Overview
Tsurugi Linux is a Linux distribution tailored for forensic purposes.
There are two editions: Tsurugi Acquire (a lightweight edition for preservation) and Tsurugi Linux LAB.
In this article, I will cover how to preserve disk images of devices under forensic investigation using Tsurugi.
In separate articles, I have also covered preservation using C.A.IN.E. and Paladin.
- https://dev.to/sum3sh1/disk-preservation-using-the-forensic-linux-caine-2hio
- https://dev.to/sum3sh1/disk-preservation-using-the-forensic-linux-paladin-3mn1
Like C.A.IN.E. and Paladin, Tsurugi is also an Ubuntu-based OS.
Launch
In this article, I will use Tsurugi Acquire 2021.1.
After downloading, make sure to check the hash value:
> certutil -hashfile tsurugi_acquire_2021.1.iso sha512
SHA512 hash of tsurugi_acquire_2021.1.iso:
bd5488e9e75bbcbc6560d166031e84c70bf19c1b9db6f872df99212fef110296c3e7735e39bdee533aaaa92a64e1096fb674b1d45dd4c88cde280442737d77fe
CertUtil: -hashfile command completed successfully.
Preservation Procedure
In this procedure, I am using msuhanov/ntfs-samples/ntfs.raw as the disk image to be preserved.
Preparation
First, adjust the time zone to match your local region. Also, for detailed procedures and precautions, it is good to follow the guidelines of trusted organizations.
Mounting the Disk
In Tsurugi Acquire, all devices are set to read-only by default.
You can open Tsurugi Device Unlocker on the desktop and press the Unlock button to make the target device writable.
Note that once you unlock a device, it seems you cannot revert it to read-only.
Let's also prepare the disk where the preservation image will be saved.
Prepare a disk larger than the image to be preserved (100GB), Unlock it, then partition and format it.
In the screenshot, I used commands, but GParted is included, so you can use that instead.
If you click Advanced in Tsurugi Device Unlocker, you can configure settings for each partition.
Preservation
Use Guymager to perform the image preservation. Here, the preservation target is /dev/sdb, and the preservation destination is /dev/sda1.
Right-click on the preservation target /dev/sdb and select Acquire Image.
Other than the save destination, I use the defaults. The settings are to save in E01 format, splitting every 2GB.
You can change the split size from Split size or adjust the hash calculation settings from Hash calculation / verification.
If you are using it for work, it is good to calculate two or more hash values as a safeguard against collisions.
Press Start to begin disk preservation, and the progress will be displayed.
Confirmation
When the preservation is complete, you can confirm that .E01 files and a .info file are preserved on the specified disk.
The .info file records the version of Guymager used for preservation, detailed information, and the hash values of the preserved image.
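As an added example (not from the article, nor from Tsurugi or Guymager), a small Python verifier that recomputes two hashes of an image in a single pass and compares them with the values recorded in a Guymager-style .info file. The .info line layout, the sample image bytes and the function names are constructed assumptions.

```python
import hashlib
import io
import re

# Two independent algorithms per pass: a collision in one is not a
# collision in the other, which is the point of recording two or more.
ALGORITHMS = ("md5", "sha256")

def multi_hash(stream, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Read the image once and feed every chunk to all hashers."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while chunk := stream.read(chunk_size):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

# Assumed line shape "MD5 hash : <hex>" / "SHA-256 hash : <hex>"; the real
# Guymager .info layout may differ, so adapt the pattern to your file.
_HASH_LINE = re.compile(
    r"^(?P<alg>MD5|SHA-?1|SHA-?256)\s+hash\s*:\s*(?P<hex>[0-9a-f]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def recorded_hashes(info_text: str) -> dict[str, str]:
    """Pull the hashes recorded in the .info text, keyed like ALGORITHMS."""
    return {
        m.group("alg").lower().replace("-", ""): m.group("hex").lower()
        for m in _HASH_LINE.finditer(info_text)
    }

def verify_stream(stream, info_text: str) -> dict[str, bool]:
    """Recompute and compare per algorithm; a False means a mismatch."""
    computed = multi_hash(stream)
    recorded = recorded_hashes(info_text)
    return {alg: computed[alg] == recorded[alg] for alg in computed if alg in recorded}

def check(image: bytes, info_text: str) -> dict[str, bool]:
    """In-memory wrapper; for a real image use verify_stream(open(path, 'rb'), ...)."""
    return verify_stream(io.BytesIO(image), info_text)
# Constructed stand-ins: 16 KiB of raw image data and a matching .info excerpt.
SAMPLE_IMAGE = bytes(range(256)) * 64
SAMPLE_INFO = "Hash calculation\n" + "\n".join(
    f"{alg.upper()} hash : {hx}" for alg, hx in multi_hash(io.BytesIO(SAMPLE_IMAGE)).items()
)
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"\x00"  # last byte altered

if __name__ == "__main__":
    print(check(SAMPLE_IMAGE, SAMPLE_INFO))    # {'md5': True, 'sha256': True}
    print(check(TAMPERED_IMAGE, SAMPLE_INFO))  # {'md5': False, 'sha256': False}
```

Guymager's recorded hashes cover the source device data, so run this against the device or a raw export of the image, not against the compressed .E01 segment files.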
Conclusion
By using Tsurugi Linux, I was able to easily preserve the disk through a GUI.
Compared to C.A.IN.E., being able to toggle Unlock per disk might be an advantage.
Also, since there is an analysis environment called [LAB], it would be a good choice if you want to do both preservation and analysis.
This article was translated by ChatGPT o1-preview.
Original Post(Japanese): https://zenn.dev/sum3sh1/articles/c3a40c4977fe48