Disk Imaging with Tsurugi Linux for Digital Forensics
Overview
Tsurugi Linux is a Linux distribution tailored for forensic purposes.
It comes in two editions: Tsurugi Acquire (a lightweight edition for acquisition) and Tsurugi Linux [LAB] (an investigation edition equipped with many tools).
This article covers how to use Tsurugi to acquire disk images of forensic target devices.
I have also covered acquisition with C.A.IN.E. and Paladin in separate articles.
Incidentally, like C.A.IN.E. and Paladin, Tsurugi is also an Ubuntu-based OS.
Startup
In this article, I am using Tsurugi Acquire 2021.1.
Once downloaded, be sure to check the hash value.
› certutil -hashfile tsurugi_acquire_2021.1.iso sha512
SHA512 hash of tsurugi_acquire_2021.1.iso:
bd5488e9e75bbcbc6560d166031e84c70bf19c1b9db6f872df99212fef110296c3e7735e39bdee533aaaa92a64e1096fb674b1d45dd4c88cde280442737d77fe
CertUtil: -hashfile command completed successfully.
Acquisition Procedure
For this procedure, I am using msuhanov/ntfs-samples/ntfs.raw as the target disk image for acquisition.
Preparation
First, set the time zone to JST. Also, make sure to record the operations performed and the time during the acquisition.
For details on this, the "Evidence Preservation Guidelines" published by the Digital Forensic Research Group are informative.
Mounting the Disk
In Tsurugi Acquire, all devices are set to read-only by default.
You can make the target device writable by opening the Tsurugi Device Unlocker on the desktop and clicking the "Unlock" button.

Note that once you unlock a device, it seems you cannot revert it to read-only.
Make sure you have a disk prepared to store the acquired image as well.
Prepare a disk larger than the image to be acquired (100GB), unlock it, and perform partitioning and formatting.

Although I used commands in the screenshot, GParted is included, so you can use that as well.
Clicking "Advanced" in Tsurugi Device Unlocker allows you to configure settings per partition.

Acquisition
I will use Guymager to perform the image acquisition. In this scenario, the target is /dev/sdb and the destination is /dev/sda1.
Right-click the target /dev/sdb and select "Acquire image".

Everything except the destination is set to default. It is configured to save in E01 format, split into 2GB chunks.
You can change the split size from "Split size" or adjust the hash calculation settings in "Hash calculation / verification".

If you are using it for work, it is best to calculate at least two types of hash values.
The "Evidence Preservation Guidelines" are also useful for this.
When you press Start, the disk acquisition begins, and the progress is displayed.

Verification
Once the acquisition is finished, you can verify that the .E01 format files and .info files have been saved to the specified disk.

The .info file contains information such as the version of Guymager used for the acquisition, detailed information, and the hash values of the acquired image.
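The article recommends recording each operation with its time (in JST), computing at least two hash types, and checking the hashes recorded in the .info file. The following is an added example, not code from the article, Tsurugi or Guymager: it hashes an image with several algorithms in a single pass, compares the result against recorded values, and appends JST-stamped entries to an acquisition log. The sample "image" and its expected digests are constructed test data.

```python
"""Added example (not part of the original article or of Tsurugi/Guymager):
one-pass multi-hash verification of an acquired image plus a JST-stamped
operation log, following the article's advice to compute at least two hash
types and to record every step together with its time."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

JST = timezone(timedelta(hours=9))  # the article sets the time zone to JST
CHUNK = 4 * 1024 * 1024  # read 4 MiB at a time so large images fit in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Compare recorded hashes (e.g. copied from the .info file) with freshly
    computed ones; return the list of algorithms that do NOT match."""
    actual = hash_image(path, tuple(expected))
    return [name for name, digest in expected.items()
            if actual[name].lower() != digest.lower()]


def log_step(log_path, message):
    """Append a JST-timestamped line to the acquisition log and return it."""
    line = f"{datetime.now(JST).isoformat(timespec='seconds')}\t{message}\n"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def demo():
    """Constructed 3-byte sample 'image' so the example runs offline."""
    tmpdir = tempfile.mkdtemp()
    image = os.path.join(tmpdir, "sample.raw")
    with open(image, "wb") as fh:
        fh.write(b"abc")
    log_step(os.path.join(tmpdir, "acquisition.log"), "hashing sample.raw")
    # Well-known digests of b"abc", standing in for values recorded at acquisition.
    expected = {"md5": "900150983cd24fb0d6963f7d28e17f72",
                "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
    tampered = dict(expected, sha256="0" * 64)  # simulate a wrong recorded value
    return verify_image(image, expected), verify_image(image, tampered)


if __name__ == "__main__":
    print("mismatches (genuine, tampered):", demo())
```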
Conclusion
Using Tsurugi Linux allowed me to perform disk acquisition easily with a GUI.
Compared to C.A.IN.E., the ability to toggle Unlock per disk is a nice feature.
Given that the developer, Giovanni, gave a lecture at AVTokyo, Tsurugi Linux is quite well-known in Japan. If you want to perform disk acquisition in a Linux environment but aren't quite sure how, you can't go wrong using this.
As an aside, my own tools are installed by default in Tsurugi Linux [LAB], so I am personally rooting for it. I don't maintain them very much, so I'm afraid of when they might disappear.
That's all.