Cyber Forensics

Forensics Tools in Kali Linux

Kali Linux is widely regarded as one of the most popular toolkits available to security professionals. It offers a robust collection of programs that security professionals can use to conduct a host of security-related operations. One of its tool categories is the Forensics menu, which contains a collection of tools designed specifically for digital forensics.

Forensics is becoming increasingly important in today's digital age, where many crimes are committed using digital technology; understanding forensics greatly increases the chance that criminals don't get away with a crime.

This article provides you with an overview of the forensic capabilities of Kali Linux.

So, let’s start with the programs as they appear in the forensics menu:

Autopsy

A tool used by the military, law enforcement and other entities when it is time to perform forensic operations. This package is probably one of the most robust ones available as open source: it combines the functionality of many smaller, more narrowly focused packages into one application with a web-browser-based UI.


It is used to investigate disk images. When you click on Autopsy, it starts the service, and its user interface can be accessed in the web browser at http://localhost:9999/autopsy. It gives the user the full range of options required to create a new case file: Case Name, Description, Investigator's Name, Hostname, Host time zone, etc.

Its functionality includes timeline analysis, keyword search, web artifacts, hash filtering, data carving, multimedia and indicators of compromise. It processes disk images in raw or E01 format and creates reports in HTML, XLS or body-file format, depending on what a particular case requires.

Its robustness is what makes it such a great tool: whether it is case management, analysis or reporting, this tool has you covered.

Binwalk 

This tool helps users analyse binary images, enabling them to find embedded files and executable code by scanning the image file. It is a very powerful tool for those who know what they are doing: used correctly, it can find sensitive information hidden in firmware images that may lead to uncovering a hack or discovering a loophole to exploit.

The tool is written in Python and uses the libmagic library, making it perfect for use with magic signatures created for the Unix file utility. To make things easier for investigators, it ships with a magic signature file that holds the signatures most commonly found in firmware, making it easier to spot anomalies.


Bulk Extractor  

This is a very interesting tool when an investigator is looking to extract a certain kind of data from a digital evidence file: it can carve out email addresses, URLs, payment card numbers, etc. The tool works on directories, files and disk images. The data can be partially corrupted or compressed; the tool will still find its way into it.

The tool can detect patterns that appear repeatedly in the data, such as URLs, email addresses and more, and display them as a histogram. It can also create a word list from the data it finds, which can assist in cracking the passwords of encrypted files.
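As an added illustration (not part of the original article and not bulk_extractor's own code), the following Python sketch does what the two paragraphs above describe: it scans raw bytes for email addresses, URLs and card numbers without parsing any filesystem, and builds a frequency histogram of the repeated values. The patterns, the Luhn filter and the sample bytes are constructed assumptions for this example; bulk_extractor's real scanners are far more elaborate.

```python
import re
from collections import Counter

# Constructed sample of raw "evidence" bytes: text fragments, nul gaps and binary
# junk, standing in for a slice of a disk image (not real case data).
SAMPLE_IMAGE = (
    b"From: alice@example.com\x00\x00Visit http://example.com/login now\n"
    b"\xff\xfe\x00garbage\x00bob@example.org http://example.com/login "
    b"card 4111 1111 1111 1111 contact alice@example.com\n"
    b"http://example.com/login?x=1\x00"
)

# Assumed, simplified scanners; bulk_extractor's real ones are far more elaborate.
FEATURE_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./?=_%-]+"),
    "ccn": re.compile(rb"(?:\d[ -]?){13,16}"),
}

def luhn_ok(digits):
    """Luhn checksum: keeps random digit runs out of the card-number report."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def extract_features(data):
    """Scan raw bytes, no filesystem parsing: {feature: [(offset, value), ...]}."""
    found = {name: [] for name in FEATURE_PATTERNS}
    for name, pattern in FEATURE_PATTERNS.items():
        for m in pattern.finditer(data):
            value = m.group(0).decode("ascii", "replace")
            if name == "ccn":
                value = re.sub(r"\D", "", value)
                if not (13 <= len(value) <= 16 and luhn_ok(value)):
                    continue
            found[name].append((m.start(), value))
    return found

def histogram(hits):
    """Most frequent values first, like bulk_extractor's *_histogram.txt files."""
    return Counter(value for _, value in hits).most_common()
```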

Chkrootkit

This program is mostly used in a live-boot setting. It locally checks the host for any installed rootkits. It comes in handy when trying to harden an endpoint or making sure that a hacker has not compromised a system.

Chkrootkit can check system binaries for rootkit modification, last log deletions, quick and dirty string replacements, and temp deletions. This is just a taste of what it can do: the package seems simple at first glance, but to a forensic investigator its capabilities are invaluable.

Foremost  

Deleted files that might help solve a digital incident? No problem: Foremost is an easy-to-use open source package that can carve data out of formatted disks. You might not recover the filename itself, but you can carve out the data it holds.

Foremost was written by US Air Force special agents. Even when directory information is lost, it uses a list of headers and footers to carve files, allowing for dependable and quick recovery.
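To make concrete what Binwalk and Foremost do, here is an added Python example (not code from either project): a signature scan that reports every header offset in a blob, the way Binwalk does, and a header/footer carve of the same bytes, the way Foremost does, plus an inflate step that validates a footer-less gzip carve. The signature table and the sample image are constructed assumptions for this example.

```python
import gzip
import zlib

# Constructed signature table (an assumption for this example, not binwalk's magic
# file or foremost.conf): header, footer (None = no footer) and max carve size.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4096),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4096),
    "gz": (b"\x1f\x8b\x08", None, 4096),
}

def scan_signatures(data):
    """binwalk-style scan: report every header offset, ignoring any filesystem."""
    hits = []
    for kind, (header, _, _) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(header, pos + 1)
    return sorted(hits)

def carve(data):
    """Foremost-style carve: header to footer (inclusive), else up to max size.
    Returns [(offset, kind, bytes), ...]."""
    out = []
    for pos, kind in scan_signatures(data):
        header, footer, max_size = SIGNATURES[kind]
        end = min(pos + max_size, len(data))
        if footer is not None:
            f = data.find(footer, pos + len(header), end)
            if f == -1:
                continue  # header with no footer in the window: not carved
            end = f + len(footer)
        out.append((pos, kind, data[pos:end]))
    return out

def gunzip_carved(chunk):
    """Validate a footer-less gzip carve: inflate one member, ignore trailing slack."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    return d.decompress(chunk) + d.flush()

# Constructed "disk image": a JPEG-like blob, a real gzip member and a PNG-like
# blob separated by slack bytes; no directory entries exist for any of them.
FAKE_JPG = b"\xff\xd8\xff\xe0JFIF-payload\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\nIHDR-payload" + b"IEND\xaeB`\x82"
GZ = gzip.compress(b"carved text", mtime=0)
IMAGE = b"\x00" * 7 + FAKE_JPG + b"slack" + GZ + b"junk" + FAKE_PNG
```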


Galleta  

When you follow a trail of cookies, this tool parses them into a format that you can export to a spreadsheet program.

Understanding cookies can be a tough nut to crack, especially if investigators suspect the cookies might serve as evidence of a cyber-crime. This program lends a hand by letting investigators structure the data in a better form and run it through analysis software, most of which requires the data to be in some form of spreadsheet.

Hashdeep

This program is a must when dealing with hashes. Hashdeep defaults to MD5 and SHA-256. It can process files that have moved within a set, new files placed in a set, missing files, or matched files; Hashdeep handles all these conditions and generates reports that users can scrutinize, which is very helpful for performing audits.

One of its biggest strengths is performing recursive hash computations with multiple algorithms, which is integral when time is of the essence.
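An added example (not hashdeep's own code) of the audit described above: hash a directory tree recursively with MD5 and SHA-256 in one pass over each file, then classify every file in a later pass as matched, moved, new or missing against that baseline. The directory layout built in demo() is constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path
ALGORITHMS = ("md5", "sha256")  # hashdeep's default pair

def hash_file(path):
    """Hash one file with every algorithm in a single pass over its bytes."""
    hashers = [hashlib.new(name) for name in ALGORITHMS]
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            for h in hashers:
                h.update(block)
    return tuple(h.hexdigest() for h in hashers)

def hash_tree(root):  # recursive hash set {relative path: (md5, sha256)}, like hashdeep -r
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}
def audit(known, current):
    """Audit-mode classification into the buckets hashdeep's summary reports."""
    report = {"matched": [], "moved": [], "new": [], "missing": []}
    known_by_hash = {}
    for path, digests in known.items():
        known_by_hash.setdefault(digests, set()).add(path)
    for path, digests in current.items():
        if known.get(path) == digests:
            report["matched"].append(path)
        elif digests in known_by_hash:            # same content, different path
            report["moved"].append((min(known_by_hash[digests]), path))
        else:
            report["new"].append(path)            # content not in baseline: new or edited
    current_hashes = set(current.values())
    for path, digests in known.items():           # baseline content no longer anywhere
        if current.get(path) != digests and digests not in current_hashes:
            report["missing"].append(path)
    return report

def demo():
    """Constructed scenario: baseline a tree, then move, edit, delete and add a file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for name, body in [("docs/a.txt", b"alpha"), ("b.txt", b"bravo"),
                           ("c.txt", b"charlie"), ("d.txt", b"delta")]:
            (root / name).write_bytes(body)
        known = hash_tree(root)
        (root / "docs/a.txt").rename(root / "a_moved.txt")  # moved
        (root / "b.txt").write_bytes(b"bravo!")             # edited in place
        (root / "c.txt").unlink()                           # deleted
        (root / "e.txt").write_bytes(b"echo")               # new
        return audit(known, hash_tree(root))
```

A file edited in place shows up in both the new and the missing buckets, since its old content is gone and its new content has no baseline entry.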


Volafox

This is a memory analysis tool written in Python, focused on memory forensics for Mac OS X. It works on the Intel x86 and IA-32e architectures. If you're trying to find malware or any other malicious program that was or is resident in system memory, this is the way to go.

Volatility  

Probably one of the most popular frameworks when it comes to memory forensics. This is a Python-based tool that lets investigators extract digital data from volatile memory (RAM) samples. You can use it with the majority of 64- and 32-bit variants of Windows and selected flavours of Linux distros, including Android. It accepts memory dumps in various forms, such as raw format, crash dumps, hibernation files or VM snapshots, and it provides keen insight into the run-time state of the machine, which can be examined independently of the host's investigation.

Here's something to think about: because decrypted files and passwords are stored and retrieved in RAM, investigators can much more easily examine files that are encrypted on the hard drive, which significantly cuts down on the investigation's overall duration.


We will be following up this particular article with an in-depth review of the tools we have mentioned, with test cases.

Have fun and stay ethical.


Author: Abhimanyu Dev is a Certified Ethical Hacker, penetration tester, information security analyst and researcher.