually rather than
downloading a very large installation file. Kali Linux (meta)packages contain tools and dependencies
that may be specific to an assessment or task, such as information gathering, vulnerability assessments,
wireless hacking, and forensics. Alternatively, a user can download the kali-linux-everything (meta)
package. We’ll go into more detail about (meta)package installations in Chapter 4, Additional Kali
Installations and Post-Installation Tasks, but if you’d like to know more about what (meta)packages
exist, you can find the full listing at https://www.kali.org/docs/general-use/metapackages/.

Yet another reason why Kali Linux is so popular is that there are several versions available for a
multitude of physical, virtual, mobile, and portable devices. Kali is available as a standalone operating
system image and can also be installed virtually using their pre-built images for virtual platforms such
as VMware and VirtualBox, which will be covered in detail in Chapter 3, Installing Kali Linux, and
Chapter 4, Additional Kali Installations and Post-Installation Tasks. There are also versions of Kali for
ARM devices, cloud instances, and even the ability to run Kali Linux in Windows 10 under the Windows
Subsystem for Linux (WSL). On a personal note, I also use the mobile version of Kali Linux called
Kali NetHunter on an old OnePlus phone and also on a Raspberry Pi 4, which, when connected to a
power bank, serve as the ultimate portable security assessment toolkit. As far as installation on mobile
phones goes, NetHunter (and even Kali Linux itself in some cases) can be installed on a variety of phones
from Samsung, Nokia, OnePlus, Sony, Xiaomi, Google, or ZTE. We’ll look at installing Kali Linux in
VirtualBox and Raspberry Pi 4 in Chapter 4, Additional Kali Installations and Post-Installation Tasks.
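Because a forensic workstation is only as trustworthy as the image it was installed from, here is an added example (not from the book and not the Kali project's own code) of how a practitioner would check a downloaded Kali image before installing it. It assumes the image, the SHA256SUMS list and the SHA256SUMS.gpg detached signature that Kali publishes alongside its images are in the current directory, that Kali's archive signing key has already been imported into your gpg keyring, and that you take the expected key fingerprint from Kali's own download documentation; the function names, the fingerprint variable and the 2022.4 image name in the usage comment are placeholders of mine.

```shell
#!/bin/sh
# Added example (not from the book): check a downloaded Kali image against
# the SHA256SUMS list and its detached signature, SHA256SUMS.gpg. Paths and
# the fingerprint value are assumptions you fill in from Kali's own docs.

# verify_image_checksum SUMSFILE IMAGE
# Returns 0 if IMAGE's SHA-256 equals the entry for its basename in SUMSFILE,
# 1 on a mismatch, 2 if SUMSFILE has no entry for it. The list format is the
# GNU coreutils one ("<hex>  <name>", or "<hex> *<name>" in binary mode),
# so the same function works on any such list, not only Kali's.
verify_image_checksum() {
    sums=$1
    image=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "OK: $name"
}

# verify_sums_signature SUMSFILE SIGFILE FINGERPRINT
# A matching checksum only proves the image matches the list you fetched;
# the list itself must carry a good signature from Kali's archive key. This
# insists on a VALIDSIG status line naming the expected fingerprint, because
# "gpg --verify" alone also exits 0 for a good signature from an unrelated
# key that happens to be in the keyring.
verify_sums_signature() {
    sums=$1
    sig=$2
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# Typical run (image name as published for Kali 2022.4, assumed):
#   KALI_FPR="<fingerprint from the Kali download documentation>"
#   verify_sums_signature SHA256SUMS SHA256SUMS.gpg "$KALI_FPR" \
#       && verify_image_checksum SHA256SUMS kali-linux-2022.4-installer-amd64.iso
if [ "$#" -eq 2 ]; then
    verify_image_checksum "$1" "$2"
fi
```

Run the signature check first and the checksum second: a tampered mirror can serve a matching image and list together, and only the signature ties the list back to the Kali key.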
The fact that Kali Linux offers all these features for free and can be easily upgraded with the addition
of new tools just a couple of clicks and commands away makes it the perfect purple teaming solution.
Let’s take a look at red, blue, and purple teaming and the skillsets required for each team.

Understanding red teaming


Possibly the most commonly known team among users of Kali Linux, the red team is the name given
to the collective of individuals responsible for handling the offensive side of security as it relates to
OSINT, scanning, vulnerability assessments, and the penetration testing of resources, including but
not limited to individuals, companies, end-user hosts (desktops, laptops, mobiles), and network and
critical infrastructure such as servers, routers, switches, firewalls, NAS, databases, web applications, and
portals. There are also systems such as Internet of Things (IoT) devices, Operational Technology (OT)
devices, and Industrial Control Systems (ICS), which also require assessments by highly skilled red teamers.
Red teamers are generally thought of as highly skilled ethical hackers and penetration testers who, apart
from having the skill sets to conduct the assessments listed previously, may also have the technical
certifications that allow them to do so. Although certifications may not directly reflect the abilities of
the individuals, they have been known to aid in obtaining jobs.
Some red teaming certifications include (but are not limited to):

• Offensive Security Certified Professional (OSCP): Developed by the creators of Kali Linux
• Certified Ethical Hacker (CEH): From the EC-Council
• Practical Network Penetration Tester (PNPT): Developed by TCM Security
• Pentest+: By CompTIA
• SANS SEC: Courses from the SANS Institute
• eLearnSecurity Junior Penetration Tester (eJPT): Developed by eLearnSecurity for beginners
interested in becoming red teamers
They found the old paths again and walked them up and down, intoxicated, floating along almost unconsciously. On the Danube embankment a strong gust of wind came at them head-on.
– Your collar, Viksi, you must turn it up.
The woman turned up the soft fur with mechanical obedience and smiled. They walked on like that for a long while, together, as in the old days.
Only when they reached the quiet, genteel inner-city street, the narrow passage where Auntie lived, did they suddenly look at each other, startled, wondering.
Auntie's flat, the five first-floor windows, swam in light; the electric lamplight streamed out through the open balcony door too and lit the solid grey stone balustrade. Piano music came from above, and a few slender shadows moved to and fro behind the fluttering curtains.
– So Auntie still receives guests? – the man wondered.
– Four more of her little sisters have grown up – the woman explained in a whisper.
Quietly, grown sad, they ambled to the gate. The man asked anxiously:
– We're not going up, are we?
They were already on the threshold, and a sad sobriety had now taken complete hold of the woman.
– I'm going up, Gábor – she said, calling him now by his first name – but don't you come up. I know you couldn't, like this, but don't come later either, not even changed into other clothes. You see, I forgot to tell you before: Auntie has got entirely new furniture again, and they have made a salon out of the little apple-scented room too. A girls' salon, because there are rich girls among her little sisters now. Altogether Auntie has changed a great deal; I have changed too, and so have you. It will be better…
– When are you coming to Pest again?
– I don't know, I really don't know.
– Viktorin! It can't be!
– It can. It will be better that way, Gábor. I have grown so used to my life, I couldn't have it any other way now, I couldn't bear it.
– What has become of us, Viksi.
– It's better this way. Still, it's good that we met… And it's good that everything happened as it did; everything that was once beautiful would have spoiled little by little anyway. Goodbye, Gábor; I hope your wife gets well soon.
She turned quickly and hurried up the stairs. A fold or two of her soft, fine gown could still be seen, and once her snow-white complexion gleamed beside the stairwell lamp. Then she rang hastily at the door of the lighted flat.
The Tale of Death.

The galley that has no helmsman set out on the black water that slid by without a sound. On it rested the Soul, alone.
In the first moments it still seemed to feel the serpentine slithering of the waves, and would have liked to ask them whether the banks of the water of Lethe are in flower, and whether birds nest there, on the crests of the rock-phantoms fading into the distance. But beyond them it saw only a weary desert moor, from which the roar of distant storms could be heard, and out of which the torn-winged clouds came wandering, slowly unravelling. They draw near, they flock thickly, they float about it holding one another, and softly they settle over the Soul's eyes.
For these opal-coloured, wandering cloud-shadows are the envoys of the life left behind. And though Infinity, the eternal wellspring of secrets, might open before it now for the blink of an eye, because of them it cannot look into it. It sees only the swaying shapes of mist.
It is as if the plucking of some old, silver-enamelled harp could be heard from afar, from unknown lands of wonder; yet familiar, earthly chords still rattle into the endless harmony, like so many vivid red splashes of colour. The Soul recognizes them.
– That was the clink of glasses; that, a girl's laughter. Only the lament of a wronged woman trembles like this; and this is how the voice of human misery sounds.
And behold, all at once every one of them is silenced by a single lonely, clear, sorrowful cry, which sprang from the depths of one living heart and followed the departing one by a straight road. The Soul recognized it.
– It is you, my mother, you sorrowful one!
And from the mother's heart a hot, living ray flew, through mist, through cloud, straight towards it. It caught up with it:
– Are you a bridge, that I might go back across you? – said the Soul with infinite sadness, and sank back onto the surface of the dark waves.
Around it the mist grew ever thicker. Yet in one place (near or far?) the billowing greyness perhaps pales to gold. Or is it like the timid halo of the altars of May? And the Soul quivers through as the apparition's wing brushes towards it, as it slips up into the unknown, starry heights. It was she! The never attained, the never even touched, of whom an earthly girl was perhaps only a faint likeness, while the true one was created by the Soul's squandered dreams.
– You are first love! – it said.
And then the others came, one after another. Blue and pink sheaves of rays, glittering pillars of rainbow, the sprinkling, laughing memories of vanished minutes, of fleeting delights. Then veiled shadows, about which long sighs rustle. One after another they come forth, tottering, pale, dragging their ruined lives behind them like a train. The Soul cries out:
– They are the persecuted ones, whom I led on with false hopes and drove away.
And all the tears that had ever flowed on its account now rolled down over it and burned a million invisible wounds with a crushing pain. The Soul implored:
– Where is oblivion? Why does it not come to cover me over? Was it a moment ago, or many thousands of years, that I embraced the railing of that bridge in farewell? I am still I, who embraced and abandoned in the night the pillar of a bridgehead, because I wanted rest and forgetting, while from the distance the star-eyed city beckoned to me.
And once more, for the last time, the image of the great riverside city rose before it, as it had seen it then, on that last night. Then the marble palaces appeared, the colonnaded gates, the carpeted halls and the wanton light of curtained windows. And once more the intimations and fragrances of youth winged about it, the density of existence and the spell of artificial secrets.
– Where am I in all these? asked the Soul.
And then its own offspring came. Ideas that had been conceived from it, rhythms it had breathed out, forms it had shaped in its own image. It felt the revolutions of the past, the agony and delight of creation, the fringe of the storm of action.
– I am tired! panted the Soul.
Now some light, muffled humming came towards it, a gentle, soothing sound, such as the silver horseshoes of golden-winged butterfly-steeds would make as they furrow the mist in flight. Everything collapsed: the dreams, the remembered images. The Soul no longer even felt whether the great black river was raising waves around it.
– Now comes Nothing! – it thought.
Once more everything before its sight widened and spread out. It saw a great spring meadow bathed in rays, the glittering patches of the noonday sun scattered over the flowering turf. Among the flowers a bright-eyed little boy chases a coloured ball, panting.
A strange child! It no longer knew itself, and did not recognize the flowers, the sunshine and the ball. – Whose is this meadow? a dim half-thought arose. – And whose might that white manor house be?
Time and distance had dissolved by then, and all the other beautiful illusions of life had passed away for it: the belonging-together of things and the colour of images. Like a broken string of pearls, everything first came apart, then evaporated into nothingness. It had no thought any more, only some kind of feeling; scarcely a sigh's worth.
– How good it is like this!
And as the very last tremor of being, the Soul looked into itself. And there, at the deepest point, in the place of mysteries never known, something was now born: a labouring, sobbing tremor. First softly, like a flower bud longing to come forth, then ever more strongly, raging. It was a cascade of hot, wild whirlpools, which broke to the surface in the last moment, in fits and starts, mightily. They flew out of it, and when they left it behind like a lifeless ruin, the Soul remained empty after them. For they were the subjugated ones, the slaves kept in chains. They were the feelings killed too early, the stillborn ideas and the objectless longings. And all the sobbing left inside and buried alive, and all the dreams that had been startled and broken off, the songs that never found words. The things that never happened, though they were to have happened, and all the winged sayings that were never uttered. Now every one of them was freed and found a form. They lived.
– Where is the Soul? Which way? they asked.
But by then the Soul was nowhere any more. It no longer rested on the galley and no longer rocked on the black waves. It was one with them. One with the dim, soft mist and with the darkly sliding, even waves of the river.
Around the bier, just then, they were lighting the wax candles.
The Never-Man (A Soha-ember).

It still happens sometimes, even now, that I dream of him.


At such times I see just as dimly, with just as anxious a breath, as when I was eight years old. I see the mysterious half-dark, the gloom of a deep cellar mouth curving away in a slanting arch, which only a tiny thread of sunlight, seeping in from below through a crack, greyed ever so faintly.
One had to look in through the keyhole. It was a hollow dug into the side of the castle hill, forever locked and legendarily deep; a damp smell of mould and a frightening, cave-like chill streamed out of it from between the layered rough-stone walls. But one could see something inside for at most a metre, and even there only nothing, and bare cellar wall. They said the squire's wine was down there and the key was with the steward, but that was not true. They said it was very deep; once a few people from the village went down and walked an hour's way into it, but in the middle something blew out the torches and they ran back. That was all I knew then about the castle cellar.
Outside, meanwhile, sunlight flooded the hillside, violets showed blue in the moat ditches, and birdsong sounded among the crumbling stones of the ruins. In the castle courtyard there was a swallow's nest even on top of the broken pillory, because the little birds had taken a great liking to that wide, rusty iron ring to which the prisoners had been chained in olden days.
I was looking in through the keyhole, and around me a crowd of tiny, flaxen-haired tousled heads was jostling, glittering and flashing golden in the spring sunshine. They were fist-sized little "Swabian bugs", a few Liszkas, Agnets, Pólis, Lénis, Hanzes and Szeps: our court, mine and Marika's, for they followed us everywhere with a serf's loyalty, us, the "two parson's young ladies". I can almost see them even now, as they draw close around me, because I was the biggest and the wisest, and they lift their trusting, serious, anxious, silly little faces towards me.
– Something lives there, doesn't it?
– It does, – I answer with true conviction.
– And doesn't it come out of there?
– No, that one doesn't come out of there, ever. Soha.
– Soha, – heisst er (that's his name) – soha.
I looked at them. I think they did not understand this word (soha: never); I thought about it a little.
– Soha! Yes, that is what he is called, that is his name. His name is the Soha-ember, the Never-Man.
And I pressed my face to the keyhole again. Huh! its cool, mouldy breath wafted towards me, and I saw some cobwebby, strange shadow flit across the cellar wall. I jerked my head away in fright.
– Children, – I said in a whisper – we must leave here quickly now. The Never-Man doesn't like people talking loudly here, and because he heard his name, he is angry now. We'll make it up with him tomorrow.
– He's angry! – whispered every Liszka, Agnet, Hanz and Szep in terror.
And the light little children's feet sped noiselessly down the soft grass of the hillside, all the way to the highway. But even there some oppressed, fidgety silence choked everyone, perhaps because I too was trudging ahead silent and brooding. At the bend I called them to me. I spoke in a whisper:
– Listen here! Now we are going to do something so that the Never-Man won't be angry, because that would be a great misfortune. You must do what I say.
– What?
– Tomorrow morning everyone bring something from home, whatever you can. A piece of bread is good too, or a doll's dress, or red paper, or a candle end like the ones your mothers light at the Rorate mass. Whatever there is. We'll all go to him and give it to him, and then he won't be angry.
– That'll be good, – they said with enthusiasm, as with every new game I had invented.
They were all there the next day, and anxiously, awed, without a sound, they produced their spoils. I had half a crescent roll left from my coffee, Marika a little ball of pink embroidery yarn; someone brought a bacon rind, Hanz a rabbit's foot and Léni the broken handle of a blue glass oil lamp. That was the finest. I had everything loaded into Marika's doll's pram, among a lot of violets, and chanting we hauled the whole thing up to the cellar entrance. There I stopped, facing the keyhole. I looked in for a long time, deeply, with a suggestive gaze that probed mysteries, then slowly turned towards the crowd.
– Crouch down, all of you, and bow your heads!
It was done. Then I took the sacrificial objects one by one in my hand and, bending low, slid them through the gap under the iron door. Perhaps the steps of the castle cellar had been taken up, or the first step was well below the threshold, heaven knows how, but the half roll vanished with a loud thud. After it the rabbit's foot, the glass shard and the rest. I turned outward again.
– Say after me, out loud, what I say. But stay as you are, crouching; Marika, take a bunch of violets in your hand and meanwhile strike the latch with it, as many times as we speak.
Now I recited it to them.
– Dodoláma! Baburéka! Antoméda! Helgorába!
The faithful murmured it after me with due devotion, and then, solemnly anxious, awed, full of deep impressions, we left the holy place.
That is how I became the priestess of a new religion, deeply mysterious, heathenishly simple in its morals, fantastically bold in its rites. It was always I who offered up the sacrifices, potato candy, doll's dresses, a dead sparrow, and then I pressed my ear to the keyhole and, amid the wondering whispers of the people, drew in the revelation and communicated it to them. I judged, punished and rewarded in His name, I let cycles of legend form around him, and I chose a priestly order to stand beside me. Marika, my sister, assisted most, and it was always Hanz, the tall, dreamy-eyed lad, who pushed the sacrificial cart.
And yet, and this I remember quite clearly, I was by no means a fraud, and as time went on even less so than in the first minute. The thought of the supernatural shook, dazed and fertilized my own small self too; I believed, perhaps with an even stronger flame than the others. I worked through the suggestive power of my faith; I was a well-meaning, pious, true apostle.
At first the new cult had a very good effect on us, and at home they could not marvel enough.
– Marika! – I called up into the plum tree. – You are stuffing yourself with green fruit again. If you get sick, someone else will stand at the threshold with the flowers.
Or:
– Szep! you've torn the new bodice already. You're filthy, and the Never-Man doesn't like that one bit.
But little by little we lived ourselves too deeply into the thing, I myself most of all. Among themselves the peasant children still scuffled, scribbled on the walls and robbed birds' nests just as before, but I lived inside the mysteries I had brought to life out of nothing, and I felt them outgrowing me. In my every thought, game and terror this invisible spirit-child figured with its oppressive, fearful power; it had moved into my small brain and stunned me with the certainty that it existed. By now I was restless, and with the ever-strengthening little sect I went in dread to its cave of wonders. Already then I was terribly afraid of it, of the supernatural thing shaken up out of nothing. I knew for certain that one day it would appear to me and I would truly see it. In my dreams I had often seen it already, and because we attributed to it everything incomprehensible and marvellous, we knew it was lord of dreams too. It is lord of capricious fate, for today we get a thrashing for a torn-off button and tomorrow the button comes off again and nobody even notices. I was afraid of it. But of course I could in no way have expressed in intelligible words what troubled me, what lay on my soul with an ever mistier, more dreadful weight.
Summer passed too, and sodden, cloudy days came, dawns white with frost. One could hardly go out to the cellar any more; then Szep was working beside his father at the harvest carting, Liszka went as a nursemaid to the notary's family, and Marika coughed and lay in bed for a week. I felt dimly that this would be some transitional time of crisis, and on my little footstool I would sit motionless until evening, watching the greyish sky and the black mud outside. And I kept tormenting myself, brooding.
– Does something hurt you? – Marika asked at dusk.
– Nothing hurts.
– Then what's the matter with you?
– I'm afraid.
– Of what? – she asked with round eyes, and already she was afraid too.
– I don't know, Marika, I said with chattering teeth, and dared not even move. I don't know, but I keep thinking, even in the daytime, that I'm dreaming. Right now I think you're not even the real Marika who is my sister. You're only made of dream, because I'm dreaming you. I'm asleep on my pillow now and the robbers could kill me, because it's night and I can't wake up. You're not Marika either, because the real Marika is asleep in the trundle bed beside me now and…
– I'm not asleep, I'm real, – the poor thing shrieked, and drew away instinctively. And when I snatched after her to grab her, to see whether she was real, she started running from me with a terrified cry, and I after her, across the dark veranda, to Mother.
Mother was already sitting by the lamp, mending. Like two mad things we rushed into her lap, and it took a great many words and caresses before our convulsive crying sank into quiet sniffling. Even from Mother's lap Marika blinked at me in alarm with her big round eyes. Uncle came in too, Mother's brother, a smiling, red-faced priest-uncle, and he too learned what was the matter with us.
– What imagination, he mused, puffing at his pipe, what a powerful imagination! Why, that is how the heretical sects came into being! You little witch, you, fit for burning!
But still he smiled and smoked his pipe. Mother smiled too, and who, after all, is wiser than one's own mother. That day she arranged a "plucking" before bedtime in the big glazed bathtub. Oh, how we loved the warm, soapy water of an evening, her soft hands on our small bodies, the splashing, for which Mama made a merry, laughing mood in advance; and afterwards a soft, clean bed, sensible talk, prayers said aloud in a calm, serious voice, and Mama stays in here until we fall asleep.
And yet the shadow of the mysterious stayed with us a while longer, as a kind of dim gloom. I will tell how it vanished for good, too.
It was the Sunday before Advent, and where we come from the village people used to hold some kind of racket at this time too, something like the tail end of carnival. Before the fast they fry doughnuts once more, eat honey cake, dance and make merry in the servants' room. So it was that day as well. Mother and Uncle put up with the comedy with indulgent good will. All at once Mári the maid rushes in, breathless and giggling, and calls out to us.
– Please come out, I kiss your hands, the Never-Man is there in the yard. Your man, little misses, come and look quick.
By that time the whole servants' house knew the legends of the wonder-man and snickered at them.
Taken aback, I looked at Marika, and she blinked back timidly. For some time we had not mentioned the Never-Man to each other. But Mother smiled kindly at silly Mári, and Uncle too heaved himself up, pipe and all, so we went out as well, holding Mári's hand.
At the end of the veranda, from the direction of the stables and servants' quarters, came the merry noise and romping. The empty shell of an enormous pumpkin was stuck up there on a tall pole. A nose, eyes and ears had been cut out of it, then it had been lined with red tissue paper and a candle lit in the middle. It was odd, grotesque, grinning, stupid and commonplace. The servants clamoured and tittered around it, the men groped at the womenfolk and spoke simple-minded things towards the grinning pumpkin head. The Never-Man!
Marika and I looked at each other, and we laughed too, vulgarly, foolishly, like servants, and it felt good.
On that day our domineering spirit ceased to exist and to haunt. We laughed, and never spoke of him again.
*** END OF THE PROJECT GUTENBERG EBOOK A
GONDOLKODÓK ÉS EGYÉB ELBESZÉLÉSEK ***

Updated editions will replace the previous one—the old editions will
be renamed.

Creating the works from print editions not protected by U.S.


copyright law means that no one owns a United States copyright in
these works, so the Foundation (and you!) can copy and distribute it
in the United States without permission and without paying copyright
royalties. Special rules, set forth in the General Terms of Use part of
this license, apply to copying and distributing Project Gutenberg™
electronic works to protect the PROJECT GUTENBERG™ concept
and trademark. Project Gutenberg is a registered trademark, and
may not be used if you charge for an eBook, except by following the
terms of the trademark license, including paying royalties for use of
the Project Gutenberg trademark. If you do not charge anything for
copies of this eBook, complying with the trademark license is very
easy. You may use this eBook for nearly any purpose such as
creation of derivative works, reports, performances and research.
Project Gutenberg eBooks may be modified and printed and given
away—you may do practically ANYTHING in the United States with
eBooks not protected by U.S. copyright law. Redistribution is subject
to the trademark license, especially commercial redistribution.

START: FULL LICENSE


THE FULL PROJECT GUTENBERG LICENSE
PLEASE READ THIS BEFORE YOU DISTRIBUTE OR USE THIS WORK

To protect the Project Gutenberg™ mission of promoting the free


distribution of electronic works, by using or distributing this work (or
any other work associated in any way with the phrase “Project
Gutenberg”), you agree to comply with all the terms of the Full
Project Gutenberg™ License available with this file or online at
www.gutenberg.org/license.

Section 1. General Terms of Use and


Redistributing Project Gutenberg™
electronic works
1.A. By reading or using any part of this Project Gutenberg™
electronic work, you indicate that you have read, understand, agree
to and accept all the terms of this license and intellectual property
(trademark/copyright) agreement. If you do not agree to abide by all
the terms of this agreement, you must cease using and return or
destroy all copies of Project Gutenberg™ electronic works in your
possession. If you paid a fee for obtaining a copy of or access to a
Project Gutenberg™ electronic work and you do not agree to be
bound by the terms of this agreement, you may obtain a refund from
the person or entity to whom you paid the fee as set forth in
paragraph 1.E.8.

1.B. “Project Gutenberg” is a registered trademark. It may only be


used on or associated in any way with an electronic work by people
who agree to be bound by the terms of this agreement. There are a
few things that you can do with most Project Gutenberg™ electronic
works even without complying with the full terms of this agreement.
See paragraph 1.C below. There are a lot of things you can do with
Project Gutenberg™ electronic works if you follow the terms of this
agreement and help preserve free future access to Project
Gutenberg™ electronic works. See paragraph 1.E below.
1.C. The Project Gutenberg Literary Archive Foundation (“the
Foundation” or PGLAF), owns a compilation copyright in the
collection of Project Gutenberg™ electronic works. Nearly all the
individual works in the collection are in the public domain in the
United States. If an individual work is unprotected by copyright law in
the United States and you are located in the United States, we do
not claim a right to prevent you from copying, distributing,
performing, displaying or creating derivative works based on the
work as long as all references to Project Gutenberg are removed. Of
course, we hope that you will support the Project Gutenberg™
mission of promoting free access to electronic works by freely
sharing Project Gutenberg™ works in compliance with the terms of
this agreement for keeping the Project Gutenberg™ name
associated with the work. You can easily comply with the terms of
this agreement by keeping this work in the same format with its
attached full Project Gutenberg™ License when you share it without
charge with others.

1.D. The copyright laws of the place where you are located also
govern what you can do with this work. Copyright laws in most
countries are in a constant state of change. If you are outside the
United States, check the laws of your country in addition to the terms
of this agreement before downloading, copying, displaying,
performing, distributing or creating derivative works based on this
work or any other Project Gutenberg™ work. The Foundation makes
no representations concerning the copyright status of any work in
any country other than the United States.

1.E. Unless you have removed all references to Project Gutenberg:

1.E.1. The following sentence, with active links to, or other
immediate access to, the full Project Gutenberg™ License must
appear prominently whenever any copy of a Project Gutenberg™
work (any work on which the phrase “Project Gutenberg” appears, or
with which the phrase “Project Gutenberg” is associated) is
accessed, displayed, performed, viewed, copied or distributed:

This eBook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this eBook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.

1.E.2. If an individual Project Gutenberg™ electronic work is derived
from texts not protected by U.S. copyright law (does not contain a
notice indicating that it is posted with permission of the copyright
holder), the work can be copied and distributed to anyone in the
United States without paying any fees or charges. If you are
redistributing or providing access to a work with the phrase “Project
Gutenberg” associated with or appearing on the work, you must
comply either with the requirements of paragraphs 1.E.1 through
1.E.7 or obtain permission for the use of the work and the Project
Gutenberg™ trademark as set forth in paragraphs 1.E.8 or 1.E.9.

1.E.3. If an individual Project Gutenberg™ electronic work is posted
with the permission of the copyright holder, your use and distribution
must comply with both paragraphs 1.E.1 through 1.E.7 and any
additional terms imposed by the copyright holder. Additional terms
will be linked to the Project Gutenberg™ License for all works posted
with the permission of the copyright holder found at the beginning of
this work.

1.E.4. Do not unlink or detach or remove the full Project
Gutenberg™ License terms from this work, or any files containing a
part of this work or any other work associated with Project
Gutenberg™.

1.E.5. Do not copy, display, perform, distribute or redistribute this
electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1 with
active links or immediate access to the full terms of the Project
Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if you
provide access to or distribute copies of a Project Gutenberg™ work
in a format other than “Plain Vanilla ASCII” or other format used in
the official version posted on the official Project Gutenberg™ website
(www.gutenberg.org), you must, at no additional cost, fee or expense
to the user, provide a copy, a means of exporting a copy, or a means
of obtaining a copy upon request, of the work in its original “Plain
Vanilla ASCII” or other form. Any alternate format must include the
full Project Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,
performing, copying or distributing any Project Gutenberg™ works
unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or providing
access to or distributing Project Gutenberg™ electronic works
provided that:

• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who
notifies you in writing (or by e-mail) within 30 days of receipt that
s/he does not agree to the terms of the full Project Gutenberg™
License. You must require such a user to return or destroy all
copies of the works possessed in a physical medium and
discontinue all use of and all access to other copies of Project
Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of
any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project Gutenberg™
electronic work or group of works on different terms than are set
forth in this agreement, you must obtain permission in writing from
the Project Gutenberg Literary Archive Foundation, the manager of
the Project Gutenberg™ trademark. Contact the Foundation as set
forth in Section 3 below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on, transcribe
and proofread works not protected by U.S. copyright law in creating
the Project Gutenberg™ collection. Despite these efforts, Project
Gutenberg™ electronic works, and the medium on which they may
be stored, may contain “Defects,” such as, but not limited to,
incomplete, inaccurate or corrupt data, transcription errors, a
copyright or other intellectual property infringement, a defective or
damaged disk or other medium, a computer virus, or computer
codes that damage or cannot be read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES - Except
for the “Right of Replacement or Refund” described in paragraph
1.F.3, the Project Gutenberg Literary Archive Foundation, the owner
of the Project Gutenberg™ trademark, and any other party
distributing a Project Gutenberg™ electronic work under this
agreement, disclaim all liability to you for damages, costs and
