Overview
Paladin is a Linux distribution developed for forensic purposes.
There are two versions: Paladin LTS and Paladin Edge. As the name suggests, LTS stands for Long-Term Support. Edge is lighter and also offers a 32-bit version, so it might be more suitable for preservation tasks.
https://sumuri.com/software/paladin/
Importantly, if you use Paladin LTS for commercial purposes, it is paid (requires a donation of 25 USD or more).
Edge doesn't specify such restrictions, but if you can afford it, consider donating.
In this article, I will cover how to preserve disk images of devices under forensic investigation using Paladin.
I have also previously covered preservation using C.A.IN.E. and Tsurugi.
- https://dev.to/sum3sh1/disk-preservation-using-the-forensic-linux-caine-2hio
- https://dev.to/sum3sh1/disk-preservation-using-the-forensic-linux-tsurugi-linux-21im
Paladin is also an Ubuntu-based OS. The wallpaper is cool.
Launch
In this article, I will use Paladin LTS 8.05.
After downloading, verify the hash value of the ISO against the one published on the download page before you boot from it.
› certutil -hashfile carbon-paladin-8.05.iso sha1
SHA1 hash of carbon-paladin-8.05.iso:
cb0de1883ac5ecb6165e2e96b8fd18bed9a159a8
CertUtil: -hashfile command completed successfully.
Preservation Procedure
In this procedure, I am using msuhanov/ntfs-samples/ntfs.raw as the disk image to be preserved.
Preparation
First, adjust the time zone to match your local region. Also, make sure to record the actions taken and their timestamps during preservation. For detailed procedures and precautions, it is good to follow the guidelines of trusted organizations.
Mounting the Disk
In Paladin, you can perform a series of operations using an integrated tool called Paladin Toolbox.
Beyond basic partitioning and imaging, it can also convert images between formats and perform carving. Amazing!
Connect a destination disk larger than the preservation target (100GB), then format and mount it from the Toolbox; this is all done by clicking buttons. The preservation target itself does not need to be mounted.
Preservation
The preservation target is /dev/sdb, and the destination is /dev/sda1.
Click Imager in the side menu to set the image type and other settings. There are five formats available, which is quite a lot.
dd(RAW), EWF(E01), EWF2(Ex01), SMART(S01), DMG(dmg)
For E01, you can choose from three compression levels, which is easy to understand.
None, Fast, Best
Once you've made your selections, click Start.
When it's finished, the log is displayed.
Confirmation
When the preservation is complete, you can confirm that the .E01 file and various logs are preserved on the specified disk.
By looking at paladin.complete.log, you can see that the hash values of the image are recorded.
It seems that MD5 and SHA1 are calculated by default.
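Both hash checks in this article, the SHA1 of the downloaded ISO (certutil output above) and the MD5/SHA1 recorded in paladin.complete.log for the acquired image, come down to the same task: recompute the digests of a large file in a streaming fashion and compare them with the values a tool wrote down. The script below is an added example and is not part of this article or of Paladin; the CERTUTIL_OUTPUT string reuses the certutil output shown above, the log format it parses is an assumption (it simply picks up any bare 32- or 40-character hex token, classifying it as MD5 or SHA1 by length), and the function names are mine.

```python
import hashlib
import io
import re
import sys

# Hex digest lengths of the two algorithms Paladin records by default.
_DIGEST_ALGOS = {32: "md5", 40: "sha1"}
# A bare hex token of exactly 32 or 40 characters; \b keeps the 32-char
# alternative from matching the first 32 characters of a SHA1 value.
_HEX_TOKEN = re.compile(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{40})\b")

# The certutil output shown earlier in this article, used as sample tool output.
CERTUTIL_OUTPUT = """SHA1 hash of carbon-paladin-8.05.iso:
cb0de1883ac5ecb6165e2e96b8fd18bed9a159a8
CertUtil: -hashfile command completed successfully."""


def digest_stream(stream, chunk_size=1024 * 1024):
    """Compute MD5 and SHA1 of a file-like object in a single pass, reading
    in chunks so a multi-gigabyte image is never held in memory at once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1()}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    """Hash a file on disk (the ISO, or the acquired .E01 / raw image)."""
    with open(path, "rb") as f:
        return digest_stream(f)


def parse_hashes(text):
    """Pull recorded MD5/SHA1 values out of tool output (certutil, an
    acquisition log) and key them by algorithm, inferred from token length.
    The first value seen for each algorithm wins. Format is an assumption."""
    found = {}
    for match in _HEX_TOKEN.finditer(text):
        token = match.group(1).lower()
        found.setdefault(_DIGEST_ALGOS[len(token)], token)
    return found


def verify(computed, expected):
    """Return the algorithms whose recorded value differs from the recomputed
    one. An empty list means every recorded hash verified; algorithms the
    log did not record are not treated as failures."""
    return [algo for algo in expected if computed.get(algo) != expected[algo]]


if __name__ == "__main__":
    # Usage: python verify_image.py <image-or-iso> <log-or-hash-file>
    image_path, log_path = sys.argv[1], sys.argv[2]
    with open(log_path, encoding="utf-8", errors="replace") as f:
        recorded = parse_hashes(f.read())
    mismatches = verify(digest_file(image_path), recorded)
    print("OK" if not mismatches else f"MISMATCH: {', '.join(mismatches)}")
```

Note that this confirms only that the file you hold matches what the tool (or the download page) recorded; it cannot tell you whether the recorded value itself was tampered with, which is why the log and the hash in your contemporaneous notes should be preserved alongside the image.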
Paladin is also listed in NIST's CFTT (Computer Forensics Tool Testing) program, and the test results are published.
https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical/disk
Conclusion
By using Paladin, I was able to preserve the disk entirely through a GUI.
Compared to Tsurugi Linux and C.A.IN.E., having an integrated tool might be suitable for beginners or for standardized tasks.
I had the impression that macOS forensic researchers often use it, but I had never touched this OS before. Having used it, it seems capable of various things, which is interesting.
They also sell various commercial tools and devices, so if you are in a department that can allocate a budget, it might be one of the good options.
This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/04f8f0265e8807